Decision pursuant to 6.1, 2022 OIC 07

Date of decision: February 2022

Summary

An institution submitted 20 applications to the Information Commissioner, under subsection 6.1(1) of the Access to Information Act, for approval to decline to act on 20 separate access to information requests submitted by the same requester. The institution relied on the same representations in support of each application. In each application, the institution submitted that the request is vexatious, made in bad faith, and constitutes an abuse of the right of access. The institution further submitted in each application that it had met its duty to assist the requester in connection with the request.

The Commissioner found in each instance that the institution had not met its duty to assist obligations under subsection 4(2.1) prior to seeking approval to decline to act. The Commissioner also found that the institution did not meet its burden of establishing that any of the 20 access to information requests is vexatious, made in bad faith, or is an abuse of the right of access.

The applications are denied and the institution is required to act on the access requests.

The Access Requests

The institution received 20 access to information requests, submitted by the same requester, for the email, text and/or phone records of a named individual over various specified timeframes.

The named individual is an employee of the institution. The requester has alleged that this individual breached the requester’s privacy.

The institution has acknowledged that the requester’s personal information was used inappropriately. The requester’s allegations involving breaches of privacy are still at issue.

Discussion

Subsection 6.1(1) provides that the head of a government institution may seek the Information Commissioner’s written approval to decline to act on an access request if, in the opinion of the head of the institution, the request is vexatious, is made in bad faith or is otherwise an abuse of the right to make a request for access to records. The institution bears the burden of establishing that the request meets the requirements under subsection 6.1(1) of the Act.

The right of access to information to records under the control of a government institution has been recognized as quasi-constitutional in nature (Blood Tribe (Department of Health) v. Canada (Privacy Commission), 2006 FCA 334 at para 24; see also: Canada (Information Commissioner) v. Canada (Minister of National Defence), 2011 SCC 25 at para 40). Bearing this in mind, authorization to decline a request will only be granted if the application is supported by clear and compelling evidence (see, for example: Saskatchewan (Advanced Education) (Re), 2010 CanLII 28547 (SK IPC) at paras 43-47; Northwest Territories (Public Body) (Re), 2017 CanLII 73304).

Institutions, pursuant to subsection 4(2.1), also have an obligation to assist requesters in connection with their requests. As explained in the Guidance and Process documents issued by the Office of the Information Commissioner regarding 6.1 applications, institutions should only seek the Commissioner’s approval to decline to act on an access request after having made every reasonable effort to help the requester with the access request.

Duty to assist

The institution within its submissions referred to efforts made to assist the requester with previous requests. The institution, however, did not show that any efforts were made to assist the requester with the 20 requests for which approval to decline to act was sought.

According to the institution, this is because such attempts would be futile. By way of explanation, the institution stated that the requests are clear and that conversations with the requester have routinely escalated and resulted in the requester “making slanderous accusations […]”

The requester, within their submissions expressed that they would have been willing to enter into discussions and consolidate requests.

The Commissioner was not satisfied that the institution’s efforts to help the requester in relation to previous requests absolved the institution of its obligation to assist the requester with the 20 requests at issue. The Commissioner found that the institution did not fulfil its duty to assist obligations under subsection 4(2.1) prior to applying for approval to decline to act.

The institution’s failure to fulfill its duty to assist obligations was a sufficient basis for rejecting the applications to decline to act, however, the Commissioner went on to make the following findings regarding the institution’s claim that each of the requests is vexatious, made in bad faith, or is an abuse of the right of access.

Vexatious

The term “vexatious” is not defined in the Act. Although the term is generally understood to mean with intent to annoy, harass, embarrass or cause discomfort, Justice Stratas in Canada v. Olumide, 2017 FCA 42, noted that when defining “vexatious” it is best not to be overly precise.

Factors that may support a finding that a request is vexatious include:

1. excessive volume of access requests;
2. a request that is submitted over and over again by one individual or a group of individuals working in concern with each other;
3. a history or an ongoing pattern of access requests designed to harass or annoy a public body;
4. the timing of access requests.

These factors and all other relevant factors must be considered collectively when determining if a request is vexatious or not.

A request is not “vexatious” simply because a public body is annoyed or irked because the request is for information the release of which may be uncomfortable for the public body. (see for example: Saskatchewan (Advanced Education) (Re), 2010 CanLII 28547 (SK IPC), Insurance Corporation of British Columbia (Re), [2002] B.C.I.P.C.D. No. 57 (BC OIPC), at para 4). Conversely, a request will be considered “vexatious” if it is established that the primary purpose of the request is not to gain access to the information sought, but instead is to continually or repeatedly harass.

The institution, in support of its claim that the requests are vexatious, referred to the numerous requests submitted by the requester over time (i.e. 77 requests since December 2020). According to the institution: a number of the requests are similar and / or repetitive; the institution has already responded to similar requests; the requester has filed multiple complaints to the OIC against the institution; and the requester has already received all relevant information.

The institution also alleged that the primary intent of the requests is not to exercise the right of access, but instead is to “…annoy, harass, embarrass or cause discomfort”, including by targeting and harassing a specific employee(s).  In support of this claim, the institution stated that:

1. the requester could have combined the 20 requests into 3 requests;
2. the requester failed to ask that the institution conduct a server search to locate responsive records, as asked by the requester when submitting some requests in the past;
3. the requester communicated that they have already completed their fact-finding exercise of the alleged breaches of the requester’s privacy through Access to Information and Privacy (ATIP) requests;
4. the requester has communicated that they want to see people held accountable and penalized for the breaches of the requester’s privacy;
5. the requester’s pattern of communications “tends to contain deliberately hurtful remarks and unfounded allegations as to the competency of [its] employees”; and
6. the requester’s current request(s) is “an attempt to bypass official procedures” in the form of an ongoing investigation of alleged breaches of the requester’s privacy.

The institution’s claims that the requests are vexatious, however, were not supported by clear and compelling evidence.

The Commissioner concluded that the institution did not establish that the volume of requests was enough to make the requests “vexatious”. As noted by Saskatchewan’s former Information Commissioners “…a single applicant may submit a large number of access requests for various records to a government institution without making illegitimate use of the access rights afforded by [the Act]” (see for example: Saskatchewan (Advanced Education) (Re), supra.

While a number of the requests are similar (in that they seek records of communications involving the same named individual), the institution did not show that any were duplicative or repetitive. The fact that the institution did not find records responsive to some of the requester’s previous requests, therefore, did not evidence that the institution has previously responded to any of the 20 requests, or that the requester has already obtained the information sought.

With regard to the requester’s intent, the Commissioner was not satisfied that because the 20 requests might be capable of being combined into broader requests, this evidences an improper motive.

The Commissioner also was not satisfied that the requester’s failure to specify that the institution ought to retrieve responsive records via a server search established that the requester’s primary intention was not to gain access, but to target and harass a specific employee(s) and / or “….annoy, harass, embarrass or cause discomfort”. The Commissioner noted that the institution, within its submissions, had taken issue with the requester having previously specified the manner in which the institution should conduct its search. The Commissioner also noted that if the institution is concerned about the burden of the requests on the named individual, it is open to the institution to explore different means of conducting a reasonable search without the individual’s involvement, including through its Information Technology infrastructure.

While acknowledging that the requester had communicated to the institution that their fact-finding exercise through Access to Information and Privacy (ATIP) requests regarding alleged breaches of the requester’s privacy had been completed, the Commissioner pointed out that this communication post-dated the 20 requests. The requester’s statement therefore did not support a finding that at the time of the requests, the requester had already received all information sought and that the requests therefore were for an improper purpose.

The Commissioner was also not satisfied that the requester’s communication of wanting individuals held accountable or penalized for alleged breaches of the requester’s privacy establishes that the primary purpose of the requests is other than to gain access. Based on the totality of submissions and evidence received, the Commissioner opined that it was reasonable to infer that the primary intention of the 20 requests was to obtain information and / or evidence regarding the alleged privacy breaches and / or misuse of personal information. This objective, the Commissioner concluded, is not contrary to the Act’s intended purpose; a requester is entitled to seek information regarding the potential use or disclosure of their personal information and / or other matters believed to be inappropriate or unlawful.

The Commissioner further concluded that there was no clear and compelling evidence of any pattern of inappropriate communications on the part of the requester and that the institution had not substantiated its claim that the request is vexatious on the basis that the requests are “an attempt to bypass official procedures”. The Commissioner concluded that there was no apparent reason why the requests cannot be processed along side other procedures.

The institution did not meet its burden of establishing that any of the 20 requests are vexatious.

Bad faith

Black’s Law Dictionary, (10^th ed.), defines “bad faith” as “dishonesty of belief or purpose”. Generally speaking, a request made for a wrongful, dishonest or improper purpose would be considered a request made in “bad faith”.

In some instances, a request has been considered to be in bad faith when the requester has had an improper objective above and beyond a collateral intention to use the information in some legitimate manner (see, for example: Conseil scolaire public de district du Centre-Sud-Ouest (Re), CanLII 56386 (ON IPC)). As with “vexatiousness”, “bad faith” must be assessed case-by-case.

The institution relied on the same submissions made in support of its claim that the requests are vexatious, to support its position that the requests were also made in bad faith. As discussed above, those submissions were not supported by any clear and compelling evidence that the primary intent of the requests was other than to gain access.

The institution did not meet its burden of establishing that any of the 20 requests are made in bad faith.

Abuse of the right of access

“Abuse” is commonly understood to mean a misuse or improper use.

The volume of requests submitted does not alone substantiate a finding of abuse (see London Police Services Board (re) (1995), Order M-618 (Ontario IPC)). However, volume, along with other factors, may support a finding of abuse of the right of access.

In Saskatchewan, former Commissioner Gary Dickson identified some of these factors. He found that the repetitive nature of the requests, combined with the cyclical manner in which both access requests and request for review were submitted, amounted to a finding of abuse of process (see Saskatchewan (Advanced Education) (Re), 2010 CanLII 28547 (SK IPC)).

Abuse of the right of access must be looked at on a case by case basis and may in some situations arise based on a combination of factors.

In support of its position that the requests are an abuse of the right of access, the institution stated that:

1. the requester has 22 active requests with the institution;
2. the 20 requests, for which approval to decline to act is being sought, are all for one named individual’s communications;
3. “[the requester’s] actions demonstrate that gaining access to information is not [their] primary aim”;
4. “[d]espite being notified that no records exist for 4 previous requests, and that investigations have been launched into the alleged privacy breach, [the requester] continues to submit substantially similar requests targeting” the individual;
5. the requester has made several complaints about their requests; and
6. all relevant and available information has already been provided to the requester.

The Commissioner again noted that, although the requester has made multiple requests, the institution had not established that any of the 20 requests are duplicative or repetitive of other requests made. Other requests referred to within the applications were for different information and / or analogous information but for different timeframes. Therefore, the institution’s failure to identify records in response to some of the requester’s previous requests did not establish that the institution has already responded to the 20 requests or that the requester has already received the requested records.

The Commissioner found that the fact that the requester has made complaints about some of the institution’s responses to previous access requests did not evidence that any of the 20 requests are an abuse of the right of access.

The Commissioner, again, concluded that the institution did not establish that the requester’s actions demonstrate that their primary aim is not to gain access. The Commissioner stated that where an access request is motivated by an attempt to fact find or obtain proof of wrongdoing, these purposes cannot be considered unreasonable or illegitimate. Requesters may seek information to assist them in a dispute with a public body or to obtain information regarding what they consider inappropriate or unlawful behaviour.

The Commissioner further concluded that the institution did not establish that it is an abuse of the right of access to request information pertaining to matters potentially underlying parallel investigations. The requester is entitled to avail themselves of rights to complain under the Act. They also have rights to seek redress for alleged breaches of their personal information. Exercising those rights does not extinguish a right to make an access request for potentially related information or render such a request an abuse of the right of access.

The institution did not meet its burden of establishing that any of the 20 requests are an abuse of the right of access.

Result

The Commissioner denied the applications. The institution is required to act on the access requests.