FREEDOM OF INFORMATION AND PROTECTION OF PRIVACY ACT, 1987

OFFICE OF THE INFORMATION AND PRIVACY COMMISSIONER

CONTENTS

Monday 4 February 1991

Freedom of Information and Protection of Privacy Act, 1987

Office of The Information and Privacy Commissioner

Adjournment

STANDING COMMITTEE ON THE LEGISLATIVE ASSEMBLY

Chair: Duignan, Noel (Halton North NDP)

Vice-Chair: MacKinnon, Ellen (Lambton NDP)

Cooper, Mike (Kitchener-Wilmot NDP)

Frankford, Robert (Scarborough East NDP)

Marland, Margaret (Mississauga South PC)

Mathyssen, Irene (Middlesex NDP)

McClelland, Carman (Brampton North L)

Morin, Gilles E. (Carleton East L)

Murdock. Sharon (Sudbury NDP)

O'Neil, Hugh P. (Quinte L)

Owens, Stephen (Scarborough Centre NDP)

Villeneuve, Noble (Stormont, Dundas and Glengarry PC)

Substitutions:

Fletcher, Derek (Guelph NDP) for Mr Frankford

Mills, Gordon (Durham East NDP) for Mr Cooper

Sorbara, Gregory S. (York Centre L) Mr H. O'Neil

Clerk: Arnott, Douglas

Staff: McNaught, Andrew, Research Officer, Legislative Research Office

The committee met at 1407 in room 151.

FREEDOM OF INFORMATION AND PROTECTION OF PRIVACY ACT, 1987

Consideration of a comprehensive review of the Freedom of Information and Protection of Privacy Act, 1987.

The Chair: I call the committee to order.

Mr Owens: Mr Chairman, we have had some discussions in and around the mandate of this committee. As we are aware that there are some concerns with respect to the Municipal Freedom of Information and Protection of Privacy Act now, I would like to make a request of you as the Chair and the other two parties that if we have witnesses who want to discuss issues around the municipal act inasmuch as it relates to the provincial act, we allow them that latitude. There may be from time to time some witnesses come forward who may be able to shed some light through the municipal act on the issue of the provincial act, and I make that request to you.

The Chair: Thank you, Mr Owens. I am willing to allow that latitude if it is the wish of the committee.

Mr McClelland: A brief comment, Mr Chairman: I think it is inevitable that will happen, certainly as we review the implementation of the legislation with respect to provincial bodies, agencies and so forth. There will be some spillover. That is inevitable. I think in particular areas with respect to information available to the media with respect to policing and so forth, those types of things experienced with the OPP as we get into the implementation with municipal forces and so on, it is inevitable that there will be that crossover. I think to unduly limit it and say that we have to keep that focus so narrow with respect to Ontario matters would be to our detriment and we could certainly do well to listen to people and to discuss and consider issues that may be raised, that spinoff, if you will, in terms of municipal, so I am in complete agreement and accord with Mr Owens on that matter.

Ms S. Murdock: Just in keeping with that too, I do not know how the other members feel, but given that this is a complete review and we have a year to do it, we should be as open as possible to whatever any group says to us.

Mrs Marland: I know when we discussed this at the subcommittee, the concern was, especially when we looked at some of the names, that their whole focus might totally be on the municipal aspect. But I certainly concur with Mr Owens's suggestion. And who knows? We may end up killing two birds with one stone and improving both acts.

OFFICE OF THE INFORMATION AND PRIVACY COMMISSIONER

The Chair: I would like to at this time invite our first witnesses to appear in front of the committee and they are from the Office of the Information and Privacy Commissioner. Thank you for coming. State your name and the position you hold. The floor is yours.

Mr Mitchinson: Thank you. Mr Chairman and members of the standing committee, I first want to thank you for providing the Office of the Information and Privacy Commissioner with the opportunity to appear before you during the three-year review of the provincial act. I will be referring to our office, the Office of the Information and Privacy Commissioner, as the IPC throughout my presentation.

Before I begin, let me introduce myself and my colleagues. My name is Tom Mitchinson and I am the executive director of the IPC. I am responsible for the overall administrative and operational functions of the agency. Ann Cavoukian, one of our assistant commissioners, is the agency's principal spokesperson on matters dealing with part III of the act, involving the protection of personal privacy. Tom Wright, our other assistant commissioner, performs a corresponding role with respect to part II of the act dealing with the resolution of appeals. Tom is a delegated decision-maker with authority to issue orders under the act. Finally, in the audience is John Eichmanis, who is the manager of strategic planning and policy development for the IPC, who may be familiar to a number of members.

Mrs Marland: You can give his formal history.

Mr Mitchinson: I could not do it justice.

Ann, Tom and I constitute the IPC's executive committee and we have provided collective management for the agency since our former commissioner, Sydney Linden, left the IPC in April of last year. I know I speak for the three of us when I say that we very much look forward to the appointment of a new commissioner over the next short while. We take considerable pride in the fact that the agency has managed to operate reasonably well over the past 10 months, but we all recognize the need for the leadership of a commissioner who can assume all the responsibilities vested in that office by the act. However, until such time as a new commissioner is appointed, we will continue to do all we can to assist the committee in its deliberations.

Before proceeding, I would just like to publicly acknowledge the important and significant role played by Chief Judge Linden during his term as Information and Privacy Commissioner. His leadership during the formative stages of the IPC's development was a key factor in any successes we can claim today.

I understand that it is customary at legislative hearings such as this to have one person make the presentation and, accordingly, I will present the IPC's corporate view and attempt to answer questions raised by committee members. Where supplementary information is required, I will turn to my colleagues for assistance. It would be my preference to hold questions until the end of the presentation since I hope to address a number of anticipated issues during the course of my remarks. However, I will defer to the Chair on how he wishes to handle that.

My presentation is intended to provide the committee with our view on how the provincial act is working. While others will no doubt offer different opinions, my presentation will be made from the perspective of the IPC and I will try to assess the overall success of the act from that perspective.

Before I proceed, let me just say a few words about the material we have provided to the committee. I see the committee members have received the two binders of information. Most of this material has been made available to you for reference purposes. I will just briefly review the material that is included in those binders.

If I can deal with the material in reverse order and start with binder II, you will see that it contains a number of items you may already be aware of. As you know, one of the IPC's mandates is to conduct research into the purposes of the act. One of these purposes is the protection of personal privacy and we have sought to develop policy papers we hope will make a contribution from a privacy perspective to the public debate on various issues.

Two policy papers have been prepared which deal with the question of HIV/AIDS, and both have been included in binder II. The document entitled HIV/AIDS in the Workplace provides guidelines for the handling of sensitive HIV/AIDS-related personal information in the Ontario public sector. These guidelines have been adopted by the interministerial committee on AIDS and provide a framework for institutions to follow when addressing this very important and sensitive issue.

A second report, HIV/AIDS: A Need for Privacy, outlines the IPC view on how the issues surrounding the testing for HIV/AIDS should be dealt with by the Ontario government. Also included in binder II are the IPC guidelines on the use of fax technology and an update of how those guidelines are being used in the Ontario public service. In addition, a report called Caller Identification has been included, together with a general guide to the act, produced by our communications department.

The 1989 annual report of the commissioner has also been provided in binder II as has a summary report which outlines the findings of a detailed review of how AIDS-related personal information is collected, used and disclosed throughout the Ontario government.

Finally, at the back of binder II you will find a consolidation of newspaper and other print media articles from roughly 1 January 1988, when the act first came into effect, until the end of 1990. We have compiled this material for the committee, and for anyone else who may be interested, in order to give some appreciation of how the act has been received and perceived in the community and by the print media.

Turning now to binder I, it contains the material we hope will be of most use to this committee during the review of the provincial act. The act and all relevant amendments and regulations are your point of reference and are located at the front of the binder.

Next is a paper prepared specifically for these hearings which contains suggestions of where the act might be amended. We hope that the committee will carefully consider these suggestions in the context of determining what sections of the act require amendment. All the amendments we are suggesting in this paper flow out of our three years of experience in working with the act.

The next item in binder I is a paper on computer matching that was also prepared specifically for the three-year review. I will be returning to both the computer-matching paper and our suggested changes to the act later in my presentation.

Following the computer-matching paper is a survey of government of Ontario institutions that was done at the request of your predecessor committee. It seeks to provide information on the status, role and functions being performed by institutions' freedom of information and privacy co-ordinators. As you know, these co-ordinators are very important players in the operation of the act and to the success of Ontario's access and privacy scheme.

Also included is a document we hope the committee will be able to use as a reference tool during the three-year review. It compares Ontario's legislation to other jurisdictions with access and privacy schemes and was prepared for the IPC by Jennifer Wilson, Mr McNaught's predecessor, from the legislative library research service.

At the back of binder I we have included selected requests and appeals statistics covering the past three years. At the end of each calendar year, statistics are compiled on the number of access requests received and completed by the various government institutions covered by the act and on the number of appeals received and disposed of by the IPC. The report and graphs in binder I cover appeals data for the years 1988, 1989 and 1990. However, request data are available only for 1988 and 1989, because institutions are still in the process of reporting on their 1990 activity. I would refer committee members to our 1989 annual report in binder II for detailed statistical information covering 1988 and 1989.

Let me move on now to providing our assessment of the operation of Ontario's freedom of information and protection of privacy scheme over the past three years. I should state at the outset that in many ways Ontario's scheme is unique. One of its unique features is the combination of access, or freedom of information, and protection of privacy within one piece of legislation. Few other jurisdictions have followed this approach, and while it offers a number of advantages, there are some disadvantages as well.

1420

One disadvantage is the potential for confusing the two concepts or values. When we speak of access to government information, we are talking about access to administrative, operational and policy-related information contained in ministry and agency records. In other words, we are dealing with information about what a particular government institution does. The obverse of access in this context is secrecy. Privacy, on the other hand, deals with individuals and, in the context of the act, the protection of an individual's personal information. There is no obverse to privacy. You either have it or you do not, and you certainly cannot equate privacy with secrecy. When you invade someone's privacy you are taking away something that cannot be retrieved. The act attempts to limit invasions of privacy and says that an invasion should only be permitted if it can be justified because of an equal or higher value.

To say, as some people have, that in seeking to protect personal privacy this act is encouraging secrecy or hindering access to information is to misread the act and to misunderstand the basic principles that underlie it.

We cannot emphasize the distinction between secrecy and privacy too much. If confusion about these concepts is permitted to carry the day in public debates, privacy will be increasingly difficult to defend and this will make the IPC's task all the more difficult in the future. Also, and perhaps more importantly, it may lead to a general insensitivity to the claims of privacy as a human value.

Three elements or components are necessary in order to make the act work. First, there is the public, which has been given certain rights under the act, namely, the right of access to information in government records and the right of protection of their personal information. The extent to which the public is aware of the act and uses it is an important component in making the act a success. The second component is the institutions and the degree to which they are well organized and committed to making the act work. Finally, there is the Information and Privacy Commissioner's office, which has been given certain mandates and functions under the act.

All three components are absolutely necessary for the system established under the act to work. The act cannot properly function without strong commitment from the IPC, efficient and co-operative institutions and a well-informed public.

As you will see from the media response contained in binder II, the act has been discussed in the print media in most parts of Ontario. However, the extent to which individuals know about the act is more difficult to determine. From what we can tell, the general public seems to be reasonably well informed about the provincial act, but there is considerable scope to increase this level of awareness.

Some impressionistic information about public awareness can be found in our annual reports. In 1988, members of the public made a total of 4,784 requests to the 318 provincial institutions for access to general records or personal information. In 1989, this figure increased to 8,233 requests.

Although there is not a one-to-one correlation between the number of requesters and the number of requests, this figure indicates a significant increase in the use of the act by the public over the first two years of operation. We find this to be an encouraging sign, but we believe that considerable work must still be done to increase public awareness of the act. Public education is one of the IPC's primary responsibilities and we have dedicated significant time and resources to developing an educational outreach program directed at making the act better known in the community.

Another interesting statistic is the breakdown of the types of people who use the act. Figures relating to categories of users must be treated with some caution, as requesters are not required to identify themselves. However, we have been able to come up with some information regarding who uses the act. At least 50% of all requesters over the first two years were individuals acting in their private capacity. The next most frequent users were business representatives, with 7.2%, followed by researchers and the media, with 3% each. More than 30% of the requesters during this period could not be identified by type.

It is difficult to reach any definitive conclusions from these figures in such a short period of time. However, we feel that the Legislature can take some comfort in knowing that the Ontario public is interested in and uses the act and that both knowledge and usage appear to be growing.

Turning now to institutions, as you are aware, the Chairman of the Management Board of Cabinet is the minister responsible for the administration of the act. Although the act did not come into force until I January 1988, Management Board's freedom of information and privacy branch, under the direction of Frank White, began the work of creating an administrative infrastructure to deal with the act well before the implementation date. Mr White's branch oversaw the creation of a network of information and privacy co-ordinators in all ministries and agencies covered by the act and ensured that these co-ordinators were trained and ready to handle their responsibilities.

As a result of Management Board's efforts, when 1 January 1988 arrived, there was little delay in processing the first requests. Mr White and his staff continue to provide institutions with advice and assistance on how to deal with the never-ending stream of new issues that arise during the ongoing implementation of this very complex piece of legislation.

While every new act takes time to understand and implement and problems invariably arise, from the IPC's perspective we feel the vast majority of institutions and their senior officials have approached the act with a positive spirit and have co-operated with us in ensuring that the act is being implemented as intended by the Legislature.

You will see from the results of the survey done on the role and functions of the freedom of information and privacy co-ordinators that, by and large, they are fulfilling the responsibilities envisaged for them and are beginning to define their professional status within the civil service.

To satisfy the principles of the act, access to information should be timely and result in the requester receiving as much of the requested information as possible. It is up to the institutions to adhere to these principles, and for the most part they have done a good job. In 1988, 80% of requests were completed within 30 days or less, and this figure increased in 1989 to 84%. It is too early to know whether these figures indicate a long-term trend, but they do show that institutions have taken the issue of timeliness seriously.

Turning to the level of disclosure of general records or personal information, we find that institutions, in the first two years of operation, have been able to satisfy the majority of requesters. In 1988, all requested information was released in 56% of the cases and at least part of the requested information was released in another 22%. Total refusal accounted for only 16% of requests. In 1989, the comparable figures were 71% for full disclosure, 16% for partial disclosure and only 9% for no disclosure.

When these figures are read together with the results of the survey, we can postulate that institutions are responsive, their co-ordinators reasonably well trained, and they are able to respond to the general public in a way that satisfies the majority of requesters most of the time.

I now want to turn my attention to the third component of Ontario's scheme, the Office of the Information and Privacy Commissioner. The Information and Privacy Commissioner is an independent officer of the Legislative Assembly who has been given a number of roles and responsibilities under the act. Some of the more important functions are resolving appeals, advising on privacy implications of proposed legislation and government programs, ensuring compliance with the act through investigation of complaints received from the public and by proactive reviews of government operations, researching matters relating to the operation of the act and educating the public. Clearly, the IPC is a key component of the infrastructure created to make the act work effectively.

As with any new organization, the first few years have been a period of learning and adjusting. We have learned a lot and will continue to do so, but we believe the IPC has now settled into its role and has a clear understanding of its mandate. In the early part of 1990, we completed a review of our organizational structure and introduced changes which would permit us to be more effective in responding to the demands of the provincial act and to prepare for the increase in demands when municipalities were added to Ontario's access and privacy scheme in January 1991.

Looking at the IPC's various functions, I can report that our educational outreach program has been ongoing from the very start of our operations. The commissioner and assistant commissioners, as well as other senior staff of the IPC, have made frequent appearances throughout the province to speak about the act and the rights it gives the public.

In our advisory role, we review all bills introduced in the House, assessing whether they have any access or privacy implications. Where they do, we draw our concerns to the attention of the appropriate ministry, and, on the whole, the government has been open and responsive to our comments and suggestions.

1430

In other instances we have commented on proposed government programs. The most significant matter dealt with thus far has been our involvement with the introduction of the new health number by the Ministry of Health. While we agreed that the number in many ways represented an improvement over the previous OHIP number, its introduction did raise some significant privacy concerns. The federal experience with the social insurance number showed us the tremendous potential a uniquely assigned number has of becoming a universal identifier. Broad use of the SIN was never intended or sanctioned by federal legislation when it was introduced in the 1960s, yet, because no controls were imposed, the number is widely used and indeed required by both the public and private sectors for services which have no relation to the original intent of the number. In order to prevent a similar situation developing with the Ontario health number, we sought a commitment from the Ministry of Health to make private sector usage illegal and to control use of the number in the public sector to clearly defined, health-related purposes.

As you know, before the House recessed in December, the Minister of Health introduced Bill 24, the Health Cards and Numbers Control Act, which addressed our concerns. In her statement to the House when introducing Bill 24, the minister acknowledged the role played by the IPC in sensitizing the government and the public to the need for the controls established by the legislation. We look forward to the passage of this bill and also to the introduction of a wider-ranging health care information protection act in the upcoming spring session.

In the area of policy development, the IPC has been an active participant in the debate surrounding the issue of HIV and AIDS and privacy. After some careful research and consultation, the IPC published two reports on the subject. The first one, HIV/AIDS in the Workplace, made a series of recommendations on how HIV/AIDS-related personal information should be treated in the workplace. Our second report, HIV/AIDS: A Need for Privacy, made recommendations on the issue of anonymous HIV testing and recommended a new approach to the question of contact tracing and partner notification. The Minister of Health has publicly supported the thrust of the recommendations contained in this report, and I understand the detailed discussions regarding possible implementation of our recommendations are currently under way in the ministry.

We are also engaged in studies of other privacy issues, such as smart card technology and genetic engineering, to name but two. We will also begin to take a clear look at the issues of electronic records and workplace privacy during 1991.

Ensuring compliance with the act is another important function of the IPC. In carrying out this role, our compliance department responds to complaints from members of the public that their privacy has been breached by an institution. Each complaint is investigated and a report is prepared making recommendations to institutions regarding any violations of the act relating to the proper collection, retention, use, disclosure and security of personal information.

Our compliance department has also undertaken what we call compliance reviews. These reviews involve a comprehensive investigation and analysis of an institution's information management practices as they relate to the protection of personal information. A copy of the summary of our review on HIV/AIDS-related personal information in the Ministry of Health has been included in binder II. We have also recently completed a review of the operation of the Ministry of Government Services record centre, which will be reported in our upcoming 1990 annual report.

Finally, a large part of the IPC's mandate concerns the resolution of disputes between requesters and institutions regarding the right of access to records in the custody or under the control of these institutions. When a request for access to general records or personal information has been denied, the requester has a right, under the act, to appeal the institution's decision to the IPC. When an appeal is received, our appeals department first tries to mediate a settlement between the parties. If mediation is not possible, then the appeal proceeds to an inquiry where all parties are given an opportunity to make submissions to the commissioner or the assistant commissioner, before an order is issued which concludes the appeal.

Over the past three years, the proportion of appeals resolved by order of the commissioner has fallen steadily, from 40% in 1988 to 32% in 1989 to only 16% in 1990. All other appeals were resolved through some form of settlement: mediation, withdrawal or abandonment. We see this as a very encouraging statistic and an indication that the act is working in the way the Legislature intended. As institutions become more knowledgeable about the act, requests are responded to in accordance with the presumption that records should be released unless an exemption applies. Of those decisions that are appealed, many are settled on the basis of a detailed explanation of the act to either or both parties and a realization from one or other that either the records should be released or an exemption properly applies.

The growing body of jurisprudence developed through the issuance of more than 200 orders during the first three years of operation also provides a basis for encouraging settlement. We are optimistic that this trend towards settlement will continue and that only the very difficult and novel cases will require disposition by order of the commissioner or assistant commissioner.

For the remainder of my presentation I would like to outline the IPC's suggested changes to the act and to discuss our recommendations regarding the most appropriate way of grappling with the complex and difficult issue of computer matching in the Ontario government. The act requires the IPC to make proposals such as these to the House on an annual basis. However, given the purpose of this committee's hearings, we felt it would be appropriate to present our suggestions to this committee now rather than waiting for our 1990 annual report.

Our suggested changes focus on what we consider practical issues that need to be resolved. We have quite intentionally not addressed broader issues that would in effect open up the act to major restructuring and revision. However, we do believe that these broader considerations are within the purview of this committee, and if the committee proposes amendments of this nature we would simply request the opportunity to comment on them before any report is finalized so that the committee is made aware of the impact any proposed changes will have on the operation of the IPC.

The document Suggested Changes to the Freedom of Information and Protection of Privacy Act, 1987, which you received a few weeks ago and which is contained in binder I, describes our proposals. The report sets out three types of changes to the act.

The first are technical changes, which are prompted largely as a result of faulty legislative drafting and do not affect substantive rights. We believe these 11 proposed amendments are for the most part self-explanatory and I will not deal with each one individually. Examples of types of changes we categorize as technical are minor amendments to section 1 which clarify the wording dealing with "custody" and "control" and changes to other sections of the act which correct inconsistencies in the use of the words "appeal" and "review."

The second type of suggested changes have been classified as clarification changes. These changes could affect substantive rights and the committee may want to consider them more carefully than the technical ones. Our experience with the act over the past three years indicates that these clarifications are necessary in order to make the act work more effectively. I will just touch briefly on a couple of the 17 clarification changes we suggest.

Clause 22(a) of the act allows the head to refuse to disclose a record where the record has been published or is currently available to the public, but it does not expressly require the head to inform the person requesting access of the specific location of these records. As former commissioner Linden noted in one of his orders, the purpose of this exemption is to enable the institution to avoid the unnecessary expenditure of funds on photocopying material which is otherwise readily available. However, this purpose is clearly defeated if the requester does not know where to go to obtain this material. Our suggested amendment simply clarifies the situation by requiring the head to inform the requester of the location of the record when claiming the clause 22(a) exemption.

Another example of a clarification change is under clause 29(1)(b) and subsection 29(3), which deal with the notice provided by the head to a requester when access is refused. The current provisions do not require the institution to include a description of the record identified as responding to the request. If a requester has been refused access to a record, how can that person make an informed decision about whether to appeal the decision of the head if he or she does not have some knowledge of the nature of the record? Our suggested change would simply add a subclause to these sections which requires the notice to include a description of the record, thereby codifying what is necessarily implicit in these subsections.

1440

The third part of the report deals with what we call policy changes which affect substantive rights and may result in changes in the way decisions are made. I will now discuss a number of these 16 suggested policy changes in a bit more detail.

A number of suggestions concern the position of the commissioner. We feel the term of office should be increased from five to seven years, as is the case in most other comparable jurisdictions. We also think the commissioner should have the authority to appoint whatever number of assistant commissioners he or she feels is appropriate, and that a salary range for the commissioner should be established rather than determined on an ad hoc basis.

We also suggest that the commissioner be required to take an oath of office and confidentiality, and that IPC employees take an oath of confidentiality upon joining the agency. This requirement would make explicit the duty of the commissioner and IPC staff to keep all matters confidential that come within their purview.

Another internal IPC matter which we feel should be addressed is the commissioner's authority to discipline IPC employees on the one hand and the right of employees to grieve any disciplinary action on the other. These matters are not covered in the act at present, yet are established for most other legislative agencies.

Next, we have a number of policy change suggestions that touch on substantive provisions of the act.

Subsection 52(6) of the act gives the head of an institution the authority to require the commissioner to inspect a record at the ministry or agency. Although the practice in the vast majority of appeals has been for the institution to forward a copy of the record to our offices, as presently worded, a head could require the commissioner and IPC staff to view all records relating to every appeal at the institution's premises. This is both impractical and clearly not the intent of the legislation. Therefore, we have suggested that this section be amended to restrict on-site examination of records to exceptional circumstances where it would not be practical to reproduce the record by reason of its length or nature.

The act provides that where an institution does not respond to a request for access within the 30-day time period, the head is deemed to have refused access. However, if the deemed refusal is appealed, no penalty is available for failure to adhere to the statutory time limits, and therefore the institution has little incentive to comply. To address this deficiency, we suggest that a subsection be added to the act which allows the commissioner, in a deemed refusal situation, to require the head to waive fees which would otherwise be recoverable.

The act, in setting out the various privacy protection provisions, is largely silent on the question of what obligation institutions have in ensuring the security of personal information. We have included a suggested amendment that would make this obligation explicit. Since institutions must consider security-related matters in order to fully comply with the privacy provisions of the act, we feel this obligation should be explicitly acknowledged and addressed in the legislation.

There are a number of other privacy-related issues that require attention. We have included a suggested change that would require that all correspondence to the IPC from minors and those in correctional institutions or psychiatric facilities be kept confidential. The need for confidentiality is obvious to us and will ensure that these people are more fully able to exercise their rights under the act. Similar provisions to the ones we are suggesting are found in the Ombudsman Act.

Another issue we feel strongly about is the use of mailing lists. Mailing lists of individuals' names and addresses are compiled almost routinely by organizations for a variety of purposes but principally for commercial gain. The release of this information without the consent of individuals raises a number of privacy concerns. While part III of the act recognizes and protects personal privacy by restricting the use and disclosure of information, the protection may not extend far enough to include mailing lists, thereby encouraging the plethora of unsolicited and unwanted mail. We suggest that a subclause be added to the act which adds mailing list information to the category of information the release of which is presumed to constitute an unjustified invasion of personal privacy.

Perhaps the most difficult subject for us to raise is the extension of the powers of the commissioner. We fully appreciate that any extension of formal powers needs to be carefully considered by the committee, and I want to make it clear that any suggestions we are making in this area are restricted to difficulties we have experienced in working with the legislation over the past three years.

First, we are recommending that the commissioner be authorized to extend the period for filing an appeal beyond the 30-day time limit in special circumstances. We have dealt with instances where an appellant, for justifiable reasons, has not been able to meet the 30-day deadline. As long as the exercise of discretion is restricted to exceptional cases, we believe that the underlying principles of the act are better served by expressly authorizing the commissioner to extend the time period; concerns about equity and justice should prevail over strict adherence to time limits.

We also suggest that consideration be given to the following two related amendments. First, the act, while stating that the commissioner can make an order disposing of an appeal, does not explicitly provide that an action or decision of the commissioner is final and conclusive. It is clear, from a review of the debates when the act was originally passed, that the Legislature intended to establish the commissioner as the ultimate decision-maker for appeals. We are simply proposing that an express provision to this effect, commonly referred to as a "privative clause," be included in the legislation.

Second, we suggest that the commissioner be given express authority to reconsider a decision or revoke an order in exceptional circumstances. This would provide the necessary flexibility to correct the outcome of an appeal where an error has been made and would eliminate the need for the parties to seek relief through the court process.

These two suggested amendments are consistent with provisions found in the enabling legislation for tribunals performing comparable functions to that of the commissioner.

We also suggest that the act give the commissioner explicit authority to investigate and review activities of institutions that may be in breach of the privacy principles of the act. The act imposes a duty on the commissioner to perform certain functions which implicitly require the authority to investigate complaints and review information management practices of institutions. Our proposed amendments codify this authority, following precedents found in other jurisdictions which have similar privacy protection legislation, thereby eliminating any need for the IPC to rely on the goodwill of institutions when undertaking investigations and reviews.

Finally, we suggest that the commissioner's order-making powers be extended in the area of privacy protection. At present these powers are restricted to ordering an institution to cease a personal information collection practice or to destroy collections of personal information. We feel this authority is not sufficient to adequately ensure the proper management of personal information, and the commissioner should also be given authority to order an institution to cease a use, disclosure or retention practice that contravenes the act.

The final matter I would like to raise with the committee this afternoon is the practice of computer matching, which is a serious concern of all privacy commissioners. The IPC has produced a detailed report which is included in your materials, and I would like to briefly highlight our findings and recommendations.

Computer matching involves the computerized linkage of automated record systems or databases to identify similarities or differences in that information. For example, in the United States, lists of people who have defaulted on student loans are matched with lists of federal government employees, thereby enabling the government to identify those employees from whom it needs to recover outstanding loans. While computer matches such as this may appear on the surface to be logical and defensible, it is imperative that procedural safeguards are put in place prior to approval and implementation.

The central issue in the debate about computer matching is whether there are adequate safeguards associated with the technology to prevent violations of personal privacy. Computer matching is perceived by privacy advocates to be a potential threat to civil liberties and privacy. All western European countries, the United States and the Canadian federal government use matching as an audit and investigative tool. While no study exists documenting the use of computer matching in the Ontario government, we feel it is reasonable to assume from the experience of other jurisdictions that matching is being practised here as well.

There is a pressing need to determine the extent of computer matching within Ontario and to bring a degree of public accountability to bear on the issue. It is recognized that computer matching is an important and effective tool for the government; however, it is also evident that the privacy concerns associated with matching are grave enough to warrant some form of regulation.

1450

The statutory authority of the Information and Privacy Commissioner to review computer matching is limited. As a result, we are not able to effectively regulate or monitor computer matching practices that do exist and indeed we are seriously hampered in our ability even to determine the existence of current or proposed matching programs. If the question of computer matching is to be properly addressed in Ontario, it cannot be done by a simple amendment to the existing statutory framework found in the provincial Freedom of Information and Protection of Privacy Act. It requires a detailed examination of the extent of the problem and careful consideration of the most appropriate mechanism to control and monitor both existing and proposed computer matches.

We propose that a task force be set up within the Ontario government to examine the issue and its associated privacy concerns and to report within six months with recommendations on the most appropriate course of action.

That concludes my presentation. On behalf of my colleagues, I want to thank committee members for their attention and patience with my long-winded remarks. If there are any questions, we would be pleased to answer them. But before we begin, I would like to make one final request of the committee. I understand that you will be hearing from a number of individuals and organizations over the next several days. The IPC will be monitoring these hearings and if it would be of assistance to the committee, we would be pleased to provide written comments on any presentations which touch on areas of our responsibility. Realistically, I think we could undertake to have this information to the committee within two weeks following completion of your hearings, if there is an interest in that on the part of the committee.

Again, thank you very much.

The Chair: Thank you, Mr Mitchinson, for making your presentation. I will open the floor for questions. We have roughly until about 4 o'clock or we can extend the time if so wished. We can go around to each political party roughly about 25 minutes. I would like to begin the proceedings today with the official opposition.

Mr McClelland: Thank you for your presentation and your availability to assist us in this process.

One area that drew particular interest to me, among others, was the issue brought forth on page 29, the issue with respect to the authorities to investigate and review activities that may be in breach of the principles of the act. You indicated that the commissioner by implication is charged with that responsibility. Can you flesh that out a little bit and perhaps give us some assistance in terms of what kinds of particular tools you would see being provided by legislation and the staffing implications of the range of investigations that you are perhaps called upon to undertake at the present time -- you indicated that happens by implication, in any event -- the kinds of things that you would see flowing from the specific authority to investigate?

Let me tell you where I am coming from in part. I have a sense that some people are going to say: "We're going to end up with another policing-type agency. We already have agencies and institutions that fulfil that function." Do we have another watchdog, are we having yet another organization which will be adding another layer of prying, if I can use that word, imposing management suggestions to an agency that is already undertaking the responsibilities that could do so with a little bit of guidance or some assistance from the commissioner? How far do you want to take this investigative unit? How much authority, how inclusive, how many people?

Mr Mitchinson: Maybe I could address the people issue first. I think as it stands now, whatever complaints we receive from members of the public that require investigation we now investigate. It is not as if we would be doing anything new that we are not already doing under the act, so I think I can tell you that the resource implications are minimal from it.

I think we have found in the past that when we make our recommendations to the House as part of the requirements under the act, to do so we are basically commenting on the management practices of the government. We cannot conceive of how we could comment on those practices if we do not have authority to investigate and determine whether there are any problems at all.

What happens right now is that on occasion we have had to spend some time trying to convince the various government institutions of that argument in order for us to begin what will ultimately be done in any event. I do not think we are talking about anything more than clarification.

I can just tell you that in a number of jurisdictions, certainly the federal privacy commission, or Australia or Quebec, normally the provisions that we are suggesting are in place in the privacy commission. It is in a sense, I suppose, from our perspective perhaps an oversight as opposed to a fundamentally different way of looking at the way we operate.

Mr Morin: I understand that the role of the commissioner is somewhat akin to the Ombudsman in many ways.

Mr Mitchinson: In many ways, yes.

Mr Morin: The Ombudsman is appointed for a period of 10 years to age 65 and can only be dismissed for cause. Why not do the same thing for the Information and Privacy Commissioner?

Mr Mitchinson: When we were considering what to propose in that area, we looked not only at the Ombudsman but also at some other comparable commissioners. We looked at the federal privacy commissioner, the federal information commissioner, the Australian commissioner and Quebec commissioners and we found that generally the most common period of appointment was seven years. The Ombudsman period was the only one that was 10 years. We just felt that the most logical period term was seven years.

Mr Morin: Two offices of the Legislature would not have that uniformity.

Mr Mitchinson: I do not think we feel strongly about that. I think we felt that five years was probably too short compared to what most other comparable tribunal heads were appointed for.

Mr Sorbara: I have a number of questions relating to the data banks that the government has, that private industry has and the role of the privacy commissioner and your office in that regard. I was interested, however, in listening to your remarks concerning the advisory role of the commission. In fact, in your remarks you referred to the fact that the commission's most challenging advisory role so far had to do with its advice proffered to the government in consideration of the introduction of our new health card -- the number that distinguishes us and our health, or lack thereof, from every other citizen in the province of Ontario.

Could you tell me, first of all, a little bit about that and about the role you played, about the issues that were brought up for your consideration and how those issues were resolved?

Mr Mitchinson: I think Ann Cavoukian is probably the best person to answer that.

Dr Cavoukian: We have been monitoring the introduction of the new health number for some time now, I would say since the beginning of 1988. At that point it was not clear what form the health number was going to take or the medium that was going to be used because there was considerable debate as to whether smart card technology must be used instead of the existing magnetic stripe.

Mr Sorbara: Can you just explain that to the committee, smart card technology, what the difference is and what we have?

Dr Cavoukian: I will try to be brief. Smart card technology would require that a computer chip with memory be embedded in the card that would hold a fair amount of information on the card.

Mr Sorbara: Like your entire medical history.

Dr Cavoukian: That is one possibility, certainly, so that if you went to a pharmacist, for example, or your own physician and you gave that card, that individual would be aware of the contents of the card. They would have a reader and it would enable reading of that card. We worked quite closely with the Ministry of Health and it decided, I think properly so, that at this point in time the technology was not sufficient to ensure the level of privacy protection we felt was necessary if you did go the smart card route, because in the wrong hands, of course your entire medical history would be available.

The Ministry of Health decided to go the striped card route and at that point decided on the method of the number, that it would be a unique personal identification number, each individual would have his or her own number as opposed to the present subscriber-based OHIP system where the head of the family only had the number. From a privacy protection point of view, there are clear advantages to each individual having his own number and having his own personal information.

1500

The area that causes a great deal of concern is that without adequate controls on the use of the health number, since in effect it becomes a personal identification number, a universal identification number, if there were not adequate controls imposed at the time of introduction it could go the route of the social insurance number which, you may be aware, has been subjected to a great deal of abuse. It was introduced in the mid-1960s, absent of any controls on its use and it has been --

Mr Sorbara: I just want to interrupt you at that point. I think it is fair to say that at the time of the introduction of the SIN there were commitments on the part of the government, clear and unequivocal, that the social insurance number would be used only for the purposes stated in the act and for no other purposes. Is that not right?

Dr Cavoukian: That was the intent, clearly. However, its use grew enormously. The controls on its use were lacking even though the intended use, as you indicated, was for just two purposes initially. It has in effect become the de facto identification number for Canada. It is used widely by both the public and the private sector. We were concerned that the Ontario health number not follow the same route and we contacted the Minister of Health and requested that legislative controls be introduced now, prior to its actual implementation, that would do two things. They would restrict the use of the health number within the public sector to health-related purposes and would prohibit its use in effect by the private sector, which we felt had no right to this information.

A considerable degree of dialogue went back and forth between ourselves and the previous government and then, as you know, there was a change in government. We also met with the new Minister of Health, Evelyn Gigantes, and she was very receptive to our comments. As you know, Bill 24 was introduced just before the House rose and very adequately covers the concerns that we had and that we made available to her.

Mr Sorbara: I want to get back to the original debate that was going on between you as an adviser to the government and the Ministry of Health and the government writ largely over the question of a smart card or a relatively dumb card. You would consider this a relatively stupid card, would you not, in comparison to the smart card?

Dr Cavoukian: It is possible to call it that. It is not a smart card.

Mr Sorbara: This can only tell the name, address, phone number, previous residences and a few other tidbits of information.

Dr Cavoukian: Yes.

Mr Sorbara: A smart card could really keep an individual's entire medical history, including all his visits to a psychiatrist, all his or her visits to doctors of any number and description, other sorts of services provided by the state to the individual; that is what a smart card can do.

Dr Cavoukian: That is correct, yes.

Mr Sorbara: Was the ministry advocating a smart card and you were advocating a relatively less sophisticated card?

Dr Cavoukian: Not really. There was considerable dialogue, but we did not recommend that they go the magnetic stripe route versus the smart card route. We raised concerns with the smart card which they were aware of. We talked about those. They had a number of options and I remember the meeting in February 1988, when we met again. They on their own had decided quite independently to go the magnetic stripe route. We did not get into a great debate as to why, but one of the concerns they articulated was that they felt the technology, in terms of ensuring the level of security and confidentiality needed to protect privacy they were committed to, was at least three to five years away.

Mr Sorbara: What you are saying is that it is quite possible, once we have smarter technologies, that these cards will be replaced with a smart card that has a little computer chip with history encoded on it.

Dr Cavoukian: It is certainly possible.

Mr Sorbara: What would you predict is going to happen?

Dr Cavoukian: I predict that is certainly a possibility within the next 10 years. I cannot predict a time frame. It would depend on the level of the technology.

Mr Sorbara: I am also interested in the comments related to the comments on the health card, particularly where you say that you look forward to the passage of Bill 24, which creates a statutory prohibition I guess on inappropriate use of the card, and also to the introduction of a wider-ranging health care information protection act in the upcoming spring session. Can you tell us about that? What should we expect? Are you scooping the Minister of Health now or is this something that we should already know about?

Mr Mitchinson: No. When the Minister of Health introduced Bill 24, she made reference to the fact at that time that discussions were under way with the intent of introducing a health care information protection act.

Mr Sorbara: What do you anticipate is going to be in that act?

Mr Mitchinson: If you recall the Krever commission study into the use of health-related personal information, I think the intent is to build on that document and to introduce a scheme that deals with the protection of personal information that is resident in the entire provincial health system -- in doctors' offices, in hospitals, in the Ministry of Health, in the whole system.

Mr Sorbara: We do look forward to a world in which pretty quickly a card like this, whether smart or less smart, is going to be inserted in a machine in a doctor's office and all the information that might be available becomes available to that doctor or the receptionist or the nurse or the other individuals working in that office. Is that right?

Mr Mitchinson: I think it is pointless to think that the technology is not going to exist. The technology clearly will exist. There is little doubt of that. We are very concerned that when the technology does progress, adequate controls continue to be placed on the use of that technology to protect at the same level as we have acquired protection with the less smart technology. I think that is one of our major priorities, and one of our areas of attention on an ongoing basis is the evolution of smart card technology, particularly as it relates to potential use in the health care field. I think by moving at this stage of the game to a magnetic stripe technology, all it did, to some extent, was make our job a little bit easier now and our job a little bit more difficult as technology evolves.

Mr Sorbara: Mr Chairman, just to be very clear on this, the reason for pursuing this line of questions is in some respects to point out that although this act was introduced into the Legislature, in fact based on a model designed by a former Liberal member of the Legislature, Jim Breithaupt, who is now the chair of the Commercial Registration Appeal Tribunal, and designed to provide all of the world with the information that it should have access to that resides within government, whether it is on emerging policies or documents relating to health and safety -- I was familiar with those during my time in the Ministry of Labour -- or innumerable things, and it was the subject of the presentation of the executive director of the commission, what is increasingly apparent to me is that the real challenge for government over the medium and long term is going to be the effective management of privacy of the individual citizen. Particularly given the submissions that you made in the final part of your presentation referring to computer matching, it sounds to me like, in pursuing those investigations, what you are suggesting you want to do is to put some sort of constraint on government itself not to be overly aggressive or overly ambitious with the information that it itself has.

The original intention of the act was to provide information to the general public without undue harassment by government officials. We added to that a protection of privacy component. You seem to be building on that and saying the commission should intervene or at least make policy suggestions to manage the government's overaggressive use of information that it has in a variety of data banks and indeed be able to match that. That is of interest to me because it is the very management of that information in the private sector which is so challenging and so threatening to the individual.

Just to give you an example, at American Express I am told that protection of privacy is one of the key training elements for everyone who comes on and works for that company. Why? Because inappropriately managed, someone could go into the computer data banks and trace all of my activities over the past six months, who I sent flowers to --

Mrs Marland: I did not get them.

Mr Sorbara: Well, Margaret, that is American Express's fault, not mine. But they are coming COD, unfortunately, given recent events. And on it, who I sent flowers to, what hotels I stayed in, what I ate, how much I leave for a tip, what kind of gifts I buy at what particular times of the year, and on and on at the press of a button.

1510

Mr Mitchinson: If I could just interject there, I think one of the reasons you will notice why we have isolated computer matching as a separate heading and a separate report is because, based on investigations that we did, we concluded that this was a very large problem. This is not something that could be addressed simply, like some of the other recommendations, by an amendment to the act.

If it is going to be handled effectively and if we are going to address some of the concerns which I think you are alluding to, the first step of the game in the government sector is for the government to get an awareness of just what kind of computer matching activity is happening. How big is it? How extensive is it? How many controls are on it already? What is the proper way of regulating the use of the technology? It is the same, in a sense, as the comments on the smart card technology. There is no point in resisting the fact that the technology will be able to provide this efficiency. It is, "Let's make sure we can respond to it in order to protect some of the other interests."

Dr Cavoukian: If I could just make one comment directed to another point of your question, there are two main purposes to the legislation. Of course, it is the freedom of information side of the legislation that speaks to general records of the government to promote government accountability, records relating to the operation of the government policies, programs of the government. Those are the records that the FOI section of the legislation applies to. There is not, as you know, this freedom of information access to personal information, to my personal information or to yours. There are two entirely separate parts of the act, and personal information is to be protected. It is not at odds with the release of general records relating to the government, but it is just very important to keep the two entirely separate purposes of the act and the two types of records in your mind.

Mr Sorbara: I think I understand that, and just before my colleague's supplementary, my final question or request for a comment, it seems to me, given we have members of the press here present, what are they interested in: the protection of privacy of individuals and locations that they think they should have access to?

We are now trying to protect, not based on its inappropriateness under the freedom of information side, but the other side which you describe -- that is, the desire to protect the privacy of individuals whose names and alleged crimes perhaps ought not to be provided to the entire world, and it really is the entire world, given our current technologies. It is not the local newspaper; it is a broadcast around the world.

It seems to me that the freedom of information side, which was the pith and substance of this entire exercise, when it was formulated and presented in the form of a bill, or a policy paper and then a bill -- "Freedom of information. Let's open up government. Let's let the citizens know what is going on" -- that part of the exercise is pretty much under control.

Some people do not get everything they want, and sometimes you have to mediate and sometimes you reach a settlement and sometimes there is an appeal. But the great public policy challenge is the protection of privacy, given our technological ability to aggregate and then divide up and deal with data that can at the touch of a button give a pretty interesting and pretty personal profile of individuals who may not want that information made available to other individuals or the general public.

Am I right in that? Is this your problem now? Is it right to say that the problem of the freedom of information side is pretty well under control, and privacy is the real issue?

Mr Mitchinson: I think the more it is said in terms of black or white, the less ability we have to really agree. I think it is too early to really say that the freedom of information side is without its difficulties. It certainly does have its difficulties associated with it as well. But I think if you are looking at which side of the legislation has the potential for ongoing breadth and development and evolution, probably the privacy side of things does. If you look at the way the act was structured, you will find that the sections dealing with freedom of information are laid out more definitively, whereas the sections dealing with the protection of privacy are talked about in more abstract terms, which is, I think, one of the reasons why, when we are asking for some clarification in mandate, primarily it is on the privacy protection side as opposed to the access side.

Mr McClelland: Mr Sorbara, in talking about the health card, uses by way of analogy and reference the American Express commercial card. He also raised the issue that you say one of the most difficult subjects would be the extension of the part of the commissioner. Well, let's talk about the commission and the act itself.

You are talking about mailing lists. Getting back to your mailing list, it seems to me that we are getting into an area -- and I would be interested in your comments on this -- of the commercial-corporate-private sector operation as opposed to government. To what extent do you feel philosophically it is appropriate for the commission to begin to move into that area -- I think implicitly you are suggesting that; if I am wrong, I would like some correction on that -- and do you think it is appropriate that we address that under the privy of this act or look at it more in the area of commercial practices?

I see some problems, quite frankly, in moving away from government institutions at whatever level, provincial or municipal, and moving into the private corporate sector using this as a vehicle. I do not question the appropriateness of considering the need for that type of legislation or even examining it. Whether it is rejected or not is irrelevant, but I wonder about the appropriateness of this act.

Mr Mitchinson: It is a very good question, a very interesting question, which we have also turned our minds to. In various jurisdictions around the world there are the equivalent of privacy commissions that are involved in regulating the private sector. It does exist, but it would be wrong to think that a system involving the private sector could simply be included in the legislation as it currently exists, because there is no jurisdiction in the world that tries to provide freedom of information to the private sector.

We are just dealing with the access to personal information by people in that component of freedom of information, but that is it. Nobody is suggesting that private sector records should be made available to the public. So the fact that we have two broad mandates included in one legislation does present some inhibitions to simply bringing in the private sector.

Another aspect is that in those jurisdictions that do regulate the private sector, generally they are registration-based systems where if an organization wishes to make use of personal information for a purpose, it goes to a body before it is implemented and it asks for authority to do so. That commission then goes and analyses the request and decides whether or not it can be supported, whereas our system is an investigation review system. Nobody is required to register with us. People go ahead and do their business the way they see best and we come in and monitor that and review that.

The Chair: Thank you. Your time has expired.

Mr Sorbara: We were just getting going. We were on a roll.

Mrs Marland: Can I just clarify? I am sure that in the year ahead, for this committee at any time that we wish our deputants from today to come back, we would have that flexibility.

The Chair: Yes.

Mrs Marland: Because I can see that the more we get into this very critical subject, the more enlightened we are going to become with the act and, therefore, the more questions we will have of you three as individuals.

Mr Sorbara: But you are already enlightened.

Mrs Marland: I am, very. I remember, when employers started putting the social insurance number on employee application forms for employment, there was a very big controversy, and I think now, frankly -- and I think in one of your answers earlier this afternoon you almost concur, if I did not take what you said incorrectly -- sometimes systems are developed and their purpose is designed, and then we get into a situation where it is expanded without the risks and the repercussions of the expansion really being analysed ahead of time.

Frankly, my feeling is, and I have not been in a position where I have studied it at any length, that the SIN numbers are being misused in a lot of circumstances. When we start to look at, as Mr Sorbara mentioned, our latest government-issued card in terms of our health card, I have to wonder if down the road we are going to be putting at risk the protection of the patient rather than the protection of the patient's health. There has to be a point at which to have a smart card becomes a tremendous violation of that patient's privacy and not necessarily is balanced off in weight with an equal protection of that patient's health.

1520

Mr Mitchinson: I think we share the same concern. That, I guess, is our job. Our job is to make sure that as the efficiency arguments are put forward, the privacy component is addressed and considered and dealt with. I think we share your views.

Mrs Marland: I know there are concerns about people getting large numbers of prescriptions by going from doctor to doctor or emergency department to emergency department. Maybe if the records of what that patient has already been prescribed were readily available on a computer, perhaps we would be in a position to break down that particular scam. For the number of people who do that, I really worry about the protection of privacy for that patient. I find the whole process rather scary, to tell you the truth. I think we always felt that eventually we would all end up just being a digit in somebody's computer somewhere. We forget the Christian names and the family names. I really feel that the responsibility you have overall in any area of the impact that this act can have on government is very, very crucial.

Mr Mitchinson: Yes, that is rather overwhelming. I agree with you. I think that is a very important role for us. I think all we can say at this stage of the game is that at whatever level we have had to deal with it, in this context so far we feel we have been able to do it. We feel we have been able to address and sensitize the government to the privacy concerns. I can assure you that we will continue to attempt to do that as the technology evolves. We know full well that the technology is going to evolve. There is no doubt about it.

Mrs Marland: I know, on the other hand, there are areas where access to information, freedom of information, is very important. One example that I really think about a lot is when the furore developed over the Love Canal in New York state. At that time, under their existing freedom of information restrictions, no one could get to the bottom, both in the literal sense and the research sense, of what that property involved. In the meantime, the Hooker chemical company, which had owned the property, was being maligned and everyone who had anything to do with it was being very severely criticized because of what had evolved with that property. Yet when the freedom of information changed -- I have forgotten what the US statute was called. What was it called?

Mr Mitchinson: They would have a state statute and a federal statute.

Mrs Marland: They did, I know. I have forgotten what the name of their legislation is, but in any case, when it came out, what they found was a complete reversal. Here this company had been damned because it had put all this garbage in what had been constructed as a canal, as you know the story. In any case, the thing is that in that case, until they could release those records, everybody had a totally inaccurate interpretation of what the circumstances were, and then when the truth came out, in fact the Hooker chemical company had not wanted to sell the property to the school board. The school board that wanted to build the school at the Love Canal had gone to the city of Niagara Falls, New York. and forced the city to force the company to sell it to it so that it could build a school there even though there were some rumours of what was in that land, and none of this came out until the access to that information was made available.

That is a very real example. It is a story that everybody understands and can identify with it. There, freedom of information actually served a purpose for everyone. It certainly did for the chemical company that had been maligned and it did for the public to understand a process and what had gone on and who really was responsible.

I am very supportive of that process, but as I say, I am very nervous about the privacy of us as individuals. As far as our health records are concerned, I think we can legislate specific aspects of health that have to be public. Certainly if you get smallpox you have to be quarantined, so maybe we will get to the point where if you have AIDS it has to be publicized. There are a whole lot of areas where we see changes being made, and those changes will be made at a time when it is appropriate to make those changes in order to protect public health.

Quarantine is a protection for public health in terms of epidemics. There are other epidemics for which there are different sets of rules for different diseases in terms of public health, so why does the public or would the public ever really have to know what is on my smart card? The only reason I would want a smart card would be if it was a protection of my health. My reaction to that is that if my health records have been private all along, and since computer records have been kept of people's health histories and we have not had a problem without this next step, then I really think we would have to be very cautious, as government, to legislate that next step.

Mr Mitchinson: Again, I quite agree. I think what we have to be sensitive to is that as technology evolves, capabilities evolve in an exponential manner. I think safeguards that may have been adequate all along may no longer be adequate as technology advances. I think our role and a number of other people's role is just to make sure that continues to be the case.

Mrs Marland: We can always assume that we have very ethical staff in the American Express organization, as an example, that has Mr Sorbara's card, but the fact of life is that people are people and human beings are human beings and we can never be guaranteed that computer matching would not go underground or illegally. So my sense to protect myself or my family or anyone else from that is that I want the least amount of information in that computer to start with, and that is why I really object to it when people ask me for my social insurance number unnecessarily.

I really look forward to getting further into this subject as this year progresses and to discussing it at a future opportunity with you.

Mr Villeneuve: Thank you for an interesting presentation. I see from your statistics that in 1988 you had 4,700 and some requests, and that in 1989 it almost doubled, to some 318 provincial institutions. We seem to assume that health reasons are the main reasons for information. You have monitored all this. Can you tell us which area of government receives the most requests for information that has hitherto not been available?

Mr Mitchinson: Yes. Do you have your binders with you?

Mr Villeneuve: I do not. I am sorry.

1530

Mr Mitchinson: Okay. If you can just bear with me, we have some summary statistics in the binder. It is in binder I, section 6. On the request side, the figures are available only for 1988 and 1989 and they show in the back of it. Figure 1 deals with the type of requests that are available, figure 2 the numbers, and figure 3 the disposition. I thought we had some that dealt with the numbers of institutions; I guess we do not -- oh, yes; we do, sorry, no, that is only on appeals. I guess the best I can do for you is to give you the 1989 figures out of the annual report.

Mr Villeneuve: My main question revolves around this: Do you see a zeroing in on a supposedly problem area that could continue to get worse or do you see the requests going in a rather general direction?

Mr Mitchinson: No. I think in each year there have been certain institutions which have received the bulk of the requests under the act, and I think the nature of the business that various ministries and agencies perform lend themselves, I suppose, to more of an interest from the public in requesting information. I do not think we have had enough time yet to really identify the trends definitively. On the other side -- I am just thinking off the top of my head on some of the statistical information we had -- there was, I know, a difference in the agencies within the first two years of operation. In one year certain agencies seemed to be the focal point for requests and then in the next year that dropped off quite dramatically.

Mr Villeneuve: Would you see within these agencies that information is requested from a great degree of variance as to the availability or the perceived availability of information? I gather your job is to monitor and make sure that it is rather uniform across the board. I am led to believe that information was readily available prior to this legislation which, all of a sudden, became classified information. I can understand that, but to the point where we may be creating a monster, that need not be.

Mr Mitchinson: Maybe Tom can comment a bit on that.

Mr Wright: I think you are absolutely correct in looking at the situation that existed before this legislation came into effect. In fact, there is a means whereby if you basically had access to general records before the act came into effect, you should continue to do so. I do not have a sense that there has been any change or tightening up as far as the general records area is concerned. I think it is important that we keep in mind this distinction between purely government information records, as Mr Mitchinson described in his presentation, and information about you and I, which we call personal information that is treated quite differently.

As well, just to talk a little bit further with respect to what Tom said, in one year, for example, the Ministry of Revenue had a large volume of requests because for some reason everyone was looking for his own personal assessment information. That issue was resolved within that year and in the following year that number of requests just simply dropped because they were gone, so it fluctuates. It is very issue-specific.

Mr Villeneuve: So that was basically testing the system, is what you are telling me. People were testing it to see if indeed what was on pertaining to them was close to what they perceived or to what they thought they had on record.

Mr Wright: That is a very good way of describing it. Yes.

Mr Villeneuve: As time goes on and as things become more and more sophisticated, I guess your job would be to monitor some of the problems that you have outlined with the computer matchings and what have you. Would you have the power to prevent that?

Mr Mitchinson: I guess it all depends on what authority we have in the legislation. I think right now the authority to deal with improper management of personal information is restricted to prohibiting collection practice and ordering a destruction of information. Right now we do not have order-making authority to deal with use of personal information or with disclosure of personal information. I think one of the suggested amendments that we raised was that we feel if we are to provide an oversight function in ensuring the proper management of personal information, it has to really be broader than simply issues relating to collection; it has to deal with use and disclosure and retention as well. Otherwise it is not really coming to grips with the extent of the problem.

I think if we were to get more involved as a regulatory body in the area of computer matching or whatever, as I said in my remarks, it would have to be done by some fairly extensive review of the provisions that currently exist.

Mr Villeneuve: Can you at this particular point in time prevent a credit card company, for example, from providing information about where I have spent money with my credit card over the past 12 months? Can you prevent that?

Mr Mitchinson: No. The credit card companies are all private sector organizations, totally outside the purview of this legislation. We have no role in regulating credit agencies right now.

Mr Villeneuve: This is where a lot of the matching would occur.

Mr Mitchinson: I think where it is relevant right now is that under Bill 24 a credit agency would be prohibited from using your new health number in any business that it did, whereas now, if you have dealt with them, you will know that they routinely use the SIN number, but they would be prohibited now under this legislation from using the new Ontario health number.

Mr Villeneuve: Do you foresee your role as needing to be expanded, maybe with more teeth as you go on?

Mr Mitchinson: As it relates to the private sector?

Mr Villeneuve: Yes, as it relates to the entire information gamut, which is a pretty broad spectrum.

Mr Mitchinson: I think we have outlined in our brief that we do feel there is a justification for expanded powers in privacy protection under the current provincial act. As I said to Mr McClelland, I think if you start dealing with the private sector, then that is a much bigger issue and I think it would have to be looked at basically from first principles.

Ms S. Murdock: I have a couple of quick questions; hopefully quick. On page 11 of the submission there is a mention, "Although there is not a one-one correlation between the number of requesters and the number of requests...." I get the impression that there is a correlation or there has been some correlation done.

Mr Mitchinson: I could not give you correlative figures on it. I just wanted to make the point there that there are some requesters who make multiple requests, so you cannot just simply conclude that, for instance, there have been 8,233 individual requesters.

Ms S. Murdock: Okay, so there is no record at this moment as to whether or not a requester makes 500 requests.

Mr Mitchinson: At the request level? Is there?

Mr Wright: No.

Mr Mitchinson: No, not at the request level.

Ms S. Murdock: The second question I have is again from your submission. A six-month task force on computer matches? Have you done any costing on that in terms of what the cost factor would be?

Mr Mitchinson: No. we have not. In fact, as I tried to say there a little bit earlier, I think in order for anyone to make any effective decisions in the area of computer matching, we feel that more information needs to be known and that this is, in a sense, an information-gathering purpose behind this task force, an ability to come back and provide some recommendations as to which way we should go. I do not think we envisioned it to be an expensive undertaking or a very heavily resource-laden undertaking, but I do not --

Ms S. Murdock: Has this information gathering been done in other jurisdictions, for instance in the United States or Australia?

Mr Mitchinson: One of the issues we have found, and the reason why we have recommended a task force approach, is that the approaches that were taken in the other jurisdictions on the problem have basically not come to grips with the vast nature of the problem. The survey and to sort of design a comprehensive system to deal with it has not been the approach that has been taken in these other jurisdictions. They have tried to piecemeal it, and as a result I think they have been largely ineffective in coming to grips with the fundamental problems around computer matching.

1540

Ms S. Murdock: Okay. Lastly, this is just a global question. In the materials that you provided to us, I do not have much difficulty with the technical aspects; it is just clarification of language and using the same language throughout. In the proposed policy changes, however, in every instance you explained what the situation was, what you were proposing and how the proposed amendments would resolve the problems that you have encountered in its use over the past three years.

I am just wondering, in the proposed amendments there is no indication anywhere throughout as to possible red flags as to user groups or consumer groups that may object to that kind of an amendment, or proposed amendment, and I was wondering if you had looked at that or if you were prepared at some time in the future to provide us with that information.

Mr Mitchinson: I think the approach we took to identifying amendments, from our perspective, was where we saw difficulties in the way we have been doing business over the last three years that could be remedied. Anything that we are proposing there, as we are aware, would not affect the user groups that use the act right now. They are primarily related to the things that would make us able to do our job better. If you notice, a lot of the provisions relate to the operation of our agency itself, and a number of the other ones deal with our ability to deal with institutions of the government more effectively. They are not targeted at user groups or any way of inhibiting the right of someone to use the act or to complain to us. If anything, I think they are enhancing that concept.

Mr Owens: On page 25 of your submission you make reference to needing a legislated mechanism to discipline employees. I am wondering why you would be different from other government agencies or employers in the field with respect to discipline and why discipline for cause cannot be used in its regular form, and second, with respect to its impact on collective agreements, your reference to grievance makes me believe that we are talking about employees who are certified in a bargaining agreement; how would that type of legislation impact on the rights of those people within that bargaining unit?

Mr Mitchinson: Just to start off, we are not an organized agency. There is no bargaining unit within our organization. I think our intent by making this suggestion is basically to do just what you have suggested, to make our organization operate just the same way every other comparable organization operates.

If you look in the legislation, for instance, for the Audit Act or the Legislative Assembly Act or the Election Act as it relates to the employees of those various legislative bodies, generally they have a system in place that allows for grievance of actions related to dismissals or classifications or anything like that, and our act is just simply silent on it. There is nothing in it whatsoever. We are suggesting that we introduce a scheme very much patterned after the auditors' operation, which gives the employees the right to grieve and also makes it clear that the employer has responsibilities under the act as well.

I do not mean to imply that there is no authority now -- I think there is considerable authority -- but I think that to be more consistent with other organizations it would be better to have it laid out specifically in the legislation.

Mr Owens: Second, on page 29 you talk about giving a commissioner the flexibility to change an appeal. What type of mechanism do you see that taking?

Mr Mitchinson: Tom, maybe you can speak to that.

Mr Wright: I can. In terms of the flexibility, what we are looking for is simply the situation where there is a misstatement of some kind, an incorrectly stated fact in an order. We are talking about the order situation. I can indicate that it is simply the sort of ability that other tribunals have. What it does is assist all parties to the appeal to avoid the need to go on to a court and take the time to have a court basically recognize that yes, something just happened, it should not have, and through the miracles, or lack of, word processing etc, some things do happen. This mechanism simply allows small changes that do not necessarily affect the validity of the order to be made. It is a fairly administrative situation as far as administrative tribunals are concerned.

Mr Owens: With respect to the cost it involves to an individual in filing or requesting information, do you have any idea what the average cost was last year or the last couple of years per request to an individual?

Mr Mitchinson: There is no request cost associated with an appeal. The cost takes place at the request stage. I really think probably the Management Board people are the best people to provide you with information about anything like that relating to the request stage.

The Chair: Is that a request for that information?

Mr Owens: Yes, it is actually. I would like to find out what the average cost is and then I would also like to find out from the Management Board people whether they see that as being prohibitive or whether they are looking at any changes to make the system more inclusive rather than exclusive.

The Chair: Are there any further questions?

Mr Sorbara: Do we get some questions over here tomorrow, or are our 25 minutes up and that is it?

The Chair: I can certainly allow a certain latitude, if that is the wish of the committee, but that means the other parties would get response time as well. Is that the wish of the committee?

Mr Sorbara: I am not the whip on this committee. I am actually substituting. I know that you cut off Mr McClelland a while ago at the 25-minute mark and then the New Democrats did not seem to have enough questions to fill in the time available for the completion of today's work. I thought maybe you wanted some other questions or were soliciting some other questions from other members.

The Chair: Is that the wish of the committee? That is not the wish of the committee.

Mr Sorbara: What is not the wish of the committee?

The Chair: Is it the wish of the committee to go around again with questions?

Mr Owens: Are we planning on finishing at 4 o'clock?

The Chair: Yes, 4 o'clock.

Ms S. Murdock: If it is going to elucidate anything, I would be most happy for Mr Sorbara to speak.

Interjections.

Mr Sorbara: I think there is some disagreement on your side.

Ms S. Murdock: In truth, the whole point of this exercise is to learn as much as we can from any source and from any question that we can. I think it is fair that we do that.

Mr Sorbara: I want to ask a few questions on the primary side of your mandate; that is, the freedom of information side, the side that has a freedom of information co-ordinator placed in every ministry to deal with requests for information which are considered and then a decision is made by, in most cases, the deputy minister, but under the act a person called the head of the organization.

I am wondering if you have an example or two of an appeal that was difficult and the basis upon which the appeal was adjudicated, whether in favour of the requester of the information or against. What I am trying to get to is the kind of information that people are looking for.

Mr Mitchinson: I am going to very gingerly turn this over to Tom Wright, but I will just say at the outset that on the access to information side, we perform the function of a quasi-judicial tribunal.

Mr Sorbara: I understand that.

Mr Mitchinson: We have to be very careful. So if we are a bit guarded in the way we describe it, it is for that reason.

Mr Sorbara: But you render decisions.

Mr Mitchinson: Right.

Mr Sorbara: I do not want you to talk about a case that you are currently considering, but a judgement that was made, what was the request for the information, what were the issues in the appeal, how did you decide that question and why did you decide it in that fashion? Pick a difficult one; pick a tricky one. There are lots of requests for information. I will just give you a personal anecdotal experience.

When I was the Minister of Consumer and Commercial Relations, the head of the liquor board employees' union came to see me and said, "We've been trying to get a piece of information out of your ministry through freedom of information for months and months and we can't get it." I said, "What is it that you want?" He described it to me and I said: "Why didn't you just ask me for it? I don't have any problem disclosing that."

I am trying to get a sense within the adjudicative context of what people are looking for, what the issues are when you are considering an appeal and what the territory is like. Describe the judicial territory, if you could.

Mr Wright: I would be happy to do that. I will use an example, as Tom mentioned, of an order that was issued I believe in the month of December. The person had asked for a study that had been done by some consultants who had been retained by one of the ministries with a view to --

Mr Sorbara: What ministry?

Mr Wright: I believe it was the Ministry of Natural Resources. This was a request that was made earlier in the year. The person was asking for this study which related to the cottaging policy that was going to be developed in the north. This person had an interest in terms of the environmental impact that might take place, depending on the nature of the policy that was ultimately developed. They made a request to the ministry and the request was denied on the basis that, one, in some way it was a cabinet record because a policy had not yet been agreed upon, and second --

Mr Sorbara: Was that a general, typical line of defence, that this is a cabinet record, that this is for advice to a minister, that this is on its way to cabinet?

Mr Wright: Cabinet record actually has not been an exemption that has been used all that much in terms of the appeals that we have seen. In this particular case, it was one that was used. The other one that was used was advice for recommendations of a consultant retained by the institution. That is an exemption that is available to the government under section 13.

Those two exemptions were the basis for the denial of access. The person appealed to the commission and the process that we have in place for dealing with an appeal proceeded to the point where it could not be mediated. There was no opportunity to mediate in that case, so we went to the final stage which is where an order is actually made. Both of the parties to the appeal are given an opportunity to make representations to me in this case --

Mr Sorbara: You sit alone under those circumstances?

Mr Wright: I am a sole decision-maker. That is correct, yes.

Mr Owens: On a point of order, Mr Chairman: I am just wondering how much time you have allocated on this new rotation per each.

The Chair: About four minutes, Mr Owens, and I was just going to ask Mrs Marland if she had a further question to ask. Are there further questions over here?

Mr Sorbara: Am I done then?

Mr Fletcher: You are done.

Mr Sorbara: I am in the middle of this question and I am not going to be able to finish it.

The Chair: You can finish your question and the response.

Mr Wright: Yes, in fact I am the person who makes the decision in the appeal, and in that particular circumstance I found that the facts were such that it was not a record that fell within the cabinet record exemption. In fact, looking at section 13 in that particular case, although it clearly did contain advice or recommendations, the act itself contains in section 13 a number of exceptions. Even if a record contains advice or recommendations, the Legislature when the act was introduced said, "But, if it is this type of record" -- one of which was a type of study -- "then that whole record should go out."

What I ordered in that case was that the record be disclosed. Our practice is to ask the ministry to confirm that the record has been disclosed pursuant to the order and we received that notice in that case and in fact an acknowledgement from the person asking for the record that it had been received.

Mr Sorbara: And you provided written reasons for your decisions?

Mr Wright: Every order is in writing, yes.

The Chair: Thank you. We wish to thank the two assistant commissioners and the executive director of the Office of the Information and Privacy Commissioner for coming along here today. No doubt we will be hearing from you through the course of the year. Thank you.

Before we go, just a point of information for the committee. On behalf of the committee, I have requested the clerk to see if he can do something about the climate in this committee room for the duration of the hearing. As an addition to the agenda for tomorrow afternoon, the Solicitor General will be appearing at 3:45. Meeting adjourned until 10 am.

The committee adjourned at 1555.