Frequently asked questions - Implementation of Bill C-58
Investigations, order-making, and publication of reports
The Information Commissioner now has the authority to issue binding orders. Under what circumstances will she issue an order?
If the Information Commissioner finds a complaint to be well-founded, she can issue any order she considers appropriate “in respect of a record.” She can issue orders regarding:
- Refusals of access, including that records be released or that an institution reconsider its decision to refuse access
- Time limits
- The format or language of records
- Institutions’ publication of their inventory of information holdings (i.e. Info Source)
If the Commissioner makes a decision to issue an order, it is because the Commissioner is not satisfied that the institution has properly applied the Act. In these cases, the order reflects the fact that a resolution could not be reached. In order to close a complaint, the Commissioner will not hesitate to issue an order if a resolution cannot be reached.
The Commissioner also retains her authority to issue recommendations.
What documents will be used during investigations by the OIC under Bill C-58’s new oversight model and what do they replace?
If, after investigating a complaint, the Information Commissioner finds a complaint to be well-founded, she will send an initial report to the government institution. The initial report may contain an intended order or a recommendation if necessary. This replaces the old section 37 letter.
All complaints are closed with a final report, replacing the old report of finding. The final report includes the results of the investigation. The final report may also contain the Commissioner’s order and/or recommendations.
Who will receive a copy of final reports (including final reports with orders)?
The complainant and institution will receive a copy of the final report. In addition, third parties and the Privacy Commissioner may also receive a copy in certain circumstances.
Within institutions, final reports that are not well founded or resolved will generally go to the ATIP Coordinator or the ATIP general mailbox (or whomever the institution has previously indicated should receive Reports of Finding from the OIC).
Final reports that are well founded will be sent to the head of the institution, with a copy to the ATIP office.
What options does the institution have when it receives an order from the Information Commissioner?
Orders issued by the Information Commissioner are legally binding, pursuant to section 100 (formerly section 76) of the Access to Information Act and the rule of law.
The Access to Information Act sets out two options upon receiving an order:
- Implement the order; or
- Apply for court review of any matter that is the subject of the order, which has the effect of staying the implementation of the order.
When deciding what to do after receiving a final report, what dates are important?
Several dates are important, depending on what parties were involved in the investigation:
- The date the final report is deemed to be received by the institution
- The fifth business day after the date of the final report
- The date the complainant and the institution may apply to Court for review
- Within 30 business days after the institution is deemed to have received the final report
- The date third parties and the Privacy Commissioner may apply to Court for review
- Within 10 business days after the initial 30 business days for institutions and complainants to apply for court review has expired
- The date the Commissioner’s order takes effect
- The 31st or 41st business day after the day the institution is deemed to receive the final report, where no court review has been initiated
Will resolving a complaint avoid a final report?
There will always be a final report if a complaint is investigated, even if a complaint is resolved. However, where complaints are resolved, this report will not contain an order or recommendation, since action was taken that would render an order or recommendation moot.
Will final reports and orders be sent separately?
No, orders will be included in final reports. However, not all final reports will include orders.
What will final reports and orders look like?
Final reports will generally be formatted under headings such as “Facts”, “Issues”, “Analysis”, “Conclusion” and, where warranted, “Order” or “Recommendation”. As is currently the case with reports of findings, final reports will be written in such a way to ensure no information is disclosed where an institution would be authorized to refuse to disclose or indicate whether that information exists.
The Information Commissioner now has the authority to publish her final reports upon completing an investigation. What criteria will be used to determine what gets published?
The OIC closes more than 2000 complaints a year. It will not be possible to publish all final reports.
Initially, most final reports that include an order will be published. Eventually, the OIC may choose not to publish orders related to procedural or administrative matters.
In addition, most complaints that result in a well-founded or not well-founded finding (i.e. those complaints that are not resolved), will be published initially. Again, the OIC may choose not to publish findings related to procedural or administrative matters.
In general, anything that may involve a legal precedent, or be of interpretive value, will be published. The goal is to publish final reports that will be useful, provide guidance to both institutions and complainants, and address specific principles of the law.
With time, as a body of case law develops, the OIC may find fewer final reports need to be published. If that occurs, the OIC may refine its criteria for publication and make these publicly known.
It is a priority for the OIC to ensure its work is open and transparent. To the greatest extent possible, the reasons and principles behind our decision-making will be made public.
What happens if the Privacy Commissioner is not in agreement with the Information Commissioner regarding the application of the exemption for personal information (section 19)?
The Access to Information Act was amended to provide two opportunities for the Privacy Commissioner to become involved in investigations where the exemption for personal information is contentious:
- During an investigation, the Information Commissioner may, in her discretion consult the Privacy Commissioner.
- The OIC must give the Privacy Commissioner a reasonably opportunity to provide representations any time the Information Commissioner intends to order the disclosure of information the institution considers to be “personal information”.
Can third parties complain to the Information Commissioner about an institution’s application of exemptions to their information?
No, third parties cannot complain to the Information Commissioner about an institution’s application of exemptions to their information. The process for institutions to notify and consult with third parties while processing a request under sections 27 and 28 of the Act has not changed under Bill C-58. Section 44 still gives third parties the right to apply for Federal Court review after they have received notice under section 28 from an institution of its decision to disclose
Declining to act on a request
In the event that an institution seeks approval to decline to act on a request from the Information Commissioner, what information will be shared with the parties involved?
Institutions must notify requesters when they are seeking approval from the Information Commissioner to decline to act on their request. This must be done at the same time that the institution initially communicates with our office.
The Office of the Information Commissioner will share with the requester all arguments and evidence (known as submissions) made by the institution to substantiate its application to decline to act on the request if the Information Commissioner determines that the application merits consideration for approval. This is for fairness reasons, to allow an opportunity for the requester to fully respond. Similarly, if the Information Commissioner deems it necessary, institutions will be able to see all submissions provided by the requester. Sharing of submissions will be facilitated through ePost Connect.
What happens if an institution disagrees with the Information Commissioner’s decision regarding an approval application to decline to act on a request? Is there a way to challenge the Information Commissioner’s decision?
If the Information Commissioner authorizes an institution to decline to act on an access request, it is because in her view the institution has met the criteria under section 6.1 to grant that authority.
If the institution disagrees with the Information Commissioner’s decision, it should seek legal advice on its options going forward.
If an institution refuses to act on a request, despite having been denied approval from the Information Commissioner to do so, the requester may complain about this refusal to the OIC.
Is there a form or template an institution must complete when asking for the Information Commissioner’s approval to decline to act on a request?
For the time being, there is no form or template to make an application to the Information Commissioner for her approval to decline to act on a request. In the future, the Office of the Information Commissioner may introduce an online form.
A process document has been created that sets out how to apply to the OIC to decline to act on a request.
All applications to decline to act on a request must include:
- a copy of the access request at issue;
- the requester’s name and contact information;
- the date the institution received the access request;
- the institution’s access request file number;
- confirmation that the institution gave written notice to the requester at the same time as they communicated with the Information Commissioner to seek approval to decline to act on the access request, as required by subsection 6.1(1.3) of the Act;
- all submissions and any supporting evidence the institution wishes to rely on to demonstrate that the access request meets the relevant criteria set out in subsection 6.1(1) of the Act.
- submissions and any supporting evidence that demonstrate the institution’s efforts to fulfill its duty to assist obligations in relation to the access request.
Is there a designated person within an institution who should make the application seeking approval to decline to act on a request and continue to correspond with the OIC? Does it need to be the same representative for the entirety of the application process?
This is up to the institution to decide. The OIC will communicate with the e-mail address from which the application was originally sent, regardless of who is administering this account.
Do institutions need to seek consent of the requester before sharing personal information with the OIC in an application to decline to act on a request?
Institution’s should seek legal advice to determine if the personal information they wish to share with the OIC in an application to decline to act on a request is in compliance with the Privacy Act and Treasury Board of Canada Secretariat’s guidance on consistent use.
Can evidence from before the date Bill C-58 came into effect be submitted to support an application to decline to act on a request?
Yes, evidence from before June 21, 2019 can be submitted, as long as the evidence relates directly to the access request at stake. However, institutions can only apply for the Information Commissioner’s approval to decline to act on access requests made on or after June 21, 2019.