September 26, 2012

Confidentiality and FIPPA: considerations for regulatory bodies as requesters and disclosers of information

Administrative Law
Freedom of Information
Inquiry and Investigations
Professional Regulation

In this blog entry we continue to respond to the numerous questions we received from participants during the Q&A period of our June 7, 2012 Webinar on Privacy and Confidentiality, co-hosted by Lisa Fong and Angela Westmacott. If you missed the webinar, it can be purchased for viewing here.

The questions addressed below are miscellaneous in nature, but involve either the application of BC’s Freedom of Information and Protection of Privacy Act or issues of confidentiality that professional regulatory bodies otherwise face.

As always, the responses we offer highlight considerations that regulatory bodies may want to have in mind when addressing freedom of information requests or issues of confidentiality. However, legal questions as to when disclosure is available, or when freedom of information requests may be refused, are fact specific and likely require contextualized legal advice.

1. What right does a regulator have to request a copy of a confidential agreement that a registrant has entered into with an employer regarding the termination of their employment and which may have relevance to matters under investigation by a college/regulator?

A professional regulatory body may have investigatory powers it can exercise against its registrants without court order, such as the right to inspect the registrant’s practice records and make copies under section 28(1)(b) of the Health Professions Act, R.S.B.C. 1996, c. 183 (the “HPA”). When seeking access to a document in the possession of a third party, however, such as the employer of a registrant, the regulatory body may need to apply to the Supreme Court for an order for production under the authority and the conditions set out in the regulatory body’s enabling statute (for example, s. 29 of the HPA or s. 45 of the Engineers and Geoscientists Act, R.S.B.C. 1996, c. 116 (the “EGA”)). Although an agreement between a registrant and their employer may be subject to confidentiality provisions, such provisions will not be determinative of a court’s decision to order or refuse production, so long as a regulator can demonstrate an agreement’s relevance to a matter under investigation.

2. Are the names of members or delegates on committees of a regulatory body protected under s. 12(3)(b) of the Freedom of Information and Protection of Privacy Act, R.S.B.C. 1996, c. 165 (“FIPPA”)?

Section 12(3)(b) of FIPPA sets out an exemption from disclosure on the basis of deliberative secrecy, but this does not provide justification for the redaction of the names of committee members from disclosure in response to a request for records under section 5 of the Act. Section 12(3)(b) gives a public body discretion to refuse to disclose information to an applicant that would reveal “the substance of a meeting” of its elected officials, its governing body or a committee of its governing body when that meeting takes place in camera (without public access) so long as the public body has legislated authority to hold the meeting in camera. This exemption will not ordinarily justify a public body’s refusal to disclose any information on an in camera meeting that does not disclose the substance of the meeting, such as information on the time and place of the meeting and those who attended.

See Order F05-13; College of Psychologists of British Columbia (Re) [2005] B.C.I.P.C.D. No. 14 at para. 27.

See also Order 00-14; Vancouver (City) Police Board Inquiry (Re) [2000] B.C.I.P.C.D. No. 17 at para. 17.

3. Professional regulatory bodies collect personal and business contact information for their registrants. Third parties may seek this contact information for business purposes through requests under s. 5 of FIPPA, which may require data to be assembled by the regulatory body. Is a regulatory body obliged to assemble this sort of data for third parties?

A regulatory body will be obliged to provide business contact information of its registrants to an applicant under section 5 of FIPPA and may be required to assemble this information in response to such a request. If, however, the information is available publicly by way of a registry kept on the regulatory body’s website, the regulatory body may be able to direct an applicant to this resource rather than assembling the requested data in response to a s. 5 request.

A public body generally should not disclose the personal contact information of its registrants to a third party, especially for the  business purposes of mailing lists or solicitations, as doing so will presumptively constitute an unreasonable invasion of the registrant’s personal privacy under s. 22(3)(j) of FIPPA. On the other hand, business contact information does not constitute personal information for FIPPA purposes (as set out in the definitions of “personal information” and “contact information” in Schedule 1 of FIPPA) and a regulatory body cannot resist disclosure of this form of information on the basis of the personal privacy interests of the registrants.

Likewise, in responding to a request for records under s. 5 of FIPPA, a professional regulatory body has a duty to assist an applicant that may include creating a record for that applicant from electronic records in the custody or control of the regulator. Section 6(2) of FIPPA states that the head of a public body must create a record for an applicant if:

(a)    the record can be created from a machine readable record in the custody or under the control of the public body using its normal computer hardware and software and technical expertise, and

(b)   creating the record would not unreasonably interfere with the operations of the public body.

In its decision set out in Order F11-22 (BC College of Teachers (Re), [2011] B.C.I.P.C.D. No. 28), the BC Information and Privacy Commissioner considered a request from a journalist to the former BC College of Teachers for a spreadsheet listing the names of all registered teachers under that body, as well as the current certificate status and current practicing status of these teachers. The College sought to resist this application on the basis the information requested was already available to the public through its online database. However, the fact that the public needed to know the name of a teacher before information on their certificate and practicing status could be obtained was sufficient for a finding that the College did have an obligation to produce a spreadsheet setting out the requested information pursuant to s. 6(2) of FIPPA.

In terms of a request for business contact information under s. 5 of FIPPA, a regulatory body may be able to direct an applicant to publically available information on their website so long as this information is available in a form of database that can be accessed alphabetically without first knowing the name of the registrant. Notably, however, most regulatory bodies require a specific name to be searched before any business contact information is available, and in these circumstances a regulatory body may still need to collect and assemble the requested data for an applicant, as was the case in Order F11-22. The regulatory body can require a reasonable fee from the applicant for the purposes of preparing the record for disclosure, inter alia, pursuant to section 75 of FIPPA.

4. If we collect data on our registrants for a risk assessment system (e.g. complaints from the public and other compliance information) and then use this data to determine whether to conduct an audit – are we protected under section 15 from requests to disclose risk assessment info?

It is unlikely that the risk assessment data of a regulatory body can be protected from disclosure under FIPPA on the basis of section 15 of the Act, although this data may be protected under other sections of the Act such as section 22 which protects the personal privacy of third parties.

Section 15 of FIPPA provides discretion for the head of a public body to refuse disclosure of information requested under section 5 where disclosure could reasonably be expected to, inter alia, harm a law enforcement matter (s. 15(1)(a)) or harm the effectiveness of investigative techniques and procedures currently used, or likely to be used, in law enforcement (s. 15(1)(c)). FIPPA and past decisions of the BC Information and Privacy Commissioner are clear that a regulatory body’s investigative activities qualify as “law enforcement” since they can result in sanctions or penalties, and section 15 is frequently invoked by regulatory bodies in order to refuse to disclose information to an applicant. However, practice audit activities will not fall within this definition in Schedule 1 of the Act unless they can lead to a penalty or sanction. Furthermore, you will be hard pressed to find a single example of a professional regulatory body that has been successful in relying on this section to resist disclosure.

Section 15(1)(a) can only be relied on with respect to an investigation or disciplinary proceeding that is ongoing or “in reasonable prospect” (see Order No. 00-08; College of Physicians and Surgeons of British Columbia (Re:), [2000] B.C.I.P.C.D. No. 8 at para. 163). Section 15(1)(c) is limited in its application to protect the actual techniques and procedures used for investigation and not the information generated by these techniques except where disclosure will reveal the techniques or procedures (see Order F05-18, College of Psychologists of British Columbia (Re:), [2005] B.C.I.P.C.D. No. 26 at para. 21). Also notable is the principle that section 15(1)(c) cannot be invoked to protect common or publicly known investigative techniques (see, for example, Order 116-1996, College of Physicians and Surgeons of British Columbia (Re:), [1996] B.C.I.P.C.D. No. 43 at paras. 27-28). Disclosure of data collected as part of a risk assessment system, such as complaints from the public and compliance information, cannot be resisted on the basis of this section unless disclosure of the data will reveal the nature of the risk assessment system itself and the nature of that system is secret and revealing it may reasonably be expected to harm its effectiveness.

Without leaving the parameters of the question asked, it is worth noting in brief that section 22 of FIPPA may be relied upon to protect the personal privacy of third parties. Requests for risk assessment data such as complaints from the public and compliance information may be possible to resist on the basis of the personal privacy rights of complainants or a registrant, depending on who is making the request under section 5.

5. How broad are ‘public interest’ or ‘public duty’ exceptions in confidentiality provisions in governing statues?

The duties of confidentiality that apply to professional regulatory bodies may have exceptions for disclosures made in the public interest or pursuant to a public duty. Although there is little case law on the scope of these exceptions, a regulatory body may determine whether or not a particular disclosure is appropriate by assessing the public interest in such a disclosure, with a view to its objects and duties and its enabling legislation.

The enabling statutes for most professional regulatory bodies have a provision explicitly setting out the duty of confidentiality that applies to all information that comes to a person’s knowledge acting under that enabling statute. See, for example, section 53 of the HPA, section 46 of the EGA, or section 22 of the Accountants (Chartered) Act, R.S.B.C. 1996, c. 3. These broad statutory duties of confidentiality also tend to contain public interests exceptions. For example, s. 53(1)(b) of the HPA allows for  disclosure of otherwise confidential information where such disclosure is “authorized as being in the public interest by the board…” (s. 53(1)(b) of the HPA), and s. 46(1) of the EGA allows for disclosure where “public duty requires [it]”.

There is little case law to provide guidance on the breadth of these exceptions. With respect to section 53 of the HPA, there is no jurisprudence to date. For other bodies, in Hung v. Gardiner, 2002 BCSC 1234, the Institute of Chartered Accountants of BC relied on the “public duty” exception set out in s. 22 of their enabling statute to justify disclosure of confidential information to other regulatory bodies with jurisdiction over the same individual. The BC Supreme Court expressed its inclination to accept this position, but ultimately found an answer to be unnecessary as the issue was otherwise resolved in the Institute’s favour (para. 105).

The issue of whether or not disclosure of confidential information can be made in the public interest or in the exercise of a public duty will require above all an analysis of what constitutes the public interest in any given factual situation. Colleges regulated under BC’s HPA have relied on the “public interest” exception to section 53 in order to bolster publication with respect to investigated or disciplined members beyond the mandatory requirements set out in s. 39.3 of the Act. For example, with board authorization s. 53(1)(b) can be relied upon for publication of criminal convictions against a registrant or for the issuance of a citation against an investigated member. A professional regulatory body’s analysis of whether or not a particular disclosure is in the public interest should canvass the duty and objects for that regulatory body and whether the proposed action furthers them.

Missed your question? We believe we have now answered everyone’s questions from the webinar. But if we’ve accidentally missed your question, please email us here and we will respond to you directly.