On January 14, 2015, the British Columbia Information and Privacy Commissioner, Elizabeth Denham, issued a statement that addresses how freedom-of-information and privacy laws apply to the use of personal email accounts by public servants or officials.
In her statement, the Commissioner made it clear that the Freedom of Information and Protection of Privacy Act (“FIPPA”) applies to all work-related emails sent to, or received from, the personal email accounts of public servants and public officials. She advised that, while there are no freedom-of-information laws that directly prohibit public servants or officials from using personal email accounts for work matters, doing so poses two main concerns: 1) it makes it difficult to search for records that are responsive to an access to information request, and 2) the use of personal email can cause privacy and security risks if personal information is accessed or stored outside of Canada.
The Office of the Information and Privacy Commissioner published Guidelines that outline how B.C.’s freedom-of-information laws apply to personal email accounts, and the risks involved when such accounts are used for government business. The guidelines address the following three provisions in FIPPA: Sections 3(1). 6(1) and 30.
1) Section 3(1) – Scope of the Act
The guidelines point out that FIPPA’s application to “public records” is broad in scope and, depending on the circumstances, may encompass work-related emails sent from personal accounts. The issue that needs to be addressed in these cases is whether the personal email remains under the control of a public body.
The Supreme Court of Canada has established that where a record is not in the physical possession of a government body, it will remain under its control if the following questions are answered in the affirmative:
- Do the contents of the document relate to a departmental matter?
2) Could the government institution reasonably expect to obtain a copy of the document upon request?
As a precautionary measure, one should assume that any email that an employee sends or receives that’s within the context of their work duties, whether it be through a work or personal email account, will be considered to be a record under the public body’s control.
2) Section 6(1) – Duty to Assist Applicant
Section 6(1) of FIPPA requires public bodies to make every reasonable effort to assist the applicant with their request and to respond without delay to each applicant openly, accurately and completely. In order to so do, the public body has an obligation to perform a complete and adequate search of its records when responding to the access request. The public entity is required to take every reasonable step in its search to locate relevant records, including compelling the production of relevant records located personal email accounts.
As there are no provisions in FIPPA that directly prohibit public body employees from using their personal email accounts for work matters, the guidelines suggest that public bodies should create a policy on the use of personal email accounts for work purposes.
3) Section 30 – Reasonable Security Measures
The guidelines also call attention to the security risk to personal information that is associated with the use of personal email accounts. Public bodies are required under FIPPA to have in place reasonable security measures that will safeguard against unauthorized access, collection, use, disclosure or disposal of personal information. A personal email account, which is usually web-based, is unlikely to comply with the security requirements set out in section 30 of FIPPA. The guidelines address some of the obvious concerns that arise out of using a personal email account when attending to business, including third party access to content and inadequate security features for the personal webmail account.
In essence, the use of personal email accounts for work purposes will result in several challenges for public bodies under FIPPA. The guidelines were created to better illustrate these challenges and to recommend that public bodies put in place policies that address the use of personal email accounts for work purposes.