The ins and outs of the e-FOI process
-
Upload
dan-michaluk -
Category
Technology
-
view
1.411 -
download
0
description
Transcript of The ins and outs of the e-FOI process
The ins and outs of the e-FOI process
Dan MichalukSeptember 26, 2013
2
Outline
• Electronically stored information• FOI and e-FOI compared• Handling database requests• Handling e-mail requests• The privacy problem
I’m not selling the e-FOI process today. Paper processing can work well. This is to open options, which may lead to efficiencies, reduce risks and reduce
disputes.
4
Electronically stored information
• The data you see is the data you get
• Hard to organize• We manually index or
code and link to each record by identification number
5
Electronically stored information
• ESI has dimensions
6
Electronically stored information
• ESI has dimensions
data
7
Electronically stored information
• ESI has dimensions
data
metadata
8
Electronically stored information
• ESI has dimensions
data
metadataMetadata describes various attributes of information objects
and gives them meaning, context, and organization.
9
FOI and e-FOI compared
Custodians “search”
Custodians copy
Coordinator reviews
Coordinator indexes
Coordinator “prepares”
10
FOI and e-FOI compared
11
FOI and e-FOI compared
Coordinator collects
Coordinator “processes” for responsiveness
Coordinator imports to review
tool
Coordinator tags and redacts for
exemptions
Coordinator produces
electronically
12
FOI and e-FOI compared
• Positive• You have greater control over search and retrieval
• You’ll have access to metadata and searchable text
• No more double or triple printing
• Limit• With unstructured data (e.g., e-mails), you can’t
avoid a record-by-record review
13
FOI and e-FOI compared
• But it’s likely your choice• Requester’s may make the “fox guarding the
henhouse” argument
• See, for example, MO-2634
• Order suggests that institutions and custodians
should be trusted absent a reason to mistrust
• Advice – be the benign skeptic, and never, never
say you’ve found all the e-mails
14
Database requests
15
Database requests
• Producing an “export” at point in time – usually “CSV” or “Tab Delimited”
• Common disputes• Fee and feasibility disputes – TPS case from 2009
• Identifiably disputes – see PO-3232 from July 2013
• Exemption of fields – see PO-3017 from Dec 2011
• Third-party disputes – see MO-2985 from June 2013
16
Database requests
• The limited definition of record• You have to create a record nowadays, unless the
information resides in your head (see M33)
• But there two (extraordinary) limits• Not capable of production by means… “normally
used by the institution”• “the process of producing [the record] would
unreasonably interfere with the operations of an institution.”
17
Database requests
• Toronto Police Services (Ontario CA, 2009)• Confirms a duty to export and mask identity
• If you can do it with means “normally used” you
must do it subject to “unreasonable interference”
• Still a question about whether the required use of
hardware and software not “normally used” is a
basis for declining to answer (though it is clear if you
don’t have normal use of the expertise you are
clear)
18
Database requests
• Order PO-2752 from January 2009• Example of the “unreasonable interference limit”
• OTIS request for data in “linkable” form
• 1,377.50 hours of work
• By specialized staff
• Legitimate security concerns
19
Database requests
• Tips on fee and feasibility issues• Build a relationship with IT
• Build a basic understanding of technical concepts
• Be very skeptical of large fees and claims that “it
can’t be done”
• Consider using an outside contractor to deal with
real operational concerns (chargeable at 100%)
• Provide detailed evidence to the IPC in an affidavit
20
Database requests
• Gombu (Divisional Court, 2002)• Database of electronic campaign contribution data
• Most of the information was already public, but in
physical form
• IPC finds and unjustified invasion on the balance
• Divisional Court - Production of electronic
information not reasonably associated with any
greater risk of misuse
21
Database requests
• The notification problem• What if the requester wants identifying information?
• Head’s duty mandatory – reason to believe might
(and SCC says give notice in Merck)
• Necessary, but costly and unfunded
• This will lead institutions to deny access
• IPC may bear the burden of notification on appeal,
as in PO-3017
22
E-mail requests
• The problems with e-mail• There are duplicates and near duplicates
• Search is expensive because they are unorganized
• Review for exemptions is unfunded, very time
consuming and very difficult to automate
• There is an interest in e-mails not stored “actively” –
i.e. in archive (good), on tape (bad) or
23
E-mail requests
• MO-2154• Requester asks for e-FOI, asks for deleted e-mails
• IPC denies cost of acquiring hardware
• Affirms $12,500 for fees to outside vendor
• Shows – requesters can get what they ask for
• Shows – use of outside vendors can be legitimate
• See also MO-2764 (also some evidence that
outsourcing was reasonable)
24
E-mail requests
• Deleted e-mails and e-mails on backup• Go back and talk to the requester about cost
• Talk about duplication in active storage
• Backup is probably a more cost effective alternative
to restoring deleted e-mails in most cases
• Identify the number of backup tapes from the event
to the date of the request
• Let’s go to the first tape before the story hit the news
25
E-mail requests
• PO-3050• In general, an access request for emails does not
require a routine search of backup tapes for deleted
emails unless there is a reason to assume that such
a search is required, based on evidence that
responsive records may have been deleted or lost.
26
E-mail requests
• Text messages• They are records subject to the two limits
• They can be logged and logs are easy to deal with
• If not logged, they may be stored on phones
• Can be exported from phones, but the process is
awkward given how people use text message
services
27
The privacy problem
• R v Cole• Establishes a limited ( “not entirely eliminated”)
expectation of privacy
• If there is personal use there will always be a
privacy issue, regardless of policy
• Employers can act reasonably for a legitimate
purpose
28
The privacy problem
• Policy prescriptions• Policy can’t eliminate privacy but can help
• Prepare your public sector employees for e-FOI!
• Tell them that the choice to engage in personal use
on a work system comes with a sacrifice
• Give an express warning about e-FOI
• Also warn – work is done on our system unless
pursuant to a reasonable BYOD policy
29
Dan Michaluk
(416) 864-7253
www.allaboutinformation.ca
The ins and outs of the e-FOI process
Dan MichalukSeptember 26, 2013