Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.
Speaking notes for an address
By Andrea Neill
Assistant Information Commissioner of Canada
At the 6th International Conference of Information Commissioners
Thank you for your warm welcome in Oslo. We, in Canada, have so much in common with you in Norway that I feel that we are “kindred spirits”. We both have our share of lakes, of fjords and forests – of snow and cold spells, too. And who knows, had the Vikings stuck around a little longer in Newfoundland, in L’Anse-aux-Meadows, we might have had a common heritage to share as well.
But I’m here today to talk about something else we all have in common, that is the challenges we face, as Information Commissioners and Ombudsman, in dealing with the issue of accessing e-Information. By this I mean information that is not put to paper, but rather resides on our networks, computers, BlackBerries, laptops and even in the “Cloud”.
My intention is to explore first how our law handles the complexity of accessing e-Information. How our law now handles accessing information is, for all intents and purposes, reactive. It is reactive and reflects the traditional modus operandi of the public sector. It is reactive in the sense that access is granted after someone asks for it.
I want to go further and offer a vision of a system that fully embraces the benefits associated with having information stored and disseminated electronically. It is a vision that goes further than our access laws. – A vision where information is routinely disclosed, with the exception of that which governments must protect because it poses a risk of injury to a public or private interest. – A vision where information is simply made available because it can be, thanks to technology. E-Information evolves and, free from the confines of ink on paper, lends itself to being proactively disclosed.
Finally, I want to pose the challenge of how we, as post-millennium Information Commissioners, are going to maximize compliance with freedom of information legislation and foster the shift from reactive to proactive disclosure within the context of rapidly evolving technologies.
What is e-Information?
With the advent and proliferation of technology, there is a massive accumulation and amazingly flow of information. And it is not simply information that is static in nature, but information that can easily adapt and change depending on new inputs and desired outputs. Think of any common database that your government might have.
For example, in Canada we have a database maintained by Health Canada that tracks adverse drug reactions. Whenever a patient is admitted to a health care facility as a result of an adverse drug reaction, the information is captured so that analysts can cull, analyze and determine patterns, warn of problems and provide input into new policies. This database is anything but static. With each entry, there are about 128 fields of information associated with an event. In time, some of those fields can be populated. In time, additional entries are made. Over time, the database morphs, shifts and reveals new “secrets” depending on what information has found its way in or out. This type of accumulated information is wealth.
These types of databases represent wealth to governments because they can, while respecting privacy principles, use the information to enhance their programs and services. They are wealth to drug manufacturers because they can derive better profits from analyzing the information. They are wealth to journalists because there are a myriad of stories within the databases – human stories. Most importantly, they are wealth to the public who are consumers of these drugs and will be better informed about them. This type of accumulated information is, as the prominent academic Alasdair Roberts put it, the “Mother lode”.
Accessing e-Information using the access laws or the reactive mode
We all know that e-Information is abundant, that it is the number one most valued commodity in our society and that governments are custodians of huge volumes of it. So what does access to that government-held information look like when we examine the reactive mode of gaining access? That is, how does our law work when it requires an individual to ask for e-Information?
In 1997, the highest court in Canada recognized the public’s right to government-held information as a quasi-constitutional right. Judges agreed that is was necessary and crucial to the democratic system, and enabled meaningful participation in a just and free society.
At the federal level in Canada, we have a law that provides meaningful access to information held by governments. All our provinces and territories have similar laws – 14 in all. Not unlike many countries, our legislation was written long before the computing world was fully contemplated or understood. In Canada, it was written in the late 1970s and adopted in the early 1980s. That was before the personal computer. That was before the PlayStation, iPhone and that wonderful Canadian invention, the BlackBerry.
During the 1960s and 1970s, e-Information was a cumbersome set of punch cards and mainframe computers that occupied entire rooms – if not entire floors of large buildings. And, while those systems could technically hold more information than the existing paper-based records, the reality is that the cost of storage kept information on paper.
Fast forward a few decades, however, and we now have e-Information being created and stored, archived and backed-up by a multiplier that we cannot even accurately calculate.
What does this mean for those of us in the access to information world? The exponential amounts of information created poses obvious problems associated with, for example, finding the right information relevant to an access request, or with retrieving it from an archival system. When the law was written, the idea of a back-up tape was some cumbersome series of gigantic reels of information that replicated an organization’s entire system. It was extremely difficult, if not impossible, to go and retrieve one component of that system let alone one individual file.
Today, back-up systems keep archives of specific individual files that can be restored with varying degrees of effort. The differences in systems are quite dramatic when you consider that back-ups, when they were cumbersome and inefficient, did not pose problems for access to information because the information was simply inaccessible. Today, the status of this information in back-up systems remains controversial.
Our view is that the Canadian legislation is sound in terms of its principles but is in serious need of modernization. For example, our federal law currently restricts access rights to Canadians and persons present in Canada. In the context of today’s technological environment, it is becoming increasingly difficult to sustain the concept of limited access. Consequently, the Information Commissioner has recommended to Parliament that the law be amended to provide universal access.
In terms of the drafters’ attempt to capture the concept of accessing e-Information, their language is not perfect but it is workable. Section 4(3) of the federal Access to Information Act states:
For the purposes of this Act, any record requested under this Act that does not exist but can, subject to such limitations as may be prescribed by regulation, be produced from a machine readable record under the control of a government institution using computer hardware and software and technical expertise normally used by the government institution shall be deemed to be a record under the control of the government institution.
“Machine readable record”? – An odd term, indeed. However, it works. How does it work? Well, it tells the government that just because the information is stored digitally as opposed to on paper, the government still has to produce the information even if that digitally-stored information requires manipulation prior to getting it into a state where it can be released. Consequently, if the information is, on its own, not even a record because it can’t be isolated as such, the law still requires the government to manipulate the information so that it becomes a releasable record. While not a provision that is as clear and direct as Scotland’s “duty to assist” provision, our section 4(3) is a codification of at least one component of the duty to assist.
To be clear, while the provision doesn’t require the creation of information itself, it is a powerful section that requires that institutions extract information from a database or databases to create a record. Without this provision, we might not have any meaningful access to the mother lodes of e-Information that exist.
The Information and Privacy Commissioner of Ontario was recently involved in a case where this issue arose. In that case, a journalist wanted access to a database that tracked all people who were arrested by the Toronto Police Department. The journalist wanted to see how often there were repeat arrests attributed to the same individual. It is important to note that the journalist did not care to know who the individuals were. He simply wanted to be able to track how often people get arrested after they have been arrested a first time – how many “repeats” there were in the system.
To avoid having to deal with names of individuals, the requester asked the Police to substitute all names with unique numeric identifiers that would totally mask the identities of individuals. The Police refused and, when confronted with an Order from the provincial Information and Privacy Commissioner to disclose the database, the Police appealed to the courts.
Eventually, the Court of Appeal upheld the Commissioner’s decision. If an algorithm could be applied to alter the information into a format that made it releasable, then the Police had to apply it. This demonstrates that, despite the use of old school terms, for example machine readable record, that Canadian legislators had anticipated the evolution of technologies.
However, let me raise a couple of outstanding issues that we are currently working through where our law does not easily lend itself to the technical realities of our world. One is the use of PIN to PIN communications. PIN to PIN allows federal officials to exchange messages on their BlackBerries without the messages ever passing through the federal institution’s server. This represents a potential technological blow to accountability and transparency.
Views on PIN to PIN communications range from those of advocates who claim they should be prohibited and made technologically impossible for public servants because they really serve no purpose other than to avoid accountability and transparency – to those of bureaucrats who propose that all PIN to PIN communications must occur within a well-thought out policy framework.
Although government has issued guidance, we do not know yet how well it is being applied in terms of monitoring and oversight, except when our Office deals with complaints.
Access requests for the BlackBerry messages of some senior federal officials, and subsequent complaints to our Office regarding the non-existence of these messages highlight the challenges of managing information when new wireless communication technologies are used. These cases demonstrated how important it is for institutions to ensure that employees understand that these new devices produce records which must be properly maintained. It also demonstrated the importance of having sound policies stressing the principles of good information management, security, access to information and privacy.
Another challenge posed by the proliferation of e-Information is the misconception that the information is transitory. It is difficult to maintain the mindset that all of this information is, by law, something that can and should be accessed. Because of these challenges to our law’s ability to adequately deal with unique problems raised by the exponential creation of e-Information, it is absolutely crucial for governments to implement sound information management systems.
Moving toward proactive disclosure of e-Information
To re-iterate, e-Information poses unique challenges to our access to information regimes because of its abundance and fluidity and because it is difficult to stay on top of technological developments such as PIN to PIN communications. However, our law is relatively well-equipped to address most issues and, where it falls short, we urge governments to, among other things, implement better information management systems that are designed to ensure adequate accessibility to the information.
Is this enough? Let us take a close look at the reactive mode of gaining access. First of all, in Canada, it is estimated that it costs anywhere between $1400 and $2200 for each request made of government. Secondly, the retrieval of e-Information based on requests for information results in huge volumes of duplicate copies of the same information. The electronic “carbon copy” facility has proven to be both a blessing and a curse. The duplicate information is cumbersome to process and provides no value to the individuals seeking access. Thirdly, the reactive mode encourages long and extensive searches for information that, while it may exist in some form of back-up, is actually information that was properly and legitimately deleted in accordance with established archival retention schedules.
From an oversight perspective, accessing e-Information has its challenges, particularly in investigating complaints. Let me give you some examples based on our experience. We have an antiquated fee scheme that was written twenty-six years ago to support our paper-based law. In investigating fee complaints related to e-Information, we find instances of what appear to be exorbitant fees being assessed by institutions to create records from information contained in databases. Sometimes the fees are reasonable because of the work required to manipulate the data into a reasonable form. But there are other times where the fees imposed may be a deterrent to providing access.
In addition, the process of investigating complaints about no records, missing records or incomplete searches, which now account for 35% of our refusal complaints, is becoming more complex. Inadequate information management policies and a lack of adherence to basic information management principles result in complaints involving huge volumes of records containing many versions and duplicates of the same information to the other extreme of there being no relevant records at all.
Investigators not only need a sound knowledge of information management practices, they need to have the skill sets and technological expertise to be able to gather electronic evidence as part of their investigating claims of missing or altered records or information being inappropriately deleted.
As an illustration of this need, we experienced two very high profile public inquiries in Canada where the common theme was the notion that public officials had deleted information or otherwise obstructed access to information. As a result, our law was amended to impose strict penalties on anyone caught willfully concealing, altering, falsifying or destroying information in an attempt to thwart access.
Clearly, there remain a number of challenges that our reactive access system has and will continue to have difficulty dealing with. This is where I want to elaborate on a vision of a proactive state of disclosure.
The Commonwealth Secretariat has developed the Commonwealth Freedom of Information Bill (Part II) that calls on public bodies to publish certain information about their functions, decision-making and recommendations.
The Atlanta Declaration of 2008 also calls for a “positive obligation on public institutions to disseminate information related to their core function.” In fact, the Scottish Commissioner specifically raised it as being an example of the good side of freedom of information in a speech made in 2007 in which he reviewed the Scottish freedom of information experience. The important point is that several jurisdictions that have lived through the reactive models have all realized the proactive model is a necessary component to ensuring true accountability.
Curiously, prior to the Canadian access law being implemented, some government institutions were proactive in their disclosure. Of course, there was some obscurity inherent in the fact that the disclosure was in paper format and difficult to understand. For example, there was a publication listing all government contracts with third parties. Once the access to information law came into force, that practice stopped and folks were required to make a formal request for the same information. Recently, because of the ease with which e-Information lends itself to being proactively disclosed, the government has returned to the publication of contracts. It is a much better system now because it is on-line, searchable and done in relative real time.
Another example is that, almost ten years ago in Canada, our then Prime Minister issued a policy requiring all bureaucrats above a certain level to post, on-line, the specific details of their travel and hospitality claims. What an uproar! But, the uproar wasn’t from public servants who were being ordered to release this information. Nor was it from Canadians who were finding out for the first time how senior officials were spending their tax dollars. The uproar was from the finance departments which were upset by the procedural difficulty imposed by the policy.
A few years later with a bit of time to develop systems and better computer programming, the posting of this information is now done exceptionally well by many government institutions. In fact, the technology exists to allow this type of posting to occur almost in real time. There’s really no need for it not to be available right away. It’s simply a matter of making sure your financial reporting program is properly synced to your web portal. Technology makes it possible to be very good at proactive disclosure.
Of course, not all proactive disclosure can occur without its own set of challenges. One of the thorniest issues that arise when we think about proactive disclosure is that we are talking about releasing massive accumulations of information. If you’re dealing with a massive amount of information, there is a good chance that you’re also dealing with personal information and you therefore have privacy considerations to take into account.
In my earlier example about accessing the database maintained by the police in Toronto, it was relatively easy to eliminate the privacy issue because the journalist was clearly not interested in receiving any personal identifying information. However, in other cases, the ability to remove personal identifying information can be complex. De-personalizing information held in databases has become a science.
Another example of a challenge to proactive disclosure arises in the push to have administrative tribunals publish their decisions on-line. This is a clear move towards proactive disclosure but the implications to privacy cannot be ignored. Oversight bodies, including our provincial Commissioner who oversees both access and privacy issues in Saskatchewan have published best practices for administrative tribunals.
At the federal level, a judiciary committee is currently reviewing the issue in an attempt to balance access and privacy rights.
The path to greater access
My intention today is to leave you with a sense of what I think are the most important things to do when dealing with e-Information. While we have a vision of Canada moving more and more towards proactive disclosure, our recommendations of what governments need to do with respect to e-Information have just as much to do with the reactive mode as the proactive mode.
First, I have already mentioned the need for better information management systems, policies and procedures. That is a given.
Second, we need to review how the activities of our Offices operate together to maximize compliance. We call it the “compliance continuum”. Maximizing compliance, especially when resources are limited, can be achieved by means of a variety of tools that are both interdependent and complementary to formal investigations. These tools involve proactive efforts directed to a broad range of stakeholders to promote access rights and develop partnerships.
Officials involved in the access to information process must understand the fundamental principles and requirements of the legislation and associated policies and be aware of citizens’ expectations of what information should be available to them and how it should be disseminated. Equally important, requesters must be aware of their rights and how to exercise them. Information Commissioners are the essential link between all the players and can facilitate compliance through information and strategic partnerships.
In cases of potential or alleged situations of non-compliance, conducting investigations into matters affecting access rights often encourages parties to comply without resorting to more drastic actions. In these cases, mediation and negotiation generally produce mutually satisfactory results that are less costly and less time consuming than adversarial measures. However, it important to emphasize that suasion and resolution must always be balanced with the full range of compliance tools.
To accomplish this objective we must ensure that we have the right talent pool within our staff. In particular, we need investigators who understand technology, database architecture, data-mining, new communications devices and enterprise-wide communications systems so that they can gather evidence in all forms and conduct thorough investigations. If we don’t keep up with the times, we ourselves will be ineffective in the fulfillment of our mandates.
Third, as Information Commissioners, we should set the example. To set an example, we should routinely disclose the maximum amount of our policy and operational information as possible. In addition, as a body subject to the same legislation we oversee, we should assess all access requests with the intent to making the information available proactively in the future. We do not need to wait for someone to make an access request. We can anticipate what information should be made available and design our dissemination systems accordingly.
In fact, our Office recently posted an external audit report, along with our management response and detailed action plan, on a “just-in-time” audit that was conducted for our intake and early resolution unit pilot project.
Lastly, and what I want to emphasize the most, is that we need to influence governments to adopt sensible information disclosure policies, practices and tools. One tool being promoted in Canada is Access Impact Assessments.
Access Impact Assessments are similar to Privacy Impact Assessments or PIAs. The latter have become a tool for governments to evaluate whether program and service initiatives involving the collection, use or disclosure of personal information comply with privacy requirements. They also help identify and resolve any outstanding privacy issues.
Legislative and policy requirements to conduct PIAs have been instrumental in building an awareness and appreciation of privacy principles among program managers. Considering privacy throughout the design and implementation stages of projects has gradually become a way of doing business.
Access Impact Assessments can be as instrumental in building an awareness and appreciation of access principles as PIAs have been in the privacy field by identifying opportunities to proactively disclose information as government programs and services are developed and implemented. An early proponent of the concept of Access Impact Assessments is the Ontario’s current Information and Privacy Commissioner. She contended that they should be a mandatory element in the creation of any new program and incorporated in the development of any new technology. This is consistent with our proposal to Parliament that the Information Commissioner be consulted on proposed legislative initiatives.
In his submission to the Special Committee to Review the Freedom of Information and Protection of Privacy Act, the Commissioner of British Columbia made a recommendation to amend the Act “to require public bodies to use prescribed access design principles in designing and adopting any information system or program.”
Access Impact Assessments that would require institutions to build access and dissemination capabilities into new programs and services would significantly influence information management practices which, in turn, would facilitate more rapid responses to access to information requests. Ultimately, they could lead to direct public access to particular categories of the government’s information holdings and help us move from reactive to proactive access to e-Information.
When we approach any publicly-funded project with a view of evaluating what impact the program will have in terms of the public’s ability to access the information, we end up building programs that ensure better citizen participation. We build more efficient systems.
These systems then get information out to the public more easily which reduces the time, effort, resources and costs associated with trying to release information. It’s a simple concept that could, in the end, save us millions of dollars, euros, pounds and coronas and lead to a true shift in government and public participation through the sharing of information.
The time is right for post-millennium Information Commissioners to affirm our roles as champions of access and information sharing in support of greater innovation and socioeconomic development. The traditional reactive mode of disclosing information has proven to be inefficient, costly and often confrontational. Technology and e-Information now afford public institutions the opportunity to directly engage citizens, to proactively disclose information and to support the renewal of the social contract between government and citizens.
In closing, Commissioners can be the 21st century Diogenes. Diogenes was an Ancient Greek philosopher who used his lantern to lead people on the path to wisdom. Information Commissioners and Ombudsman can be that guiding light on the path to promoting meaningful citizen participation.