“While technology is a powerful tool for innovation, its use must not infringe on the right of requesters to know what government is doing and to hold it accountable for its decisions.”
Suzanne Legault, Information Commissioner of Canada
Where did it all begin
In August 2012, the Information Commissioner launched a systemic investigation into the use and preservation of non-email, text-based messages[1] on government-issued wireless devices. The decision to launch this investigation was, in part, the result of a complaint against Indian and Northern Affairs Canada (now Aboriginal Affairs and Northern Development Canada). In that case, the complainant had received an email in which one government official asked another to use a “pin” instead of email to communicate. When Information Commissioner has investigated the complaint, they were informed that, prior to receiving the request for information, the relevant BlackBerrys had been replaced and subsequently destroyed. Thus, any information that might have existed and fallen within the scope of the access request was permanently lost.
Based on this complaint, as well as an increasing number of complaints related to missing records and “pins,” the Commissioner determined that there were reasonable grounds to self-initiate a complaint in order to investigate the impact of instant messaging, including PINs, on the right of access to information in Canada.
The investigation sought to answer two main questions: Does the use of instant messaging, including PINs, pose a risk to the rights of requesters to receive information under the Access to Information Act? Is there any operational requirement that would justify taking such a risk?
During the investigation the Commissioner has sent questionnaires to public institutions and ministerial offices, and has learned about their policies and procedures on information management, usage of wireless devices and instant messaging.
Instant Messaging in Freedom of Information legislation
According to the “Access to Information Act”“record” which is subject to access to information means “any documentary material, regardless of medium or form”.[2] In Canada records may be of business value or transitory in nature. “Records of business value” are those that record or communicate business decisions and support ongoing operations. “Transitory records” include those created to complete a routine action. Despite this, any record under the control of an institution at the time it receives a request must be retrieved, processed for access purposes and preserved.
What are the concerns about the current situation
Approximately 98,000 BlackBerrys have been issued to government institutions (as of August 2013, as per Shared Services Canada). Most are enabled to send instant messages, which, in turn, are not generally stored on corporate servers.
Only two institutions make automatic updates of instant messaging, in one case the updates are stored for audits and forensic investigations but not for information management purposes, and in another case only SMS, and not PIN-to-PIN messages are stored. Without enabling special function to store messages, wireless devices automatically delete instant messages after a set period of time, usually 30 days. None of the institutions has employed a technical means to ensure instant messages are preserved when wireless devices are disposed of or deactivated. Instead individual users determine whether messages are of business value and then store them in a corporate repository. Some institutions require wireless users to sign an agreement under which they must abide by policies on device use. However, only National Defence’s agreement makes explicit reference to instant messaging.
Conclusions of the Commissioner
Having investigated 11 federal institutions, Information Commissioner of Canada has concluded that
there is a real risk that information that should be accessible by requesters is being irremediably deleted or lost. No valid operational requirement was provided to me to justify this risk. The current use of instant messaging presents an unacceptable risk to the right of access to information in Canada and the operational requirements identified by government institutions do not explain or justify the risk created by the use of instant messaging.
Instant Messages are not automatically stored on institutional servers, institutions need to make active steps for this. Otherwise instant messages are automatically deleted after a set period of time, usually 30 days, and are, as a result, not recoverable.
Reliance on the goodwill of individual public servants and ministerial staff to identify, save and store records of business value is insufficient to address the risk that information that should be subject to the Act will be lost without a means of being recovered or retrieved.
According to Information Commissioner, the current treatment of instant messaging is that it limits the ability of their office to investigate complaints about missing records or no record responses. Given that it is usually at least 90 days (30 days to respond to a request and 60 days to make a complaint) before the Commissioner receives complaints about how institutions handled access requests, the chances that instant messages will still exist at that point are virtually nil. Besides, Missing records complaints amount to nearly half of complaints about refusals to grant access. The Office of the Information commissioner registered more than 400 missing records complaints in 2012–2013.
Institutions said that they enable instant messaging for three reasons:
In the opinion of the Commissioner, the first two reasons are clearly insufficient for institutions to justify an activity that puts the quasi-constitutional right of access at risk.
Conclusions:
Recommendations of the Commissioner
Based on the conducted research and the conclusions, the commissioner has prepared the following recommendations:
Response of the Government
The president of the Treasury Board did not accept recommendations of the commissioner, and stated, that “Non-email text-based messaging services such as pin-to-pin are a means of informal communication that are inherently transitory in nature.” He has also acknowledged that “non-transitory records of business value, which are the exception in non-email text-based messaging, must be preserved, for example by being forwarded into the email system.”
Conclusion
Messages of business value sent or received by public officials are subject to access to information in Georgia as well. In particular, according to the General Administrative Code of Georgia, public information is “official document (including electronic information) or information which is stored in public institution, also business information which is received, processed, created or sent by the public institution or public official.”[3] Thus, business information which is e.g. sent or received via work e-mail or mobile telephone of a public official is subject to classification and recording as public information, as much as any other document stored in the institution. Unfortunately, electronic business information is almost not recorded and managed in Georgia yet. IDFI plans to continue studying Georgian practice and also observe relevant international experience.
[1] “Pin” stands for “personal identification number.” PIN-to-PIN communications are non-email text-based messages sent and received using the unique eight-digit BlackBerry PIN. These and other similar types of message, such as those sent and received via BlackBerry Messenger and Short Messaging Service (SMS), are considered “instant messages” in this report. We also use that term and “PIN-to-PIN” or “PINs” interchangeably.
[2] “record” means any documentary material, regardless of medium or form;“ Access to Information Act, Canada, at http://laws-lois.justice.gc.ca/eng/acts/A-1/page-1.html?texthighlight=medium#s-3.
[3] General Administrative Code of Georgia, Article 2, M.
Presentation of Liziko Abzianidze's Diary
03.10.2024