SMS as Public Information (Case of Canada)

News | Publications | Open Governance and Anti-Corruption | Article 16 December 2013

“While technology is a powerful tool for innovation, its use must not infringe on the right of requesters to know what government is doing and to hold it accountable for its decisions.”

 

Suzanne Legault, Information Commissioner of Canada

 

 

 

 

 

Where did it all begin

 

In August 2012, the Information Commissioner launched a systemic investigation into the use and preservation of non-email, text-based messages[1] on government-issued wireless devices. The decision to launch this investigation was, in part, the result of a complaint against Indian and Northern Affairs Canada (now Aboriginal Affairs and Northern Development Canada). In that case, the complainant had received an email in which one government official asked another to use a “pin” instead of email to communicate. When Information Commissioner has investigated the complaint, they were informed that, prior to receiving the request for information, the relevant BlackBerrys had been replaced and subsequently destroyed. Thus, any information that might have existed and fallen within the scope of the access request was permanently lost.

Based on this complaint, as well as an increasing number of complaints related to missing records and “pins,” the Commissioner determined that there were reasonable grounds to self-initiate a complaint in order to investigate the impact of instant messaging, including PINs, on the right of access to information in Canada.

The investigation sought to answer two main questions: Does the use of instant messaging, including PINs, pose a risk to the rights of requesters to receive information under the Access to Information Act? Is there any operational requirement that would justify taking such a risk?

During the investigation the Commissioner has sent questionnaires to public institutions and ministerial offices, and has learned about their policies and procedures on information management, usage of wireless devices and instant messaging.

Instant Messaging in Freedom of Information legislation

According to the “Access to Information Act”“record” which is subject to access to information means “any documentary material, regardless of medium or form”.[2] In Canada records may be of business value or transitory in nature. “Records of business value” are those that record or communicate business decisions and support ongoing operations. “Transitory records” include those created to complete a routine action. Despite this, any record under the control of an institution at the time it receives a request must be retrieved, processed for access purposes and preserved.

What are the concerns about the current situation

Approximately 98,000 BlackBerrys have been issued to government institutions (as of August 2013, as per Shared Services Canada). Most are enabled to send instant messages, which, in turn, are not generally stored on corporate servers.

Only two institutions make automatic updates of instant messaging, in one case the updates are stored for audits and forensic investigations but not for information management purposes, and in another case only SMS, and not PIN-to-PIN messages are stored. Without enabling special function to store messages, wireless devices automatically delete instant messages after a set period of time, usually 30 days. None of the institutions has employed a technical means to ensure instant messages are preserved when wireless devices are disposed of or deactivated. Instead individual users determine whether messages are of business value and then store them in a corporate repository. Some institutions require wireless users to sign an agreement under which they must abide by policies on device use. However, only National Defence’s agreement makes explicit reference to instant messaging.

Conclusions of the Commissioner

Having investigated 11 federal institutions, Information Commissioner of Canada has concluded that

there is a real risk that information that should be accessible by requesters is being irremediably deleted or lost. No valid operational requirement was provided to me to justify this risk. The current use of instant messaging presents an unacceptable risk to the right of access to information in Canada and the operational requirements identified by government institutions do not explain or justify the risk created by the use of instant messaging.

Instant Messages are not automatically stored on institutional servers, institutions need to make active steps for this. Otherwise instant messages are automatically deleted after a set period of time, usually 30 days, and are, as a result, not recoverable.

Reliance on the goodwill of individual public servants and ministerial staff to identify, save and store records of business value is insufficient to address the risk that information that should be subject to the Act will be lost without a means of being recovered or retrieved.

According to Information Commissioner, the current treatment of instant messaging is that it limits the ability of their office to investigate complaints about missing records or no record responses. Given that it is usually at least 90 days (30 days to respond to a request and 60 days to make a complaint) before the Commissioner receives complaints about how institutions handled access requests, the chances that instant messages will still exist at that point are virtually nil. Besides, Missing records complaints amount to nearly half of complaints about refusals to grant access. The Office of the Information commissioner registered more than 400 missing records complaints in 2012–2013.

Institutions said that they enable instant messaging for three reasons:

  • Instant messages are transmitted more rapidly than emails.
  • Using instant messaging in remote locations or overseas avoids roaming charges.
  • Instant messages can be sent and received when institutional servers are unavailable. This provides officials with an additional means of communication and reporting during emergencies.

 

In the opinion of the Commissioner, the first two reasons are clearly insufficient for institutions to justify an activity that puts the quasi-constitutional right of access at risk.

Conclusions:

  1. The current use of instant messaging, without any technical safeguard, presents an unacceptable risk that government information in an institution or ministerial office will be permanently deleted with no means of being recovered or retrieved.
  2. Proposed or existing TBS policies, and training in institutions and ministerial offices do not adequately protect the right of access to information sent or received by instant message.
  3. The enabling of instant messaging in the absence of any technical safeguard undermines the right to an effective, independent review of complaints about institutions’ handling of access to information requests by our office.
  4. The quasi-constitutional right of access to information outweighs the supposed operational requirements for enabling instant messaging identified in the course of our investigation.

 

Recommendations of the Commissioner

Based on the conducted research and the conclusions, the commissioner has prepared the following recommendations:

  1. That Parliament amend the Access to Information Act to add a comprehensive legal duty to document decisions made by federal government institutions, with appropriate sanctions for non-compliance.
  2. That TBS develop and implement a government-wide policy that instructs government institutions to disable instant messaging on all government-issued wireless devices, save for when all of the following conditions are met:
    1. There is a bona fide operational need that cannot be satisfied by other means that warrants enabling instant messaging on an individual user’s wireless device.
    2. An adequate technical safeguard mechanism is both available and implemented to ensure that instant messages (whether or not of business value) are archived on a government server for a reasonable period of time.
    3. Individual wireless users, to whom the instant messaging function is enabled, based on a demonstrated bona fide operational need, do the following:
      1. undertake mandatory information management training focused on the information management risks associated with instant messaging, as well as the obligations and responsibilities imposed by the Access to Information Act; and
      2. sign a terms of use agreement, under which they agree to ensure that any instant message of business value and/or that falls within the scope of an access to information request is properly identified and retrieved.

 

Response of the Government

The president of the Treasury Board did not accept recommendations of the commissioner, and stated, that “Non-email text-based messaging services such as pin-to-pin are a means of informal communication that are inherently transitory in nature.” He has also acknowledged that “non-transitory records of business value, which are the exception in non-email text-based messaging, must be preserved, for example by being forwarded into the email system.”

Conclusion

Messages of business value sent or received by public officials are subject to access to information in Georgia as well. In particular, according to the General Administrative Code of Georgia, public information is “official document (including electronic information) or information which is stored in public institution, also business information which is received, processed, created or sent by the public institution or public official.”[3] Thus, business information which is e.g. sent or received via work e-mail or mobile telephone of a public official is subject to classification and recording as public information, as much as any other document stored in the institution. Unfortunately, electronic business information is almost not recorded and managed in Georgia yet. IDFI plans to continue studying Georgian practice and also observe relevant international experience.

 


[1] “Pin” stands for “personal identification number.” PIN-to-PIN communications are non-email text-based messages sent and received using the unique eight-digit BlackBerry PIN. These and other similar types of message, such as those sent and received via BlackBerry Messenger and Short Messaging Service (SMS), are considered “instant messages” in this report. We also use that term and “PIN-to-PIN” or “PINs” interchangeably.

 

[2] “record” means any documentary material, regardless of medium or form;“ Access to Information Act, Canada, at http://laws-lois.justice.gc.ca/eng/acts/A-1/page-1.html?texthighlight=medium#s-3.

[3] General Administrative Code of Georgia, Article 2, M. 

Other Publications on This Issue