The the Ontario Court of Appeal has affirmed the IPC/Ontario’s position that records produced by replacing unique identifiers in a database with randomly generated numbers are “records” under Ontario freedom of information legislation.
The requester, a reporter from the Toronto Star, asked for access to information stored in two police databases. Presumably so he could accomplish his research without using personal information and engaging the unjustified invasion of privacy exemption, he asked that identifying information in the two databases be replaced with randomly generated and unique numbers. The evidence showed that the police board could extract the data in the form requested by writing an algorithm and relying upon its existing technical know-how, hardware and software.
In June 2007, the Divisional Court quashed an IPC order made in favour of the requester. The Court held that the request was not for “records” as defined in section 2(1)(b) of the Municipal Freedom of Information and Protection of Privacy Act:
2. (1) In this Act,
“record” means any record of information however recorded, whether in printed form, on film, by electronic means or otherwise, and includes,
(b) subject to the regulations, any record that is capable of being produced from a machine readable record under the control of an institution by means of computer hardware and software or any other information storage equipment and technical expertise normally used by the institution; (“document”)
Earlier today, the Ontario Court of Appeal reversed the Divisional Court’s judgement and restored the IPC order. The Court of Appeal decision is technically based on the standard of review – i.e. it only held that the IPC’s interpretation of the record definition was not unreasonable. This, however, hardly limits the force of the judgement. The Court reasoned that IPC’s order was consistent with the the text of the MFIPPA General Regulation, which has provisions that allow institutions to recover programing and related costs. It also applied a very strong purposive analysis in construing the definition. Consider the following dicta:
A contextual and purposive analysis of s. 2(1)(b) must also take into account the prevalence of computers in our society and their use by government institutions as the primary means by which records are kept and information is stored. This technological reality tells against an interpretation of s. 2(1)(b) that would minimize rather than maximize the public’s right of access to electronically recorded information.
In my view, a liberal and purposive interpretation of those regulations when read in conjunction with s. 2(1)(b), which opens with the phrase “subject to the regulations,” and in conjunction with s. 45(1), strongly supports the contention that the legislature contemplated precisely the situation that has arisen in this case. In some circumstances, new computer programs will have to be developed, using the institution’s available technical expertise and existing software, to produce a record from a machine readable record, with the requester being held accountable for the costs incurred in developing it.
This decision makes clear that Ontario institutions must ordinarily undertake programming tasks that enable them to provide access to information stored in databases, even to mask personal information by substituting de-personalized unique identifiers for identifying information. There are two clear limits to this rule: (1) a record only capable of being produced through a proces that “unreasonably interferes with the operations of an institution” is deemed not to be a record and (2) a record that can only be produced with technical expertise not “normally used by [an] institution” is deemed not to be a record. The Court left open whether a record that can only be produced with “hardware and software or any other information storage equipment” not normally used by an institution is deemed not to be a record but said this interpretation was “open to argument.”
The “creating records issue” is a significant one in civil litigation and in other circumstances where one has a simple right to a “record in custody or control” (see here, here and here for more). This case is based on very specific statutory language, but is nonetheless significant to Ontario FOI-regulated institutions.
Toronto Police Services Board v. (Ontario) Information and Privacy Commissioner, 2009 ONCA 20.