Instant messaging putting access to information at risk – Report

Ottawa, November 28, 2013—Suzanne Legault, Information Commissioner of Canada, issued a special report to Parliament today that recommends specific controls be placed on instant messaging to preserve government records and respect the federal access to information law. Instant messages include what are commonly called “PINs” sent and received on BlackBerrys.

“After investigating the use of wireless devices and instant messaging in 11 federal institutions, I have concluded that there is a real risk that information that should be accessible by Canadians is being irremediably deleted or lost,” Legault said.

There were approximately 98,000 BlackBerrys issued to government institutions. Instant messages sent and received on these devices are automatically deleted—usually after 30 days—making them generally unavailable for access to information purposes.

“While technology is a powerful tool for innovation, its use must not infringe on the right of Canadians to know what government is doing and to hold it accountable for its decisions,” Legault said.

The report makes three specific recommendations, including that a government-wide policy be issued instructing institutions to disable instant messaging on all government-issued wireless devices, with few exceptions. The President of the Treasury Board does not agree with the recommendations and has declined to implement them.

-30-

The report is available on the OIC website.

For more information:
Natalie Hall
Manager, Communications and Media Relations
Office of the Information Commissioner
Tel.: 613-995-6496
Email: natalie.hall@oic-ci.gc.ca

Highlights

Investigation into the impact of instant messaging on access to information

  1. The use of instant messaging on government-issued wireless devices to conduct government business is putting the right of access to information at an unacceptable risk.
    • As of August 2013, there were approximately 98,000 BlackBerrys issued to government institutions. Most of these devices would have had instant messaging enabled, including allowing communications via BlackBerry PIN (personal identification number).
    • Instant messages are automatically deleted from wireless devices, usually after 30 days. Generally, instant messages are not recoverable once they have been deleted.
    • Of the 11 investigated institutions, only Foreign Affairs, Development and Trade Canada, and National Defence automatically back up at least some instant messages on servers.
    • Consequently, in most institutions, instant messages are unlikely to exist anywhere after auto-deletion and would be unavailable to be processed in response to access requests.
  2. Access to instant messages sent and received by ministers’ office staff is at particular risk.
    • All surveyed ministers’ offices enable instant messaging for their staff. However, the training on the information management and access responsibilities associated with instant messaging varies widely and is insufficient.
    • Under current policies, ministers’ offices are generally the last to be asked for records in response to access requests—likely after instant messages have been auto-deleted.
    • The Information Commissioner recommended that ministers’ offices be asked for records right away.
  3. Current policies are insufficient to promote consistent practice, direction and training across the government on the use and treatment of instant messages. In addition, policy guidance is such that, without automatic back-up, the preservation of instant messages for access and other purposes relies on individual employees’ taking the initiative to store them.
  4. Policies currently proposed by the Treasury Board Secretariat would put the right of access at further risk by allowing instant messages to be auto-deleted after only three days, instead of the current 30 days.
  5. Institutions were unable to provide compelling reasons for using instant messaging that outweigh the risk to the quasi-constitutional right of access.
    • Institutions allow instant messaging because it is faster and, in remote locations, cheaper than using email, and because it makes communications possible when servers are down.
    • The Commissioner recommended that instant messaging be disabled, except for when there is a genuine operational need for it. Institutions must set up a mechanism to automatically back up all messages and must provide users with training on their information management and access to information responsibilities.
  6. The current treatment of instant messages hinders the Commissioner’s ability to investigate complaints about missing records.
    • Given that it is usually at least 90 days (30 days to respond to a request and 60 days to make a complaint) before the Commissioner receives complaints about how institutions handled access requests, the chances that instant messages will still exist at that point are virtually nil.
    • Missing records complaints amount to nearly half of complaints about refusals to grant access. The Office of the Information commissioner registered more than 400 missing records complaints in 2012–2013.
  7. The investigation highlights the need for the Access to Information Act to be amended to require government officials to create records documenting their decisions for access purposes.
    • Eight of the eleven subject institutions allow employees to use wireless devices for sending and receiving information of business value (in addition to brief, transitory messages).
    • Unless individuals store these messages on a server, or they are automatically backed up, information on government decision making will be irremediably lost.
    • The Commissioner recommended that the Act be amended to include a duty to document decisions, with appropriate sanctions for non-compliance.
  8. The President of the Treasury Board has not agreed to abide by the Commissioner’s recommendations and has declined to implement them.