ANSWER:

As noted in the last Bulletin, FIPPA applies to records in the custody or under the control of an institution. Although neither term is defined in FIPPA, there are a number of Orders of the Office of the Information and Privacy Commissioner/Ontario (IPC) interpreting these concepts as well as the concept of "bare possession".

CUSTODY/CONTROL

In Order 120 (November 1989), the IPC found that "...it is not possible to establish a precise definition of the words "custody" or "control" as they are used in the Act, and then simply apply those definitions in each case". Custody and control of a particular record is a function of how a record is created, maintained and used and accordingly, determined on a case-by-case basis.

Order 120 provides guidance in the form of criteria which may be applied to assist in determining whether a record is in the custody or under the control of an institution. The criteria include, although are not limited to:

  • whether the record was created by an officer or employee of the institution;
  • the intended purpose for which the record was created;
  • whether the institution has possession of the record and if so, whether it was provided voluntarily or by law;
  • if the institution does not have possession of the record, whether it is being held by an officer or employee of the institution for the purposes of his or her duties;
  • whether the record relates to the institution's mandate and functions;
  • whether the institution has the authority to regulate the record's use;
  • the extent to which the record has been relied upon by the institution;
  • the extent to which the record is integrated with other records held by the institution; and
  • whether the institution has the right to dispose of the record.

BARE POSSESSION

Records may be in the possession of an institution without being in its "custody". As noted by the IPC in Order 120:

... although mere possession of a record by an institution may not constitute custody or control in all circumstances, physical possession of a record is the best evidence of custody, and only in rare cases could it successfully be argued that an institution did not have custody of a record in its actual possession.

In Order P-239 (September 1991), the IPC was required to determine whether records in the possession of an institution (Ministry of Government Services), which were prepared by an organization that was not subject to FIPPA (Ombudsman), were in the institution's custody. The IPC found that:

"...bare possession does not amount to custody for the purposes of the Act. ... there must be some right to deal with the records and some responsibility for their care and protection.

The concept of "bare possession" was discussed more recently and in detail, in an appeal of an Order of the IPC to the Ontario Superior Court of Justice.

CITY OF OTTAWA V. ONTARIO (IPC)

The records in question were personal emails related to an employee's work with a charity that he had transmitted through and stored in a segregated file on the City's email server. When a request was made for access to the emails, the City took the position that they were not in its custody or control. The IPC disagreed with the City. The Court upheld the City's position.

The Court examined the purpose of access to information legislation (enhancing the democratic process), relevant orders of the IPC and case law, and found that in the circumstances, the emails could not be said to be within the custody or under the control of the City. The Court analogized the emails to personal communications and documents of employees that are stored in paper form in their desk at the office. The Court also found that the measure of control over the emails exercised by the City for the purpose of ensuring the appropriate use and security of its electronic information systems was not determinative of custody or control for the purposes of FIPPA.

PRACTICAL TIPS

  • Consider the extent of personal use authorized users are permitted to make of the hospital's information system (HIS).
  • Ensure that there is a clear policy setting out the rules to which all authorized users are referred, including the conditions under which the HIS may be used for personal email and Internet access.
  • Ensure that any personal information that authorized users are permitted to transmit or store through/on the HIS is segregated from hospital information.
  • Ensure that any records maintained in the hospital, for example by health professionals to whom the hospital leases space, are the subject of a written agreement that clearly establishes their ownership.

About BLG

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.