Red Privacy Button Keyboard
Image from Shutterstock.com

Access to government information and privacy are rights that often clash, with federal, provincial and municipal governments refusing to release personal data in its custody. But a British Columbia privacy decision shows that it can refuse to release even the email addresses of civil servants as part of a request for communications metadata.

In a ruling released this week an adjudicator with the Office of the Information and Privacy Commissioner of B.C. agreed the ministry of technology, innovation and citizen’s services not only had the right to refuse to disclose email logs as an unreasonable invasion of public servants’ personal privacy, it was also unreasonable to ask the government to cut out personal information and release the rest of the data.

The decision only applies in B.C. because it involves the province’s Freedom of Information and Protection of Privacy Act (FIPPA), whose language may be similar but not the same as legislation in other parts of the country. But Halifax lawyer David Fraser said in an interview this morning “all the privacy commissioners carefully follow what their colleagues are doing in other jurisdictions. And that’s a good thing because it makes sense to have consistency, particularly when they’re applying very similar if not identical statutes.”

The case involved an unnamed applicant who wanted information about the email addresses, and date and time of emails sent and received on all provincial email servers between every ministry 16 several public sector entities for the first six months of 2013. The decision says person wanted  “to obtain valuable insight into how the B.C. Government works by creating relationship maps that show the interactions between B.C. Government employees.”

The data sought included the date and time of the message, an “event field”, which states whether the email was sent or received, and a sender and recipient email address field. The province and the applicant agreed all non-government email addresses would be anonymized. Still, it would have had to produce 377 million lines of text, including the email addresses of all government employees.

Initially the government dismissed the request as frivolous, but was over-ruled by the privacy commissioner. The province then refused to release the data because it would include personal information of employees and therefore would be an unreasonable invasion of personal privacy under s. 22 of FIPPA. Mediation between the government and the applicant failed, so the privacy commissioner’s office was brought in.

The applicant agreed that there may be some personal information in the records, but according to the decision argued the release of the personal information is outweighed by the benefits of disclosure “in particular the ability to subject the B.C. Government to public scrutiny.”

Those addresses, the government notes, would have people’s full name because the format is firstname.lastname.gov.bc.ca. FIPPA allows the release of what it calls contact information of civil servants. The applicant said the email addresses are contact — not personal — information.

But adjudicator Hamish Flanagan sided with the province, saying that the email addresses in conjunction with the other metadata could disclose personal information — for example, if staff reply to email after office hours, or personal relationships between employees.  “The purpose of the definition of contact information … is to capture information “to enable an individual at a place of business to be contacted,” he wrote. But email addresses in data logs aren’t there for that; they are there because employees have sent and received emails.

While the applicant argued email addresses whose disclosure would be an unreasonable invasion of privacy could be automatically removed by the government, Flanagan agreed with the province the logs could still contain personal information.

Interestingly, Flanagan noted the province could have deleted all the email addresses and handed over the rest of the metadata. However, neither the government nor the applicant suggested that option.

Fraser believes civil servants should have a reduced expectation of privacy in their communications between each other. “You could very easily anonymize every single one of those email addresses (in this case) so it still connects to a person but you could still see the patterns of communications,” he said. “That wouldn’t take heroic effort to do and would provide interesting information about the use of IT resources in government.”

“To be clear, my conclusion does not mean that metadata in the logs can never be disclosed under FIPPA,” Flanagan added. “The breadth of the applicant’s request means that the volume of responsive information allows patterns to be discerned that make disclosure in this particular case an unreasonable invasion of personal privacy. In a smaller subset of the same type of information, such patterns may not be so easily discerned so the personal privacy issues may be different.”