Verifying the Identity of the Requestor

Posted byJustin PetrilloPosted inUncategorizedTags:, , , , , , , , , , , , , , ,

A Sort of Umbrella (Anne Claude Philippe de Tubières, comte de Caylus)The Freedom of Information and Protection of Privacy Manual (the “FOI Manual”) notes that when a requestor asks an institution for the requestor’s own personal information, the institution must first verify the identity of the requestor before any personal information is disclosed.  The FOI Manual suggests that an institution may be able to fulfill the identity verification requirement by receiving a photocopy of the requestor’s photo identification.  However, the Manual never goes so far as to say that merely obtaining a photocopy of the requestor’s government identification is right answer for every institution.  In fact, a series of decisions of the Information and Privacy Commissioner of Ontario (IPCO) make it clear that institutions are expected to develop their own identity verification policies tailored to the sensitivity of the information they are being asked to disclose and the circumstances of the request, among other factors.  In other words, institutions handling sensitive information may need to go beyond simply asking for a photocopy of the requestor’s ID.

In today’s article, we’re going to look more closely at the requirement to verify the requestor’s identity. We’ll take a close look at the relevant language from the Freedom of Information and Protection of Privacy Act (“FIPPA”) and the Municipal Freedom of Information and Protection of Privacy Act (“MFIPPA”) and the regulations thereunder.  We’ll also consider a series of decisions from IPCO which review the identity verification policies of various institutions and offer helpful guidance to institutions to develop reasonable identity verification policies of their own.  We will see that in recent years, IPCO has extended great deference to institutions’ own identity verification policies, even where institutions have imposed somewhat onerous requirements, such as requiring requestors to appear in-person with their photo identification to pick up the documents they have requested.

Requests for General Records

Under both the Freedom of Information and Protection of Privacy Act (“FIPPA”) and the Municipal Freedom of Information and Protection of Privacy Act (“MFIPPA”), the right to access the records held by an institution is a right of “every person”.

Because every person has the same right to the general records of the institution, for general records requests, the identity of the requestor is normally of no relevance to the institution, except as a point of contact for processing of request.  In fact, employees of the institution are generally better off not knowing the identity of the requestor.  When employees involved in processing an FOI request are unaware of the identity of the requestor, they are effectively shielded from allegations related to the identity of the requestor.  (E.G., a journalist might allege that an institution acted in bad faith by refusing to provide her with responsive records because she is notorious for writing articles critical of the institution.  If the employee who made the relevant disclosure decision could establish that he or she had no knowledge of the identity of the requestor, this would serve as a powerful defence to the journalist’s allegation.)

Further, the fact that a particular individual is requesting records might itself be sensitive information.  It is not uncommon for a requestor to have an existing relationship with the institution (for example, the requestor may be an RFP respondent, or a client of the institution, or a journalist known to the institution).  The requestor should not have to worry about their request affecting their relationship with the institution.  Consistent with this, the FOI Manual advises institutions “to safeguard all information about a requester’s identity” and to keep the request confidential.

Requests for the Requestor’s Own Personal Information

However, if a requestor is requesting their own personal information (or records which might in part include their own personal information) then the identity of the requestor becomes essential to the request.  This is because requestors are allowed to access their own personal information, even if the institution would refuse to disclose such information to third parties.  Both s.21(1) of FIPPA and s.14(1) of MFIPPA state that the institution “shall refuse to disclose personal information to any person other than the individual to whom the information relates”. [emphasis added]  (Note there are a number of exceptions to this basic rule, including “upon the prior written request or consent of the individual, if the record is one to which the individual is entitled to have access”, which allows an individual to consent to the disclosure of their personal information to another person.)

Generally, under s.21(1) of FIPPA and s.14(1) of MFIPPA, an institution should withhold or redact personal information, even if such information is responsive to a request.  However, if the personal information appears in records requested by the individual to whom the information relates (or if the institution has obtained the consent of the individual to whom the information relates) then the institution is expected to disclose such information to the requestor, unless a separate exception or exemption applies.

What should an institution do when a request comes in for a requestor’s own personal information?  In general, the process is the same as a request for general records.  The request must be in writing; it must include sufficient detail; it must indicate it is being made under the relevant legislation; and it must include the $5.00 application fee.  But for requests for personal information, there is an additional step: the institution is expected to verify the identify of the requestor.  This requirement is found in section 3.(3) of FIPPA Regulation 460: “A head shall verify the identity of a person seeking access to his or her own personal information before giving the person access to it.”  And the same language appears in section 2.(3) of MFIPPA Regulation 823.

Notably, both regulations set out the same requirement to “verify the identity of a person”, but neither provides any specific guidance on what steps an institution is required to take to satisfy this requirement.  Rather, institutions are expected to come up with their own policy regarding verifying the identity of FOI requestors.

The FOI Manual’s Guidance

The FOI Manual provides the following guidance on verifying a requestor’s identity:

“An individual requesting their personal information must also provide valid identification to the institution prior to receipt of a record. Valid identification may include government issued photo identification such as drivers licence [sic] or passport. In instances where no official identification is available, the institution should work with the requester to verify their identity.”  (FOI Manual, Chapter 6, Request Requirements, p.97)

The FOI Manual’s guidance here is not exactly unhelpful, but I think it’s fair to say it perhaps raises more questions than it answers.  Since FOI requests are generally conducted by mail, how is the institution expected to examine the driver’s licence or passport of the requestor?  Should an institution require all FOI requestors seeking their own personal information to appear in person with their photo identification in hand before the request can proceed past the intake stage?  Or is it sufficient for the requestor to send in a photocopy of their government-issued photo identification?  If a photocopy is sufficient, should the institution require a notarized copy, or will a regular photocopy suffice?  Are there any other acceptable means for an institution to confirm the identity of the requestor?  The FOI Manual states that the institution can “work with” the requestor to verify their identity in instances where no official identification is available – but exactly what does this mean?

The FOI Manual includes a sample letter acknowledging a personal information request (FOI  Manual, Appendix 4, Letter 4.4) providing a little further detail.  Here, the identity verification requirement is described to the requestor as follows: “Please provide our office with a photocopy of one piece of valid government issued photograph identification.”  From the guidance set out earlier and the wording of the sample letter, it appears that the Ministry of Government Services (who publishes the FOI Manual) is satisfied that the receipt of a regular photocopy of government-issued identification is sufficient as evidence of the requestor’s identity, at least in most situations.  But as we’ll see below, institutions shouldn’t consider the FOI Manual’s guidance here to be the final word on the matter, because IPCO decisions have been supportive of stronger identity verification requirements when an institution deems them necessary.

Alternative Means of Verifying Identity

The same FOI Manual Letter (Letter 4.4) also offers requestors the option of contacting the institution if they require an alternative method of verifying their identity.  This is intended to acknowledge that there are individuals who do not possess photo identification or who may not be willing to share such identification with the institution.  Other options are available to institutions to confirm the identity of an individual besides photo identification.

Suggestions that may help an institution identify an individual in the absence of photo identification include:

  • the requestor may already be known to the institution
  • the requestor may already have their address and/or signature on file with the institution
  • the institution may have other personal information on file that the requestor can use to verify their identity to the institution
  • a trusted third party may be able to confirm the requestor’s identity (with the consent of the requestor)

It may even be open to the institution to provide an individual with a password that the individual can use in future interactions with the institution to confirm their identity.

Does the Clock Start Before the Requestor’s Identity is Verified?

It’s not clear whether the 30-day deadline to respond to a request should start as soon as the request is received, or only after the identity of the requestor has been verified.  Generally, if a request is unclear, it is considered to be an invalid request, and the clock does not start.  An institution might consider taking the position that the request is not clear (i.e., the institution does not have sufficient information to process the request) until the requestor’s identity has been verified.  This argument would be made on the basis that the requestor’s failure to provide proof of their identity affects what records are subject to disclosure under the request.  In other words, the institution is effectively saying to the requestor “until we have received verification of your identity, we can’t be sure what records we are permitted to disclose to you—therefore, we consider your request to be unclear, that is, to lack sufficient detail for us to prepare a set of records to disclose to you, until you have verified your identity.”  On the other hand, the requirements of a valid FOI request are set out in both FIPPA s.24(1) and MFIPPA s.17(1) and these requirements do not include verification of the requestor’s identity.  The requirement to verify the identity of the requestor appears only in the general regulation under each Act, and a regulation cannot override its enabling statute.  IPCO could potentially take the position that an institution is free to start processing a request on the basis that the requestor can always verify their identity later on, before the records are disclosed.

Although not binding on IPCO, the FOI Manual takes a position here that is very helpful to institutions.  In its sample letter acknowledging a request and requiring proof of identity (Letter 4.4), the Manual’s recommended language states, “Please provide our office with a photocopy of one piece of valid government issued photographic identification.  Once we have received verification of our identity, we will proceed with processing your request.”  This language is similar to the language used in the FOI Manual’s “Clarification Required” sample letter (Letter 4.3) which states “Please supply the following information so that we may begin to process your request.”  Considering the language of these two letters, I would say it appears to be the position of the Ministry of Government Services (author of the FOI Manual) that the clock does not start until verification of the requestor’s identity has been received.  In my opinion, this is a sensible result, since it would be an inefficient use of an institution’s resources to start the FOI process before obtaining some confirmation of the requestor’s identity.  And the timing of the receipt of such confirmation of identity from the requestor is entirely out of the institution’s hands—if a requestor takes 3 weeks to send in a copy of their drivers’ license, in my opinion, this should not count against the institution’s 30-day deadline.  Another argument in support of not starting the clock before the requestor’s identity has been verified is that in many cases even the decision letter itself may contain personal information which should not be disclosed until he identity of the requestor is verified.  For example, even if the requested documents themselves are not disclosed, the decision letter may reveal that documents have been found which, by their mere existence, confirm that a particular individual is known to the institution or employs the services of the institution, which in some cases may include sensitive health-related services or social services.  This would seem to bar the institution from even issuing a decision letter until the requestor’s identity has been verified.  Since the decision letter itself can’t be sent until the identity of the requestor has been verified, it would seem something of a contradiction to say that the 30-day countdown to issue a decision letter and disclose the requested documentation should start before the identity of the requestor has even been confirmed.

All that said, it may be open to IPCO to reach a different conclusion.

Preliminary Verification of Identity

An institution may consider requiring some preliminary proof of identity at the start of a file (such as a photocopy of the requestor’s photo identification) but then require more conclusive evidence of the requestor’s identity (such as a notarized copy of the requestor’s identification, or even presenting their identification in person) before the requested personal information is actually provided to the requestor.  If an institution takes this approach, it would be advisable to let the requestor know what will be required from as early in the process as possible.  For example, if the institution sends the requestor a letter asking for a photocopy of their photo identification in order to start the FOI process, it would be advisable to let the requestor know in that same letter if the institution intends to ask for further verification of identity (such as a notarized copy, or having to present identification in-person) before it will actually disclose the requested personal information to the requestor.

Relevant IPCO Decisions

Going now beyond the guidance provided by the legislation and by the FOI Manual, it is apparent, based on a series of decisions of the Information and Privacy Commissioner of Ontario (IPCO), that it is up to each institution to determine what proof of identification each deems acceptable for requests for personal information requests, and that the level of proof may vary depending on the sensitivity of the information requested as well as the circumstances surrounding the request.

Of course, the decision of an institution to accept or reject particular evidence of a requestor’s identity is subject to appeal to IPCO.  (The legal basis for this appeal would come from s.50 of FIPPA and the corresponding s.39(1) of MFIPPA, which allow a requestor to appeal any decision of the head of an institution.)  There are a few competing factors at play here:  If the institution is too permissive in what it accepts as evidence of the requestor’s identity, it may face a privacy breach complaint when personal information is disclosed to someone who had no right to receive it (i.e., an impostor who impersonates another individual’s identify in order to obtain their personal information from the institution).  However, if the institution is too strict in the requirements it imposes on requestors to prove their identity, the institution’s rules may be overruled by IPCO as imposing unfair barriers on requestor’s rights to obtain their own personal information.  Given the choice between these two consequences, I would personally be inclined to lean more towards stricter identification requirements, increasing the chances of my institution’s verification policy being overruled by IPCO, but avoiding taking on greater risks of the possibility of a privacy breach.  However, other practical considerations also come into play – for example, stricter identification requirements may be more difficult for an institution to administer, requiring more resources and staff time, and unfortunately such time cannot be charged to the requestor in the form of FOI processing fees.  Finally, there is potentially the concern that overly strict identification requirements may have the effect of discouraging requestors from making FOI requests.  As a hypothetical, a provincial institution’s policy that required requestors to appear in person at the main office of the institution before allowing a file to proceed would presumably deter the vast majority of personal information requests, especially given the vast size of the province and the difficulty most of its residents would have making the trip.  This kind of barrier to access affecting the majority of the residents of the province would seem hard to justify (and ripe for reversal by IPCO).  On the other hand, a requirement to appear in person to pick up the requested disclosure may be justifiable if implemented by a municipal institution, where it may be more reasonable to expect that the vast majority of requests will be made by people who live somewhat near the institution.  (In fact, as we will see in the cases below, a requirement to present photo identification in person to pick up documents containing personal information has been endorsed by IPCO in at least one decision relating to a municipal police service.)

IPCO Order 29 (Ministry of Health) decided December 15, 1988

Perhaps the most helpful IPCO decision with the clearest guidance is one of its earliest decisions, Order 29 (Ministry of Health), decided by then Commissioner Sidney B. Linden on December 15, 1988, barely a year after the introduction of the Freedom of Information and Protection of Privacy Act.  A requestor asked the Ministry of Health for a copy of “all personal information” in the possession of the Ministry concerning the requestor.  The Ministry granted the request, but informed the requestor that he would need to “phone our office collect in order to make arrangements for you to pick up your records from our office or another government office nearest your location. It is required that you obtain your records personally by providing a photo identification (ie. driver’s license, passport) and signing a release form.”  The requestor objected to being asked to come in person to pick up the requested records and appealed to IPCO.  During the appeal, the requestor stated that he had no photo identification.  The Ministry took the position that he should still have to appear in person with some other form of identification, such as a social insurance card or an OHIP card.  This was not acceptable to the requestor, who insisted on receiving the records by mail.

In his reasons, Commissioner Linden noted:

By its very nature a request for access to personal information places a high level of responsibility on the institution. In order to protect the privacy of the individual to whom the information relates, the institution must take steps to ensure, as best it reasonably can, that the requester is indeed the person whom he or she purports to be. The institution must then provide access to the personal information in a manner that is not unnecessarily restrictive.

And he continued his decision with helpful guidance about what requirements institutions should be taking to confirm the identity of a requestor:

Responsibilities With Respect To Privacy Protection.

The responsibility for verifying the identity of the requester of personal information can be fulfilled using more than one technique. An institution is in the best position to determine, on a case by case basis, what it will take to satisfy itself as to a requester’s identity. Each institution must give serious thought to the manner by which it verifies the identity of a requester.

An obvious preliminary step involves comparing identifying information on the request form itself with information that is in the institution’s possession. Spelling of names, address, telephone number, signature, handwriting, etc. should be reviewed and compared with the information that an institution may have on file. Any discrepancies should trigger further inquiry.

Even when a check of the identifying information on a written request form with that in the institution’s possession reveals no discrepancies, I recommend that at least one additional step in verifying the identity of the requester is appropriate. The nature of this step will vary given the particular circumstances of the request and/or the institution involved. An example of the type of verification I am suggesting is questioning a requester on unique personal information contained in a record itself. For some institutions this may involve simply verifying identifying numbers used by the institution. For example, the Ministry of Health, in this appeal, verified the identity of the requester by asking for his OHIP number. Other techniques may be developed that will accommodate the needs of both the requester and the institution.

One of the most reliable ways to verify the identity of a requester is to require his or her personal attendance and the presentation of some document of identification. My concern with this method is that it may be an overly restrictive requirement that would place barriers on an individual’s right to access. Further, there are many individuals who do not possess photo identification and/or identification with a signature. For these reasons, personal attendance should not be the standard form of verification used by an institution.

There may be cases where an institution is highly suspicious of the requester’s identity or where discrepancies have arisen while verifying identity through other means. In these situations, I feel that an institution must take whatever reasonable steps it believes will satisfy itself as to the identity of the requester. This is especially true where the record in question contains particularly sensitive information.

In such a situation, a requirement of personal attendance may very well be the only reasonable way to verify identification.

Commissioner Linden decided that in the case before him, it was appropriate for the institution to send the information to the requestor in the manner requested by him, namely, ordinary mail.  But he noted that the Ministry of Health had not raised the identify of the applicant as an issue and believed that the Ministry was satisfied that the requestor was who he claimed to be.  The requestor did provide his OHIP number to the institution on his original request form.  There was some discussion of potential risks to the information being transmitted by ordinary mail, however the Commissioner noted that the requestor “has put himself on public record as consenting to the transmission of his personal health information by ordinary mail and thereby assumes any potential risks to his privacy rights that may arise because of his choice.”

I think this is a very helpful decision for outlining the framework IPCO will use when assessing institutions’ identity verification policies, but a couple of important points should be noted – first of all, it would appear that the Ministry did not raise doubts in the appeal about the identity of the requestor, and the Commissioner relied heavily on this fact to justify ordering the Ministry to send out the requested records ny mail without requiring the requestor to present photo identification (or even a copy of such identification).  The Commissioner stated he believed that the Ministry did not hold reservations in regard to whether the requestor was actually who he claimed to be.  If the Ministry had raised concerns that the requestor might actually be an imposter, it seems quite likely that this decision would have gone differently.  The second point is that this decision was issued in 1988, before email and the internet were in common use.  With privacy breaches and data leaks so much more common now as compared to 1988, the value of merely including an OHIP number with an FOI request as proof of identity has likely diminished.

IPCO Order M-937 (Metropolitan Toronto Police Services Board) decided May 13, 1997

In Order M-937 (Metropolitan Toronto Police Services Board), decided by Inquiry Officer Laurel Cropley on May 13, 1997, the requestor asked for “all information relating to the requester’s arrest which occurred on a specified date”.

The decision noted that the Police took steps in order to verify the requestor’s identity at the time of his request, which included a comparison of his name, address, telephone number, date of birth and the signature on the arrest form with that in his request letter. Following these verification checks, the police provided the requestor with some of his personal information relating to his arrest.

The issue at appeal was the requestor’s fingerprint information, which the police refused to release unless the requestor attended in person at the Forensic Identification Services to verify his identity by providing another set of fingerprints in order to verify their identity before receiving access to such records.

As noted in the Order, “[t]o support their position, the Police explain that every year, several hundred individuals arrested by the Police are ultimately identified as someone other than whom they have purported themselves to be. Since fingerprint analysis is a highly specialized segment of law enforcement, police employees working in any capacity other than Forensic Identification may also be duped by these individuals. For this reason, no method of identity verification is acceptable to Forensic Identification Services except through fingerprint analysis and comparison.”

The IPCO found the police’s identification requirements were overly strict in this case.  Inquiry Officer Laurel Cropley stated that after carefully reviewing the steps taken by the Police in order to verify the appellant’s identity, “I find them to be reasonable and appropriate given the nature of the information requested. As I indicated above, the Police satisfied themselves as to the identity of the appellant before releasing other records containing his personal information to him. In the circumstances of this appeal, I find that it is not necessary for them to undertake any further verifications before releasing a copy of his fingerprints to him.”

IPCO Order MO-2038 (Ottawa Police Service) decided March 31, 2006

So far, I’ve described two decisions where IPCO disagreed with the institution’s identification requirements, finding them to be too strict.  However, both of those decisions were from more than 20 years ago.  I believe the more recent cases show a trend of IPCO becoming more accepting of relatively stricter identification requirements imposed by institutions.  The cases below were both decided within the last 13 years.

In Order MO-2038 (Ottawa Police Service), decided by Adjudicator Catherine Corban on March 31, 2006, the requestor asked for the complete police report regarding the towing of her car from a private parking spot.  The requestor purported to have received permission to park from the owner of the spot.  The police granted partial access to the record.  However, the requestor was informed that it was the policy of the policy of the Ottawa Police Service not to provide copies of record by mail.  “Rather, a requester is now required to come to the police station to pick up the record in person, and access to the record will be granted upon production of identification.”  The appellant advised the IPCO mediator that she had made several appointments to attend at the police station but that she had had to cancel them due to her demanding job.

The Adjudicator found in favour of the police services’ decision to require the requestor to appear in person to pick up the requested records.  The Adjudicator’s reasons contain language that would be very helpful to any institution seeking to defend its own identification requirement policies:

I disagree with the appellant’s position that by requiring her to attend at the police station to retrieve the copies of the record to which she is granted access the Police are in breach of their obligation to provide access to the record under section 23 of the Act [MFIPPA]. As required by section 23(1) the Police are prepared to give her a copy of the record to be disclosed to her; however, they are imposing the limitation that she attend at the police station to retrieve them, in order to verify her identity given that the record relates to her personal information.

Although the Act does not specify how access should be granted to records containing personal information (for example: by mail, by courier, in person), it is clear that personal information is to be safeguarded. Section 2(3) of Regulation 823 made under the Act states:

A head shall verify the identity of a person seeking access to his or her own personal information before giving the person access to it.

In my view, because the record at issue contains the personal information of the appellant, the Police may, and are indeed required by section 2(3) of Regulation 823, to take whatever steps they feel are necessary to safeguard the security of the personal information contained in the record to ensure that the recipient is indeed the appellant. If, to do so, the Police have chosen to create a policy that requires requesters to attend at their offices to provide identification to police staff prior to their release of the record, in my view they are entitled to impose such a requirement. Moreover, the Police have made it clear that they have made arrangements to facilitate, as much as possible, the appellant’s retrieval of the copies of the record to which she has been granted access by making them available for pick up at any time that is convenient for her. By taking these steps, I am satisfied that the Police have complied with their obligations under the Act both to provide access under section 23 to copies of the record to which the appellant is entitled, while at the same time ensuring that they meet their obligations under section 2(3) of Regulation 823, to safeguard personal information.[emphasis added]

This language from Order MO-2038 likely represents the high-water mark of deference by IPCO to the identity verification policies institutions develop on their own.  I think it should be noted that the “whatever steps they feel are necessary” language in Order MO-2038 is not entirely consistent with the earlier decisions summarized above.  Regardless, this language does serve to emphasize that institutions themselves are generally the best arbiter of what kind of proof of identification should be required before information is released to a requestor, and illustrates that there is no single rule or policy that will apply across all institutions to which FIPPA and MFIPPA apply.

IPCO Order MO-2910 (Niagara Regional Police Services Board) decided June 28, 2013

In Order MO-2910 (Niagara Regional Police Services Board), decided by Senior Adjudicator Sherry Liang on June 28, 2013, IPCO again upheld the identity verification scheme imposed by a police service.  The requestor asked for a named constable’s notes on an Ontario Ministry of Transportation survey and the constable’s notes on the requestor.  The requestor lived in a different municipality from the Niagara Police – approximately 160 kilometres away.   The requestor asked the Niagara Police to mail the responsive documents.  They refused, instead mailing them to the York Police, who covered the requestor’s community.  The requestor was informed he could pick up the materials by producing suitable identification to the York Police at a specified location.  Alternatively, the Niagara Police would have been willing to mail the documents to the requestor upon the receipt of a notarized copy of his photo identification.

Senior Adjudicator Sherry Liang found that “by giving the applicant the two options for obtaining the records, the police complied with its obligations to “give” the records to him.”  She noted that the police “offered a reasonable rationale for this policy”, which, unfortunately, do not appear in the decision itself.  Order MO-2910 thus provides another example of deference to an institution’s own identity verification requirements.

The Trend Toward Stricter Verification Requirements and Greater Deference to Institutions

Although the two most recent orders outlined above both relate to identity verification procedures imposed by police services, I believe they may be indicative of a general trend of deference by IPCO toward institutions’ adoption stricter identity verification procedures in more recent times.  There has been a growing understanding in the last 10-15 years of the increasing frequency and scope of privacy breaches.  We now all know that there is a reasonable chance our own identifying numbers are “out there” – almost certainly our credit card numbers, but also potentially our driver’s licence, OHIP and passport numbers as well.  In this digital age, even actual images of our photo identification may wind up in the hands of fraudsters and criminals.  Back in 1988, IPCO might have been willing to accept a mere OHIP number as proof of a requestor’s identity, but I doubt it would make the same determination today.

Although IPCO does not want to encourage additional barriers to access by individuals to their own personal information held at government institutions, it likely harbours an even greater concern of overruling an institution’s own identity verification policies and thereby increasing the risk of a privacy breach where documents are provided to an impostor.  If an institution’s own identify verification policy were overruled by IPCO and replaced by a new, more permissive system which led to documents being disclosed to an impostor, the result could be scandalous.  IPCO is therefore likely to tread lightly when reviewing institution’s own systems for verifying the identities of requestors.

Conclusions/Takeaways

This article has touched on a number of points related to the identity of the requestor:

  • If a requestor is merely seeking access to general records, and not their own personal information, then their identity should be of little to no importance to the organization, and there’s really no need to verify the identity of the requestor. In fact, the institution should safeguard the identity of the requestor, since most of the employees working on processing the request will likely have no need to know it.
  • On the other hand, if a requestor is seeking their own personal information, their identity becomes of paramount importance, because they are requesting information that no-one else is allowed to have.
  • To prevent impostors from obtaining the personal information of others, it is important to verify the identity of the requestor.
  • The FOI Manual suggests obtaining a photocopy of the requestor’s photo ID as a basic verification strategy. However, this may not be suitable or sufficient for all institutions.
  • Other strategies may be employed for requestors who are unable or unwilling to produce photo identification.
  • It’s not entirely clear whether the 30-day deadline starts as soon as the request is received, or only after the identity of the requestor has been verified, but there are good arguments that the clock should not start until identity verification has been received.
  • Institutions are permitted to create identity verification policies of their own which take into account the sensitivity of the information being requested as well as any other relevant circumstances. They may wish to consider accepting some basic form of identify verification to get a file started, and then asking for more fulsome identity verification before any personal information is actually disclosed to the requestor.
  • In its early days, IPCO would sometimes overrule institutions’ own identity verification policies as too onerous, but more recently there has been a trend of deference towards the identity verification policies that institutions deem appropriate for themselves, up to and including asking requestors to appeal in person with their photo identification to pick up the disclosure they have requested (in appropriate circumstances).

How to correctly verify the identity of a requestor is a fascinating aspect of the FOI process and it is also one of the steps in the process that is most likely to be overlooked.  In an upcoming article, I intend to consider the issues around the delegation an individual’s right of access to their own personal information to a third party, such as an attorney or an estate representative.  In the meantime, I hope you find this guidance to be a valuable resource for your institution.

I encourage you to refer this article to a colleague, and to subscribe to the FOI Assist blog.  Subscribing is easy:  just enter your email address at the bottom of the page, then click the follow button.

Links to Resources:

Freedom of Information and Protection of Privacy Act (FIPPA) https://www.ontario.ca/laws/statute/90f31

Freedom of Information and Protection of Privacy Act, R.R.O. 1990, REGULATION 460 (GENERAL) https://www.ontario.ca/laws/regulation/900460

Municipal Freedom of Information and Protection of Privacy Act (MFIPPA) https://www.ontario.ca/laws/statute/90m56

Municipal Freedom of Information and Protection of Privacy Act, R.R.O. 1990, REGULATION 823 (GENERAL) https://www.ontario.ca/laws/regulation/900460

Freedom of Information and Protection of Privacy Manual https://www.ontario.ca/document/freedom-information-and-protection-privacy-manual

Information and Privacy Commissioner of Ontario (IPCO) Decisions https://decisions.ipc.on.ca/ipc-cipvp/en/nav.do

Published by Justin Petrillo

I have created the FOI Assist™ software to help Ontario’s provincial and municipal government institutions of all sizes track and respond to Freedom of Information (FOI) requests. For most of my career I have been a lawyer, advising clients on commercial, intellectual property and FOI/privacy issues. From 2013 to 2015, I managed the FOI program for the Toronto 2015 Pan/Parapan Am Games Organizing Committee while serving as Legal Counsel to the Games. Prior to becoming a lawyer, I obtained a computer science degree and worked as a software developer at several well-known technology companies.

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s

%d bloggers like this: