An impromptu visit from Sidney B. Linden, Ontario’s first Information and Privacy Commissioner

A few months ago, I was honoured to meet Ontario’s first information and privacy commissioner, Sidney B. Linden. The former commissioner was going through boxes of old materials for his memoirs when he happened upon his IPC box. In it, was a copy of the first IPC annual report among other memorabilia and important historical documents. He decided to pay me a visit and bring the documents along so we could have a chat about the office then and now. And what a fascinating chat it was!

The Office of the Information and Privacy Commissioner of Ontario was created in 1988 to usher in the province’s Freedom of Information and Protection of Privacy Act (FIPPA), which came into force on January first of that year. It was an exciting time for Ontarians, seeing their information rights come to life from the pages of the Williams Commission report. The report was grounded in the principles of transparency, accountability, public participation, personal privacy, fairness and cost efficiency. 

Among its recommendations, the Williams Commission recommended integrating both access to information and privacy in a single statute and creating a single oversight office charged with upholding both values and striking the proper balance between them. Having previously worked at the federal level where access to information and protection of privacy are governed by separate statutes and separate offices, I have come to truly appreciate the virtues of that integration. 

By the sounds of it, the IPC had very humble beginnings, with a staff of 10 that grew to 29 by the end of its first year of operations. That same year, they set up their physical offices as well as their policies and procedures, resulting in 141 closed appeals files. Thirty-six years later, with an expanded mandate that now also covers all health care providers and child and family service providers, our office has quintupled in size to close almost 3,000 access to information appeals and privacy complaints per year. 

Volumes of freedom of information (FOI) requests have certainly ballooned for institutions as well. In 1988, the total number of FOI requests received provincially was 4,784, compared to 27,238 in 2023! That number climbs to 66,422 when you add in FOI requests under the Municipal Freedom of Information and Protection of Privacy Act (MFIPPA). In that first year of FIPPA implementation, the majority of these requests (80 per cent) were completed within the stipulated 30 days. By comparison, that 30-day provincial response rate dropped to 67.2 per cent in 2023. This is significantly lower than what it was in 1988, but much improved over 2022 when it dipped as low as 51.2 per cent.

In 1988, provincial institutions provided all or part of the requested information in 77.4 per cent of cases compared with 74 per cent in 2023. While those numbers have held relatively steady in the 36 intervening years, the breakdown tells a slightly different story. In 1988, institutions provided all of the requested information in 55.7 per cent of cases, and part of the information in 21.7 per cent of cases. In 2023, that proportion completely flips around with 22.6 per cent of responses provided in full, and 40.5 per cent of responses provided in part. 

In French, we have a saying: “plus ça change, plus c'est la même chose” (the more things change, the more they stay the same). That’s certainly what came to mind several times as I read through other parts of the IPC’s first annual report and reflected upon the three-plus decades between Mr. Linden’s mandate and my own. 

I was interested to read a description of the process the IPC developed in its first year of operation to deal with incoming access to information appeals. As Commissioner Linden wrote, “(w)hile the procedures followed during the appeal process will continue to evolve as the Commissioner’s Office gains more experience, they will always be guided by the overall principle of fairness.”

I remain just as committed to procedural fairness today, as Mr. Linden was back then. However, the office’s procedures for handling appeals did not evolve as Mr. Linden predicted they would. In fact, the IPC’s Code of Procedure for appeals under FIPPA and MFIPPA had not undergone a review until this past year when we undertook a major revision to update our processes and procedures. Our objectives were to:

• reflect the IPC’s current and future operations for considering appeals under FIPPA and MFIPPA
• improve timeliness for the processing of appeals
• maintain the fair and just consideration of appeals 
• provide greater transparency and understanding of the IPC’s procedures when considering appeals

After months of public consultation and valuable feedback from the community, I am very pleased to announce that our new code, together with revised practice directions and new policies took effect on September 9, 2024. In Mr. Linden’s words of many years ago, it was time for us “to evolve.” 

Another interesting observation in reading the Mr. Linden’s first annual report, was the positive rapport he had with government staff, and how gratified he was “by the positive working relationship that has developed between (the IPC) and the many Freedom of Information and Privacy Coordinators from various ministries and agencies who themselves were struggling to fulfil their own responsibilities and duties under this new legislation.” 

I feel very heartened that this culture of cooperation and goodwill among Ontario’s FOI community continues to this day. We may not always agree on the outcome of a case as we struggle to meet deadlines and service standards with finite resources. However, the founding principles of the Williams Commission report continue to ring true, reminding all of us of the values we commit to when we take on the charge of upholding Ontarians’ information rights.

In terms of the IPC’s privacy protection mandate, Mr. Linden referred to the Commissioner’s responsibility “for ensuring that the standards established by the act and its regulations are adhered to. If he (or she, in my case) finds, as a result of an investigation, that a government institution’s personal information practices contravene the act, the Commissioner is empowered to order the institution to cease a collection practice, or to destroy records containing personal information.” The inclusion of the word investigation here is very peculiar, as nowhere in the act is the word investigation mentioned in connection with privacy complaints. In fact, to this day, FIPPA is completely silent on the commissioner’s powers and authorities to investigate privacy breaches. To think, during all these years, the IPC has had to fill in the legislative blanks and investigate Ontarians’ privacy complaints with no playbook. 

It is for this reason that Bill 194, the Strengthening Cyber Security and Building Trust in the Public Sector Act is long overdue. Though far from perfect, the part of the bill amending FIPPA will finally introduce a proper investigation regime for handling privacy complaints, provide explicit investigative powers for the commissioner to do their job and expand the types of orders that can be issued in cases of non-compliance. As I stated in my office’s submission on the bill, while this is a positive step, we would like to see the bill amended to, among other things:

• broaden the right for Ontarians to bring privacy complaints, beyond only those individuals who receive a notification of a privacy breach
• expand the commissioner’s powers to be able to conduct a more thorough investigation, particularly in highly complex cases involving cyberattacks
• allow the commissioner to be able to publicly report on her findings so that Ontarians can know the outcome of these investigations

We look forward to participating in a thoughtful, inclusive, and democratic debate about all aspects of Bill 194 and how it could be further improved upon before adoption.

As I continue to reflect on IPC’s first annual report, there are many observations I can’t help but compare to my experience today. Most notably, I found Mr. Linden to be quite prophetic when, as far back as 1988, he characterized our “information society” in the following terms: 

“… innovative technologies continue to expand the role of information as a commercial, scientific and social decision-making tool. Although there are widely accepted benefits to this kind of technological advancement, the act recognizes the need to carefully monitor and assess the impact these changes will have on personal privacy and access to information.” 

Did Mr. Linden really know the full extent to which information technologies would completely transform how we live and work, how we relate to our public and private institutions, and to each another? Could he, or anyone in his position, have anticipated the disruptive impact that artificial intelligence would have in today’s digital society? Perhaps not, but he certainly had an inkling. 

As the current Information and Privacy Commissioner of Ontario, I too have a responsibility to look ahead and help prepare Ontarians for their digital future. That’s what I have tried to do in my 2023 annual report and will continue to strive to do throughout the remainder of my mandate.

Thank you, Mr. Linden, for coming to visit me. It was a real honour to meet you.