When an access request is received, it’s quite common for some of the requested records to contain the personal information of a “third party”, that is, a person who is neither the requestor nor the institution.
General Records Requests
For general records requests, the applicable exemption is section 21 of the Freedom of Information and Protection of Privacy Act (FIPPA) or its municipal equivalent, section 14 of the Municipal Freedom of Information and Protection of Privacy Act (MFIPPA).
The language of FIPPA s.21(1) and MFIPPA s.14(1) is the same. Here’s the wording as set out in FIPPA s.21(1):
21 (1) A head shall refuse to disclose personal information to any person other than the individual to whom the information relates except,
(a) upon the prior written request or consent of the individual, if the record is one to which the individual is entitled to have access;
(b) in compelling circumstances affecting the health or safety of an individual, if upon disclosure notification thereof is mailed to the last known address of the individual to whom the information relates;
(c) personal information collected and maintained specifically for the purpose of creating a record available to the general public;
(d) under an Act of Ontario or Canada that expressly authorizes the disclosure;
(e) for a research purpose if,
(i) the disclosure is consistent with the conditions or reasonable expectations of disclosure under which the personal information was provided, collected or obtained,
(ii) the research purpose for which the disclosure is to be made cannot be reasonably accomplished unless the information is provided in individually identifiable form, and
(iii) the person who is to receive the record has agreed to comply with the conditions relating to security and confidentiality prescribed by the regulations; or
(f) if the disclosure does not constitute an unjustified invasion of personal privacy.Freedom of Information and Protection of Privacy Act, R.S.O. 1990, c. F.3
This exemption requires the institution not to disclose the personal information of one person to another person, unless:
- it first obtains the written consent of the individual to whom the information relates; or
- the disclosure falls under one of the categories listed in (1)(a) through (f).
Subsection (1)(f) is particularly noteworthy. This subsection permits disclosure “if the disclosure does not constitute an unjustified invasion of personal privacy”. This language is not very illuminating on its own; however, subsections (2), (3) and (4) of FIPPA s.21 / MFIPPA s.14 fill out many of the details about when a disclosure of personal information would or would not be an unjustified invasion of personal privacy. Additionally, there is a significant body of jurisprudence in the form of decisions of the Information and Privacy Commissioner of Ontario (IPCO) in which these subsections are further explained and applied.
Personal Information Requests
So it’s clear that institutions should use FIPPA s.21(1) and MFIPPA s.14(1) to exclude personal information from requests for general records. However, what about requests for access to the requestor’s own personal information? Specifically, what if the personal information of a third party (that is, an individual other than the requestor) appears in some of the records responsive to the request? Can the institution still use FIPPA s.21(1) / MFIPPA s.14(1) to exempt such third party personal information from disclosure?
The short answer is, “no”. The slightly longer answer is, “not exactly”.
Anyone who has worked on the Year-End Statistical Report may have noticed that according to IPCO’s “Workbook and Completion Guide“, institutions are not permitted to apply FIPPA s.21 / MFIPPA s.14 to requests for the requestor’s own personal information; under “personal requests”, this exemption is marked as “N/A”. The guide hints at the answer, though, because under “general requests”, FIPPA s.49 / MFIPPA s.38 are also marked as “N/A”. The reason for this is that FIPPA s.49(b) / MFIPPA s.38(b) serve as equivalents to FIPPA s.21(1) / MFIPPA s.14(1), but for personal information requests.
What all of these exemptions have in common is that they exempt the disclosure of personal information if doing so would result in an “unjustified invasion of another individual’s personal privacy”. This serves as something of a “catch-all” justification for refusing to disclose personal information.
However, while FIPPA s.21 / MFIPPA s.14 state that the institution “shall refuse to disclose personal information to any person other than the individual to whom the information relates”, and are applicable to general records requests, FIPPA s.49 / MFIPPA s.38 apply specifically to requests for one’s own personal information, clarifying that the institution “may” refuse to disclose even the requestor’s own personal information in certain situations, such as where such disclosure would constitute an unjustified invasion of another individual’s personal privacy.
In sum, FIPPA s.21(1) / MFIPPA s.14(1) are used to exempt personal information for general records requests, whereas FIPPA s.49(b) / MFIPPA s.38(b) are used to exempt the personal information of third parties from requests for access to the requestor’s own personal information.
Two recent IPCO decisions serve to help clarify that FIPPA s.21 / MFIPPA s.14 should not be used when the requested records contain the personal information of the requestor; rather, FIPPA s.49 / MFIPPA s.38 should be used instead.
Order MO-4163 (City of Ottawa) decided February 16, 2022
Here, the requestor asked for records “relating to him during a certain period of time, and specifically, for emails between any combination of four specified individuals.” The adjudicator found that “ The city relied on the mandatory personal privacy exemption at [MFIPPA] section 14(1) to withhold the personal information of individuals other than the appellant, but given my finding that all the records contain the personal information of the appellant, the relevant personal privacy exemption to consider is the discretionary personal privacy exemption at section 38(b) of the Act.”
The implication here is that if a request is for records which all contain the requestor’s personal information, then MFIPPA s.38(b) is applicable, not MFIPPA s.14(1). (And interestingly, the decision appears to suggest that the City of Ottawa made a mistake here by applying MFIPPA s.14(1) to a request for personal information.)
Order MO-4165 (Ottawa Police Service) decided February 17, 2022
In this decision, the Ottawa Police Service applied MFIPPA s.38(b) to a request for the disclosure of personal information. The adjudicator found that to determine whether MFIPPA s.38(b) was applicable, it was helpful to do an analysis of the various parts of MFIPPA s.14 in order to determine what would be an unjustified invasion of personal privacy:
Sections 14(1) to (4) provide guidance in deciding whether disclosure would be an unjustified invasion of the other individual’s personal privacy. If any of the section 14(1)(a) to (e) exceptions apply, disclosure would not be an unjustified invasion of personal privacy and the information is not exempt from disclosure under section 38(b).Order MO-4165 (Ottawa Police Service), para. 31
This suggests that when you are applying MFIPPA s.38(b), you’re really applying MFIPPA s.14 “behind the scenes”. In other words, when seeking guidance on how to apply MFIPPA s.38(b) / FIPPA s.49(b), you can and should consider cases and decisions which analyze MFIPPA s.14 / FIPPA s.21. (This is why I suggested earlier that the longer answer was “not exactly”.)
Keep in mind FIPPA s.49 and MFIPPA s.38 cover more than third-party personal information. FIPPA s.49(a) and MFIPPA s.38(a) list which other FIPPA and MFIPPA exemptions may be cited as the basis for refusing disclosure of the requestor’s own personal information. FIPPA s.49(c)-(f) and MFIPPA s.38(c)-(e) set out a few more exemptions which may be used to refuse disclosure of the requestor’s own personal information.
Combined Requests (General Records and Personal Information)
Based on the above, the Privacy Commissioner’s decision to “block out” FIPPA s.21 / MFIPPA s.14 for personal requests (and FIPPA s.49 / MFIPPA s.38 for general requests) in their Annual Report Workbook and Completion Guide does make sense, although it appears to assume a very clean distinction between “personal” and “general records” requests.
Of course, some requests may wind up covering both kinds of records: some which do contain the personal information of the requestor, and other records that do not. In these cases, the request is neither entirely a personal information access request nor a general records request. In such a case, you may wish to consider splitting up the request into a personal information request and a general records request for easier processing.
For more information on splitting up requests, see my previous article, Splitting Up an FOI Request.
If there’s one main takeaway from today’s article, it’s this: if you are processing a general records request, then FIPPA s.21 / MFIPPA s.14 are generally the correct exemptions to use to exempt personal information. However, if you are processing a request for access to personal information, and you are looking to exempt a third-party’s personal information from disclosure, then FIPPA s.49 / MFIPPA s.38 should normally be used instead.
Finally, if an FOI request appears to relate to both general records as well as records containing the requestor’s own personal information, then don’t hestiate to split the request into its constituent parts, that is, a request for general records, and a separate request for the requestor’s own personal information. Not only will this make the applying the right exemptions much easier, it will help you immensely when working out the applicable fees as well.