Presentation to the Union of Municipalities of New Brunswick 2013 Annual Conference Fredericton, NB – October 4, 2013.

▪ On September 1, 2010, a new law regarding access to information and protection of privacy came into effect: Right to Information and Protection of Privacy Act
  ◦ Designed for the public sector
  ◦ Promotes spirit of openness and transparency
  ◦ Grants right to request information relating to the public business of a public body
  ◦ Grants right to request one’s personal information
  ◦ Obligates public bodies to protect private information at all times
  ◦ Act “Came to Town” on September 1, 2012

◦ Also created on September 1, 2010
◦ Independent of government
◦ Commissioner: Officer of Legislative Assembly
◦ Impartial oversight body to ensure compliance with Right to Information and Protection of Privacy Act (as well as Personal Health Information Privacy and Access Act)

▪ Interprets the Act
▪ Informs the public of its rights
▪ Promotes openness and transparency
▪ Provides guidance on how best to apply the new rules
▪ Ensures compliance with the Act

▪ Receives:
  ◦ General inquiries about the Act
  ◦ Complaints regarding responses to requests for access to information
  ◦ Notification of privacy concerns or breaches of the Act (the handling of personal information found in records during its collection, use, disclosure, retention, or destruction)
▪ Investigates and Resolves:
  ◦ Complaints informally if at all possible
▪ Publishes:
  ◦ Reports of Findings after investigations (when required)

RIGHT OF ACCESS
Governed by rules found in Part 2
Request to access records that contain private information

PROTECTION OF PRIVACY
Governed by rules found in Part 3
Protects private information at all times

RIGHT OF ACCESS
Only rules for protection of private information found under Part 2 can be considered in exceptions to disclosure

PROTECTION OF PRIVACY
Rules under Part 3 are applied by public bodies to protect private information on a regular basis – not for requests

▪ Personal information − protected based on unreasonable invasion of privacy
▪ Business information − protected based on may cause harm to business
  ◦ Both types may still be subject to access (Subsections 21(3) & 22(3))
    − Because disclosure deemed not unreasonable invasion of privacy nor to cause harm
  ◦ Example: personal information about an officer or employee of a public body deemed subject to disclosure:
    ▪ job classification
    ▪ salary range
    ▪ benefits
    ▪ employment responsibilities or
    ▪ travel expenses

▪ If information is protected under another statute, the Act will respect that protection unless there is conflict regarding its disclosure
  ◦ Example: where third party individual or business consents to release of own private information which is otherwise protected by other statute
▪ Public procurement is a good example of such interaction

▪ Appropriate level of confidentiality of business and personal information while promoting transparency and accountability
▪ Rules ensure that the public obtains access only to information it is entitled to receive
▪ Where request made to access bid information after tender is awarded, municipality must ask the bidder for consent to release the bid information
▪ See Guide for Municipalities on Public Procurement and the Act

RIGHT OF ACCESS  Grants public a right to request information contained in records held by public bodies ◦ Key words: access to information rather than access to records  Promotes disclosure of the information, subject to limited and specific exceptions  Imposes on public bodies an obligation to respect that right of access - duty to assist

▪ Codified in section 9 of the Act
▪ Places a positive obligation for public body to assist applicant with the request, without delay, fully and in an open and accurate manner
▪ Encourages public body to contact applicant:
  ◦ Clarifies request where unclear
  ◦ Identifies exact information sought
  ◦ Assists in reducing scope of broad request where possible
  ◦ Ensures applicant receives information to which entitled, satisfactory response

▪ All information regarding the public business of the public body, its activities and functions
  ◦ Found in its records
    ▪ Example: information found in minutes of meetings, reports, decisions made, handwritten notes, correspondence, e-mails of staff and officials, text messages, etc.
▪ Includes information created before the Act came into effect

▪ Process the request from the perspective that favours disclosure
▪ Response should be meaningful
▪ Right of access can only be restricted with specific and limited exceptions
▪ Time limit to respond is 30 days, unless authorized to extend time limit

▪ Two types of exceptions:
  ◦ Mandatory: public body has no choice but to withhold the information requested
  ◦ Discretionary: head of the public body must come to a decision whether or not to disclose the information
    ▪ Based on relevant considerations existing at the time of the request

▪ Examples of Mandatory exceptions to disclosure
  ◦ Information that reveals recommendations to Executive Council
  ◦ Information provided in confidence to a government
  ◦ Information from a harassment or personnel investigation
  ◦ Personal information where head is certain disclosure would be an unreasonable invasion of the individual’s privacy
  ◦ Business or financial interests of a third party where head is certain disclosure might cause harm

▪ Examples of Discretionary exceptions to disclosure
  ◦ Advice or recommendations made to a public body
  ◦ Solicitor-client privilege information
  ◦ Plans not yet implemented
  ◦ Confidential evaluations
  ◦ Information, if released, would be harmful to:
    ▪ governmental relations
    ▪ legal proceedings
    ▪ an individual
    ▪ public safety

▪ For any Discretionary exceptions to disclosure, head of the public body:
  ◦ Must first consider disclosing the information
  ◦ Ask for consent where applicable
  ◦ Must examine any relevant factor regarding the disclosure (or non-disclosure) existing at time of request
  ◦ Only decide to withhold the information where refusing access can be substantiated
▪ Decision of head is reviewable by Commissioner or the courts

Time limit for responding can be extended in two ways:
  ◦ Can self extend up to an additional 30 days if processing request falls within categories described in subsection 11(3)
  ◦ Can apply to Commissioner for an extension of time
    ▪ Public body must establish reasons why more time is needed
    ▪ Commissioner will encourage partial responses in meantime where appropriate

An applicant not satisfied with the response has two options:
▪ Refer the matter to the Court of Queen’s Bench for review (legal application, must file within 30 days)
Or
▪ File a complaint with the Office of the Access to Information and Privacy Commissioner within:
  ▪ 60 days of receiving response, or
  ▪ 120 days from making request if did not receive a response

▪ Commissioner must investigate all complaints
▪ Will first attempt to resolve the matter informally
  ▪ To the satisfaction of both parties
  ▪ In accordance with the Act
  ▪ While providing guidance on application of rules
▪ Have designed interactive complaint resolution process for municipalities
▪ If informal resolution is unsuccessful, formal Report of Findings will be published
  ▪ May contain recommendations

▪ When the Report contains recommendations, the public body must:
  ◦ Comply with the recommendations within 15 days, or
  ◦ Within 15 days, notify applicant and Commissioner of its decision not to accept the recommendations
    ▪ Will trigger applicant’s right of appeal to the courts
▪ When the Report does not contain any recommendation:
  ▪ There is no right of appeal and only recourse is judicial review of Commissioner’s decision

▪ Consider the benefits of making information available to the public on a regular basis
Examples:
  ◦ Agendas,
  ◦ Minutes of meetings,
  ◦ Travel expenses,
  ◦ Range of salaries,
  ◦ Reports and records on how decisions were made,
  ◦ Etc.

▪ Elected officials generate two types of records:
  ◦ Records that will be brought to a public body for further action
    ▪ These records are subject to the Act
  ◦ Constituency records – will not be brought to any public body for further action
    ▪ Not subject
    ▪ Privacy considerations

PROTECTION OF PRIVACY  Public bodies are responsible for protecting the personal information in their possession.  Act establishes rules governing the handling of personal information, including during its ◦ collection, ◦ retention, ◦ use, and ◦ disclosure.

▪ Guiding principles to collect, use and share personal information:
  ONLY THE MINIMUM AMOUNT NECESSARY
  and
  LIMITED TO THOSE WHO NEED TO KNOW TO CARRY OUT THE PURPOSE

▪ When personal information (that identifies a person) is:
  ◦ Lost
  ◦ Stolen
  ◦ Collected, used, shared or disposed of in an unauthorized manner or without consent, or
  ◦ Accessed by an unauthorized person

▪ Lack of attention, errors
  ▪ E-mail sent to incorrect recipient
  ▪ Envelope sent to wrong person with same name
  ▪ Incorrect fax number not verified before sending
▪ Loss or theft of the information
▪ Lack of security safeguards
  ▪ USB keys, portable computers - not password protected
  ▪ Not keeping sensitive records in locked cabinets, storage areas
▪ Unauthorized access or disclosure
  ▪ Sharing personal information outside scope of work duties
  ▪ “Snooping” – intentional violation

▪ Contain the breach
▪ Assess the risk of harm
▪ Notify affected persons
▪ Notify Commissioner’s Office
  ◦ Provided guidance and assistance
  ◦ Mandatory for some – health care providers
▪ Implement corrective measures to prevent future occurrences

▪ THINK before you speak!
▪ CONSIDER before you write!
▪ PAUSE before you click!

Regent Fredericton, NB E3B 7H8 Tel/Tél: Toll-free/Sans frais: Fax/Fac: /Courriel: