Nova Scotia’s privacy and information commissioner is facing a “critical” backlog of cases as a result of limited resources and the office remains hamstrung by outdated legislation, according to the organization’s annual report published on Wednesday.
It’s the first annual report issued since Tricia Ralph took over the role in March and it echoes many of the themes voiced by her predecessor Catherine Tully.
During her tenure, Tully and the Office of the Information and Privacy Commissioner (OIPC) criticized the government’s decision to not follow her office’s recommendations and called for the province to bring its privacy and information access laws “into the 21st Century.”
‘Improvements…will take leadership’
In Ralph’s report issued on Wednesday, she says there remains “room for improvement” in the province’s access and privacy laws — a framework that protects residents’ private information and allows journalists, academics, businesses and activists to obtain government information that is normally withheld from the public.
“Living in a digital age has markedly changed the way we live from over 25 years ago when Nova Scotia created the Freedom of Information and Protection of Privacy Act,” wrote Ralph.
“That was a time when we lived in a world of paper records and without the ubiquitous access to the internet that we see today.”
The new commissioner also called on the province to modernize the Freedom of Information and Protection of Privacy (FOIPOP) Act.
Ralph admitted that it would be a “significant undertaking and will take time and consideration.”
“It will take leadership from politicians to update our access and privacy laws,” she wrote. “As citizens, we also have a role to play.
“It is up to us to become overseers of our own data and promoters for access to information and privacy reform.”
At least five pages in the 30-page report are dedicated to reviews or inquiries “that may not have been necessary or would have had different outcomes” had the office’s previous recommendations on changing the legislation been followed by the province.
Order-making power still needed
One of those changes is giving the OIPC order-making power.
Since the OIPC functions as an independent ombudsman for the legislation, it is able to recommend possible resolutions to disputes under the legislation.
However, since it doesn’t have order-making power, government bodies are not obliged to follow the recommendations and can ignore them if they wish.
The only solution for those who still disagree with the government’s decision is to go to court in an attempt to force the government to comply, a process which Ralph says is “expensive and more intimidating for applicants.”
Ralph notes that of those who appealed to the Nova Scotia Supreme Court, the court has sided with the OIPC’s decision 100 per cent of the time.
It’s notable that Stephen McNeil said in 2013 that he would expand the powers of the OIPC and grant the office order-making power if he became premier.
He has since called the pledge a mistake.
The Department of Justice did not provide comment responding to the report by publication deadline.
Multiple issues persist
Other issues that Ralph highlights include the increase in times the government has asked for a time extension when responding to FOIPOP requests and the province’s failure to have a mandated duty to document its actions.
That means that if the government chooses not to document a decision or deliberation then there will simply be no documents to turn over even if they are requested.
Ralph also highlights that public bodies are not required to report privacy breaches to anyone, despite a previous recommendation that this be changed by the OIPC.
“The lack of mandatory privacy breach reporting makes the full extent of privacy breaches that occur at Nova Scotia public bodies unknown,” Ralph notes.
This is compounded, she continues, with a failure in the Personal Health Information Act.
Under that piece of legislation, health organizations are mandated to tell an individual if there is a privacy breach that creates a potential for harm or embarrassment to the affected individual.
However, they are not required to inform the OIPC. That means when a woman called the information commissioner seeking assistance about a health-care breach it was the first time they heard about it, making its ability to offer advice limited.
According to the annual report, only three serious breaches were reported to the OIPC in the past year. However, there were 855 minor breaches for things such as lost records and faxing personal information to the wrong doctor.
She says that the number of cases waiting to be reviewed by the office has gotten to a “critical point”
“We have cases waiting to be assigned that were received as far back as 2016,” Ralph notes and the office has already tried “every known technique to achieve greater efficiency.”
Some applicants are waiting three years to have their review completed.
“Waiting that long to have ones review heard by this office raises serious access to justice concerns,” Ralph writes.
She says they’ll ask the government for more investigators next year.