Privacy Law and Policy Reporter
|
|
Home
| Databases
| WorldLII
| Search
| Feedback
Privacy Law and Policy Reporter |
|
Graham Greenleaf
‘Reporting privacy complaints Pt 1: ,a proposal for systemic reporting of complaints in Asia-Pacific jurisdictions’ appeared in (2002) 9(3) PLPR 41, while ‘Reporting privacy complaints Pt 2: complaint reporting practices of Asia-Pacific Privacy Commissioners’ appeared in (2002) 9(4) PLPR 74. ,This is the final part of this article.
Until 2001 the (Federal) Privacy Commissioner of Canada administered only the Privacy Act covering Federal agencies. Annual Reports up to 1999-2000 contained a small selection of rather journalistic renditions of complaints with few legal details included.[1] Agency respondents were named in complaint summaries and, in a list of ‘Top Ten Departments by Complaints Received’.[2] Details of the progress of cases about the Commissioner and the Privacy Act were also provided.[3] The Commissioner’s website provided no additional information about complaint resolution, and so any information about complaints or cases could only be found (by those who knew how to look for it) in rather erratically presented successive annual reports.[4] However, all annual reports are available in some form back to 1983-84.
Since 2001, under a new Commissioner and covering an additional Act affecting the private sector (the Personal Information Protection and Electronic Documents Act 2000 (PIPEDA)), substantial improvements have been made to both the print and website information about complaint resolution. Many good aspects of the Canadian Federal approach pre-date the 2000-01 Report, but the comments below are based on what is contained in that Report and the current website.
From June 2001 the website has now added the Privacy Commissioner’s findings on complaints[5] made under both federal privacy laws, published in advance of their inclusion in any annual report. Postings appear to be made every few weeks, on average, so it is quite up to date. This method of complaint reporting will make the complaint summaries in the annual report increasingly less relevant, except that the most important complaints will presumably be spot-lit in that way, and the annual reports reach a different audience than the website.
The Commissioner has formalised definitions explaining the meaning of complaint outcomes under the PIPEDA[6] (Not well-founded/Well-founded/ Resolved/Discontinued), and under the Privacy Act[7] (Not well-founded/Well-founded/Well-founded + Resolved/ Resolved/Settled/ Discontinued). This ,is very useful and provides a degree of consistency in reporting outcomes that is often lacking in other jurisdictions, in relation to both complaint reporting and complaint statistics.
The website complaint reporting has the following features.
One major potential improvement to the reporting of PIPEDA complaints (and to Privacy Act complaints when they start to be systematically reported) would be the addition of a proper citation to each complaint so that it can be referred to briefly and unambiguously. At present, the only possible citation of a PIPEDA casenote would be something like ‘Couple objects to agency’s delayed response to requests for credit histories (July 3, 2002)’. (A suggested citation system was outlined in Pt 1 of this article; see (2002) 9(3) 41 at 47.)
The HTML version of the first Annual Report (2000-01) of the new Commissioner also contains much more accessible details of complaints reported there, due to better quality HTML markup.
The Commissioner’s annual reports have for many years included an ‘In the Courts’ section,[8] which include brief details of cases before the courts under the Privacy Act and is now being extended to include PIPEDA cases. These cases are before various courts, and include appeals to the Federal Court under ss 41 and 42 of the Privacy Act concerning refusal of access to personal information. The summaries provided are very useful, and it is commendable that the Commissioner provides them.
One problem is that the cases are referred to only by name (that is, Privacy Commissioner v Canada Labour Relations Board) with no indication of where they are reported ,in print or on the World Wide Web. It should be possible to provide citations and/or URLs for all cases. and this would increase the utility of these summaries a great deal.
The Commissioner’s website does not make it clear from its table of contents that it contains information about such court decisions, although they are in fact available as part of the annual report. This defect would be easy to remedy (at least annually) simply by providing hypertext links to the relevant parts of the HTML version of the annual reports. It would be even better if an ongoing index of court decisions could be maintained online, in advance of each annual report.
Ontario’s Freedom of Information and Protection of Privacy Act 1990 (and the corresponding Act for municipal authorities)[9] covers freedom of information and also includes (in ,‘Pt III — Protection of Individual Privacy’)[10] a full set of IPPs. Individuals have enforceable rights of access and correction of their personal records, ,and can appeal to the Information and Privacy Commissioner against Ontario agencies in order to enforce such ,rights. In relation to other IPPs (use, disclosure, security and so on) the Commissioner may investigate but may only mediate, and individuals do not have any right to seek enforcement of the IPPs by other bodies.
The reporting practices of Ontario’s Commissioner are therefore primarily relevant as examples of reporting mediated complaints (or more accurately, where mediation fails — ,see below), not determined complaints (except in relation to access and correction). The Commissioner’s website provides online copies of orders, privacy complaint reports and judicial reviews.[11] It can be seen from the Privacy Complaint Reports listed under ss 37-53 of the Provincial Section Index[12] that the Commissioner has published reports since 1988 on more than 200 IPP complaints, excluding ,the hundreds of ‘refusal of access’ complaints under s 49. This is therefore one of the largest sources of reports ,of mediated complaints in the region.
An investigation report by the Commissioner’s Office, although it can only result in a recommendation by the Commissioner to the agency concerned to comply with one of the IPPs, nevertheless gives full details of the relevant facts, and all legal reasoning involved, with references to the relevant sections of the Act and any other legislation. It is a fully reasoned decision, little different from what it would be if the Commissioner had statutory power to enforce the recommendation.
In a number of high profile investigations, special reports have been published.[13] Extensive statistics on privacy complaints, and details of judicial reviews, are also included in ,the annual report.[14] The provincial government office responsible for freedom of information and privacy also provides access to the Commissioner’s published privacy reports.[15]
The ‘What’s New’ page[16] of the website lists ‘orders and privacy complaint reports issued this week’ (and the previous week), so the site is clearly updated frequently. A minor drawback is that is not possible to see a list of matters decided in chronological order beyond these two weeks.
The Commissioner does not publish on the World Wide Web details of all IPP complaints investigated, but only those which result in a recommendation being made to an agency (a ‘privacy complaint report’).[17] Complaints that are dismissed or are settled during investigation are not reported in this way. There is a danger in this practice, in that significant interpretations of the Act may not come to public notice if they are hidden in settled or dismissed complaints.
The Ontario Commissioner therefore has a high quality system for reporting complaints where mediation has not resulted in settlement, but not for reporting the outcomes of other significant complaints.
The Commissioner’s policy is that ‘[t]he final privacy complaint reports for unresolved files will include the name of the institution and be made available to the public on the IPC website, unless the privacy of the complainant might be compromised’.[18]
The Ontario Commissioner’s reports on IPP complaints include a numerical form of citation, examples of which are:
The brief numerical form of citation (‘PC-980049-1’, ‘I94-084P’) is the basis of the sophisticated complaint indexing by the Commissioner’s office.
The Commissioner’s website tracks any judicial review of privacy complaint reports,[19] but to date there have only been two such applications and both were abandoned.
There are also tables indicating progress and outcomes of judicial review of the Commissioner’s orders ,in freedom of information matters (including access to and correction of personal information),[20] which give citations to the resulting court decisions where available. The outcome of the review is stated (for example, ‘Institution’s appeal allowed by Court of Appeal August 8, 2001; IPC application for leave to appeal to the Supreme Court of Canada dismissed June 13, 2002’), but no summaries of the Court proceedings are available, since no court actions have yet transpired.[21] Links to World Wide Web reports of cases are not provided yet but will be soon.[22]
British Columbia’s Freedom of Information and Protection of Privacy Act 1996 is similar to that in Ontario for the purposes of this article. Part 3, ‘Protection of Privacy’, contains a set of IPPs (ss 26-36). The Information and Privacy Commissioner is authorised ,to investigate such breaches, and to attempt to mediate (s 42).
The Commissioner has authority ,to conduct investigations (following complaints or on own motion) into any alleged privacy breach by public bodies regarding collection, use or disclosure ,of personal information (that is, ‘IPP complaints’). The Commissioner states that investigation reports include ‘outcomes of investigations that are ,of significant public interest, or which could provide guidance to public bodies in order to prevent similar violations’. There have only been 17 such reports since 1994.[23] Another form of IPP report is under s 42, where the Commissioner has ‘power to authorise ,a public body to indirectly collect personal information about an individual’, but there has only been ,one such report.[24]
The website of the Information ,and Privacy Commissioner provides detailed reporting of orders and other decisions[25] (that is, FOI matters including access to and correction of personal records). An index of decisions by sections of the Act is provided,[26] and it lists about 40 decisions under Pt 3 of the Act.
The British Columbia Commissioner also has a very useful email subscription service for Commissioner’s reports, where the full text of reports are mailed to subscribers.
The Information and Privacy Commissioner of Alberta[27] has powers under s 69(1) of the Freedom of Information and Protection of Privacy Act 1994 (FIOP Act) and s 77(1) of the Health Information Act 2001 (HIA) ,to conduct an inquiry if a matter can-not be settled through mediation or investigation, and to dispose of inquiry issues by making a formal order ,(s 72(1) FIOP Act and s 80(1) of the HIA).
The Commissioner’s website provides the full text of all orders since 1996 (with summaries included in each order), investigation reports (IRs) since the Commissioner started making them in 1998, and external investigator reports (as yet there are only two). ,All are searchable by keywords or Order/IR number.
Judicial reviews of the Commissioner’s decisions are listed on the Commissioner’s website, but without a direct hypertext link to the text of each decision. However, a link is given to ,the front of the separate ‘Freedom of Information and Protection of Privacy’ website of the Alberta Government,[28] where the full text of the decisions by the Court of Queen’s Bench can be found.[29] There seems little reason why direct links could not be provided to these decisions from the Commissioner’s own site.
The Alberta Government site also contains both summaries and the full texts of all of the Commissioner’s orders, IRs and so on, and provides a more sophisticated search engine than that provided by the Commissioner’s own site. The Alberta Government website is therefore an example of (free access) secondary publication of the Commissioner’s decisions. Alberta residents seem to be well served by ,a choice of free access mechanisms ,to assist them to understand the operation of the province’s freedom ,of information and privacy laws.
Québec’s Commission d’Accès à l’information (CAI) has responsibilities in relation to both freedom of information and privacy disputes. Individuals have a right of recourse (appeal) to the CAI, called a ‘request for review’ (public sector) or an ‘application for examination of a disagreement’ (private sector).[31] The CAI resolves such disputes by mediation in more than half of all cases.[32] No details of such mediated complaints appear on the CAI’s website, and the discussion below relates only to ‘determined’ (adjudicated) complaints where the CAI makes an enforceable decision.
The CAI publishes a yearly digest entitled: ‘Décisions de la Commission d’accès à l’information’[33] which contains summaries of about 100 recent decisions by the CAI and by judicial tribunals. Prior to their appearance in the annual digest, the summaries appear quarterly in the journal, l’Accès à l’information Express. The annual digest also contains ‘a table of the names of the parties, a table of cited legislation, a table of cited cases, a table of cited doctrine, a classification plan, ,a table of interpretation (interpreted terms and laws), a table of correlation with l’Accès à l’information Express and a table of follow-ups’.[34] Appeals against CAI decisions (and their result ,if known) are also noted. CAI recommends that decisions in its ,digest be cited in the form ‘title , [2001] C.A.I. 134’.
For paid access, the case summaries are also available weekly, and with all summaries searchable back to 1986, ,in the database AZIMUT Judicial documentation online, in the RÉSUMÉS SOQUIJ database.[35] The full text of all CAI decisions (published or not) since 1993 are also available in the ‘service de texte integral’ (the full text service) of SOQUIJ. The SOQUIJ databases also contain the texts of the judicial decisions of appeals against CAI decisions. A CD-ROM Accès à l’information et protection des renseignements personnels, contains, among other things, the CAI summaries to 1997 and full text decisions 1992-97.
For free access, the CAI publishes the full text of some of its decisions on its website,[36] but not all decisions (full access is only available from SOQUIJ), and not the decisions of appellate judicial bodies. Only decisions made in the past 12 months are included on the CAI’s website — the rest, back to 1986, are only available from SOQUIJ. A search engine is provided. The decisions that are published are detailed statements of the facts and legal reasoning involved. No formal method of citation is given for the decisions ,on the CAI website. The CanLII[37] free access service does not include either decisions of the CAI, or appeals against its decisions.[38]
It appears therefore that free access ,to privacy decisions in Québec is considerably inferior to paid access, and would provide only limited assistance to anyone wishing to understand Québec’s privacy laws. This is in contrast with the generally high quality of free access in other Canadian jurisdictions.
The Manitoba Ombudsman has ,an Access and Privacy Division[39] ‘responsible for investigating complaints and reviewing compliance with access to information and protection of privacy rights under the Freedom of Information and Protection of Privacy Act (FIPPA) and the Personal Health Information Act (PHIA)’.[40] The Ombudsman’s website does not include formal reporting of dispute resolutions, but does include some press releases relating to particular disputes, and links to decisions by Manitoba courts.[41] ,In relation to disputes under the Manitoba’s PHIA, these press releases are quite detailed and accompanied by a background paper, and could easily be presented as formal reports of complaint resolutions.
Other Canadian jurisdictions have not been reviewed for this article.
Asia-Pacific Commissioners are ,not alone in needing to improve their reporting practices.
For example, the Commissioner in ,the largest English speaking country ,in Europe,[42] the UK Information Commissioner (formerly Data Protection Registrar), is starting to provide via her website[43] decisions by the Data Protection Tribunal (under ‘Guidance and Other Publications’ — only one decision is available as yet), but not any details of complaint determinations (or ‘assessments’ as they are now called). The Commissioner’s latest annual report[44] indicates that her office receives about 10,000 complaints annually, and about 5 per cent of these result in ‘verified assessments suggesting compliance unlikely’ (this is the closest the Commissioner gets to finding a breach of the Act).[45]
However, of these 500 annual ‘substantiated’ breaches, neither the annual report nor the website provide one useful summary. The annual report is populated with ‘soundbite’ size ‘case studies’ of less than 100 words. But these are too short to give anyone who is serious about understanding privacy law any useful information, particularly as they contain no references to relevant provisions of the Act. Many ,of the ‘case studies’ are headed ‘Convicted’, and the report indicates that there were 66 prosecutions resulting in 33 convictions during ,the year. However, there is no list ,or summary to be found of these obviously serious breaches of the Act. In contrast, 12 pages of the report are given over to extracts from recent developments in case law on the common law of privacy. This is very useful because such cases do affect the interpretation and administration of ,the Act, particularly in the context of European human rights law, and are the third category of case law that I suggest Commissioners should publicise. However, it indicates an unusual sense of priorities in relation ,to the near total absence of complaints and cases resolved under the Act and illustrating its day by day practical interpretation.
There does not seem to be any comprehensive reviews of the reporting practices of European Commissioners,[46] so it is difficult to make any general comparisions between European and Asia-Pacific practices. The review in ,this article is intended to provide a start for comparative studies of complaint reporting practices in one part of the world, but a global comparison, and development of global standards of good practice, is needed.
Graham Greenleaf, General Editor.
[1] Twelve in 1998-99 — see <www.privcom.gc.ca/information/ar/02_04_06_e.asp#005>.
[2] For 1998-99, see <www.privcom.gc.ca/information/ar/02_04_06_e.asp#,007>.
[3] For 1999-2000, see <www.privcom.gc.ca/information/ar/02_04_06_e.asp#,007>.
[4] I assume the annual reports ,were then on the website. They were erratically presented; for example, the 1999-2000 report had no internal navigation whereas earlier ones at ,least had some.
[5] See <www.privcom.gc.ca/cf-dc/index_e.asp>.
[6] See <www.privcom.gc.ca/cf-dc/def_e.asp>.
[7] See <www.privcom.gc.ca/cf-dc/def2_e.asp>.
[8] For 2000-01 see <www.privcom.gc.ca/information/ar/02_04_09_01_e.asp#031>.
[9] See <www.ipc.on.ca/english/acts/acts.htm>.
[10] See <www.ipc.on.ca/english/acts/prov-act.htm#partiii>.
[11] See <www.ipc.on.ca/english/orders/orders.htm>.
[12] See <www.ipc.on.ca/english/orders/p-index.htm> — go to <www.ipc.on.ca/english/orders/p-23-49.htm#s37> and scroll from s 37 to s 53.
[13] See <www.ipc.on.ca/english/pubpres/reports/reports.htm> for examples.
[14] For example, see <www.ipc.on.ca/english/pubpres/ann_reps/ar-01/ar-01e.htm#privacy>.
[15] See search provided by Management Board Secretariat at <www.gov.on.ca/MBS/english/fip/privacy.html>.
[16] See <www.ipc.on.ca/english/whatsnew/whatsnew.htm>.
[17] See <www.ipc.on.ca/english/our_role/how/cmpcht-e.htm>.
[18] See <www.ipc.on.ca/english/our_role/how/complain.htm>.
[19] See <www.ipc.on.ca/english/orders/jud-rev/jr-cr.htm>.
[20] See <www.ipc.on.ca/english/orders/orders.htm>.
[21] Personal communcation from ,the Commissioner’s office.
[22] Above note 21; the texts of FOI judicial reviews have scanned and will be published on the Commissioner’s site, so presumably the same would be done for privacy reviews by courts.
[23] See <www.oipcbc.org/orders/investigation_reports/reports.php>.
[24] See < www.oipcbc.org/orders/section42/>.
[25] See <www.oipcbc.org/orders/>.
[26] See <www.oipcbc.org/legislation/concordance.php> — referred to as a ‘Concordance’.
[27] See <www.oipc.ab.ca/orders/>,for the Commissioner’s website.
[28] See <www3.gov.ab.ca/foip/commissioners_orders/index.cfm>.
[29] See <www3.gov.ab.ca/foip/commissioners_orders/judicial_reviews/index.cfm>.
[30] Professor Karim Benyekhlef of the University of Montreal and his research assistant Nicolas Vermeys have assisted very significantly in obtaining the information on which this section is based, but responsibility for comments remains with the author.
[31] See <www.cai.gouv.qc.ca/eng/droits_en/dro_rec_en.htm> for a brief explanation.
[32] Above note 31.
[33] Nicolas Vermeys has translated the preface to the 2001 edition in order to assist in the preparation of this section.
[34] From the preface, above note 33.
[35] See <www.azimut.soquij.qc.ca>.
[36] See <www.cai.gouv.qc.ca/eng/cai_en/cai_en.htm>.
[37] Canadian Legal Information Institute at <www.canlii.org>.
[38] See <www.canlii.org/qc/index_fr.html> and search for ‘Commission d’Accès à l’information’ (boolean).
[39] See <www.ombudsman.mb.ca/access.htm>.
[40] Above note 39.
[41] See <www.ombudsman.mb.ca/reports.htm>.
[42] Not the only one of course, but this article does not cover Ireland or Jersey, The Isle of Man and so on.
[43] See <www.dataprotection.gov.uk/>.
[44] Information Commissioner Annual Report and Accounts for the year ending 31 March 2002 June 2002.
[45] At pp 75-76.
[46] Bygrave’s review does not indicate that European practices are any more systematic than those in the Asia-Pacific: see Bygrave L ‘Where have all the judges gone? Reflections on judicial involvement in developing data protection law’ Part I (2000) 7(1) PLPR 11 and Part II (2000) 7(2) PLPR 33.
AustLII:
Copyright Policy
|
Disclaimers
|
Privacy Policy
|
Feedback
URL: http://www.austlii.edu.au/au/journals/PrivLawPRpr/2002/47.html