Thank you, Mr. Speaker.
Surging Reviews and Investigations
The IPC can open a file to review and investigate: GNWT decisions on access to information requests; Privacy complaints of improper collection, use, or disclosure of personal or health information; Privacy breach complaints; and
Any matter relating to the application of ATIPPA or HIA, whether or not an individual requested a review.
The IPC can also open a file to comment on the access and privacy implications of proposed legislation, policies, or programs.
Over the past 10 years, the number of files opened by the IPC has grown substantially. The number of files opened increased six-fold from 2011-2012 (27 files) to 2020-2021 (162 files). Much of the growth comes from files opened under the Health Information Act, which came into force in 2015-2016.
The growing number of files is not inherently bad. Recent IPC annual reports identify potential reasons driving the trend. The Health Information Act's coming into force increased the scope of privacy rights and responsibilities. The public's exercise of the right to access government information may be increasing. Similarly, the public may be more aware and protective of their personal privacy. Public bodies may also have become more aware of privacy issues and better at reporting privacy breaches. However, the high number of files is fiscally costly.
In the past 10 years, the IPC has had to spend more to keep up with the surging workload. Spending has increased by an order of magnitude from $90,000 in 2011-2012 to $547,000 in 2020-2021. Public bodies also incur costs to comply with ATIPPA and HIA. It is unclear how much the GNWT spends to comply and how that has changed over time. The government's activity reports on administering ATIPPA, which the GNWT has not published since 2016, do not report on costs.
Reduce Complaints and Costs with "Upstream" Measures
In his appearance before committee, the IPC explained that "upstream: Investments in the access and privacy regime can reduce "downstream" costs associated with access complaints and privacy breaches. As he put it more succinctly, public bodies must choose between a small expense now or a larger expense later.
"Upstream" measures address the reasons individuals request reviews of access decisions and public bodies breach personal information. Some examples include:
- Making more government records available by default.
- Training employees on the proper collection, use, and disclosure of personal information.
- Procuring technology for better records management; and
- Implementing administrative safeguards to protect personal information.
In fact, the IPC highlighted the early success of one such "upstream" measure. Since March 2021, the government has centralized some access to information functions at the new Access and Privacy Office. The IPC credited the APO's trained staff and centralized approach with promising early results. He has observed a slight decrease in the number of review requests and, as of February 2022, zero "deemed refusals" on APO files.
More "upstream" measures are needed. Committee is making four recommendations to that effect. The recommendations address persistent gaps in the access and privacy regime, raised by the IPC, that lead to complaints and privacy breaches. They also reinforce accountability for past committee recommendations that the Government has not implemented adequately.
Mr. Speaker, I will now pass this over to the Member for Thebacha. Thank you.