Mandate

The Office of the Information and Privacy Commissioner (OIPC) for the Province of Newfoundland and Labrador is an independent statutory office of the House of Assembly. The Commissioner has a broad range of responsibilities and powers under both the Access to Information and Protection of Privacy Act, 2015 (ATIPPA, 2015) and the Personal Health Information Act (PHIA).

Oversight of these Acts includes conducting reviews of decisions and investigating and attempting to resolve complaints about access to information and protection of privacy involving public bodies under ATIPPA, 2015 and custodians of personal health information under PHIA. The Commissioner may also make recommendations in order to uphold the Acts and encourage better compliance.

  1. ATIPPA, 2015

    Introduction

    The Access to Information and Protection of Privacy Act (ATIPPA) was passed by the Newfoundland and Labrador House of Assembly in March of 2002. It replaced the old Freedom of Information Act, which came into effect in 1981. ATIPPA’s access provisions were proclaimed into force on January 17, 2005 and its privacy provisions were proclaimed into force on January 16, 2008.

    In 2010, the legislation underwent a statutory review process, led by an independently appointed Review Commissioner, John R. Cummings, K.C. After the final report of Commissioner Cummings was published in January 2011, government drafted amendments to the Act known as Bill 29, which was passed after three days of filibuster debate by the 11 opposition members in June 2012. While government claimed Bill 29 would strengthen and enhance the provincial access and privacy law, experts in law, democracy, access, and privacy felt the bill would do the opposite – weaken and diminish the existing access and privacy rights of citizens. There was strong opposition as well from journalists and citizens and the resulting debate and conflict eventually led to a decision by Premier Tom Marshall to undertake another legislative review, with the goal of creating the best access and privacy statute in Canada, and one of the best in the world.

    The 2014 ATIPPA Review Committee consisted of Committee Chair, Clyde Wells (former Chief Justice, and former Premier of Newfoundland and Labrador), Jennifer Stoddart (former Privacy Commissioner of Canada), and retired journalist Doug Letto. The Committee spent many months reviewing the legislation and speaking with and reviewing the submissions of various interested parties and citizens before completing its Report in March 2015. The recommendations made by the Review Committee in its Report were accepted by government, leading to the adoption of a new access and privacy law, Access to Information and Protection of Privacy Act, 2015 (ATIPPA, 2015), which came into force on June 1, 2015.

    The 2020 ATIPPA Review was chaired by retired Supreme Court Justice David B. Orsborn. After conducting a fair and comprehensive review in an open and transparent manner, the final report was issued June 8, 2021.

    ATIPPA, 2015 governs access to records in the custody of or under the control of a public body, and sets out requirements for the collection, use, storage, and disclosure of personal information contained in the records each maintains. A public body is defined in section 2 of the legislation and includes provincial departments and agencies, school districts, public post-secondary institutions, health boards, and municipalities.

    A cornerstone of this legislation is the establishment of this Office as the independent review mechanism. As such, the Information and Privacy Commissioner has been given specific powers to investigate access and privacy complaints from individuals and groups who feel that their access to information or privacy rights, as provided for in ATIPPA, 2015, have been violated. The Commissioner can require a public body to produce any document relevant to an investigation, may enter an office of a public body and examine, and if necessary make copies of, a record in the custody of the public body, and has the power to make recommendations for better compliance with ATIPPA, 2015. In certain circumstances the Commissioner may file his recommendations with the Supreme Court Geveral Division and such an order is enforceable against a public body as if it were an order or judgment of the Court.

    It is important to note the distinction between the provincial ATIPP Office and the Office of the Information and Privacy Commissioner. The ATIPP Office, as part of Executive Council, is responsible for the overall administration and coordination of the legislation, while the Commissioner, as an Officer of the House of Assembly, acts as the independent review mechanism under the legislation. Specific information on the role of the ATIPP Office can be found on the ATIPP Office website.

    Purpose

    The chief purpose of Newfoundland and Labrador’s ATIPPA, 2015 is to facilitate democracy and highlight the importance of protecting personal information. Section 3(1) of the Act states:

    3(1) The purpose of this Act is to facilitate democracy through

    (a)   ensuring that citizens have the information required to participate meaningfully in the democratic process;

    (b)   increasing transparency in government and public bodies so that elected officials, officers and employees of public bodies remain accountable; and

    (c)   protecting the privacy of individuals with respect to personal information about themselves held and used by public bodies.

    This purpose is achieved through a number of measures outlined in section 3(2), including:

    • giving the public a right of access to records;
    • giving individuals a right of access to their own personal information and a right to request correction of that information;
    • specifying limited exceptions to the right of access;
    • preventing the unauthorized collection, use, or disclosure of personal information by public bodies; and
    • providing for independent review by an Officer of the House of Assembly of a decision, act, or failure to act on the part of a public body.

    Commissioner’s Powers and Duties

    The Commissioner may exercise powers and duties under ATIPPA, 2015 by:

    • investigating a decision, act, or failure to act of a public body that relates to an access request or a request to correct personal information;
    • investigating privacy complaints and initiating privacy investigations;
    • making recommendations to ensure compliance with the Act and Regulations;
    • informing the public about and facilitating public understanding of the Act;
    • receiving comments from the public about the administration of the Act;
    • commenting on the information and privacy implications of proposed legislation and programs;
    • commenting on the implications of record linkages and information technology on the protection of privacy;
    • informing the head of a public body about a failure to adequately assist an applicant;
    • making recommendations to public bodies or the minister responsible for this Act about the administration of the Act;
    • conducting audits and reporting findings of public bodies’ performance of duties and obligations under the Act;
    • reviewing and commenting on privacy impact assessments (PIAs), as required to be completed by government departments developing new programs and services;
    • researching access and privacy developments and advancements in technology related to access and privacy;
    • making special reports to the House of Assembly related to subjects within the scope of function and duties of OIPC; and
    • filing an order with the Court to compel compliance by public bodies with the Commissioner’s recommendations, as provided for under ATIPPA, 2015.

  2. PHIA

    Introduction

    Newfoundland and Labrador’s Personal Health Information Act (PHIA) is a law which establishes rules regarding how your personal health information is to be handled. It protects your privacy as well as your right of access to your own personal health information.

    PHIA governs information held by custodians of your personal health information, whether in the public sector, such as your nearest hospital, or the private sector, such as a dentist or pharmacist. Most personal health information, with few exceptions, is considered to be in the control or custody of a custodian and is therefore covered by PHIA. Examples of some major custodians include:

    • NL Health Services;
    • WorkplaceNL;
    • regulated health professionals in private practice, such as doctors, dentists, pharmacists, physiotherapists, etc.;
    • Faculty of Medicine and the Schools of Nursing, Pharmacy, and Human Kinetics and Recreation at Memorial University.

    PHIA recognizes that you expect your health information to remain confidential and that it should only be collected, used, or disclosed for purposes related to your care and treatment. However, PHIA also acknowledges that personal health information is sometimes needed to manage the health care system, for health research, and for other similar purposes. Furthermore, law enforcement officials, health officials, and others may also have a legitimate need to access personal health information under limited and specific circumstances. PHIA balances your right to privacy with the legitimate needs of persons and organizations providing health care services to collect, use, and disclose such information.

    If you wish to access your personal health information, or if you have an inquiry about how your personal health information is being collected, used, or disclosed, you may contact your health care provider. For more information about PHIA, visit the PHIA website of the Department of Health and Community Services.

    Purposes

    The purposes of PHIA are accomplished by:

    • establishing rules for the collection, use, and disclosure of personal health information to protect the confidentiality of the information as well as to protect individual privacy;
    • giving the public a right of access to personal health information about themselves;
    • giving the public a right to require correction or amendment of that information;
    • establishing measures to ensure accountability by custodians and to safeguard the security and integrity of personal health information;
    • providing for independent review of decisions and resolutions of complaints respecting personal health information; and
    • establishing measures to promote compliance with PHIA by custodians.

    Commissioner’s Powers and Duties

    The Commissioner may exercise powers and duties under PHIA by:

    • reviewing a complaint regarding a custodian’s refusal of a request for access to or correction of personal health information;
    • reviewing a complaint regarding a custodian’s contravention or potential contravention of the Act or Regulations with respect to personal health information;
    • making recommendations to ensure compliance with the Act;
    • informing the public about the Act;
    • receiving comments from the public about matters concerning the confidentiality of personal health information or access to that information;
    • commenting on the implications for access to or confidentiality of personal health information of proposed legislative schemes or programs or practices of custodians;
    • commenting on the implications for the confidentiality of personal health information, of using or disclosing personal health information for record linkage, or using information technology in the collection, storage, use, or transfer of personal health information; and
    • consulting with any person with experience or expertise in any matter related to the purposes of this Act.