Under both Ontario’s Freedom of Information and Protection of Privacy Act (FIPPA) and Municipal Freedom of Information and Protection of Privacy Act (MFIPPA), statutory powers and duties are vested in the “head” of the institution (as that term is defined in the Acts), who acts on behalf of the institution in administering access and privacy obligations.
Some Freedom of Information (FOI) regimes may frame obligations primarily at the institutional level (e.g., the public authority or agency), with implementation by designated officials. In contrast, in Ontario—as in most Canadian provinces—the legislation assigns statutory responsibility to an identified head, who carries out (or oversees) the institution’s obligations under the Acts.
A head may delegate powers and duties in writing under FIPPA s.62(1) and MFIPPA s.49(1), but remains ultimately responsible. This design reflects Ontario’s intent that there be a clearly identifiable decision-maker—such as a deputy minister, CAO, municipal clerk, or a police chief—who is responsible for balancing access and privacy rights.
The concern
Processing an FOI request can involve hundreds or even thousands of decisions, each with the potential for error. Some of the most common errors include:
- Missed deadlines
- Failure to respond to requestors (deemed refusals)
- Disclosing information that should not be disclosed, or to the wrong person
- Failing to disclose information that should have been disclosed
- Errors or omissions in required notices or other FOI correspondence
Given that the Acts assign responsibility for responding to FOI requests personally to the heads of institutions and their delegates, individuals involved in processing requests may reasonably wonder whether their actions—intentional or not—could result in personal civil liability. In other words, could a head, or even a front-line employee, be sued personally for failing to respond to an FOI request, improperly disclosing or withholding information, or making other FOI-related mistakes?
Protection from civil proceeding
Fortunately, both FIPPA and MFIPPA include a civil-liability shield to address this concern. The relevant subsection is FIPPA s.62(2) and MFIPPA s.49(2) (the wording is the same in both Acts):
Protection from civil proceeding
(2) No action or other proceeding lies against a head, or against a person acting on behalf or under the direction of the head, for damages resulting from the disclosure or non-disclosure in good faith of a record or any part of a record under this Act, or from the failure to give a notice required under this Act if reasonable care is taken to give the required notice.
This provision shields heads of institutions (and those acting for them) from civil claims (lawsuits) by requestors or other affected persons where the improper disclosure/non-disclosure was made in good faith or a notice failure occurred despite reasonable care. It is not a blanket immunity: it pertains to actions taken under the Acts, and the protection does not apply where good faith is absent or when reasonable care was not taken.
As explained in the Annotated Ontario Freedom of Information and Protection of Privacy Acts:
Section 62(2) establishes that no civil claim can be made against the head of an institution, or his or her delegate, for damages that anyone may have suffered as a result of such disclosure or non-disclosure, provided it was in good faith or as a result of failure to give a required notice if reasonable care was taken to give the notice. The provision does not protect heads and delegates from civil liability in the absence of good faith or reasonable care. However, it will be difficult in the normal course for any person to establish that good faith or reasonable care was not exercised in a particular case.
David Goodis, The 2023–2024 Annotated Ontario Freedom of Information and Protection of Privacy Acts, s.62:1 Commentary
Relevant Decisions
Relatively few decisions have considered the extent and limits of this statutory protection.
IPCO Order M-273
In Information and Privacy Commissioner of Ontario (IPCO) Order M-273 (February 23, 1994), Inquiry Officer Holly Big Canoe mentioned MFIPPA s.49(2) in passing, finding that an institution could not rely on the “economic and other interests” exemption to withhold records based on “[a] belief by an institution that it may be sued if the records are released,” since s.49(2) provides a shield against “damages resulting from the disclosure or non-disclosure in good faith of a record or any part of a record.”
In other words, an institution can’t use fear of a lawsuit as a justification to refuse to disclose records, since s.49(2) will shield the institution from liability for any FOI disclosures made in good faith.
Ellacott v. Waterloo Police Board, 2025 ONCA 687
In a recent Ontario Court of Appeal decision, Ellacott v. Waterloo (Police Board), 2025 ONCA 687 (October 8, 2025), the plaintiff sued the Waterloo Regional Police Service (WRPS), naming both the police service and three employees—the police chief and two constables—personally. The plaintiff alleged that they had unlawfully disclosed to her employer that she was married to a federal parolee, causing her to lose her job as a supervisor at a halfway house for federal parolees.
The Court of Appeal unanimously affirmed that the personal information was disclosed “for good reason” and was permitted under s.41(1.2) of the Police Services Act. And even if the disclosure had been improper, the Court affirmed that under s.49(2) of MFIPPA, “the police chief and Waterloo Police [were] shielded from liability for such disclosure provided it was made in good faith.”
This decision demonstrates that the statutory protection from civil proceedings applies even to institutional employees acting outside the narrow context of FOI requests and confirms that the liability shield covers both individual employees as well as the institution itself.
“Good Faith” and “Reasonable Care”
Neither FIPPA nor MFIPPA defines the terms “Good Faith” or “Reasonable Care”. That said, their meanings have become established in Canadian law, though sometimes evading precise definition.
Good faith generally refers to acting with honest intention—without malice, negligence, or intent to deceive. A person acts in good faith when they genuinely believe their actions are appropriate under the law and are taken for a legitimate purpose. In the FOI context, this could mean the head or delegate made an access or disclosure decision honestly and based on a sincere understanding of their statutory obligations, even if that decision is later found to be incorrect.
Examples of good faith actions include:
- Interpreting an exemption or exclusion based on available IPCO guidance or legal advice at the time
- Making a disclosure to protect public safety or prevent harm, in reliance on statutory authority
- Withholding records where staff genuinely believed an exemption applied
Reasonable care refers to the diligence and prudence that a reasonable person in the same role would exercise in similar circumstances. In practice, this includes establishing and following procedures for processing FOI requests, documenting decisions and rationales, double-checking notices and correspondence, and tracking statutory timelines and extensions.
Reasonable care can also include having appropriate systems and tools in place to help staff manage requests accurately and consistently. For example, purpose-built FOI software can guide users through statutory steps, help prepare compliant notices, and provide reminders and reports that support the FOI process. The use of an automated system that tracks deadlines, generates notices, and walks users through the FOI workflow can help demonstrate that reasonable care was exercised.
Together, these concepts create a balanced standard: the legislation does not require perfection—only honest, diligent, and conscientious effort. As noted in the Goodis excerpt above, “it will be difficult in the normal course for any person to establish that good faith or reasonable care was not exercised in a particular case.” In most cases, mistakes arising from human error, misunderstanding, or oversight will still be protected under s.62(2) of FIPPA and s.49(2) of MFIPPA, so long as the actions were taken in good faith and with reasonable care.
Conclusion
Ontario’s approach under FIPPA and MFIPPA emphasizes clear accountability by vesting statutory responsibility in the institution’s “head” (who acts on the institution’s behalf and may delegate in writing). At the same time, the Acts balance that accountability with robust protections. So long as decisions are made in good faith and with reasonable care—supported by sound procedures, proper training, and effective systems—heads of institutions and their staff can be confident that the law protects them from personal liability for honest mistakes made in the course of administering access and privacy rights.
Stay Informed
If you enjoyed this article, subscribe to the FOI Assist Knowledge Base using the Subscribe button below to receive future FOI articles by email. New articles feature practical insights, guidance, and examples to help Ontario institutions stay compliant and efficient in administering access and privacy rights.
The FOI Assist Software
Take reasonable care in the implementation of your FOI program with the FOI Assist software. Developed by an experienced Ontario FOI lawyer, the software includes built-in checklists, templates, and compliance tools to help ensure your institution’s FOI process is consistent, well-organized, and fully documented—reducing the risk of appeals and other proceedings and putting your institution in the best position to succeed.
FOI Assist Knowledge Base 
Leave a comment