Order 01-26

FINANCIAL INSTITUTIONS COMMISSION

David Loukidelis, Information and Privacy Commissioner
June 11, 2001

Quicklaw Cite: [2001] B.C.I.P.C.D. No. 27
Document URL: http://www.oipc.bc.ca/orders/Order01-26.html 
Office URL: http://www.oipc.bc.ca
ISSN 1198-6182


Summary: Applicant sought access to list of companies which had been the subject of complaints to FICOM from 1995 to 2000. FICOM is not required to refuse access under s. 21 or s. 22. FICOM has not established that “commercial information” was supplied to it in confidence. Nor has it shown that disclosure could reasonably be expected to significantly harm third parties’ competitive positions nor a reasonable expectation that similar information would no longer be supplied. FICOM also failed to establish that disclosure would reveal the identities of complainants and thus s. 22 does not apply. Applicant failed to advance s. 25 arguments. Section 25 found in any case not to apply.

Key Words: invasion of privacy – commercial information – supplied in confidence – competitive position – similar information no longer supplied – interfere significantly.

Statutes Considered: Freedom of Information and Protection of Privacy Act, ss. 21, 22, 25; Financial Institutions Act, s. 218.

Authorities Considered: B.C.: Order No. 32-1995, [1995] B.C.I.P.C.D. No. 3; Order No. 221-1998, [1998] B.C.I.P.C.D. No. 14; Order No. 226-1998, [1998] B.C.I.P.C.D. No. 19; Order No.  287-1998, [1998] B.C.I.P.C.D. No. 82; Order 00-01, [2000] B.C.I.P.C.D. No. 1; Order 00-08, [2000] B.C.I.P.C.D. No. 8; Order 00-10, [2000] B.C.I.P.C.D. No. 11; Order 00-11, [2000] B.C.I.P.C.D. No. 13.

1.0    INTRODUCTION

[1]    The applicant, a freelance journalist, asked for a list of all investigations done by the Financial Institutions Commission (“FICOM”) from January 1, 1995 to the date of his request, June 15, 2000. FICOM responded in early July of 2000, by confirming a conversation between the applicant and a FICOM employee, in which they had clarified the request to be for a list of all non-routine investigations performed by FICOM since January 1, 1995 (that is, not regular cyclical examinations of financial institutions). The material before me also indicates that the applicant intended his request to be for a list of companies investigated and not individuals.

[2]    FICOM then told the applicant it was denying him access to this list under ss. 21 and 22 of the Freedom of Information and Protection of Privacy Act (“Act”). Citing s. 25 of the Act, the applicant requested a review of this decision by my Office soon afterward. Mediation was unsuccessful, so I held a written inquiry under s. 56 of the Act.

2.0    ISSUES

[3]    The issues in this inquiry are whether FICOM was required by ss. 21 and 22 of the Act to withhold the requested information and whether s. 25 applies to the record in dispute.

[4]    Under s. 57(1), FICOM has the burden of proof regarding s. 21. Because I find that the business names in issue do not constitute personal information and would not indirectly disclose such information, the question of the burden of proof under s. 22(1) does not arise. Consistent with previous orders, the applicant has the burden of showing that s. 25 applies to the record in question.

3.0    DISCUSSION

[5]    3.1    Nature of Disputed Records – The record comprises a 64-page list entitled “Corporate Complaint Reports Received after Jan 1/95 and Closed before June 18/00”. At para. 28 of its initial submission, FICOM describes this list as containing the names of trust companies, credit unions, insurance companies and mortgage brokerage firms. All were the subject of complaints from the public, the financial services industry (including competitors and employees), police and government employees.

[6]    Each page has four columns of information headed, from left to right: “Line #”; “Filename” (this column consists of the names of companies – FICOM says there are approximately 2,200 names); “Date Opened”; and “Date Closed”. As the column names suggest, the list contains only line numbers, company names and the dates on which files, or complaints, were opened and closed. The names of complainants are not recorded. Nor are the sources of complaints disclosed (e.g., according to whether the complainant was with a police agency, was a government employee or was a consumer). The list does not disclose the nature of the complaints. The header on each page of the list merely records that the list contains “corporate complaint reports”. Nothing is said about the merits of each complaint or its disposition by FICOM.

[7]    3.2    Does Section 25 Apply? – Although the applicant referred to s. 25 in his request for review, it was not listed as an issue in the Office’s Notice of Written Inquiry or Portfolio Officer’s Fact Report. Nor did the applicant submit any arguments on this point during the inquiry. As he had the burden regarding s. 25, I find he has failed to meet that burden and that s. 25 does not apply. It is, however, difficult to see how s. 25 would apply here. It seems to me there is no urgent or compelling public interest in disclosing the requested record in this case without delay and I find s. 25 does not require disclosure.

[8]    3.3    FICOM’s Mandate – FICOM told me that it administers 10 statutes, including the Financial Institutions Act (“FIA”), the Credit Union Incorporation Act, the Insurance Act and the Mortgage Brokers Act. It also provided me with the following outline of its mandate:
  • protecting depositors and policy holders against the insolvency of trust companies, credit unions and insurance companies,
  • safeguarding consumers against improper market conduct in the financial services and real estate industries, and
  • insuring credit union deposits and non-equity shares up to a maximum of $100,000 for each “separate deposit” with each credit union, through the Credit Union Deposit Insurance Corporation.

[9]    FICOM also may appoint a superintendent, who may make written inquiries – including in response to complaints – and who may also appoint investigators. The superintendent may also hold hearings, issue orders and impose sanctions for contraventions of legislation. FICOM also told me it publishes information on substantiated complaints in the form of news releases stating the name of the person and company.

[10]    3.4    Personal Privacy of Third Parties – FICOM cites ss. 22(1), 22(2)(a), (f) and (h) and 22(3)(b) as the basis for withholding the entire list. Those sections read as follows:
22(1) The head of a public body must refuse to disclose personal information to an applicant if the disclosure would be an unreasonable invasion of a third party’s personal privacy.
  (2) In determining under subsection (1) or (3) whether a disclosure of personal information constitutes an unreasonable invasion of a third party’s personal privacy, the head of a public body must consider all the relevant circumstances, including whether
  (a) the disclosure is desirable for the purpose of subjecting the activities of the government of British Columbia or a public body to public scrutiny,
...
  (f) the personal information has been supplied in confidence,
...
  (h) the disclosure may unfairly damage the reputation of any person referred to in the record requested by the applicant.
  (3) A disclosure of personal information is presumed to be an unreasonable invasion of a third party’s personal privacy if
...
  (b) the personal information was compiled and is identifiable as part of an investigation into a possible violation of law, except to the extent that disclosure is necessary to prosecute the violation or to continue the investigation, ... .

[11]    It argues, at para. 50 of its initial submission, that it refused disclosure under s. 22 because it might be possible to discern the identity of complainants in some cases. As FICOM put it:

This is most likely if the company has done limited business in British Columbia and the number of complaints is not much smaller than the number of clients.

[12]    FICOM goes on to say the following, at para. 51:

It would be impossible for the Financial Institutions Commission to filter out situations such as these from the list and the individual may be exposed to harm, e.g. complications on the renewal of insurance.

[13]    FICOM also cites orders of my predecessor which confirmed the confidential nature of complaint records and confirmed decisions by self-governing bodies to protect information related to practice or conduct reviews involving their members. It relies on Order No. 32-1995, [1995] B.C.I.P.C.D. No. 3; Order No. 287-1998, [1998] B.C.I.P.C.D. No. 82; and Order No. 221-1998, [1998] B.C.I.P.C.D. No. 14.

[14]    These orders do not apply here. They relate to conduct-review or practice-review records regarding individual members of self-governing bodies, not corporate entities. Moreover, while FICOM suggests that it might be possible, using the names of businesses which were the subject of complaints, to deduce the identity of an employee who lodged a complaint about his or her own employer, FICOM does not describe how one might do so. It says, at para. 51, that the “release of some names” on the list would be an “invasion of privacy”, but does not say which names these might be or how disclosure would be an “invasion of privacy”.

[15]    It is not at all evident, from the contents of the records themselves or the other material before me, how an employer might deduce from the list the identity of an employee or other complainant who complained to FICOM. Accordingly, I do not see how the business names in the list could be said to be, or to disclose indirectly, “recorded information about an identifiable individual”, as required by the Act’s definition of “personal information”. I find that none of the information in dispute is personal information for the purposes of the Act. It follows that s. 22 does not apply and need not be considered further.

[16]    3.5    Third-Party Business Interests – FICOM applied s. 21(1) of the Act to the list. Section 21(1) requires public bodies to withhold certain third-party business information where its disclosure would result in one or more harms listed in s. 21(1). All three elements of the s. 21(1) test must be satisfied before a public body is required to withhold information. Section 21(1) reads as follows:

21(1) The head of a public body must refuse to disclose to an applicant information

(a) that would reveal
(i) trade secrets of a third party, or
(ii) commercial, financial, labour relations, scientific or technical information of a third party,
(b) that is supplied, implicitly or explicitly, in confidence, and
(c) the disclosure of which could reasonably be expected to
(i) harm significantly the competitive position or interfere significantly with the negotiating position of the third party,
(ii) result in similar information no longer being supplied to the public body when it is in the public interest that similar information continue to be supplied,
(iii) result in undue financial loss or gain to any person or organization, or
(iv) reveal information supplied to, or the report of, an arbitrator, mediator, labour relations officer or other person or body appointed to resolve or inquire into a labour relations dispute.


Is Third-Party Commercial Information Involved?

[17]    The first question in this case is whether the list constitutes the “commercial information” of the companies in the list. FICOM argues as follows at para. 32 of its initial submission:

... [T]here exists a proprietary interest in the company name itself. Given that the context of the request is the names of the companies in a list of companies that have had complaints investigated by the Regulator, we submit that this puts the company names in question squarely within the definition of commercial information.

[18]    Other arguments made by FICOM in its discussion of “commercial information” relate more properly to whether disclosure would cause the companies harm.

[19]    The Act does not define the term “commercial information” and, while my predecessor and I have each considered whether third party information is “commercial” for the purposes of s. 21(1)(a)(ii), this has generally been in conjunction with “financial information”. Business, or trade, names are, by definition, public information. That does not mean they have no value or that they do not constitute information that pertains to commerce. A business name is the name under which a business carries on commerce and is therefore associated with the commercial activities of the business. A business name has value, not least because of the goodwill that is associated with it. The value in a business name is protected by trade mark laws, the common law tort of passing-off and other means. In this light, business names have commercial value and are information pertaining to a particular commercial enterprise.

[20]    It does not necessarily follow, however, that business names are “commercial information” under s. 21(1)(a), either generally or, specifically, where they are supplied in confidence in circumstances such as those before me. Given my findings on the second and third branches of the s. 21(1) test, however, it is not necessary for me to decide this point and I decline to do so in this case.

Supply in Confidence

[21]    FICOM says that the complainants submitted the names of the companies in confidence, either in writing or by telephone, such that s. 21(1)(b) of the Act has been met. It relies, first, on s. 218 of the FIA, which reads as follows:

Confidential information

218   An individual or entity who, under this Act or the regulations, obtains
(a)    information, or
(b)    records
that are submitted in accordance with a request that is made or an obligation that is imposed under this Act or the regulations must not disclose the information or records to any individual or entity other than for the purposes of administering this Act and the regulations, for the purposes of a prosecution or if required by law.

[22]    FICOM acknowledges that there is no provision in the FIA that overrides the Act, but argues, at paras. 18 and 19 of its initial submission, that

... this provision should be considered by the Commissioner in support of our position of non-disclosure. The rationale behind this, and most other confidentiality provisions in legislation, relate[s] to a recognized need for an organization to conduct its business with some degree of confidentiality. This principle is especially important in the context of a public body with a regulatory mandate such as the Financial Institutions Commission.

[23]    FICOM says that I acknowledged in Order 00-08, [2000] B.C.I.P.C.D. No. 8, that, in Order No. 226-1998, [1998] B.C.I.P.C.D. No. 19, my predecessor recognized s. 70 of the Medical Practitioners Act (a confidentiality clause which the public body in that case argued overrode the Act) as a relevant confidentiality marker.

[24]    Section 218 of the FIA does not assist FICOM. It is a general confidentiality provision that applies only to specified kinds of records or information, i.e., records or information obtained by FICOM in response to a “request” for records or information made by the regulator under the FIA or records or information disclosed to the regulator under an obligation imposed by the FIA. I note that Division (1) of Part 7 of the FIA gives the Superintendent of Financial Institutions the power to require the production of information or records and otherwise to investigate compliance with the FIA. In my view, a complaint that is made about a regulated business is not information obtained in a manner contemplated by s. 218. The section does not, I conclude, apply. Nor does the fact that I alluded to Order No. 226-1998 in Order 00-08 assist FICOM. At pp. 34-35 of Order 00-08, I said that s. 70 of the Medical Practitioners Act did not preclude disclosure of records in response to an access request and that Order No. 226-1998 did not assist the public body in that case. Order No. 226-1998 does not assist FICOM.

[25]    A few words are in order, in passing, about FICOM’s argument that it is especially important that regulatory organizations be able to operate in confidence. One could observe that an appropriate measure of transparency and accountability are also important goals for regulatory organizations. Indeed, the answer to FICOM’s concern is that the Act affords FICOM the degree of confidentiality that the Legislature considered necessary and appropriate. Through the Act’s provisions, the Legislature has articulated what it considers to be the appropriate balance between confidentiality and openness for regulatory bodies and the interests of third parties caught up in regulatory processes.

[26]    Returning to the question of confidential supply, FICOM submitted an affidavit sworn by W. Alan Clark, its Executive Director of Investigations, in which he deposed that one of FICOM’s functions is to receive and investigate complaints relating to the statutes it administers. He deposed that all investigations that FICOM undertook regarding the companies in the requested list were initiated by complaints from the public, industry, police or government employees. He also deposed that all complaints that FICOM receives are, as he put it, “supplied in confidence” and are treated confidentially by FICOM staff. According to FICOM, therefore, the name of each business found in the list “was supplied by the complainant in confidence”, including because the names of the businesses “may have been explicitly categorized as confidential by the writer/caller” (para. 35, initial submission).

[27]    FICOM provided no other evidence to support its contention that all of this information was supplied in confidence. It did not provide any policies on complaints, copies of any complaint letters or forms, representations from any of the businesses named in the list — or from complainants — or any other documentation to support its assertion that these names were “supplied in confidence”, either explicitly or implicitly.

[28]    Alan Clark’s evidence that complaints to FICOM are – it appears, generally and almost by definition – “supplied in confidence” expresses a conclusion on the very issue before me under s. 21(1)(b). There is no basis in the material before me on which I am able to conclude that each and every name in the list was, explicitly or implicitly, intended or expected to be communicated to, and received by, FICOM in confidence. Even if one assumes that, especially in the case of employee-complainants, some complainants intended their own identities to be confidential, it does not follow that there was any intention or expectation of confidentiality on their parts respecting the names of the businesses they complained about. Indeed, one might reasonably surmise that most, if not all, of the complainants expected FICOM to investigate their complaints and to make public, or not treat as confidential, the names of the businesses they had complained about. They may, in other words, have intended and expected confidentiality for themselves, but the contrary for the businesses. In the end, the general assertion in Alan Clark’s affidavit that all of the disputed information was “supplied in confidence” does not suffice to establish confidential supply within the meaning of s. 21(1)(b). I am therefore not persuaded, on the material before me, that the names of the businesses complained about were supplied in confidence for the purposes of s. 21(1)(a).

[29]    I should note here that it makes no difference, in my view, that the third parties — the businesses complained about — did not supply the information to FICOM. Nothing in the language of s. 21(1)(b) limits it to cases where the information has been supplied by the third party whose information it is. The fact that information has been supplied to a public body by someone else, and not the third party, does not matter.

[30]    Last, I find that the other information in the list was not supplied to FICOM as contemplated by s. 21(1)(b). Specifically, the line numbers, file or matter opening and closing dates, and other information in the list were, it is clear, generated by FICOM itself as part of its work on the various complaints.

Harm to Third Party Business Interests

[31]    The final branch of the s. 21(1) test is whether disclosure could reasonably be expected to result in one of the harms set out in s. 21(1)(c).

[32]    As I have said in previous decisions, the standard of proof for harms-based exceptions is to be found in the wording of the Act. In the case of s. 21(1)(c), the test is whether a disclosure of information could reasonably be expected to cause the specific harm to be protected against under that section. As I have said before, evidence of speculative harm will not meet the test, but it is not necessary to establish certainty of harm. The quality and cogency of the evidence must be commensurate with a reasonable person’s expectation that the disclosure of the requested information could cause the harm specified in the exception.

[33]    As I observed in Order 00-10, [2000] B.C.I.P.C.D. No. 11, it is neither possible nor wise to attempt an exhaustive definition of the term “harm significantly” in s. 21(1)(c)(i). The phrase clearly connotes something more than mere harm, but it is difficult to go further in defining what it means. At a minimum, the party bearing the burden of proof must establish that the anticipated harm is, when looked at in light of the circumstances affecting the third party’s competitive position or negotiating position, a material harm to that party’s competitive position. It may be relevant, in determining whether an anticipated harm is “significant”, to consider the extent of the harm in relation to the assets or revenues of the third party. There will be many cases – Order 00-10 is an example – where it is not possible to analyze the issue in quantifiable financial terms. The feared harm – and the evidence produced in support – may necessarily be more qualitative than quantitative in such cases, since it may not be possible to quantify with any precision, in monetary terms, any feared gain, loss or harm. But this will not mean that a party cannot establish a reasonable expectation of significant harm to competitive position for the purposes of s. 21(1)(c).

[34]    FICOM says the following regarding s. 21(1)(c)(i), at paras. 38 & 39 of its initial submission:

[I]t is reasonable to expect that information on numbers of complaints might be used in some way that would meet this test. It does seem reasonable to expect the Applicant or a competitor to tally the complaints and compare companies. It would then be logical for that party to ascribe some interpretation to those numbers so as to classify a company as a ‘poor performer’ in a consumer protection oriented article, or as a targeted competitor in marketing activity. In either case, one may reasonabl[y] expect a company’s market position to be undermined and thus, in the language of the FOI Act, [its] competitive position to be harmed and financial losses to accrue.

[35]    FICOM goes on to say that the information is “akin to market intelligence information for which industry players pay substantial sums ... there is every reason to believe that the statistical information can contribute to changes in economic competitiveness.”

[36]    FICOM acknowledges, at para. 42 of its initial submission, that what is not

... evident from only the name of the company is whether or not these complaints lodged against them were substantiated. We submit that the harm that would ensue from disclosing this list relates from this uncertainty of the outcome, and puts companies, particularly those where the complaint was unfounded, at risk to their reputation that could affect their competitive positions and/or result in undue financial loss to the organization.

[37]    FICOM also raises the notion of complaint information of this kind as marketing information, which competitors could use to their advantage. It also says that businesses work hard to build consumer trust and that they conventionally restrict the release of information on complaints, in light of the harm such information can cause to the reputation of financial institutions.

[38]    In his reply submission, the applicant says it is not FICOM’s role to protect the images of these companies. He suggests these companies should have nothing to fear from publication of audit information if they are proud of their work. He realizes, he says, that a large number of complaints about one institution could be unfounded and could come from one person and bears this in mind in his work so that there will be no unjustified loss of business. The applicant’s assurances as to how he carries out his work as a journalist are not a compelling response to FICOM’s concerns about possible misinterpretation, or misuses, of the information in the list, but this does not mean the s. 21(1)(c)(i) harm test has been met.

[39]    The disputed list contains the names of various financial institutions, some large, some small, some appearing more than once. As I noted earlier, there is nothing in the list to indicate the subject of any complaint, whether it was trivial or major, whether it was substantiated, or what the company said or did in response to the complaint. FICOM seems, however, to suggest that the list provides an incomplete and possibly misleading perspective on the complaints. It does not say, however, how many of the 2,200 complaints were substantiated nor, beyond the assertions cited above, does it provide any evidence to support its argument that disclosure could reasonably be expected to cause harm, much less significant harm, to these companies’ competitive positions. FICOM has also not supplied any direct representations or evidence from any of the companies on the list to support its arguments.

[40]    It is not possible, in my view, to draw any useful conclusions from this bare-bones list as to the nature of any of the complaints, the outcome of any resulting investigations or any other implications. The only thing that can be said, based on the list, is that a complaint of some sort was made against each identified business. The most that the applicant, or a competitor, could do with this information is make it known that one or more complaints (of an undescribed nature) has or have, at some time, been made against a particular business. The average person, it is reasonable to conclude, is unlikely to attach much importance to this information in the absence of any details as to the nature of the complaint or any confirmation that the complaint was investigated and substantiated. I therefore am not persuaded that disclosure could reasonably be expected to harm significantly the competitive position of any particular business. Moreover, even if, for the sake of argument, one accepts that a negative inference of some kind would be drawn from the bare information in the list, by the average person, I am still not persuaded that this could reasonably be expected to significantly harm the competitive position of any business.

[41]    FICOM has not established that disclosure of the names of these companies could reasonably be expected to harm “significantly” the competitive position of any one of the listed businesses. I find that FICOM has not established a reasonable expectation of harm within the meaning of s. 21(1)(c)(i).

Supply of Similar Information

[42]    FICOM advanced a brief argument on s. 21(1)(c)(ii), to the effect that disclosure of the list would have a “chilling effect” on complainants’ willingness to come forward with complaints. This is of particular concern, FICOM says, where complainants are employees of the corporate entities that are the subject of a complaint. I have some difficulty following how disclosure of this information could deter employees from coming forward.

[43]    In any case, I considered and rejected this type of argument in Order 00-11, [2000] B.C.I.P.C.D. No. 13, at page 9:

The thrust of the College’s case is that disclosure of the information to which it has applied s. 15(1)(a) is likely to have a chilling effect. It will discourage doctors from participating in the College’s complaints review and investigation process, since information they provide in confidence will be disclosed. Since confidentiality is at the core of the system, disclosure will harm that system and thus a law enforcement matter.

In my view, the College’s argument amounts to an assertion that disclosure of any of this information – and the College did attempt to expand its application of s. 15(1)(a) to everything in dispute here – will harm a law enforcement matter. This verges, in my view, on a claim that s. 15(1)(a), as regards the College’s activities, is a class exemption for information relating to the College’s consideration or investigation of a complaint under the MPA. I disagree. In each case, the College must prove a reasonable expectation of harm to a specific law enforcement matter.

[44]    I also rejected such an argument in Order 00-08. For the same reasons, I do not accept FICOM’s argument on this point and find that it has not satisfied s. 21(1)(c)(ii).

[45]    3.6    Notice to Third-Party Businesses – FICOM says that it has not notified any of the approximately 2,200 companies on the list in question. It says that, if I determine that FICOM is not required to withhold the record, the roughly 2,200 third parties should have the opportunity under s. 23 of the Act to make representations before I dispose of this matter.

[46]    Section 23(1) of the Act provides that, where a public body intends to give access to a record that it has reason to believe may contain information protected under s. 21 (or s. 22), the public body must give notice to any affected third parties and receive representations from them. Where the public body intends to refuse access under s. 21 or s. 22, s. 23(2) says it may nonetheless give notice to the affected third parties and receive representations. In light of FICOM’s decision to refuse access under s. 21, it could have given notice under s. 23(2), but chose not to. To do so would have been quite a daunting task. But that is a task that FICOM now wishes me to undertake.

[47]    A similar situation arose in the inquiry which led to Order 00-01, [2000] B.C.I.P.C.D. No. 1, where the Township of Langley invited me to invoke the s. 23 third-party notification process in a case where it had not applied s. 22 initially, but later argued that s. 22 applied during the inquiry. I declined to issue a s. 23 notice to the third parties in that case after the close of the inquiry, saying it was up to public bodies to comply with the Act and to follow the third-party process where appropriate.

[48]    I do not accept FICOM’s suggestion that I should invite comments from the numerous third parties at this time. If FICOM thought notice to the third parties was appropriate, it should have asked, at the time the Notice of Written Inquiry was issued by this Office, that I give notice under s. 54(b) of the Act to affected third parties. This is not to say that I would have found it appropriate, as contemplated by s. 54(b), to invite all 2,200 third parties to participate.

4.0    CONCLUSION

[49]    As I have found that s. 25 does not apply to the record in question, no order is necessary with respect to that section.

For the reasons given above, under s. 58(2)(a) of the Act, I require the Financial Institutions Commission to give the applicant access to the record in question.

June 11, 2001

ORIGINAL SIGNED BY

David Loukidelis
Information and Privacy Commissioner
  for British Columbia


