Institutions are sometimes faced with a request from someone who purports to be acting on behalf of, or with the consent of, the individual whose personal information is being requested. The requestor in this case may be a lawyer, insurance company, or agent, or it may simply be a friend or a relative who is helping the individual whose information is held by the institution.
The Ministry of Government Services’ Freedom of Information and Protection of Privacy Manual (the “FOI Manual”) summarizes the exercise of an individual’s rights by another person as follows:
The legislation allows an individual’s rights or powers to be exercised by:
- A person with the written consent of the individual that has been verified (e.g., agent, lawyer).
- A person having lawful custody of a child under the age of sixteen. A person with lawful custody of a child does not have absolute access rights. The exercise of any rights should be in the best interests of child and not for the personal objectives of the custodian.
- A guardian for an individual appointed by a court, or the individual’s attorney under power of attorney, or the Public Guardian and Trustee; under the Mental Health Act or Substitute Decisions Act.
- A personal representative of a deceased individual (e.g., executor named in a will, administrator or trustee appointed by a court) only if the exercise of the power relates to the administration of the individual’s estate.
In today’s article, we will be focusing mainly on the first type of requestor above, that is, a person who is relying on the written consent of another person to request personal information.
The Written Consent Requirement
The specific language which enables a person to request the personal information of another individual with his or her consent comes from s.21(1)(a) of the Freedom of Information and Protection of Privacy Act (FIPPA):
21(1) A head shall refuse to disclose personal information to any person other than the individual to whom the information relates except, (a) upon the prior written request or consent of the individual, if the record is one to which the individual is entitled to have access; […]
The same language appears as s.14(1)(a) of the Municipal Freedom of Information and Protection of Privacy Act (MFIPPA).
It is important to note that the language from FIPPA/MFIPPA set out above requires not only the consent of the individual to whom the information relates, but also explicitly requires such consent to be given in writing.
The guidance set out in the FOI Manual states that the written consent must be “verified”, but this additional step does not appear in the written consent requirement as set out in FIPPA/MFIPPA. That said, in practice, it likely does make sense for institutions to verify that the person purporting to act with the consent of the individual whose information is being requested has actually obtained the individual’s consent in writing. As a practical matter, in many cases, the person acting on behalf of the individual whose information is being requested may not realize that the written consent of the individual is a legal requirement under FIPPA/MFIPPA before any personal information can be released by the institution (unless another disclosure justification applies). Specifically, mere verbal consent of the individual is not enough. Lawyers, in particular, may be accustomed to acting on verbal instructions, even in situations that may have serious consequences to the property or even to the liberty of their client. After getting used to relying on verbal instructions from their clients in various circumstances, lawyers may be surprised to discover that their only legal authority for requesting the personal information of a client from an institution under FIPPA or MFIPPA is an actual written consent from the client to do so.
The best practice, therefore, is to ask the lawyer (or other agent) for a copy of the written consent. This allows the institution to ensure it is meeting its own legal obligations not to disclose an individual’s personal information in the absence of such written consent.
The personal information of an individual can be thought of as something similar to the personal property of the individual. A bank wouldn’t let a lawyer (or other agent) access an individual’s savings in the absence of appropriate supporting documentation; likewise, a storage unit wouldn’t let a lawyer (or other agent) in to access an individual’s possessions on the basis of the agent’s word alone. Similarly, a lawyer or other agent has no general right to access the personal information of an individual without first obtaining proper written consent (or other appropriate documentation supporting the disclosure).
To the extent the Information and Privacy Commissioner of Ontario (IPCO) has considered the written consent requirement, its decisions have been supportive of requiring formal written consent before any personal information is disclosed to an agent under section 21(1)(a) of FIPPA (and by extension, under section 14(1)(a) of MFIPPA); in fact, in some circumstances, even the submission of a written consent to the institution is not always conclusive – IPCO has supported an institution’s decision to refuse to disclose personal information to anyone other than the person to whom the information relates, even after a written consent was presented to the institution by a purported agent.
Order PO-2489 (Ministry of Community Safety and Correctional Services)
In Order PO-2489 (Ministry of Community Safety and Correctional Services), a lawyer consented to the disclosure of their client’s personal information in an examination for discovery, and the lawyer’s consent was recorded in the transcript of the proceedings. IPCO Adjudicator Diane Smith found that “Verbal consent by counsel, recorded in a transcript, does not constitute written consent, and for that reason alone, it does not meet the requirements of section 21(1)(a).” Adjudicator Smith therefore concluded that the written consent exception set out in section 21(1)(a) of FIPPA did not apply in the circumstances of the appeal.
Order P-533 (Ministry of Health)
In Order P-533 (Ministry of Health), IPCO supported the decision of an institution not to rely on a written authorization it was presented when there were concerns about patient confidentiality. The Ministry was presented with written authorizations from an agent who purported to act on behalf of four individuals who are patients in a psychiatric institution. The agent was a patient at the same facility. The Ministry took the additional step of asking the patients to verify in writing that they wished to proceed with their requests on the basis that any information located would be released to them directly. No responses were received from the patients and the result was that the Ministry declined to further process the requests. The agent appealed the Ministry’s decisions not to accept the authorizations which had been signed by the patients. Finding support in an earlier decision (Order P-455, where IPCO refused to provide a daughter’s personal information upon the request of her father, despite an affidavit from the daughter purporting to give the father consent to request such information), Assistant Commissioner Irwin Glasberg upheld the Ministry’s decision not to disclose the patients’ information to the purported agent at the psychiatric institution, despite the existence of written consents to do so.
These decisions seem to suggest that even the existence of a written consent is not dispositive of the issue, and that institutions should consider attempting to deal with the individual whose information is being requested directly if they feel there is a good reason for doing so (such as a concern about the authority of the purported agent presenting a written consent from the individual to the institution).
Does the Clock Start Before the Written Consent is Received?
It’s not entirely clear whether the 30-day deadline to respond to a request should start as soon as the request is received, or only after the requested written consent has been verified by the institution, but the same arguments that suggest that the clock should not start until the requestor’s identity has been verified would seem to also imply that the clock should not start until the written consent of the individual has been verified as well. (These arguments were set out in the previous article on verifying the identity of the requestor.)
Additionally, it is still a good idea for the institution to request verification of the identity of the individual who provided the written consent. The FOI Manual suggests that institutions may be able to fulfill the identity verification requirement by receiving a photocopy of the requestor’s photo identification, but as noted in the previous article, institutions are expected to come up with a policy of their own for verifying the identity of FOI requestors that is tailored to the sensitivity of the information they are being asked to disclose and the circumstances of the request, among other factors. In some cases, an institution may be willing to accept alternative evidence, such as an affidavit from the lawyer’s office that they have verified the identity of their client. But in general, having the same identity verification requirements for both unrepresented requestors and individuals who are represented by counsel seems like a sensible approach. In other words, if an institution routinely asks for a photocopy of government-issued identification for unrepresented individuals, there’s no obvious reason not to impose the same identity verification requirement on individuals who are represented by counsel.
Examples of Consent Verification Requirements
Municipal institutions that adopt the practice of asking for both verification of the relevant individual’s identity and a copy of the written consent will be in good company. Consider these excerpts from the posted practices of well-known municipal institutions in Ontario:
Toronto Community Housing
For personal information requests, requestors must “Provide a copy of valid photo ID”.
For requests on behalf of someone else, requestors must “submit written consent signed by the person whose information you want to access along with his or her photo ID.”
Town of Milton
For personal information requests, requestors must “provide identification with a signature (such as a driver’s license)”.
For requests on behalf of someone else, requestors must “include a signed consent form with your request that states that the individual is authorizing you to act on his/her behalf, as well as a photocopy of a piece of his/her identification with a signature (such as a driver’s license) for verification purposes.”
Town of Newmarket
For personal information requests, requestors must “include with your completed application form, a photocopy of a piece of identification (e.g. driver’s license) bearing your signature. This will allow Town Staff to verify your identity so that your personal information is not disclosed to someone other than yourself.”
For requests on behalf of someone else, requestors must “include with the completed application, a signed Consent to Release Form from that individual authorizing you to act on his/her behalf, as well as a photocopy of a piece of his/her identification (e.g. driver’s license) bearing his/her signature for verification purposes.”
All said, when a lawyer, agent, or other third party submits an FOI request for personal information to an institution under the authorization of a written consent from the relevant individual, the institution should require:
- A copy of the relevant individual’s written consent in favour of the lawyer, agent or other third party; and
- Verification of the identity of the individual to whom the information relates.
Of course, as noted earlier, there are a few other ways under FIPPA/MFIPPA in which one person may become authorized to request the information of another person, such as by having lawful custody of the individual, being their court-appointed guardian, or by acting under a power of attorney, or as the personal representative of a deceased individual. In these other cases, a written consent may not be required, and instead, the institution should be prepared to accept appropriate alternative documentation. But when an individual’s information is being requested by another person on the basis of the individual’s consent, then asking the requestor for a copy of the written consent of the individual, as well as for verification of the identity of the consenting individual, is the correct course of action.
Links to Resources:
Freedom of Information and Protection of Privacy Act (FIPPA) https://www.ontario.ca/laws/statute/90f31
Municipal Freedom of Information and Protection of Privacy Act (MFIPPA) https://www.ontario.ca/laws/statute/90m56
Freedom of Information and Protection of Privacy Manual https://www.ontario.ca/document/freedom-information-and-protection-privacy-manual
Information and Privacy Commissioner of Ontario (IPCO) Decisions https://decisions.ipc.on.ca/ipc-cipvp/en/nav.do