Photo Credit: Getty Images

Frequently Asked Questions – FOIP Act

By: Lorne Randa, Partner; Rebecca Kos, Lawyer; James Work, Lawyer; and Molly Clark, Lawyer

Through our Municipal Helpline service and our Bear Pit question period at our annual Emerging Trends in Municipal Law seminar, we often receive similar questions respecting the Freedom of Information and Protection of Privacy Act (the “FOIP Act”).  In the article, we have taken the opportunity to answer several of these questions.

Click the link below to jump directly to that question:

1. What are a public body’s obligations with respect to third party service providers who are in control of information from the public body and experience a breach?
2. Are infrastructure schematics and similar information subject to an exception under the FOIP Act? Is financial information from a grant funder subject to an exception?
3. When is a councillor authorized to access information that is in the control of the municipality and how should access be given?
4. Can disciplinary information including Code of Conduct records be disclosed through a FOIP request?
5. Are there any other blanket exemptions from the FOIP Act similar to assessment information (MGA1)?
6. Can a municipality send out a newsletter to its ratepayers over email?
7. In the face of a massive FOIP request, is there any limit on requesting a 50% estimated deposit?
8. How should personal information be handled with regards to the public body’s emergency medical response departments? For example, in the case of body-worn cameras.
9. Can a conversation be recorded without the other party’s knowledge, or are you required to inform the other party you are recording?
10. If a member of council accidentally discloses personal information in a public forum, when they are not required to do so, is that a FOIP violation? If so, what are the remedies?
11. When can council convene and go in camera?
12. Can council discuss a draft bylaw in camera?
13. What is the legal position on dealing with ‘frequent flyer’ residents – those who send multiple letters, e-mails and phone calls demanding information on a daily basis. What is the municipality’s responsibility regarding response to the individual?

1. What are a public body’s obligations with respect to third party service providers who are in control of information from the public body and experience a breach?

In the circumstances described, a third party is collecting or using personal information on behalf of the public body and the public body maintains control over the records with the personal information.  As a result, if the third party has a privacy breach, it should be treated as if the public body experienced the breach.

While the FOIP Act includes some provisions that expressly apply to third party service providers, not all provisions of the FOIP Act automatically apply in this manner.  When entering into these types of third party arrangements, the public body should ensure that its contract with the third party services provider has provisions that require the provider to follow the same privacy obligations as the public body and to notify the public body in the event of a breach.  While there is no mandatory breach reporting for public bodies under the FOIP Act, it is often a good idea to voluntarily report privacy breaches, particularly where the information at issue is sensitive personal information.  If you have any questions with respect to a privacy breach, our office can provide privacy coaching (sometime through insurance if you have cyber security coverage and you request Brownlee’s services) and assistance respecting the appropriate steps to be taken.

2. Are infrastructure schematics and similar information subject to an exception under the FOIP Act? Is financial information from a grant funder subject to an exception?

Whether records are exempt from disclosure under the FOIP Act will depend on whether the criteria of one of the exceptions to disclosure in sections 16 to 29 of the FOIP Act have been met.  A line by line examination must be conducted of each record to determine how these exceptions apply.  As such, it is not possible to say with certainty that all of the requested infrastructure information or grant funding records are exempt from disclosure.

In the case of infrastructure information, such as engineering plans or drawings, section 16 of the FOIP Act, which provides that a public body must refuse to disclose information that the disclosure of which would be harmful to the business interests of a third party, may be applicable in certain circumstances – but not always.  However, other infrastructure information, such as Alberta One-Call information, may be publically available and be disclosed in its entirety.

Similarly, with respect to financial information from a grant funder, the specific criteria in the FOIP Act will need to be considered in determining whether the information can be disclosed or not.  Section 16 (disclosure harmful to business interests of a third party) requires certain financial information to not be disclosed if it is supplied explicitly or implicitly in confidence and the disclosure of the information could reasonably be expected to:

• harm significantly the competitive position or interfere significantly with the negotiating position of a third party,
• result in similar information no longer being supplied to the public body when it is in the public interest that similar information continue to be supplied,
• result in undue financial loss or gain to any person or organization, or reveal information supplied to, or the report of, an arbitrator, mediator, labour relations officer or other person or body appointed to resolve or inquire into a labour relations dispute.

Section 25 of the FOIP Act may also be applicable if it can be shown that the disclosure of the information could reasonably be expected to harm the economic interests of a public body or the Government of Alberta.

3. When is a councillor authorized to access information that is in the control of the municipality and how should access be given?

A councillor does not have unfettered access to any and all records of the municipality simply by virtue of holding office. Pursuant to section 153(d) of the Municipal Government Act (the “MGA”), councillors have a duty to obtain information about the operation or administration of the municipality from the chief administrative officer or a person designated by the chief administrative officer.  Section 153(d) only entitles a councillor to access information that is needed to fulfill his or her duties and obligations as a member of council.  Pursuant to the wording of this provision, access should be given by the chief administrative officer or a person designated by the chief administrative officer.  In accordance with section 153.1 of the MGA, where the chief administrative officer or a person designated by the chief administrative officer provides information referred to in section 153(d) to a councillor, the information must be provided to all other councillors as soon as is practicable.

If a councillor is requesting information not needed to fulfill his or her duties and obligations as a member of council, then it would be appropriate to handle that request as a request pursuant to the FOIP Act and apply all relevant exceptions to disclosure.

4. Can disciplinary information including Code of Conduct records be disclosed through a FOIP request?

The response to a FOIP request for disciplinary information will depend on the nature of disciplinary information sought.

Very generally, disciplinary information will include personal information.  Section 17(1) of the FOIP Act obligates a public body to refuse to disclose personal information if the disclosure would be an unreasonable invasion of a third party’s personal privacy.  Pursuant to section 17(4)(d) of the FOIP Act, a disclosure of personal information is presumed to be an unreasonable invasion of a third party’s personal privacy if the personal information relates to employment or educational history.  As such, if there is a request for employee disciplinary information, and the information is not about the applicant making the request, this presumption against disclosure will apply.  When considering whether this information can be disclosed, the head of the public body must then consider all the relevant circumstances, including those outlined in section 17(5) of the FOIP Act, such as whether:

• the disclosure is desirable for the purpose of subjecting the activities of the Government of Alberta or a public body to public scrutiny;
• the personal information is relevant to a fair determination of the applicant’s rights;
• the disclosure may unfairly damage the reputation of any person referred to in the record requested by the applicant, and the personal information was originally provided by the applicant.

With respect to councillor Code of Conduct investigations and reports, the law is still very much developing in this area and any disclosure will be specific to the facts of the matter.  As an elected official, the councillor is not an employee of the municipality, and so the analysis of whether section 17(1) applies is very much different than records related to disciplinary investigation and reports of an employee.  As such, if your municipality has received a request for information relating to disciplinary records arising out of a councillor Code of Conduct matter, we recommend contacting our office to receive more specific advice.

5. Are there any other blanket exemptions from the FOIP Act similar to assessment information (MGA s. 301.1)?

Section 5 of the FOIP Act authorizes statutory provisions to expressly prevail over the exemptions to disclosure. The current MGA contains three exceptions to the FOIP Act.  The first is section 301.1, as referenced in this question.  That provision provides that sections 299 to 301 of the MGA, respecting access to municipal and provincial assessment records and summaries of municipal and provincial assessments, prevail despite the FOIP Act.

Additionally, section 217(3) of the MGA requires the chief administrative officer to provide information on the salaries of councillors, the chief administrative officer and designated officers of the municipality, despite Division 2 of Part 1 of the FOIP Act.

Section 226.2(1) of the MGA also provides that despite any provision of the FOIP Act, personal information contained in a petition:

• must not be disclosed to anyone except the chief administrative officer and the chief administrative officer’s delegates, if any, and
• must not be used for any purpose other than validating the petition.

6. Can a municipality send out a newsletter to its ratepayers over email?

One of the concerns with a municipality setting up a newsletter that is distributed by email is whether the newsletter complies with the requirements of Canada’s Anti-Spam Legislation (CASL).  In particular, pursuant to CASL, an entity cannot send out a commercial electronic message to an individual without either express or implied consent.  This means that a municipality cannot use a pre-existing database of ratepayers’ emails to send a newsletter containing a “commercial electronic message.”  A “commercial electronic message” is one that has the purpose of encouraging participation in a commercial activity.  From a municipality’s perspective, this may include promoting recreational activities or programs or selling any good or service.

Therefore, prior to sending any such email, consent must first be obtained.  Any request for consent must be sufficiently clear; advise of the party that is seeking consent; provide contact information for the party seeking consent; and include a statement indicating that the person whose consent is being sought can withdraw their consent.

Alternatively, a municipality may be able to rely on the implied consent of a current client, this may apply where the individual is an existing utility customer or registrant of a community services/activity and the commercial electronic message is for a similar program of services.  The municipality will also want to ensure that all other requirements of CASL have been met when sending out the newsletter, including, amongst other things, that an unsubscribe mechanism is provided in the email.

7. In the face of a massive FOIP request, is there any limit on requesting a 50% estimated deposit?

Pursuant to section 11(4) of the Freedom of Information and Protection of Privacy Regulation (the “FOIP Regulation”), fee estimates may be provided where the costs to process the FOIP request will total more than $150.  The municipality must also have a FOIP Bylaw in place that authorizes the ability to charge fees.  The provision of a fee estimate is up to the discretion of the public body, but may encourage the requesting party to narrow down an overly broad FOIP request.  In order to rely on a fee estimate, the public body must provide the fee estimate in advance of processing the request.

Once a fee estimate is issued, the public body’s 30-day timeline to respond to the FOIP request is put on hold until the requesting party pays the 50% deposit.  Thereafter, the remaining 50% of the fees must be paid to the public body once the records have been compiled, and the fee estimate and actual fees have been reconciled.

The FOIP Regulation does limit the services for which a public body can charge when processing a request for access.  It also limits the maximum fees that may be charged for each applicable service.  While there is no specific dollar limit on a fee estimate, the fee structure established under the FOIP Act is premised, in part, on the principle that fees should be reasonable and fair and also that the estimate must not be more than the actual costs.  Fees should not present a barrier to applicants in exercising their right to access information under the FOIP Act.  In preparing a fee estimate, a public body should attempt to assess the amount of work required to respond to the request and the services that will be provided as accurately as possible.  In circumstances of an extensive request, it may be appropriate to sample files and base an estimate on the processing of these sample files.

8. How should personal information be handled with regards to the public body’s emergency medical response departments? For example, in the case of body-worn cameras.

If a public body is considering implementing the use of a recording device, like body-worn cameras, we strongly recommend that the public body seek specific advice on this matter and complete a privacy impact assessment prior to implementation.  A key issue in privacy protection is the regulation of the collection of personal information, thereby preventing unnecessary surveillance of individuals.  The use of body-worn cameras has wide reaching privacy concerns that cannot be fully addressed in this format.  Further, the ability to use recordings from body-worn cameras in such matters as enforcement or prosecution proceedings will depend on a number of factors.  This summary answer is not intended to address all of the potential issues that will need to be considered if a public body is considering using body-worn cameras or other surveillance systems.  However, what follows is a brief summary of the basics respecting the collection, use and disclosure of personal information collected by way of body-worn or surveillance cameras.

A body-worn or surveillance camera will capture images of individuals and other information that is identifiable of an individual.  A public body may only collect personal information if the FOIP Act allows for the collection of such information.  In particular, section 33 of the FOIP Act authorizes a public body to collect personal information when:

• the collection of that information is expressly authorized by an enactment of Alberta or Canada;
• that information is collected for the purposes of law enforcement; or that information relates directly to and is necessary for an operating program or activity of the public body.

In order to collect information through body-worn cameras, for example, a public body will need to be able to demonstrate that the collection of personal information through the cameras falls within one of the provisions in section 33 of the FOIP Act.  With regards to the use of body-worn cameras, likely by bylaw enforcement officers, the collection of personal information may be “for the purposes of law enforcement”.  However, any collection of personal information will need to be considered in the circumstances, and a municipality will need to confirm it has authority to collect personal information as a public body under the FOIP Act.

Generally speaking, a public body must consider what personal information it requires to fulfill a particular program or activity and then design its collection mechanisms to collect such information.  Only the personal information necessary to fulfill the requirements of the particular program or activity may be collected.  No further personal information may be collected, even if the public body takes the position that such information might be of assistance to another program or some future program or activity.  Given this, a recording collected through body-worn cameras should only be used for the purpose for which it was collected, and only the minimal amount required.

Except in limited circumstances, when collecting personal information directly from an individual, the public body must provide notification under section 34(2) of the FOIP Act.  This notification must include the purpose for which the information is collected; the legal authority for the collection; and the title and contact information of an officer or employee of the public body that can answer questions regarding the collection.  In the case of body-worn cameras, such notification can be provided by a badge on the inspecting officer or verbally both before and after the recording has started.

Sections 39 and 40 of the FOIP Act specify the situations in which a public body may use and disclose the personal information that has been collected.  Pursuant to section 39(1) of the FOIP Act, a public body may only use personal information:

• for the purpose for which the information was collected or compiled or for a use consistent with that purpose;
• if the individual the information is about has identified the information and consented, in the prescribed manner, to the use, or
• for a purpose for which that information may be disclosed to that public body under section 40, 42 or 43.

Only if one of the authorized disclosures under section 40 is met can a public body disclose personal information.  Permitted disclosure of personal information that would be relevant to body-worn cameras includes, but is not limited to:

• Disclosure to comply with an order, warrant or subpoena issued by a court, person or body having jurisdiction in Alberta to compel production of information;
• Disclosure that is necessary to assist in an investigation by law enforcement, which includes policing and any investigation (including bylaw enforcement and administrative investigations such as stop orders and enforcement under the MGA, and the complaint giving rise to such investigations) that could result in a penalty, sanction or fine;
• Disclosure between law enforcement agencies (such as the RCMP, a local police force or bylaw enforcement), where there is an arrangement or written agreement or statute or regulation that permits the sharing of personal information; and
• Disclosure for use in a proceeding before a court or quasi-judicial body (meaning a tribunal or board that is authorized to function similarly to a court).

Care must be exercised by a public body with respect to the personal information under their custody and control.  Particularly, the public body should not retain personal information for longer than necessary, and should have appropriate security measures in place to mitigate privacy breaches and unauthorized disclosures.  These security measures may dictate who has access to the personal information and who it may be disclosed to.

9. Can a conversation be recorded without the other party’s knowledge, or are you required to inform the other party you are recording?

This question is presumably referring to the provisions of the Criminal Code respecting the recording of privateconversations.  In the criminal context, recording private communications without at least one of the involved parties’ consent is an offence under the Criminal Code (i.e. illegal wire taps).  This means that an individual is able to legally record private communications that they are a party to, without the other parties’ knowledge, on the basis that the recording party consented to the recording.

However, where the recording is being taken by or on behalf of a public body, then the obligations under the FOIP Actapply.  If the recording includes the collection of personal information, then that collection is only authorized if done in accordance with section 33 of the FOIP Act.  That is, the collection of that information is expressly authorized by an enactment of Alberta or Canada; that information is collected for the purposes of law enforcement; or that information relates directly to and is necessary for an operating program or activity of the public body.

Further, when collecting personal information directly from an individual, the public body must provide notification under section 34(2) of the FOIP Act.  This notification must include the purpose for which the information is collected; the legal authority for the collection; and the title and contact information of an officer or employee of the public body that can answer questions regarding the collection.

As such, while “one-party consent” is often referred to with reference to the Criminal Code, when it comes to collection of personal information by way of a recording by or for a public body, the notification requirements under the FOIP Act will apply such that the individual being recorded will be aware of the collection of personal information.

10. If a member of council accidentally discloses personal information in a public forum, when they are not required to do so, is that a FOIP violation? If so, what are the remedies?

If an unauthorized disclosure of personal information occurs, it may be reported to the Office of the Information and Privacy Commissioner (the “OIPC”).  However, public bodies are not required by law to notify the OIPC of a privacy breach.  If an unauthorized disclosure of personal information occurs, the OIPC may investigate the alleged unauthorized disclosure.

Under the FOIP Act, where a person willfully discloses personal information in contravention of the requirements of the FOIP Act, a person may be found guilty of an offence and liable to a fine of not more than $10,000.

However, in most cases of an unauthorized disclosure of personal information, the OIPC will investigate the situation after receiving a complaint and will typically issue recommendations to the public body on ways to avoid such situations in the future.

11. When can council convene and go in camera?

The starting place under section 197 the MGA is that all council and council committee meetings are to be held in public.  However, council or council committees may close a meeting, or a portion of a meeting, to the public if an exception to disclosure in the FOIP Act is applicable.

Two of the exceptions to public disclosure under the FOIP Act are mandatory exceptions, and council must go in camera if there will be discussion that may be harmful to the business interests of a third party, or involve personal information that if disclosed would be an unreasonable invasion of third party’s personal privacy.  The remaining exceptions to public disclosure are discretionary, and council may go in camera, but is not required to.  The discretionary exceptions include, but are not limited to, individual or public safety, local public confidences such as draft bylaws or agents, law enforcement, privileged information, and economic interests of the public body.

Common matters that council or a council committee may go in camera to discuss are legal advice subject to privilege or employment matters relating to personal information.  Importantly, council must make a resolution providing the basis for which they are going in camera in order for the public to be adequately informed about why a “closed door” discussion is warranted.

Whether an exception is appropriately used for council to go in camera will depend on the factual circumstances.  Any reason for excluding the public from a council or committee meeting must fall under the exceptions to public disclosure.  The fact that a discussion is controversial or might attract public scrutiny is not a basis for excluding the public from a council or committee meeting.

12. Can council discuss a draft bylaw in camera?

Section 23 of the FOIP Act allows council to hold in camera meetings to discuss and deliberate on draft resolutions, bylaws, or other legal instruments.  This provides council with the opportunity to engage in preliminary discussions prior to allowing review of the bylaw or resolution by the public.  To be clear, this exception refers to actual draft bylaws or resolutions, not mere discussion about proposed bylaws or resolutions.  Importantly, council may not rely on this exception to go in camera where the draft resolution, bylaw, or other legal instrument has previously been considered in a public meeting, or is contained in a record that has been in existence for more than 15 years.

Additionally, section 24 of the FOIP Act permits council to go in camera for a meeting where they are receiving advice from administration, consultants or other parties.  This broadly includes advice, proposals, and recommendations for the public body.

As always, these exceptions to disclosure must be exercised carefully by council, and it is not appropriate for council to go in camera for the initial deliberations for every resolution, bylaw, or proposal put before council.

13. What is the legal position on dealing with ‘frequent flyer’ residents – those who send multiple letters, e-mails and phone calls demanding information on a daily basis. What is the municipality’s responsibility regarding response to the individual?

Municipal administration and councillors have no clear obligation to respond to all inquiries from the public.  However, there are certain types of requests that do require a response, such as requests for records or information contained in records (governed by the FOIP Act) as well as statutory appeals or statutory complaint processes (governed by bylaws, the MGA, etc.).

If your municipality is dealing with multiple individuals who are contacting the municipality on a regular basis with questions, comments or complaints, you may want to consider establishing a specific complaint line or online forum to which such comments can be directed and appropriately handled by the appropriate person within administration.

If a general complaint line or online forum is not sufficient, your municipality may also consider a specific protocol to be utilized in responding to certain individuals that continue to contact councillors or staff members directly.

In extreme matters, your municipality may have options available to it to address harassing correspondence from ratepayers or vexatious/frivolous requests for information.  Specifically with respect to requests pursuant to the FOIP Act, in exceptional circumstances, a public body may ask the Information and Privacy Commissioner for authorization to disregard certain requests, where the requests are either:

• epetitious and systematic, such that the request would unreasonably interfere with the operations of the public body or amount to an abuse of the right to make a request; or
• one or more of the requests are frivolous or vexatious (FOIP Act, s 55).