
Without a trace

Background

Media reports appeared in the press in the summer of 2008 concerning litigation related to a wrongful dismissal action filed in court against the National Gallery of Canada (NGC). Those reports, based on documents filed with the court, suggested that records were destroyed and/or individuals were counselled to destroy records that may have been responsive to an Access to Information Act request.

Section 67.1 of the Act makes it an offence to destroy, mutilate or alter a record, or direct, propose, counsel or cause any person in any manner to do such things with the intent to deny a right of access under this Act. A person who contravenes this section of the Act is guilty of an indictable offence and liable to imprisonment for a term not exceeding two years or a fine not exceeding $10,000 or both; or an offence punishable on summary conviction and liable to imprisonment for a term not exceeding six months or to a fine not exceeding $5,000 or to both.

In light of the serious nature of these allegations, the Information Commissioner initiated a complaint against the National Gallery of Canada, and we launched an investigation into the matter.

Resolving the complaint

The NGC cooperated fully with our investigation. We examined two issues. First and foremost, we looked at whether, in fact, records had been destroyed that related to an access request and whether some individuals had been counselled to destroy those records. Second, we looked at all the possible factors giving rise to those events, including corporate leadership, e-mail and access to information policies in place at the time of these events, and the availability of training for employees and senior management at the time of this incident.

It should be noted that upon learning of the incident involving the destruction of records, the NGC immediately took remedial action. In recognizing the seriousness of the incident, it adopted a number of measures to address deficiencies to ensure that similar incidents do not take place in the future. Since it adopted these measures before our investigation got underway, we did not make any specific recommendations. We did, however, make a number of observations in arriving at our findings.

Our investigation found as a fact that records responsive to the access to information request were destroyed and individuals were counselled to destroy records during the course of the processing of the request. While we found these to be the facts of the matter, we did not investigate nor did we make any findings regarding whether these actions were done “with intent to deny a right of access under [the] Act” as set out in section 67.1.

Our mandate is to conduct administrative investigations into federal institutions’ compliance with the Act and to make findings of fact. We cannot conduct criminal investigations nor can we assign civil or criminal liability. That said, in conducting an investigation, we may uncover evidence of a possible commission of an offence which may lead us to refer the matter to the Attorney General of Canada as provided under the Act.

In this case, we did find evidence of an offence having been committed under section 67.1. As a result, the Information Commissioner has referred this matter to the Attorney General of Canada.

In finding this complaint to be well founded and resolved, we made the following observations to the NGC.

First, despite the existence of policies such as the “Computer equipment – E-mail – Internet Access – Electronic documents (2005)”, we found that there was a general lack of computer use and e-mail training for the majority of non-information technology staff. This contributed to employees being unaware of both the proper use of e-mail and their retention and disposal policies.

Second, we observed that at the time of the incident, employees had the ability to erase all traces of e-mails, which enabled them to permanently delete these records. Following the incident in question, the NGC disabled this function so that henceforth only certain employees in the Information Technology Branch would be able to perform this function.

Third, after the incident, the NGC amended its “Policies and Procedures: Computer equipment – E-mail – Internet Access – Electronic documents (Nov. 2008)”, the “ATIP Policy (Nov. 2008)”, and “E-mail Etiquette (Nov. 2008)” and made all such policies available on the Intranet. It also directed management to familiarize themselves with the policies and to educate employees on such policies. Furthermore, these policies are now part of the orientation training presented to all new employees.

Finally, although some training was given to employees, we found that at the time of the incident, leadership and guidance from the corporate sector was lacking with regard to access to information and privacy (ATIP) training. Such training was not provided on a consistent basis to existing employees, nor was it offered in sufficient detail to new employees as part of their orientation. Also, the training for employees (particularly senior management) on such ATIP policies, and on the duties and responsibilities therein, was lacking. There should have been continuous training on the subject, and mandatory training for any new employee. The policies and procedures in place concerning access to information and privacy were, likewise, deficient.

The NGC asked us to review its ATIP and e-mail usage policies. We will work with the NGC to clarify those policies outside the ambit of this investigation.

Lessons learned

It is the responsibility of institutions to fully train employees on their ATIP and information management policies and practices so that they know and understand their legal obligations under the Act. By not providing this knowledge and support, institutions run the risk of their staff making decisions that may lead to serious consequences when handling access to information requests.