Manual
ADMINISTRATION OF THE ACT
This chapter contains the following topics:
- Introduction
- Head of an Institution
- Head in Municipal Corporations
- Head in Local Boards and Institutions Other than a Municipal Corporation
- Delegation of Head's Authority
- Conflict of Interest
- Responsibilities of the Head
- Additional Obligations under FIPPA
- Information Available to the Public
- Report to Commissioner
- Responsible Minister
- Freedom of Information and Privacy Coordinators
- Records Management
- Accountability
- Security and Confidentiality of Records
- Determining Security Requirements
- Security Measures
- Information Technology Security
- Routine Disclosure/Active Dissemination
Introduction
Both the Municipal Freedom of Information and Protection of Privacy
Act (MFIPPA) and the Freedom of Information and Protection of
Privacy Act (FIPPA) set requirements that must be met by each
institution. In many instances, the head of the institution is responsible
for fulfilling these requirements. The requirements concern:
- responding to requests for access to records;
- protecting records from inadvertent destruction or damage;
- protecting personal privacy;
- providing specific information to the Information and Privacy
Commissioner (Commissioner); and
- making information available to the public.
In addition, Management Board of Cabinet has issued the Freedom of
Information and Privacy Directive that specifies mandatory requirements
and responsibilities of institutions administering FIPPA.
Some administrative responsibilities such as publishing the Directory of
Records are shared between an institution's head and the Responsible
Minister. FIPPA outlines how the Responsible Minister, who has overall
administrative responsibility for FIPPA/MFIPPA, is to be chosen. Both Acts
set out duties of the Responsible Minister (known in MFIPPA as the
Minister/Chair of Management Board of Cabinet).
This chapter provides an overview of the administrative responsibilities
of the head of an institution, the Responsible Minister and other issues
dealing with the administration of FIPPA/MFIPPA.
Head of an Institution
s.2, 62 FIPPA / s.2, 3, 49 MFIPPA
The head of an institution is responsible for decisions made under
FIPPA/MFIPPA by the institution and for overseeing the administration of
that Act within the institution. This responsibility includes complying
with the access provisions of that Act, and ensuring that personal
information held by the institution is accurate, up to date and collected,
used and disclosed only as authorized. FIPPA/MFIPPA specify those
circumstances where information must be disclosed or access refused, and
those cases where the head may exercise discretion.
For FIPPA institutions, the head will either be the minister who presides
over a ministry or whoever is designated by regulation. For MFIPPA
institutions, the head is the council of a municipality or the board of a
local board.
Once the head has been determined, the powers or duties of the head can be
delegated to an officer or officers of the institution.
Head in Municipal Corporations
s.3(2) MFIPPA
MFIPPA states that the members of a council of a municipal corporation
may designate from among themselves an individual or a committee of the
council to act as head for the purposes of this Act. This designation must
be enacted by by-law. If no person is designated as head under this
section, the head shall be the council.
This power gives a council flexibility in designating who will be the
head. The designated head could be an individual, such as the mayor,
warden, reeve or councillor, or the head could be a committee of council,
such as the executive committee or a special freedom of information and
privacy committee. Where an individual is designated, the designation
could be to a named individual or to a position, as appropriate.
Careful consideration should be given when deciding who will be designated
as the head. The Act requires decisions about access to information to be
made in a relatively short time, usually within 30 calendar days. Because
of this, the head must be available to make those decisions, unless some
or all of the head's duties and powers are delegated. Designating a large
committee as the head may present some problems if calling the members
together to make access decisions within the 30-day time limit is
impractical or difficult.
To revoke a designation, a council would have to revoke the by-law that
set out the designation.
Appendix I contains a
sample by-law municipalities can adapt to designate the head.
Head in Local Boards and Institutions Other
Than Municipal Corporations
s.3(2) MFIPPA
The Act gives powers similar to those of municipalities to boards and
other local institutions in that the members elected or appointed to a
board, commission or other body that is an institution may designate an
individual or a committee of the body to act as head. If there is no
designation, the head shall be the members elected or appointed to the
board, commission or other body.
The designation, if it occurs, must be in writing.
For example:
The board of a public utilities commission could pass a resolution in
writing designating the chair of the commission as the head of the
institution.
To cancel the designation, a body should do so in writing.
Appendix II contains a
sample written resolution local boards can adapt to designate the head.
Delegation of Head's Authority
s.62(1) FIPPA / s.49(1) MFIPPA
The head, once determined, may delegate some or all powers and duties
under the Act. However, even if the powers or duties are delegated, the
head remains accountable for actions taken and decisions made under the
Act.
The head may delegate the powers and duties in writing to an officer or
officers of the institution or, under MFIPPA, of another institution. The
delegation would usually be to a position, rather than to a named
individual. The document that sets out the delegation should make clear
the duties and functions being delegated.
The head may also place limitations, restrictions, conditions or
requirements on the delegation. A head may wish to delegate only some of
the duties and retain certain decision-making authority. Institutions must
adhere to the delegation of authority. Where circumstances change, the
institution must revise the delegation of authority.
For example:
The head may wish to delegate routine duties such as sending out notices
(e.g., acknowledgment letters, fee estimates), preparing the annual
report, and deciding the fees to be charged, but may retain particularly
important duties such as the authority to decide if an exemption from
disclosure applies.
Employees who issue notices required by the Act (especially decision
letters) must ensure they have the delegated authority to do so. Where an
employee of an institution denies partial access to records and does not
have the written authority to do so, the institution is deemed to have
refused complete access to the records.
Appendix III contains some
samples of written delegations under the Act, showing all the powers and
responsibilities that may be delegated.
It is important to delegate responsibilities to an officer or officers of
an institution who, if required, have access to decision makers and who
can act quickly within the time periods prescribed in the Act.
Conflict of Interest
A conflict of interest may exist where a public official knows that
he/she has a private interest that is sufficiently connected to his/her
public duties to influence those public duties. The focus for conflict of
interest is frequently financial matters. It may also arise when the head
is meeting his/her decision-making responsibilities under the Act.
A head may be in a conflict of interest situation where it is reasonable
to assume that he/she is making decisions based on his/her personal interest
rather than the public interest. In some instances, the conflict of
interest may be more apparent than real. It is recommended that
delegations of the head's powers reflect the possibility of conflict of
interest and provide for alternate decision-makers in those instances.
Responsibilities of the Head
s.10, 11, 24, 25, 26, 27, 27.1, 28, 29, 30, 33, 34, 36, 39, 40, 44, 46, 48, 57 FIPPA / s.4, 5, 17, 18, 19, 20, 21, 22, 25, 26, 28, 29, 30, 34, 35, 37, 45 MFIPPA
The head has certain responsibilities pursuant to the legislation,
including:
- adhering to time limits and notification requirements;
- considering representations from third parties;
- providing a response to access requests;
- determining the method of disclosure;
- responding to requests for correction of personal information;
- calculating and collecting fees;
- providing access by the public to manuals and guidelines prepared by
the institution;
- where necessary, defending decisions made under the Act at an
appeal; and
- administering the privacy protection provisions of the Act.
Additional Obligations under FIPPA
s.44, 46(3) FIPPA
Under FIPPA the head also has an obligation to include in a personal
information bank all personal information under the institution's control
which is organized or intended to be retrieved by an individual's name or
by an identifying number or symbol.
When personal information is used/disclosed on a regular basis for a
purpose not listed in the FIPPA Directory of Records, the head must ensure
that this use/disclosure is included in the next edition of the Directory.
The head must also retain a record of any use by the institution of
personal information in a personal information bank and any new
use/disclosure not specified in the Directory of Records. This new
use/disclosure must be recorded and attached to the personal information.
Each of the above listed duties will be discussed in more detail elsewhere
in the Manual. As well, the duties shared with the Responsible Minister
and reporting requirements for the Commissioner are discussed further on
in this chapter.
Information Available to the Public
s.31, 32, 33, 35, 34, 36, 45 and 46 FIPPA / s.24, 25, 34 and 35 MFIPPA
A head of an institution must prepare and make available descriptions
of the institution's records and personal information banks. These
descriptions are intended for use by the public to determine the
information generally maintained by each institution. Accurate record
descriptions enable a requester to submit a more detailed request, thus
simplifying the response process.
For institutions covered by FIPPA, s.36 requires heads to provide to the
Responsible Minister, upon request, the information that the Responsible
Minister needs to prepare the Directory of Records required by s.31, 32
and 45 of the Act.
The records descriptions of MFIPPA institutions should be made available
in a publicly accessible place or a variety of places such as at the head
office of a board, in the clerk's office of a municipality and/or at a
public library. The descriptions of records can be prepared in a number of
ways and can take advantage of existing material. For instance,
municipalities and local boards can use annual reports or promotional
brochures that describe how their institution is structured and organized.
An institution's file plan can be used to prepare the record list.
MFIPPA heads must also ensure that the descriptions of records and
personal information banks are kept accurate and up to date.
The description of records and personal information banks must include:
- a description of the organization and responsibilities of the
institution;
- a listing of the general types or classes of records in the custody
or control of the institution;
- an index describing all the personal information banks in the
custody or control of an institution including:
  - the name and location of the personal information bank;
  - the legal authority for it;
  - a description of the types of personal information in the bank;
  - how the information is used on a regular basis;
  - to whom the personal information is disclosed on a regular basis;
  - the categories of individuals about whom personal information is
  maintained;
  - the policies and practices about the retention and disposal of the
  personal information;
  - the title, address and telephone number of the head; and
  - the address to which a request for access to records should be
  made.
Institutions covered by FIPPA have some additional requirements to make
information available under s.31, 33, and 46:
- the location of manuals, directories and other material available
for public use;
- the location of any institution library or reading room available
for public use; and
- whenever personal information is used/disclosed on a regular basis
for a purpose not listed in the Directory of Records, the head must
notify the Responsible Minister forthwith of the use/disclosure.
Report to Commissioner
s.34 FIPPA / s.26 MFIPPA
The head is responsible for providing the Commissioner with an annual
report that sets out the following:
- the number of access requests received;
- the number of requests refused, the provisions of the Act relied
upon for refusal and the number of times each provision was invoked;
- for each provision of the Act, the number of appeals commenced;
- the number of times personal information was used or disclosed for a
purpose which is not included in the statements of uses and purposes
set forth under s.45(d) and (e) FIPPA / s.34 (1)(d) and (e) MFIPPA;
- the amount of fees collected under s.57 FIPPA / s.45 MFIPPA; and
- any other information indicating an effort by the institution to put
into practice the purposes of the Act.
The IPC will forward the instructions and forms for completing this
report to institutions.
Responsible Minister
s.2, 3, 31, 32, 35, 39(2), 45 FIPPA / s.2, 23, 24, 29(2), 47 MFIPPA
O.Reg.460 / O.Reg.823
The Lieutenant Governor in Council may by order designate a minister of
the Crown to be the Responsible Minister. The Responsible Minister
administers FIPPA/MFIPPA.
The Responsible Minister is required to:
- publish the Directory of Institutions, a compilation listing all
institutions, including information on where requests can be made and
whether institutions have a library or reading room available to the
public and if so, its address.
- publish annually a Directory of Records, an indexed listing of
general records and personal information banks for FIPPA institutions.
The Responsible Minister also prepares training packages and other
products including this Manual, to support the proper administration of
FIPPA/MFIPPA.
The Lieutenant Governor in Council may make regulations about such matters
as: procedures for access to original records or personal information,
forms and standards or safeguards for the security and confidentiality of
records and personal information under the control of institutions. The
regulations are prepared by the Responsible Minister.
The approval of the Responsible Minister is usually required before a head
may forgo the legal requirement to notify the affected individual when
collecting their personal information. This approval document is called a
waiver of notice.
Documents Available to the Public in
Accessible Locations
s.33, 35 FIPPA
The head of an institution covered by FIPPA and the Responsible
Minister must work together to fulfill their responsibilities under the
Act. Cooperation is particularly necessary in making documents and records
accessible to the public.
The Responsible Minister must make available to the public generally and
in the reading room, library or office designated by each institution
covered by FIPPA, the following materials:
The head of a FIPPA institution must make available to the public in
the institution's reading room or designated office:
- the manuals, directives or guidelines prepared by the institution
which are issued to its officers and contain interpretations of the
provisions of the enactment or scheme administered by the institution;
- the instructions and guidelines for officers of the institution in
the procedures, methods or objectives in administering or enforcing
the provisions of any enactment or scheme administered by the
institution that affects the public; and
- the annual report to the Commissioner.
The manuals, directives or guidelines that must be made available are
those prepared and used by the institution's staff to determine the
eligibility of an individual for a program, changes in status or the
imposition of new conditions affecting an individual in a program, or the
imposition of obligations or liabilities on an individual under a program.
The requirement to make administrative instructions and guidelines
available to the public covers virtually every aspect of procedures,
methods or objectives of any program affecting the public.
Manuals and other materials relating only to the internal operation and
administration of the institution and not affecting the public, need not
be included. This covers instruction manuals for operating equipment or
procedures to follow when ordering office supplies.
Guidelines and manuals of administration are subject to the same
exemptions as other government records. Portions can be severed if they
are exempt from disclosure under FIPPA. Any deletion must include a
statement that a deletion has been made, the nature of the information
deleted and the provision of the Act authorizing the deletion.
For example:
A manual that deals with security precautions or protections for a
building that is open to the general public (such as a jail or a
laboratory) may have some sections or paragraphs severed for many
legitimate reasons.
Other materials not required by the Act that might be helpful in a reading
room include:
- record retention schedules;
- listings of publications in the institution's custody.
Freedom of Information and Privacy
Coordinator
Each institution should designate an individual to coordinate freedom
of information and privacy activities. This is an important function that
assists the institution in meeting its statutory obligations.
The coordinating responsibilities will vary depending on an
institution's size, mandate and organization. The function may be a
full-time responsibility or a part-time responsibility, assigned to an
employee with related duties. The Coordinator's responsibilities may
include:
- developing and monitoring procedures for administering the Act,
including tracking requests, statistical reporting and ensuring
adherence to legislative requirements;
- developing policy recommendations on issues related to the
legislation;
- staff training and orientation;
- consulting with line and senior management and legal advisors on
interpreting and administering the legislation;
- collecting information for the institution's entry in the Directory
of Records or for the General Classes of Records and Personal
Information Bank indexes;
- liaising with the Corporate Freedom of Information and Privacy
Office, the IPC and other institutions and central agencies;
- making decisions on requests under the Act (on the delegated
authority of the head);
- providing consultation and support related to the Act for any
agencies related to the institution; and
- designing measures to ensure the privacy requirements of the Act are
honoured.
Records Management
Improvement in records management systems throughout institutions is
one of the major long-term benefits of the Act. The public has a right to expect
that each institution knows what records are in its custody or control and
where they are located so they can be retrieved.
The IPC has stressed the need for institutions to develop and maintain
up-to-date retention schedules. Search time is reduced significantly if an
institution can determine that a record has been destroyed by consulting a
records destruction certificate or other such document. Lengthy searches
need not be conducted to determine if a record still exists.
Please see the Access
chapter (Chapter 3) for further discussion of records management
related topics such as custody and control of records, including political
and other elected officials' records.
Accountability
An important first step in managing an institution's records is to
assign responsibility and accountability for the security of the
institution's records. This assignment of responsibility and
accountability will vary, depending on size and complexity of the
institution. Usually, the manager with direct operational responsibility
for a program would be assigned responsibility for safeguarding the
records generated by that program.
In larger institutions, an internal auditor or other official could
coordinate security matters throughout the organization and provide
technical support to individual managers. Smaller organizations may wish
to assign responsibility for records security to the chief administrative
officer or other responsible position.
However an institution assigns responsibility, this assignment should
be documented, and appropriate training and awareness should be provided
to staff.
Security and Confidentiality of Records
s.60 FIPPA / s.47 MFIPPA
s.3 O.Reg.460 FIPPA / s.3 O.Reg 823
Regulations can be made setting standards for and requiring
administrative, technical and physical safeguards to ensure the security
and confidentiality of records and personal information under the control
of institutions.
O.Reg.460/823, s.3 requires measures to prevent unauthorized access to an
institution's records and to protect against inadvertent destruction of
records. The regulations are intended to apply to access and security
considerations in the day-to-day administration of an institution's
records, rather than access to records in response to requests under FIPPA/MFIPPA.
The head of an institution shall ensure that only those individuals who
need a record for the performance of their duties shall have access to it.
In most cases, the institution would determine which staff need to have
access to a particular class or series of records in the performance of
duties, and take steps to ensure that access is limited to those persons.
If records are inadvertently destroyed before their proper disposal date,
as specified on a retention schedule, requesters are deprived of their
right of access to those records. The head must therefore take all
reasonable steps to protect the institution's records from accidental
destruction.
In determining what are reasonable steps, the head should consider all
relevant factors, including:
- the media of the record (protective measures appropriate for paper
records, for instance, may not be appropriate for other media);
- whether copies of the record exist;
- whether the original copy of the record is inherently valuable (such
as archival records or signature documents);
- how vital the record is to the functions of the institution;
- the cost of replacing or recreating the record; and
- the cost of available protective measures.
Although measures to protect records from inadvertent destruction will
vary among institutions, some common steps that might be considered
include:
- making regular back-up copies (disks, photocopies, microfilm), with
a copy stored at a site separate from the original or working copy;
- using fire-resistant file cabinets;
- locating record storage/computer operations away from areas where
fire or water damage is more likely to occur (for instance away from
exposed pipes);
- raising records and records-producing equipment off the floor to
prevent flood damage;
- installing smoke detectors and fire-extinguishing equipment (it
should be noted that some automatic fire extinguishing systems such as
water sprinklers, may themselves pose a hazard to records and
computers); and
- ensuring that storage facilities and maintenance practices are
appropriate to the record's media (magnetic media, for instance, are
especially vulnerable to inadvertent destruction or damage through
improper storage). Similarly, because magnetic media are often tied to a
particular operating system and set of hardware, data stored on those
media may not be usable if the operating system or hardware is no
longer available.
As with other measures, the institution should document steps to ensure
against inadvertent records destruction.
Determining Security Requirements
Before establishing measures protecting records from unauthorized
access, an institution should determine the degree to which access to its
records should be controlled. Although it may be necessary to determine
appropriate levels of access to individual documents or files, usually
this determination would be on the basis of record series. When
considering access controls for record series, the level of security
should be appropriate for the most sensitive information in the series.
All relevant factors should be taken into account in determining whether
access to records should be controlled, and the scope and extent of those
controls, including:
- whether or not exemptions are likely to apply to the records;
- the nature of the exemptions (mandatory or discretionary) which may
apply;
- the circumstances under which the records were supplied to or
created by the institution;
- possible harms which may result from unauthorized access;
- the need to protect the records from tampering; and
- the need to protect unique or original records.
Security Measures
In identifying security measures, the head should balance the cost and
complexity of such measures against the possible harms resulting from
unauthorized access. Security measures should be appropriate to the nature
of the record and to the level of security required.
For paper records, security measures can include:
- clean desk policies, where desks are locked when unattended;
- locking filing cabinets, which are locked when unattended, and where
key distribution is limited and documented;
- central file stations, with log-in and log-out procedures for files,
accompanied by restriction on the making of copies;
- locked file room with access controlled by file room staff;
- coded file labels, labels using numeric or alpha-numeric codes
rather than descriptive texts;
- inclusion of security provisions in contracts with outside suppliers
of records storage and disposal services;
- record distribution/circulation policies which limit the production
and circulation of records to staff on a need-to-know basis; and
- policies and procedures for using facsimile machines, including
policies on types of information which should not be faxed, staff
access to and physical placement of the fax machine. Checking
procedures such as ensuring that the document is being sent to the
correct number prior to sending documents should also be developed.
The IPC has prepared guidelines on the use of facsimile machines which
may be consulted.
Information Technology Security
For FIPPA institutions, Management Board of Cabinet has approved the
"Information Technology Security Directive". The purpose of this
directive is:
- To ensure that ministries and agencies safeguard confidential
information as well as the integrity and availability of data while it
is created, entered, processed, communicated, transported,
disseminated, stored or disposed of through information technology.
- To promote and maintain among ministry and agency staff an awareness
of the security requirements of information technology resources.
- To define the responsibilities and mandatory requirements for
developing, implementing and managing security measures for
information technology resources.
This directive applies to all ministries and all Schedule 1 agencies
unless exempted in a Memorandum of Understanding.
This directive applies to:
1. Ministry and agency information in electronic form;
2. All ministry and agency information in paper form or otherwise not in
electronic form, when such information is under the operational control of a
provider of information technology services.
Note: A guideline entitled "Information Technology Security: A
Manager's Guide" has also been published to assist in putting the
directive into practice.
Factors for all institutions to consider in determining whether access to
records should be controlled, and the scope and extent of those controls,
include:
- positioning terminals in such a manner that passers-by cannot read
information displayed on screen;
- password protection for computer hardware, with policies in place
governing the assignment, use and deletion of user identifications and
passwords;
- encryption of transmitted data or developing guidelines for
transmitting confidential information, for example, guidelines for the
use of electronic mail;
- tracking systems which monitor the use of data, and which identify
the system user; and
- inclusion of security provisions in contracts with outside suppliers
of information technology services.
Routine Disclosure/Active Dissemination (RD/AD)
RD/AD are separate concepts but are both ways of providing greater
access to government information. Routine disclosure occurs when a request
for a general record can be granted routinely either inside or outside of
the formal access process prescribed by FIPPA or MFIPPA. Active
dissemination occurs when information or records are periodically released
(without any request) pursuant to a specific strategy for release of
information.
RD/AD can be an important part of an institution's commitment to easier,
faster and more cost-effective access to records. While not specifically
mandated in FIPPA/MFIPPA, s.63(1) FIPPA / s.50(1) MFIPPA provide for the
disclosure of information outside of the formal access process - for
example, through oral requests or in the absence of requests.
The IPC and MBS jointly published 2 papers that provide advice and
examples on enhancing access to government information through the
employment of RD/AD practices. These publications are available through
the IPC.