Up to this point I’ve written many articles on the “finer points” of responding to Freedom of Information (FOI) requests. But today I would like to present an article addressed to all of those people who are just starting out as an FOI professional – who might appreciate a quick run-down of the basics to help them get started. And this article might also be useful for the “dabblers” – the hundreds of provincial and municipal employees for whom responding to FOI requests is not their main role, but rather something they do on a part-time basis, perhaps only infrequently.
What is an FOI request?
An FOI request is a written request for one or more documents held by a government institution. The request is generally submitted to the institution together with a small application fee (often $5).
If you work at a government institution, you may receive numerous FOI requests from the public. The reason that government institutions are obligated to respond to FOI requests stems from the basic idea that individuals have the right to know what their government is doing, and what kinds of information their government is storing. One way individuals can exercise their “right to know” is to request documents (records) from the government.
Government institutions in Canada generally have a legal obligation to disclose any records that are requested by members of the public, so long as the person requesting the records pays the applicable fees, and there is no exemption or exclusion that applies to the records.
How do I know if I have received an FOI request?
FOI requests are often, but not always, addressed to the “Freedom of Information”, “Access to Information” or “Privacy” office of a government institution, or sometimes to the Clerk or to the head of the institution. Under Ontario’s Freedom of Information and Protection of Privacy Act (FIPPA) and Ontario’s Municipal Freedom of Information and Protection of Privacy Act (MFIPPA), requests are supposed to specify that they are being made under the relevant Act (either FIPPA or MFIPPA), to provide sufficient detail to enable an experienced employee of the institution, upon a reasonable effort, can identify the requested record, and to include a $5 request fee. Requests which do not meet these requirements are not valid FOI requests under FIPPA/MFIPPA. That said, if you are not sure whether a request was intended to be an official FOI request made under FIPPA or MFIPPA, you should generally attempt to get in touch with the requestor to clarify their intent and to help them to formulate a valid FOI request, assuming that was their intention.
For more information on the requirements of a valid FOI request, see my earlier article “What are the requirements of a valid Freedom of Information (FOI) request?”
What kinds of organizations have to respond to FOI requests?
In Ontario, FIPPA and MFIPPA (the “Acts”) impose the obligation to respond to FOI requests on nearly every provincial and municipal government institution. (Note FOI professionals tend to use the word “institution” only for government institutions who have an obligation to respond to FOI requests, which is similar to how the word “institution” is defined in the Acts themselves.)
FIPPA imposes the obligation to process and respond to FOI requests on various provincial institutions including (with few exceptions) all ministries, agencies, boards and commissions, universities, colleges and hospitals. MFIPPA imposes the same obligation on municipal institutions, including city, town, county and regional governments, police boards and school boards.
Federal government institutions must also respond to FOI requests, but this obligation comes from different legislation: the Access To Information Act (ATIA), which is federal legislation.
In contrast, private businesses and individuals generally have no obligation to respond to “FOI” requests they may receive. That said, private businesses and individuals may have other disclosure obligations under, for example, securities laws, privacy laws, industry-specific legislation, or when participating in a lawsuit or other legal process.
For more information on who must respond to FOI requests, see my earlier article, “Is my organization legally obligated to respond to FOI requests?”
What are the steps involved in processing an FOI request?
At the highest level, the steps are generally:
- receive a request
- review it and ensure it is valid (in consultation with the requestor if necessary)
- search for records responsive to the request (the search may be conducted by the FOI professional themselves, or assigned to other employees of the institution)
- consider whether any exemptions or exclusions apply to the responsive records identified in the search (this step is usually performed by the FOI professional)
- prepare documents for disclosure (by redacting or otherwise removing any information that should not be included in the disclosure)
- send a decision letter to the requestor outlining the decision and requesting payment of any outstanding fees relating to the request; and then
- upon receipt of payment, send the “disclosure documents” to the requestor, that is, all of the documents that are responsive to the request, with the exception of any exempt or excluded information
Additional steps are occasionally involved in the process, including:
- rejecting a request as frivolous or vexatious
- verifying the identity of the requestor
- issuing an extension of time
- issuing a fee estimate, potentially including a request for a “fee deposit” from the requestor
- consulting affected third parties
- consulting experts
- coordinating with internal stakeholders and communications staff
- obtaining legal advice
For a good overview of the process under Ontario’s FIPPA and MFIPPA, I strongly recommend The FOI Request Process Poster. (Printed copies are still available.)
For a longer discussion of Ontario’s FOI process under FIPPA and MFIPPA, the Ministry of Government Services’ Freedom of Information and Protection of Privacy Manual provides a description of the various steps involved.
How long should an FOI request take to process?
Under FIPPA, MFIPPA and the ATIA, institutions have a basic 30-day deadline to respond to requests with a decision. That means if a request is received on August 1, 2019, generally, a decision letter must be sent to the requestor by August 31, 2019. However, there are exceptions to this rule, including:
- Under FIPPA and MFIPPA, if affected third parties need to be consulted before the institution is able to reach a decision on whether to disclose the requested records, the institution is given an additional 30 days to conduct this “affected person consultation process” (more on this below). In that case, the institution would have 60 days to respond to the request.
- Institutions can issue an “extension of time” if they need additional time to respond to a request, so long as the institution has a valid reason for doing so under the relevant Act.
For more information on how to count time and how to determine the deadline to respond, see my earlier article, “How to count time and how to determine the initial 30-day deadline”
When can time extensions be issued?
Under FIPPA (s.27) and MFIPPA (s.20), a time extension is permitted if:
- the request is for a large number of records or necessitates a search through a large number of records and meeting the time limit would unreasonably interfere with the operations of the institution; or
- consultations with a person outside the institution are necessary to comply with the request and cannot reasonably be completed within the time limit.
For more information on obtaining additional time to respond to a request, see my earlier article, “Stop the clock! How different actions affect the deadline”
How are time extensions issued?
Assuming the institution has a permissible reason for issuing a time extension (see the answer directly above), then under FIPPA and MFIPPA, the institution may issue a time extension before the deadline has passed by sending the requestor a written notice which sets out the length of the extension and the reason for the extension, and lets the requestor know that they are permitted to ask the Information and Privacy Commissioner of Ontario to review the extension.
Sample letters and templates
The Ontario Ministry of Government Services’ Freedom of Information and Protection of Privacy Manual provides a wealth of sample letters and templates. A direct link to the templates is here: https://www.ontario.ca/document/freedom-information-and-protection-privacy-manual/appendices#section-3
What kinds of records can be requested?
Generally, any records held by the institution can be requested, including written documents, electronic records, and even audio files, images and videos. However, exemptions or exceptions may apply which prevent the institution from disclosing certain records.
For more on the disclosure of electronic records, see my earlier articles “Do institutions have to disclose electronic versions of records?” and “I thought we deleted that!” Metadata and Hidden Data
What exemptions or exclusions may be applicable to requested records?
The basic rule is that an institution must disclose any record requested by a member of the public; however, a large number of exemptions and exclusions to this rule are included in FIPPA and MFIPPA. Some of these exemptions and exclusions have the effect of giving the institution discretion over whether or not to disclose a requested record; others are mandatory, in which case the institution is generally not permitted to disclose the requested record. (However, in some situations, a “public interest” in the disclosure of the record can trump even a mandatory exemption.)
For more information on exemptions and exclusions, see my earlier article “Exemptions vs. Exclusions: What is the difference?”
Can requestors ask for general records?
Another way to phrase this question would be to ask, “Can requestors ask for anything they want?” The answer is yes. FIPPA and MFIPPA both state that their purpose is to provide a right of access to information under the control of institutions in accordance with the principles that information should be available to the public, and that necessary exemptions from the right of access should be limited and specific. In other words, the default position for all information held by an institution is that it is public. The information requested does not have to relate directly or indirectly to the requestor, nor does the requestor have any obligation to provide any explanation as to why certain information is being requested.
Can requestors ask for personal information?
In accordance with FIPPA s.21 and MFIPPA s.14, institutions generally refuse to disclose personal information to any person other than the individual to whom the information relates, although there are exceptions to this rule. On the other hand, requestors generally do have the right to obtain copies of their own personal information held by the institution (unless another exception or exemption applies), as well as a right to correct their personal information held by the institution. Requestors may also authorize others to request personal information on their behalf.
For more information on requestors who are seeking their own personal information, see my earlier article, “Verifying the Identity of the Requestor”
What is an “affected third party” or an “affected person”?
The terms “affected third party” and “affected person” are generally used interchangeably. There is a special disclosure exemption in FIPPA (s.17) and MFIPPA (s.10) for “trade secret or scientific, technical, commercial, financial or labour relations information, supplied in confidence” whose disclosure could reasonably be expected to cause specific kinds of harm to a third party (that is, to an individual, company or other organization outside of the institution). To help institutions determine whether this disclosure exemption should apply, institutions are expected to consult any third parties who may be affected by the disclosure of the requested records. Usually, an “affected third party” will be a person or organization who originally supplied the requested record to the institution, who created the record, or to whom the record relates.
Similarly, if an institution is considering granting access to an individual’s personal information to someone else, then the individual whose personal information may be disclosed is considered an affected person and must be consulted prior to disclosure.
In either case, the process is similar. Generally, copies of the relevant records are sent to the affected person along with a cover letter requesting that the affected person provide representations to the institution regarding whether or not the affected person believes the institution should disclose the records to the requestor. The basic 30-day deadline is extended by an additional 30 days to give the institution time to run this affected person process on the following timeline: 20 days to seek and receive representations from all affected persons, and then 10 days to consider the representations and prepare a decision letter to the requestor.
Given the relatively short deadlines, and the potential for multiple affected parties to be involved and to each submit representations regarding overlapping ranges of documents, the affected third party process can be one of the more difficult and confusing aspects of the FOI process.
Do I need to retain legal counsel?
At most institutions, the majority of FOI requests are handled without the assistance of legal counsel. However, if an institution is not familiar with the FOI process, or if an FOI file brings up unfamiliar issues or issues that seem like they may require legal advice, then hiring a lawyer (or seeking advice from internal counsel) can be a good idea. Lawyers are more frequently involved on “high-stakes” FOI files (e.g., where highly sensitive information is being requested), or at the appeal stage (where there is a disagreement between the requestor and the institution about an FOI-related decision that the institution has made, and the requestor files an appeal with the Information and Privacy Commissioner of Ontario).
What about Annual Statistical Reporting?
All Ontario institutions responsible for responding to FOI requests under FIPPA, MFIPPA and/or the Personal Health Information Protection Act (PHIPA) are required by law to submit FOI statistics to the Information and Privacy Commissioner of Ontario on an annual basis, even if the institution received no FOI requests during the relevant year.
Much like filing a tax return, it can be a real time-saver to record the relevant statistical information throughout the year, as files are being processed, rather than trying to figure everything out shortly before the deadline.
See my article Year-End Statistical Reporting Doesn’t Have To Be Scary, which includes a “File Opening and Closing Worksheet” to help you keep track of the required information.
For even more information about the year-end statistical reporting requirement, visit the Annual Statistical Reporting page on the Information and Privacy Commissioner of Ontario’s website.
What other resources are available for FOI professionals in Ontario?
A useful list of resources can be found here: Resources for FOI Professionals in Ontario
Future Q-and-A’s for FOI professionals…
I am aiming to continue this question-and-answer format for FOI professionals in an upcoming post. If you have any questions you would like to see answered, or if you would like to share any information that you “wish you had known” back when you were just starting out, please let me know. I look forward to hearing from you.
With the new FOI AssistTM software, Ontario’s provincial and municipal institutions can process and respond to Freedom of Information requests quickly, easily, and in full compliance with applicable legislation and guidance. Read the release announcement.
To receive guidance and tips on processing FOI requests, as well as up-to-date information about the FOI Assist software, please follow the FOI Assist website. Simply enter your email address at the bottom of the page then click the follow button.
- What are the requirements of a valid Freedom of Information (FOI) request?
- Is my organization legally obligated to respond to FOI requests?
- The FOI Request Process Poster
- How to count time and how to determine the initial 30-day deadline
- Stop the clock! How actions affect the deadline
- Do institutions have to disclose electronic versions of records?
- “I thought we deleted that!” Metadata and Hidden Data
- Exemptions vs. Exclusions: What is the difference?
- Verifying the Identity of the Requestor
- Resources for FOI professionals in Ontario
Links to Resources:
Freedom of Information and Protection of Privacy Act (FIPPA) https://www.ontario.ca/laws/statute/90f31
Municipal Freedom of Information and Protection of Privacy Act (MFIPPA) https://www.ontario.ca/laws/statute/90m56
Personal Health Information Protection Act (PHIPA) https://www.ontario.ca/laws/statute/04p03
Freedom of Information and Protection of Privacy Manual https://www.ontario.ca/document/freedom-information-and-protection-privacy-manual/
Information and Privacy Commissioner of Ontario: Guidance Documents https://www.ipc.on.ca/guidance-documents/
Information and Privacy Commissioner of Ontario: Annual Statistical Reporting https://www.ipc.on.ca/access-organizations/annual-statistical-reporting/
Access To Information Act http://laws-lois.justice.gc.ca/eng/acts/A-1/