V. Complaints

Part 3 of the Freedom of Information and Protection of Privacy Act sets out specific protections for the privacy of personal information in the custody or under the control of public bodies. Part 3 states that a public body may only collect, use, and disclose personal information according to the specific standards and guidelines set out in the Act. These standards are also commonly referred to as fair information practices. The Act further states that a public body must make reasonable security arrangements to protect the personal information in its custody or control.

Like requests for review, complaints made to the Commissioner's Office should be in writing. They should describe the facts of the complaint and name the public body that appears to have violated the applicant's privacy. They also should describe steps that any of the parties have taken so far as a result of the complaint. If the Commissioner's Office receives several similar complaints from a number of individuals, or if a complaint by one individual is of a significant or systemic nature, then it may become the subject of a larger investigation, which may result in a formal Investigation Report. Such reports are anonymized where appropriate to protect the privacy of individuals involved in the complaint, but are released to the public.

Portfolio Officers have authority from the Commissioner to investigate complaints and to make recommendations to the Commissioner and the public body for a resolution. If the Portfolio Officer finds that a public body has acted in contravention of the requirements of the Act, the Commissioner may require it to change the way it collects, uses, discloses or secures personal information. If the complaint raises issues affecting a significant number of people, the Commissioner may issue a formal Investigation Report describing the public body's responsibilities under the Act. If the findings of a Portfolio Officer's investigation do not support the complaint, then the Commissioner may dismiss it. The Act does not provide for compensation for a violation of privacy rights.

Ministry of Attorney General - Inappropriate Disclosure of a Custody and Access Report

A woman complained that a family court counsellor had released a Custody and Access Report to the principal of her daughter's school without the complainant's consent or knowledge. The complainant believed that this was a violation of her privacy rights under the Freedom of Information and Protection of Privacy Act.

The Office's investigation of the matter involved discussions with the family court counsellor in question and the Information and Privacy staff at the Corrections Branch office of the Ministry of Attorney General. The Office discovered that the counsellor, while well-intentioned, had disclosed the custody and access report without authorization under the Freedom of Information and Protection of Privacy Act. However, the incident, in part, appeared to stem from the Ministry's lack of resources to provide privacy training to all of its staff. This meant that some Ministry staff, such as those in the Family Court area, were not familiar with the Act's standards and requirements for the protection of personal information from unauthorized disclosure. The Office concluded that privacy training was required to prevent a recurrence of this situation.

Meanwhile, the complainant had also complained about the inappropriate disclosure directly to the Ministry. As a result of its own investigation of the woman's complaint, the Ministry, too, had determined that it should provide privacy training to the Family Court segment of its employees. The Office confirmed the Ministry's conclusion and recommended that it ensure that the training take place in the near future. The Ministry successfully carried out the appropriate privacy training shortly thereafter and the applicant was satisfied with this result.

Ministry of Attorney General - Involvement of Communications Staff in the Processing of FOI Requests

A reporter had complained about the Ministry of Attorney General's practice of disclosing the names of applicants to communications personnel during the processing of FOI Requests. The reporter believed that it was a breach of the Freedom of Information and Protection of Privacy Act for the Ministry's managers of information and privacy to pass along names of applicants and/or the general substance of FOI requests to the Ministry's Communications Branch, and to consult with them in processing the requests.

The Commissioner's Office investigation revealed that it was not the Ministry's practice to routinely disclose applicant's names. Further, although the Deputy Minister was routinely advised when a member of the media had made an access request, only the substance of the request was provided, not the name of applicant. The Office also found that if the Ministry considered a particular request to be sensitive or controversial, the request, minus the name of the applicant, was also referred to the Issues Management Team within the Ministry.

The Commissioner determined that this practice was not in violation of any section of the Freedom of Information and Protection of Privacy Act, and that in the rare circumstances where a name was passed along, it was done on a "need-to-know" basis. The Commissioner clarified the "need-to-know" principle as involving several factors, including release to staff whose duties may be affected by disclosure, to those needed to locate the records, and to the decision-maker. He also clarified that the sensitivity or controversial nature of the request was relevant in assessing a particular employee's need to know.

Ministry of Education, Skills and Training (Loan Administration Section) - Inappropriate Disclosure of Personal Information

An applicant complained to the Commissioner's Office concerning a disclosure of her personal credit history by the Loan Administration section of the Ministry of Education, Skills and Training to a Member of the Legislative Assembly (MLA). The disclosure occurred while the MLA, on behalf of the applicant, was inquiring into the applicant's husband's situation. The allegation was that Loan Administration was taking a collection action against the applicant's husband in a way that the applicant thought was unfair. Apparently, in order to give a complete factual history to the MLA, Loan Administration had released the credit history of both the husband and the wife to the MLA's representative, since each were debtors under the student loan program and were, for the purposes of the program, one economic unit.

The Commissioner's Office was able to resolve the complaint by suggesting that the Loan Administration section obtain written authorization from parties to disclose their personal information prior to disclosure in cases such as this. The Office noted, however, that Loan Administration had not breached the requirements of the Freedom of Information and Protection of Privacy Act by releasing the applicant's personal information to the MLA's representative. Its disclosure was consistent with its established policies for the handling of information in cases where it seeks to recover money from one or both people in a marital or common-law relationship.

Insurance Corporation of British Columbia - Consent

The Trial Lawyers Association of British Columbia complained about the Insurance Corporation of British Columbia's practice of reviewing previous insurance claim files on claimants who have made subsequent insurance claims, without obtaining the claimants' consent to do so.

After an investigation into ICBC's practices, the Commissioner's Office concluded that when ICBC reviews previous claim files in relation to a new insurance claim, its collection, use, and disclosure of personal information is governed by the Freedom of Information and Protection of Privacy Act. This means that ICBC must find a reason under the Act for accessing and using previous claim files, unless a court action has been launched. The Office concluded that ICBC has statutory authority under the Act to review previous insurance claim files when processing current claims by the same claimants. However, the Office recommended that ICBC ensure that claimants receive early notice when they give their personal information to an ICBC adjuster for the purposes of settling an insurance claim that the information may be used in subsequent insurance claims.

The Office also confirmed that when a court action has been launched, the Act does not limit the information and records available to ICBC in the course of the litigation process, since section 3(2) of the Act states that the Act does not limit information available to a party to a legal proceeding.

Workers' Compensation Board - Processing of FOI Requests

An applicant had complained about the processing of his FOI request by the Workers' Compensation Board. The applicant had requested a copy of his claim file, but was dismayed to learn that other files existed outside of his claim file that contained his personal information which had not been disclosed to him. The applicant believed that when a request for a claim file was made, the WCB should conduct a board-wide search for any other information that may exist concerning the requester.

After an investigation, the Commissioner's Office concluded that if a request was limited to records concerning the claim file, the WCB was under no obligation to conduct a board-wide search for other information pertaining to the applicant. If, however, the request was for "any and all" information concerning the applicant, then the WCB would be obliged to conduct a board-wide search.

As a result of investigation discussions, the WCB agreed to undertake several steps to improve their ability to respond openly and completely to requests requiring "any and all" information about an applicant, including expanding the number of program areas searched, clarifying search standards and conducting further training.

Hospital - Collection of Religious Information

A chaplain at a hospital complained to the Commissioner's Office that her hospital did not ask for a patient's religion upon admission to the hospital. She wanted to know why the hospital did not follow the practice of other hospitals in her area that ask for this information. She also asked about the hospital's practice of providing the patient list to the chaplain.

The Office clarified for the chaplain that under the Freedom of Information and Protection of Privacy Act, a hospital is required to ensure that it complies with the privacy principles of the Act. This includes ensuring that the hospital collects, uses, discloses, stores, and secures personal information appropriately. The Office also clarified that an individual should consent to the collection of his or her personal information and have a say in who may have access to it.

With respect to the collection of information about a patient's religion, the Office advised the chaplain that the issue for a hospital is whether the information is directly related to, and necessary for, the hospital providing health care or determining a patient's eligibility for benefits to cover the cost of the hospital stay. The Office clarified that, in the case of religious information, the purpose of the collection is for pastoral visits. In short, the hospital does not have a "need-to-know" this information, except to assist a member of the pastoral care team to visit a patient. Therefore, religious information may appropriately be collected only where a patient has clearly expressed a wish to see a member of the pastoral care team.

The Office also advised the chaplain that her right to access a hospital's list of patients was covered under the same principle. When patients provide their names and addresses to the hospital for the purpose of the provision of health care or administration of health care benefits, they would not reasonably expect that this information would be disclosed by the hospital to a member of the pastoral team when they have not indicated their desire for this to happen.

The Office emphasized that it is the Commissioner's view that when a patient indicates a desire for a pastoral visit, it is appropriate for the hospital to release the name, religion, and perhaps address (in order to determine the suitable person to visit) and location of the patient in the hospital to the appropriate member of the pastoral team. In addition, some hospitals have taken the proactive step of having cards available at bed-side for patients to request a visit.

Hospital - Distribution of Accident Investigation Report

The complainant was involved in a workplace accident at a hospital. The hospital completed an Accident Investigation Report and submitted it to the Workers' Compensation Board. The eight-page report, which contained the complainant's name, medical information, and a detailed discussion of the incident, was distributed to nine senior staff at the hospital, in addition to the WCB. The complainant was unhappy that she was not given the opportunity to sign or approve the report before it was released, and that it included her name. She also objected to the extent of the distribution.

During the investigation, the hospital pointed out that the report had been prepared according to hospital policy, that the content corresponded to the requirements of the Workers' Compensation Act, and that distribution was necessary so that all parties, either involved with the incident or in a position to initiate remedial action, were aware of the circumstances, outcome, and recommendations.

The Commissioner's Office confirmed that, under the Workers' Compensation Act, an employer is required to provide specific pieces of information, including the name of the injured worker, when filing an "Accident Investigation Report." However, the Act also indicates that "names of the injured may be deleted from published reports, if desired." The Act also requires that copies of the report be sent to the Industrial Health and Safety Committee and the nearest WCB office.

The Office concluded that, since disclosure of the complainant's personal information to the WCB was required by the Workers' Compensation Act, the disclosure was appropriate under section 33 of the Freedom of Information and Protection of Privacy Act. However, the Office also concluded that the preparation and further distribution of the report did not take into consideration the "fair information practices" which are the fundamental privacy principles governing the collection, use, and disclosure of personal information in Part 3 of the Act. Thus the Office found that the complainant's personal privacy had been unreasonably invaded by the actions of the hospital.

The Commissioner's Office recommended that the hospital review and revise its "Incident Reporting and Review Policy" with a view to creating an anonymized workplace accident report that is distributed on a "need-to-know" basis only. An anonymized report would benefit everyone's interests, since it permits a clear understanding of the circumstances of the accident while still respecting the privacy of those involved.

Hospital - Emergency Room Patient Tracking System

A complainant contacted the Commissioner's Office with a concern about patient confidentiality in the Emergency Unit of a hospital. After a member of the complainant's family had been treated in the Unit, the complainant noticed that personal information about her family member was recorded on a large white board that was visible to anyone who entered the Unit. The complainant felt that this display of patient information was an unreasonable invasion of her family member's privacy.

During the investigation, the hospital clarified that the "white board" is viewed by the Emergency Room Team as a critical tool for ensuring that proper triage and care of the patients occurs. At the time of the complaint, the policy was to include a patient's last name, diagnosis, name of physician/responsible staff, current status (for example, awaiting a bed), and laboratory tests on the board.

A survey of other hospitals revealed that unless the hospital had a sophisticated electronic data management system, which most did not, the white board was considered to be an essential element in providing effective patient care. Given the apparent necessity of having a readily-accessible patient tracking system and the fact that the current white board worked quite well, the Commissioner's Office looked to see how the board could be adapted to continue to meet the needs of hospital personnel and at the same time minimize any potential invasions of privacy.

After further consultation with hospital staff, the hospital agreed that current descriptions appearing under the Diagnosis and Laboratory Test categories would be replaced by a series of abbreviations and symbols that would be easily recognizable to staff, but not to the patients or visitors in the Emergency Unit. The Office was satisfied that these changes would resolve the complainant's privacy concerns. The Office continues, however, to review the use of white boards as patient tracking systems in all hospitals throughout the province.

Hospital - Identification for Tests

The Commissioner's Office received an anonymous complaint from an individual with respect to a hospital refusing to provide AIDS tests without positive identification from the test requester. Private laboratories in Victoria have been providing anonymous AIDS testing for some time.

During an investigation by the Commissioner's Office, the hospital expressed concerns that test results might end up with the wrong patient, unless they could be positively identified. After meetings between the hospital's senior executives and the Commissioner's Office, the hospital laboratory amended its policies to accept requisitions for AIDS tests from doctors if they contain unique codes by which doctors can identify their patients, but which allow patients to remain anonymous to the hospital.

Regional District - Processing of Requests

An applicant with a number of grievances against a regional district made a series of access requests by e-mail. In response to his latest e-mailed access requests, the Mayor wrote to the applicant to tell him that staff were not obligated to accept or respond to abuse and insults. The FOI coordinator for the district also wrote to the applicant to tell him that she would not respond to his requests until they were made in a proper and courteous manner. She had previously asked the applicant to use correct names for staff instead of the rude nicknames by which he had addressed some of them. The applicant complained to the Commissioner's Office that the District was unreasonable in "turning down a FOI request because it is not polite" and that the Mayor was on a campaign to portray him as a rude and obnoxious person.

The Office reviewed some of the applicant's correspondence and told the applicant that not only were his requests impolite, they were rude and obnoxious. The Office advised the applicant that, while the Commissioner had never been asked to decide whether to order a public body to reply to access requests which were not polite, he had commented unfavorably about applicants who tried to use the Freedom of Information and Protection of Privacy Act as a weapon against a public body. The Office stated further that public servants are not obligated to accept verbal abuse from anyone and that the applicant should make his access requests politely. The applicant complied.

Self-Governing Professional Bodies - Access to Policy Manuals

A member of a self-governing professional body complained that some information had been deleted from records he had requested about the professional body's policy on discipline matters. Since a public body must make policy manuals available under the Freedom of Information and Protection of Privacy Act without a formal FOI request, the member asked the Commissioner's Office to investigate.

The Office's investigation clarified that, under the Act, a public body has the discretion to sever certain information from policy manuals and statements before disclosure, if the information is what a public body may normally refuse to disclose under the Act in response to a formal access request, such as personal information and legal advice. The Office found that the professional body had appropriately withheld some information under the Act, but had neglected to explain the reasons for it to the member, as required by the Act. After some discussion, the public body agreed to disclose the severed records to the member again, with the reasons for each severance clearly identified, as required. The member was satisfied by this solution and the complaint was closed.

Self-Governing Professional Bodies - Disclosure of a Discipline Report Under Section 33(p)

Under section 33(p) of the Freedom of Information and Protection of Privacy Act, a self-governing professional body disclosed a copy of an individual's discipline hearing report to another public body in response to its request for the report. The individual learned of the disclosure when the public body notified him as required under section 33(p). The individual felt that the disclosure violated his privacy and requested that the Commissioner's Office determine whether the disclosure was appropriate under the requirements of the Act.

As part of its investigation, the Office reviewed the report and other relevant records, and interviewed a number of staff in both public bodies. The Office found that, although well-intentioned, the professional body that disclosed the report had not established that compelling circumstances existed to warrant its disclosure as required under section 33(p). The Office concluded that the professional body had failed to gather enough information for it adequately to assess the complainant's current circumstances, the urgency of the situation, and the risk that the complainant would repeat the actions which had led to the discipline hearing. The Office also found that that public body that requested the report should have provided more evidence to support its request for disclosure. All parties accepted the Office's findings.

Back to Previous Section

Forward to Next Section

Back to Table of Contents