Ontario’s New Records Retention Rules – Implications for the Broader Public Sector and the Private Sector
David Young
Effective January 1, 2016, amendments mandating enhanced records retention procedures under Ontario’s two public sector privacy and access laws – the Freedom of Information and Protection of Privacy Act (“FIPPA”) and the Municipal Freedom of Information and Protection of Privacy Act (“MFIPPA”) – came into force. These new rules will have several significant impacts.
Impacts
Firstly, they effectively extend the existing records retention requirements under the Archives and Recordkeeping Act, 2006 (the “ARA”) – which apply to government departments, Ministers’ offices and specifically designated agencies, boards and commissions (all defined as “public bodies”) – to much of the broader public sector[1]. Many broader public sector organizations (such as hospitals and universities) are subject to the comprehensive rules governing access to information and privacy contained in FIPPA and MFIPPA, but not the ARA recordkeeping requirements.
Secondly, the new rules expand the scope of compliance requirements to encompass not only preservation of records, as set out in the records retention schedules mandated by the ARA, but also a requirement to develop and operationalize policies, procedures and accountability mechanisms – essentially to establish an accountability framework analogous to that mandated by privacy legislation.
This expansion in the scope of compliance requirements is significant: it represents the first time that “information management” has been recognized legislatively as public policy in any Canadian jurisdiction. Information management, while rooted in the key discipline of records (or document) retention, represents a much broader methodology, articulating responsibility for an organization-wide governance system for all information assets held by an organization. This wider discipline recognizes that information is a valuable asset of an organization that must not only be protected and preserved but also managed in accordance with the organization’s internal requirements as well as external rules and obligations. Key among external criteria are those stipulating when information is required to be disclosed – such as in response to access requests or litigation process.
The New Rules
The amendments create a simple stipulation: organizations (“institutions” under FIPPA/MFIPPA) must ensure that reasonable measures are developed, documented and put into place to ensure the preservation of records maintained or controlled by them, in accordance with any recordkeeping or records retention requirements applicable to the organization, whether legislative or otherwise.
The new rules resulted from an investigation by the Office of the Information and Privacy Commissioner (the “IPC”) into deletion of emails on transition of government. While the focus of records retention arose as a result of that specific circumstance, the rules that resulted have a much broader application. That the new rules go beyond simple records retention schedules is clear when one reads the guidance document issued by the IPC, FIPPA and MFIPPA: Bill 8 – The Record-Keeping Amendments. The recordkeeping amendments enact several of the recommendations made by the IPC in its report.[2]
In the words of the IPC’s guidance document, “reasonable measures” to preserve records will apply to all stages of the information lifecycle, including when records are developed, maintained, retained, destroyed or archived, all in accordance with applicable requirements and policies. Reasonable measures must include, in addition to records retention schedules, accountability and commitment by senior management, clearly written policies, comprehensive security measures, staff training, and regular reviews, spot checks and audits. Furthermore, the IPC makes clear that entities that have not adopted information management strategies on an organization-wide basis to enable compliance with the new rules should consider doing so. Clearly, the expectations for compliance extend beyond a simple dictate that records be “preserved”, to encompass a more holistic approach to information management.
Information Management
Information management is the discipline and practice of establishing a framework of processes and protections to ensure the effective, efficient and secure use of information within an organization. The discipline addresses all aspects of the management of information and records collected, used, maintained, disclosed and disposed of by an organization. Key precepts are information security and stewardship.
Policies and procedures include organizational responsibilities, asset management, security, relevant processes (e.g. records retention and destruction) and training. The framework reflects applicable legal requirements, recognized standards, relevant regulatory requirements and best practices – arguably all criteria that should be considered within the scope of the new rules.
Information management, or governance, has not to date been stipulated as a requirement mandated by legislation but is one that organizations may, and arguably should, adopt to ensure compliance with diverse rules and laws that apply to them as well as the broader purpose of protecting, maintaining and, when appropriate, securely disposing of their valuable information assets. Organizations that are mandated by legislation to maintain and protect information to support their operations – financial institutions and public company issuers of securities are examples – may determine that an information management strategy is the most effective and efficient means to establish due diligence compliance with such regimes. Underlying all information governance is the recognition that management of information is critical for organizational efficiency and effectiveness, for compliance purposes, and for preparedness in dispute resolution matters.
Extension to the Broader Public Sector
One of the significant aspects of the new rules is to extend records retention compliance requirements to many organizations within the broader public sector not previously subject to such requirements. The ARA mandates government ministries and designated agencies, boards and commissions to adopt (and have approved by the provincial Archivist) records retention schedules. However, to date, such a requirement has not applied to most organizations within the “broader public sector”. Now, under the new rules, such broader public sector organizations will need to identify the diverse, specific, records retention requirements that apply to them. Directed by these requirements, broader public sector organizations must establish appropriate schedules, policies and procedures that satisfy the dictate of “reasonable measures” to ensure ongoing compliance with such requirements. Significantly, the new rules also refer to compliance with rules and policies that may or may not be mandated by statute. They require compliance with “any recordkeeping or records retention requirements, rules or policies” whether legislative or otherwise.
For public bodies governed by the ARA, the new rules also will have significant impact. Whereas the only clear obligation under the ARA is for such entities to adopt appropriate and approved records retention schedules, the record-keeping amendments now will require them also to adopt a comprehensive accountability framework and, if the IPC’s guidance is to be followed, broader information management strategies.
Impact on the Private Sector
For private sector organizations, the new rules will have impact as well. Firstly, any organization providing services to or selling to the public sector will be required to accord with the public sector entity’s recordkeeping and information management requirements. This requirement will be critical for private sector organizations that provide a significant information processing and/or database management function to public sector bodies. Secondly, while there is no direct statutory obligation on private sector organizations to comply with the new rules, it is foreseeable that they will serve to establish a new industry standard for enhanced information management strategies, a standard that senior management and boards of directors will be expected to comply with.
Takeaways
The most important implications of the new records retention rules are two-fold.
Firstly, the application of this new, more intensive compliance regime is extended beyond the specifically defined category of “public bodies” (Ministers’ offices, government departments, boards, commissions and Crown agencies) to now include many organizations within the “broader public sector” as defined in the government’s accountability legislation, including hospitals, universities and other entities receiving public funding as well as municipal entities governed by MFIPPA such as school boards.
Secondly, the scope of public sector compliance requirements for records retention has been intensified to encompass not only adoption of appropriate records retention schedules but also a requirement for a comprehensive accountability framework, including policies, procedures, training and review processes. This requirement for an accountability framework is analogous to that articulated by privacy legislation, as reflected in the CSA’s Model Code – Principle 1 – Accountability.
It can be anticipated that the new rules will provide a significant incentive to move toward comprehensive “Information Management” systems within the public and broader public sectors, as well as within the private sector – as public sector organizations move toward requiring their private sector information services to comply.
The enactment of the new records retention rules responds to a very specific issue: preservation of relevant records to comply with the diverse operational and legal requirements impacting an organization. However, the resulting compliance expectation is much broader – an accountability framework for the management of all information within the organization.
[1] Reference to organizations within the “broader public sector” is to those designated as subject to the provisions of the Broader Public Sector Accountability Act, 2010.
[2] The issue of deletion of records by government entities in the context of access to information requests has resonated in several provinces. In October 2015 the Information and Privacy Commissioner for British Columbia issued a report, Access Denied: Record Retention and Disposal Practices of the Government of British Columbia, in response to the deletion of emails and other records in connection with access requests relating to murdered and missing women on the “Highway of Tears” in northern B.C. The government followed up on this report by engaging the former Commissioner, David Loukidelis, to provide advice in implementing the Commissioner’s recommendations which included records management, records retention, training and review processes. The Commissioner’s recommendations and Mr. Loukidelis’ advice echo the findings of the Ontario Commissioner.
For more information please contact:
David Young 416-968-6286 david@davidyounglaw.ca
Note: The foregoing does not constitute legal advice. Readers are cautioned that for application to specific situations, legal advice should be obtained.
© David Young Law 2016