THE OFFICES OF THE INFORMATION AND PRIVACY COMMISSIONERS: THE MERGER AND RELATED ISSUES
As the experience in the provinces and territories demonstrates, having a single office and commissioner for both access to information and privacy is a tenable model. The provincial commissioners and many of the experts I consulted generally agreed that the single commission model works well in the provinces. It does not necessarily follow, however, that it would be wise to switch to this model at the federal level. While the federal access to information and privacy regimes can and should be improved in a number of respects, they have served Canadians well. Over the past 22 years, users of these systems have become very familiar with the existing model, and on the whole they are satisfied with its structure. As discussed in Part III of this Report, the most pressing challenges facing the federal access and privacy regimes do not stem from the organization of the Information and Privacy Commissioners' offices. Merging the offices, or appointing one commissioner to preside over both, would do little to respond to these challenges. For these reasons, the burden of persuasion lies with those advocating the adoption of a single commissioner model.
There are two sets of arguments relevant to the proposal to adopt the one commissioner model at the federal level. The first relates to the potential for a merger or cross-appointment to generate financial and administrative efficiencies; that is, to either maintain the current level of productivity at a lower cost, or to increase productivity at current resource levels. The second set of arguments, which in my view lie at the heart of this debate, involve the question of whether a single commissioner model would better serve the policy aims of the access to information and privacy statutes.
As mentioned, the 1992 proposal to merge the offices of the Information and Privacy Commissioners was motivated in part by a desire to
"streamline" government and effect cost savings. Though the current Government has not indicated whether it believes that a merger would achieve these goals, the potential for a merger to increase the efficiency of the offices is worthy of exploration.
It must be stressed, however, that in the time available, I could not undertake a comprehensive assessment of the organization and management of the two offices. To the extent that efficiency is relied on as a justification for any merger, it will be critically important for such an analysis to be performed before any merger is pursued as, on the evidence available to me, it seems unlikely that a merger would achieve substantial efficiencies.
Neither the appointment of the Information Commissioner as Privacy Commissioner under section 55 of the Privacy Act nor the wholesale merger of the two offices would likely result in a significant reduction of expenditures. In the former case, the elimination of one commissioner would save the costs associated with the salary, benefits, and expenses associated with the position. However, the savings, as compared to the total combined expenditures of the two offices, would be modest. Moreover, the elimination of one commissioner would likely require the appointment of additional assistant or deputy commissioners to perform at least part of the work of that Commissioner.
The financial situation associated with a wholesale merger is somewhat more complicated. The operations of the two offices are similar in many respects. As detailed above, the core function of each office is to investigate and report on alleged violations of Canadians' access and privacy rights. In theory, a merger could effect savings in areas of duplication. A merged office would enable some investigators and lawyers, for example, to work on both access to information and privacy files.
In practice, however, it is likely that any such savings would be minimal. There is nothing to indicate that either office has any significant excess capacity among investigative, legal, or any other personnel. To the contrary, the evidence indicates that both offices are straining to fulfil their core mandates under current funding arrangements. While some degree of efficiency might be gained by allowing for greater flexibility in work assignments, this gain would not likely be large enough to either reduce current staffing levels (while maintaining productivity) or substantially increase productivity (while maintaining staffing levels).
It must also be borne in mind that a merger of two offices would generate its own up-front costs, including those associated with reallocating and relocating staff, integrating methodologies, integrating and purchasing new equipment, and so forth. A merger would also likely require significant short-term investments in public education campaigns to allay confusion and concern over the jurisdiction and powers of the new, combined office.
It should also be emphasized that, viewed in relation to overall government expenditures, the costs associated with the two offices are minimal. As mentioned, the combined budgets of the two offices for the 2004-2005 fiscal year were $15 million, representing less than 50 cents per Canadian. By way of comparison, the government's total expenditures for 2003-2004 were approximately $141 billion. In light of the modest costs associated with the two offices, as well as the challenges associated with achieving efficiencies through a merger, it seems unlikely that efficiency considerations could justify either the cross-appointment of a single commissioner to both offices or a full-fledged merger.
It remains to be considered whether significant efficiencies might be gained from having the two offices share corporate services personnel, as was the case from 1983 to 2002. During that period, the Director General of the corporate services branch reported to the Executive Director of the Office of the Privacy Commissioner and the Deputy Information Commissioner. While I was not able to conduct a detailed study of the financial implications of this alternative, presumably some degree of savings could be achieved. For the reasons articulated earlier, however, any savings would not likely be large. There is a danger, moreover, that a consolidation of corporate services personnel could result in divided loyalties and conflicts of interest among staff responsible to two co-equal masters. There is some indication that these problems existed to a degree when the two offices shared corporate services.
As in any bureaucracy, accountability and control are best achieved through clear lines of authority and responsibility. It may be possible to employ mechanisms, such as service level agreements, memoranda of understanding, and dispute resolution procedures, providing some degree of accountability for shared services. These mechanisms, however, carry their own costs, and may not be able to guarantee that shared corporate services personnel will not be subjected to conflicting demands by the two commissioners. In light of these difficulties, and the modest degree of savings likely to be generated, I recommend caution in proceeding with any attempt to merge the corporate services branches of the two offices.
Finally, it should be noted that over the past 22 years the two offices' management styles and organizational cultures have become quite distinct. At least in the short term, consolidation would likely produce significant disruption, dislocation, and discord. Moreover, these impacts would be felt at a time when both offices are facing a number of daunting challenges. As is well-known, the office of the Privacy Commissioner is in many respects still recovering from the scandals associated with the last permanent commissioner. During the same period, it has also been required to take on the vast new responsibility of overseeing the application of PIPEDA, a task that now comprises well over half of its workload. For his part, the Information Commissioner is currently deeply involved in discussions and debate surrounding the reform of the Access to Information Act. In these circumstances, any savings associated with the sharing of resources and services and the elimination of duplication would likely, at least in the short term, be offset by the diminishment of employee morale and productivity.
This is not to say, of course, that a merger should not be pursued simply because it would be disruptive. If it were clear that a merger would improve the effectiveness of the federal access to information and privacy regimes over the long term, then short term disruption could very well be justified. However, as discussed immediately below, it is far from clear that a merger would achieve this. In light of this, the disruption generated by consolidating the two offices must count in favour of maintaining the status quo.
Given the challenges associated with achieving cost savings through a merger of the offices of the Information and Privacy Commissioners, the case for merger must stand or fall on an assessment of whether a single
"Information and Privacy" commissioner would have a greater or lesser ability than the existing two commissioners to achieve the policy aims of the Access to Information Act, the Privacy Act, and the Personal Information Protection and Electronic Documents Act.
As I see it, there are four types of arguments related to this question. The first two support the adoption of the one commissioner model; the latter two favour retaining the current two commissioner system. The first argument contends that a single commissioner would provide more consistent and balanced advice to government institutions dealing with both access and privacy issues than is currently given by the two commissioners. The second posits that a single commissioner would have more success in persuading governments to comply with their obligations under the access and privacy statutes than is currently the case. The third argument asserts that a single commissioner would be predisposed to favour one principle at the expense of the other in cases where access and privacy come into conflict. And finally the fourth argument maintains that a single commissioner would be overburdened and hence have a diminished capacity to pursue the goals of protecting privacy and encouraging openness in government.
In addition to financial considerations, the Government's 1992 proposal to merge the Information and Privacy Commissioners' offices was grounded on the belief that having a single commission would
"encourage a balancing of interests between the two objectives of privacy and access to information." This argument was reiterated by Information Commissioner Reid in his 2003 merger proposal.
Government institutions are subject to both the Access to Information Act and the Privacy Act, and must weigh both access and privacy values when they conflict with one another. A single commissioner charged with upholding both values, it is argued, would give those institutions more balanced advice. Having a single commissioner would also, on this view, eliminate the problem of institutions receiving conflicting recommendations from the two commissioners.
There is some merit to this argument. The values of access and privacy do sometimes conflict, particularly in cases where a government institution refuses an access request on the basis that disclosure would reveal a third party's personal information. Having a single commissioner, moreover, would by definition eliminate the problem of government institutions receiving conflicting advice from two commissioners.
In my judgment, however, this argument overstates both the frequency and magnitude of conflict between government's access and privacy obligations. As mentioned, the most important source of conflict is section 19 of the Access to Information Act, which requires government institutions to
to disclose any record requested under this Act that contains personal
information as defined in section 3 of the Privacy Act." Complaints over the invocation of this exception to access are made to the Information Commissioner, and it is he, and not the Privacy Commissioner, who investigates the complaint and makes a recommendation to the institution.
It could be argued that it would be better for such a decision, which necessarily involves a conflict between access and privacy, to be made by a single person or body responsible for vindicating both values in equal measure. In theory, this might well be the preferable arrangement. There is little evidence, however, that the Information Commissioner is unable to make impartial assessments of the merits of complaints about section 19 exemptions. The Access to Information Act and the Privacy Act are structured to ensure that privacy is taken into account in all section 19 cases. The Information Commissioner is charged with overseeing the implementation of all of the values inhering in the Access to Information Act, including the privacy values incorporated by reference to the Privacy Act. Further, the courts have developed an extensive body of jurisprudence on the meaning of
"personal information," which to a considerable extent dictates the advice the Information Commissioner renders to institutions.
The available evidence indicates, moreover, that over the years Information Commissioners have done a good job at protecting privacy in section 19 cases. Both the Information Commissioner and the Privacy Commissioner advised me that while section 19 is one of the most frequently invoked exemptions under the Access to Information Act, the vast majority of cases are straightforward. The Information Commissioner indicated that in substantially more than half of section 19 complaints, he has supported the government institution's decision not to disclose information on the basis that it constitutes non-exempted personal information. And of the fourteen reported court decisions involving the review of refusals to release personal information, the Privacy Commissioner has intervened to oppose the position of the Information Commissioner in only two. In both cases,
the court agreed with the Information Commissioner that the information in dispute constituted an exemption to the definition of
"personal information" set out in section 3 of the Privacy Act and could therefore be disclosed.
If there is a flaw in this system, it is not a product of having two commissioners. Rather, it stems from the fact that neither the person to whom the information relates nor the Privacy Commissioner may seek redress from the courts for improper disclosures of personal information. Consider the following scenario. In reviewing a complaint regarding the refusal to disclose government information on the basis that it constitutes non-exempted personal information, the Information Commissioner concludes that the personal information exception does not apply. He therefore advises the government institution to release the information, and it agrees to do so. Any person to whom the information allegedly relates could complain to the Privacy Commissioner under s. 29(1)(a) of the Privacy Act, which requires the Privacy Commissioner to receive complaints
"from individuals who allege that personal information about themselves held by a government institution has been
used or disclosed otherwise than in accordance with section 7 or 8." The Privacy Commissioner might disagree with the Information Commissioner's determination that the information is not personal and advise the government institution not to disclose the information (if it had not already done so). However, under the Privacy Act, neither the Privacy Commissioner nor the complainant has the right to request the Federal Court to prohibit or provide any remedy for the disclosure. Indeed, neither even has a right to be notified that such a disclosure is being contemplated.
Therefore, to account for those few hard cases where it is not clear whether information requested under the Access to Information Act is personal, Parliament should consider amending the Act to ensure that the Privacy Commissioner is informed whenever: (i) a government institution that initially refused to disclose information on the basis that it constitutes personal information changes its mind to comply with the Information Commissioner's advice; or (ii) either the Information Commissioner or a complainant goes to court under the Access to Information Act to compel a government institution to release such information. Parliament should also consider amending the Privacy Act to give the Privacy Commissioner the discretion to inform the third party to whom the information arguably relates of the potential disclosure and give both the Privacy Commissioner and the third party the right to contest that disclosure in the federal courts. With these amendments in place, any conflict between the views of the Information and Privacy Commissioners could be resolved by the courts.
The Information and Privacy Commissioners may also come into conflict in giving differing advice to the Government and Parliament on the access and privacy implications of proposed and existing legislation and policies. In its 2001 report, the ad hoc parliamentary Committee on Access to Information supported its merger proposal largely on the basis that the public airing of divergent positions by the two commissioners constituted an
In my view, there is nothing unseemly in the fact that the commissioners may occasionally give conflicting advice to government, even when they express such differences in public fora. To the contrary, the exchange of reasoned debate between official advocates for differing politico-legal values promises to enliven and enrich our democracy. At times, legislators and government officials may be frustrated by the absence of a single, authoritative source of advice on matters involving both access and privacy. It does not follow, however, that the political decisions flowing from such advice would necessarily be sounder than those ensuing from healthy debate between opposing advocates. Many of the federal and provincial commissioners I consulted indicated that such debate has been very productive in improving a variety of legislative and policy proposals.
It should also be stressed that, as with complaints relating to section 19 of the Access to Information Act, there have been very few instances where the commissioners have given conflicting advice to government on legislative or policy matters. As the two federal (and many of the provincial) commissioners explained to me, access to information and privacy issues typically arise in very different circumstances.
Disagreements between government and the Information Commissioner over access issues do not typically involve questions of abstract policy. Most disputes arise over the application of that policy to individual cases. In other words, while the two sides usually agree on the basic principles relating to access to government information, they often disagree on the application of those principles to the facts of a complaint. The Commissioner and government institutions may also differ to some extent on the need for systemic and cultural changes in the way that institutions manage and distribute information. In neither type of dispute are privacy issues a primary concern.
The Privacy Commissioner, in contrast, is more frequently involved in high-level debates about the long-term, systemic, and often transnational effects on privacy of proposed and existing legislation and policy, such as the government's reaction to the threats of organized crime and terrorism and the privacy implications of novel surveillance and information gathering technologies. In most of these cases, the privacy issues centre on the collection and use by government agents of the personal information of ordinary Canadians - not the disclosure of personal information in response to access to information requests. While the federal government's use of search and surveillance technologies and its general response to domestic and foreign security threats may also raise important access to information concerns, such concerns are not likely to conflict with privacy interests. Indeed, to the extent that post-9/11 security measures pose a threat to the civil liberties of Canadians, the principles of privacy protection and open government would appear to be allied, not opposed.
In summary, I do not believe that the one commissioner model would necessarily be better than the two commissioner model in achieving reasonable accommodations between the principles of access and privacy. The mandates of the Information and Privacy Commissioners rarely conflict, and when they do Canadians are generally well served by having the commissioners' presenting contrasting views to the government, the courts, and the general public. Parliament should, however, seriously consider, enacting mechanisms to ensure that the Privacy Commissioner and affected third parties have access to the courts to contest the disclosure of what may constitute personal information.
- Date modified: