People who request access to information need better privacy protection from the federal government

Ottawa, Canada. Photo by Kishore Uthamaraj/ Unsplash

Inadvertent disclosures, the biased treatment of requests and harassment and intimidation are the potential consequences of the current soft rules on handling requests. 

by Matt Malone, Luke Conkin. Originally published on Policy Options
September 17, 2024

In November 2022, Royal Canadian Navy Lieutenant Patrick White told a parliamentary committee studying access to information laws that victims of sexual misconduct and other abuses in the Canadian Armed Forces are often thwarted by the very system that should be helping them seek redress for their suffering.

White explained how victims of misconduct from military personnel are often required to first disclose their own personal information before being able to request records that could help achieve accountability from their alleged abusers.

Legitimate fears of back-tracing and retaliation are common among those who want to file information requests. For those who have endured harrowing experiences that left them feeling vulnerable, being forced to reveal one’s identity and location deters many victims from pursuing the information they need to achieve redress.

This is all the more distressing given that occurrences related to sexual harassment and violence in workplaces within federal jurisdiction and its regulated industrial sectors jumped 62 per cent for the last year for which data are available (from 447 in 2021 to 722 in 2022).

Minor changes, unintended consequences

While this is not a new problem, it illustrates how, in the history of access to information in Canada, minor procedural changes have sometimes been used to gut the core purpose of the law.

For anyone who has never previously filed one of these requests, access to information and privacy (ATIP) coordinators in federal government departments routinely demand that requesters provide personal information. Many institutions even routinely ask citizens to email copies of their passports or require permanent residents send digital copies of their PR cards – hardly a best practice in cybersecurity.

The rationale for demanding this personal information is that it demonstrates the applicant’s right to make a request in the first place. Unlike in the United States, whose Freedom of Information Act allows anyone to make a request regardless of legal status, Canada’s Access to Information Act extends this right only to Canadian citizens and permanent residents.

When personal information is provided to a single ATIP unit, it may well be shared among government officials. Even though the law requires government to “make every reasonable effort to assist the person in connection with the request” and to do so “without regard to the identity of a person making the request,” even the privacy commissioner of Canada has underscored that “[t]here is no specific provision in the Access to Information Act (ATIA) that prohibits ATIP from divulging the name of a requester.”

And, make no mistake, this personal information is often divulged, intentionally or otherwise.

Last year, we saw an access to information request showing members of an ATIP unit referring to the requester, a prominent and well-respected journalist, as a “frequent flyer.” So much for the principle that ATIP teams are supposed to ignore requesters’ identities.

It is also hard to believe that requester identity does not factor into how requests are processed. In 2008 none other than information commissioner of Canada flagged that certain requests were being labelled as “sensitive,” “of interest,” or “amber light” in order to receive “special handling” of the request. The Stephen Harper government defended this practice, saying that the categorization was “based on the content of the records” and not the identity of the requester.

If that were true, why does the government need to know the applicant’s identity in the first place? One answer is that it helps the government anticipate potential embarrassment from a disclosure, and pre-emptively plan how to manage any fallout.

When ATIP becomes a tool for government damage control

In his book Behind the Headlines, Cecil Rosner recounts how in 2008 Canadian Press reporter Jim Bronskill — who has unearthed many news stories by using access to information — filed numerous information requests to the federal government relating to CIA aircraft activity in Canada. It later became clear that Bronskill’s identity as the requester had been shared all the way up to the Prime Minister’s Office of Stephen Harper, which was likely figuring out how to mitigate any bad press that could be fuelled by upcoming revelations.

Damage control efforts are also common on the front end of information requests, where political leaders and/or public servants seek to avoid creating documents in order to avoid accountability.

Chuck Guité, who in the 1990s headed the federal government’s scandal-plagued sponsorship program (and later went to prison for defrauding the government of about $2-million), once acknowledged: “The reason we kept minimum information on the file was in case we have an access to information (request).”

More recently, the information commissioner investigated a February 2023 instance where the comptroller general of Canada was alleged to have cautioned the chief financial officers of federal government institutions at a meeting: “Be careful what you write down. It will find its way through an ATIP.”

Aside from government officials who intentionally share applicants’ personal information with other departments, accidental disclosures are also a concern.

The authors of this article are part of a team that helps maintain the Open by Default database, the largest catalogue of never-before-released ATIP requests in Canada. Government response letters that we receive often inadvertently disclose the personal information of previous requesters, including their home addresses and phone numbers. Likewise, journalists have told us that our information has been carelessly shared with them, too.

Responsive Landing Page Templates

When personal information breaches occur, people can and should report them to the privacy commissioner. Government institutions are actually supposed to do that, but many routinely disregard those obligations — an outcome that is the natural result of a lack of legislation. While there are “soft law” policy instruments intended to stop these practices, requesters cannot use these rules directly to seek compliance.

These concerns are not abstract. As veteran journalist Dean Beeby has noted, information requesters in many other countries — journalists in particular — “have been intimidated or killed because they were outed after filing freedom-of-information requests. Those are extreme examples, but there’s a broad spectrum of roadblocks governments can erect to thwart investigative journalists whose identities are disseminated through the bureaucracy.”

This is why tougher rules to protect requesters’ privacy are necessary, including to offer them anonymity when they want. Apart from deterring vulnerable parties from potential intimidation or harm, anonymity ensures impartiality in the fulfillment of access rights. It reduces costs involved in verifying identities. Binding legislation is long overdue.

This article first appeared on Policy Options and is republished here under a Creative Commons license.

0 Shares