Decision pursuant to 6.1, 2023 OIC CI 47
Date of decision: January 2024
Summary
An institution submitted an application seeking the Information Commissioner’s approval to decline to act on an access request under subsection 6.1(1) of the Access to Information Act. In the institution’s opinion, this request was vexatious, made in bad faith and an abuse of the right to make a request. The institution further claimed that it had met its duty to assist the requester prior to seeking approval to decline to act.
The Commissioner found that the institution showed that it had fulfilled its duty to assist the requester prior to seeking approval to decline to act. The Commissioner also found that the institution established that the access request was an abuse of the right to make a request.
The application is granted.
Application
Subsection 6.1(1)
Subsection 6.1(1) provides that the head of a government institution may seek the Information Commissioner’s written approval to decline to act on an access request if, in the opinion of the head of the institution, the request is vexatious, is made in bad faith or is otherwise an abuse of the right to make a request for access to records. The institution bears the burden of establishing that the request meets one or more of the requirements of subsection 6.1(1).
The right of access to information under the control of a government institution has been recognized as quasi-constitutional in nature (Blood Tribe (Department of Health) v. Canada (Privacy Commission), 2006 FCA 334 at para 24; see also Canada (Information Commissioner) v. Canada (Minister of National Defence), 2011 SCC 25 at para 40). Bearing this in mind, approval to decline an access request will only be provided if there is clear and compelling evidence to support the institution’s position that the access request is vexatious, made in bad faith or is otherwise an abuse of the right to make a request for access to records. (See, for example: Saskatchewan (Advanced Education) (Re), 2010 CanLII 28547 (SK IPC) at paras. 43–47; Northwest Territories (Public Body) (Re), 2017 CanLII 73304).
If the institution does establish that one or more of the requirements of subsection 6.1(1) apply, the Commissioner must further determine whether the circumstances warrant her exercising her discretionary power to grant the institution’s application to decline to act on the request.
Access Request at issue
On October 12, 2023, an institution sought my approval to decline to act on an access request it had received on June 27, 2023. The access request was for the following information:
- Two institutions have been actively monitoring and reviewing reports of adverse events following immunization with COVID-19 vaccines reported to the Canada Vigilance Program and Canadian Adverse Events Following Immunization Surveillance System. In addition, one of them receives, and reviews reports of AEFI from PTs [provinces and territories] as reported by health care providers through the Canadian Adverse Events Following Immunization Surveillance System (CAEFISS). All signals are monitored and investigated.
- One of these institutions continues to regularly review safety information from a variety of sources, including safety data of COVID-19 vaccines provided by the manufacturer.
From Jan 1, 2021, to Dec 31, 2022, please provide copies of all internal/external communications (such as emails, briefs, text messages, records of telephone conversations, memorandums, drafts, documents, press releases and presentations) arising from or leading up to “monitoring” of adverse events outside of Canada following immunization in relation to external sources including:
- U.K.’s Yellow Card findings
- CDC’s/USA’s Vaccine Adverse Events Reporting system (VAERS)
- European Union’s Eudravigilance reporting system
Exclude publicly available information.
- Order paper #1448 states: “The Department also monitors and considers the breadth of available and credible information when assessing product risk information. It is important to note that reports of adverse events following immunization, including reports with fatal outcomes, do not necessarily imply a relationship between the adverse event and the vaccine.” The response continues, “However, these reports (of adverse events) do not necessarily imply that a causal relationship between the event and the vaccine has been established as it can be expected that other unrelated medical events will occur by chance after immunization.”
From Jan 1, 2021, to Dec 31, 2022, please provide copies of all internal/external communications (such as emails, briefs, text messages, records of telephone conversations, memorandums, drafts, documents, press releases and presentations), research findings, and results with respect to 1) causation (or lack thereof) between the COVID-19 vaccines and fatalities post vaccination, and 2) causation (or lack thereof) between the COVID-19 vaccines and serious adverse events [SAE] (based on the institution definition of a SAE). Exclude publicly available information.
According to the institution, the access request was vexatious, made in bad faith and amounted to an abuse of the right to make a request for access to records.
Timeliness of the application
The requester asserted that because the institution refused to provide a response or claim a valid extension of time within 30 days of its receipt of the request on June 27, 2023, it was deemed to have refused access to the requested records as of July 27, 2023. In other words, in the requester’s view, the institution was therefore not in a position, on October 6, 2023, to seek approval to decline to act on the request under subsection 6.1(1), because it was already deemed to have refused access. In support of their position, the requester referenced a decision rendered by Alberta’s Information and Privacy Commissioner in Alberta Health Services (Re), 2021 CanLII 20390 (AB OIPC), (F2021-RTD-01). While decisions from provincial or territorial jurisdictions can be drawn upon to help determine a matter such as this, they are not binding on the Commissioner.
In the Commissioner’s opinion, this decision raised by the requester and rendered by her Alberta counterpart is distinguishable from the present matter and does not support the requester’s submission that this application under subsection 6.1(1) should be dismissed on the basis that it is out of time. In Alberta Health Services (Re), supra, the public body applied for authorization to disregard the request under the Alberta Freedom of Information and Protection of Privacy Act after it had already provided a response to the access request, and during a pending review of its response by the Alberta Information and Privacy Commissioner. That is not the case in the matter before the Commissioner.
While recognizing that section 6.1 envisions that the time limits within which an institution is to respond to a request under the Act is suspended upon an institution seeking the Commissioner’s approval to decline to act on an access request under subsection 6.1(1), it does not impose a mandatory timeline by which the Commissioner’s authorization should be sought. While an application seeking the Commissioner’s authorization should generally be made within the first 30 days of the institution receiving a request, the Commissioner accepts that the timeliness of an application may be affected by the circumstances of each case. Although the timeliness of a subsection 6.1(1) application does not prevent the Commissioner from considering it, it is nevertheless a factor that she can consider in exercising her discretion to grant or refuse her authorization under section 6.1(1) of the Act.
Based on the evidence before the Commissioner, it is clear that up until September 13, 2023, both parties made attempts to clarify and / or refine the scope of the request in order to render the request more manageable and / or diminish its prospective impact upon the institution's operations. As of that date, the institution maintained that the request, as modified since June 27, 2023, would “take a very long time” to process. Three weeks later, the institution submitted its subsection 6.1(1) application to decline to act on the request. the Commissioner therefore finds that the institution engaged, on a timely basis, in an effort to meaningfully assist the requester in clarifying and / or refining the scope of the request so as to ensure that the request would be capable of being responded to without causing the institution undue strain over an extended period of time to the detriment of the rights of others.
In view of the above circumstances, the time taken by the institution to submit its application under subsection 6.1(1) was not unreasonable, and should therefore not weigh against the exercise of the Commissioner’s discretion to grant the present application.
Did the institution meet its obligation to assist the requester?
Before seeking the Commissioner’s approval, institutions should make every reasonable effort to help requesters with the access request, as per their responsibilities under subsection 4(2.1).
Subsection 4(2.1) sets out a general duty to assist requesters. The scope of the duty to assist is broad and extends as far as it would be reasonable for the institution to provide assistance. What constitutes “every reasonable effort” to assist a requester with their request in any given case depends on the relevant facts and circumstances. In turn, whether an institution has met its obligations under subsection 4(2.1) is fact dependent and must be assessed case-by-case.
In support of its application, the institution provided a number of emails it had exchanged with the requester. These communications showed that the institution informed the requester from the outset that the original access request would yield an extremely large number of records. The institution explained that, as a result, it had provided assistance and advice to help the requester reformulate the request and gave them several opportunities to reduce its scope.
A series of email exchanges took place during July 2023. In these, the institution informed the requester that responding to the access request would require a lengthy extension and time for processing. Therefore, the institution suggested to the requester the following options to narrow the scope of the access request:
- setting an authority level for communications (e.g., director general and above)
- limiting emails to the to/from lines to exclude emails where the Director General is copied, but capturing everything that went to the Director General for approval
- clarifying the types of documents the requester sought
- removing drafts
- limiting the timeframe
- identifying the specific adverse events and reviews in which the requester was interested
- identifying specific vaccine manufacturers.
In response, the requester indicated that they were looking for reviews of any risk that had been identified as being caused by any of the COVID-19 vaccines used in Canada. The requester agreed to limit the timeframe to the period from January 1, 2021, to December 31, 2022, and to limit the request to four manufacturers. However, the requester refused to limit the briefs and memos to final versions and to limit the communications to those at the director level, since there might have been “important information moving up to the ranks.”
The email exchanges also showed that the institution provided a list of publicly available information responsive to the access request, which led the requester to agree to exclude this information from the access request.
The institution indicated to the Commissioner that, despite its various attempts to narrow the scope of the access request, the limits the requester agreed to would not have significantly reduced the number of responsive records.
The institution submitted emails that showed that its Access to Information and Privacy (ATIP) office worked with the program areas in August 2023 to come up with new options. On September 13, 2023, the institution informed the requester that the access request would generate roughly 600,000 pages and made the following additional suggestions to the requester of ways to limit the request so the records could be provided in a timely fashion:
- limiting the access request to the top 19 adverse events that resulted in labelling changes out of the more than 10,000 events associated with the vaccines
- limiting the type of records to internal reviews and communications with the manufacturers regarding these adverse events.
The institution explained that its intention was to help the requester prioritize and select the adverse events of interest to them. It could then provide to the requester internal documents, review reports and all communications with manufacturers related to the potential safety signals of interest.
The requester informed the institution that they were not just interested in the top 19 adverse events, but in the more than 10,000 adverse events associated with these vaccines.
The requester also stated in its response to the institution’s application that they were reluctant to accept records about only the 19 adverse events that resulted in labelling changes, since there were far more safety signals than those 19. The requester explained that they had expected the institution to provide a list of all the adverse events and that they would have been willing to choose from this list. However, no evidence suggested that the requester had informed the institution, before this application was submitted, of this willingness, although they were asked about the possibility in September 2023.
Recognizing that the request could generate a large number of pages, the requester recommended that the institution split the access request into four parts and to provide records via interim releases. Although a junior ATIP analyst had suggested splitting the request, the institution refused because doing so would not have reduced the total page count. The institution also indicated to the requester that providing interim releases would have made it difficult to keep track of which records the program areas had provided, which were relevant, which had already been processed, whether there were duplicate records and whether records needed to be sent to a third party for consultation. Finally, the institution reiterated that responding to the access request would take a very long time.
The requester claimed to have engaged in the numerous discussions that took place with the institution in good faith, and the Commissioner has no reason to doubt this. However, the requester was unwilling, in September 2023, to limit the scope of the access request to the 19 adverse events that resulted in labelling changes and to choose the events they wanted to prioritize. The requester also still sought all internal and external communications (i.e. emails, briefs, text messages, records of telephone conversations, memos, drafts, documents, press releases and presentations).
The Commissioner finds that, in providing multiple options on two occasions for reformulating the access request, the institution made every reasonable effort in the circumstances to assist the requester. The Commissioner concludes that the institution established that it had met its duty to assist the requester before seeking her approval to decline to act on this access request.
Is the request an abuse of the right to make a request to access records?
The Act provides requesters with a significant statutory right to access information under government institutions’ control. However, all rights come with responsibilities. The right of access must not be abused.
An abuse of the right to make an access request occurs when a requester uses their right of access in an abusive or inappropriate manner.
This may be the case when an access request is directed towards a purpose other than obtaining documents or information. It may also be the case when a request is contrary to the public interest in that it overburdens an institution, hinders other requesters’ right of access and/or unnecessarily increases the costs and time spent by institutions to meet their statutory obligations.
The factors listed above are not exhaustive; other relevant factors may be considered depending on the circumstances of each case. Whether an access request amounts to an abuse of the right of access must therefore be assessed case by case.
Burden on institution and interference with operations
The institution maintained that the access request constituted an abuse of the right to make a request because responding to it would significantly interfere with the operations of the program areas and its ATIP office.
The institution explained that the access request would generate a conservatively estimated 700,000 pages. It assessed that roughly 625,988 of these pages would come from one branch, with program areas within the branch accounting for the following:
- A first directorate: 560,000 pages (121,000 emails and post-authorization documents)
- Assistant Deputy Minister’s Office: 35,388 pages (5,700 documents)
- A second directorate: 11,000 pages (2,900 documents)
- A third directorate: 19,600 pages of scientific records
The institution explained that the records are complex, which would add to the time required to process them. In addition, a large number of the records are emails. Although searching for them would be relatively easy, it would take the branch employees (approximately 70 individuals) considerable time to populate the records, clean them up and review them for relevance—all before providing the records to the ATIP office.
In 2021 and 2022, the first directorate reviewed approximately 125 post-authorization documents for COVID-19 vaccines submitted by market authorization holders. These documents could each contain fewer than 100 pages or up to more than 8,000 pages. Each of the directorate’s internal review reports adds between 30 and 200 pages. Conservatively, then, these 125 post-authorization documents and their respective reviews would alone account for 40,000 pages.
The institution stated that these records would require significant consultations with third parties and other governments, which would add to the complexity and time required for processing.
The institution also maintained that the access request would overwhelm the branch in terms of retrieving the records and the ATIP office in terms of processing them.
According to the institution, the breadth of the access request would add a layer of complexity to the search, since the scope encompasses virtually all records the program areas have. The subject matter of the access request pertains to the day-to-day work of each of the 70 employees expected to have responsive records and covers the majority of records they created during the entirety of the period the request covers.
The branch would need to temporarily reassign employees to work on this one access request. This reallocation would have a substantial impact on day-to-day regulatory activities and other operational priorities, and could jeopardize whether the institution could respect deadlines it must meet.
The institution further explained that the first directorate would be particularly affected by this access request, since it holds approximately 90 percent of the records likely to be responsive. This directorate monitors the safety of COVID-19 vaccines and requires manufacturers to submit safety reports (at various frequencies such as monthly, bi-monthly or bi-annually) and to report adverse events and assessments of whether there is any new safety information that may affect the benefit-risk profile of these vaccines. The directorate reviews adverse events following immunization reported to the Canada Vigilance Program while also considering information in the Canadian Adverse Events Following Immunization Surveillance System, as well as data from international partners. The access request seeks all communications, all submissions from market authorization holders and all adverse events—effectively the entirety of the directorate’s work during 2021 and 2022.
The directorate has about 300 employees, about 45 of whom would be involved in retrieving and processing records to respond to the access request. While these employees were assigned to these tasks, they would not be able to fulfill their normal functions (i.e. regulating, assessing and overseeing the risk for health of products such as vaccines).
Hindrance of other requesters’ right to access information
The institution informed the Commissioner that, in addition to taking employees from their regular duties, processing the large volume of complex records that would respond to the access request would affect the branch’s ability to respond to other access requests.
The work of the quality-control office would also be affected. This office is responsible for quality control of retrieved records and performs the following tasks:
- ensuring records are not password protected
- identifying and providing embedded attachments
- verifying document integrity
- removing duplicates
- ensuring documents are in acceptable formats
- deleting blank pages
- extracting emails from PDF portfolios and converting them.
The institution estimates that the office’s 12 full-time employees can review about 250 pages per day each, for a total of 3,000. The quality control of the estimated 700,000 pages expected to be responsive to the access request would, therefore, require approximately 233 days (or 208 days for 625,988 pages) if all employees were to work full time on this file.
The institution also explained that the operations of the ATIP office would be seriously affected by this access request. The office employs 104 employees, 13 of whom work specifically on COVID-19-related access requests. The ATIP COVID-19 team was already processing 537 access requests, for a total of 3.3 million pages, when it received the request that is the subject of this application. These included 29 other access requests the requester had made since the beginning of 2023. The institution indicated that a response had been provided to five of these requests, and that the remaining 24 were expected to generate a total of 531,249 pages. At least nine analysts are processing these pages. During 2022–23, the team reviewed 500,362 pages related to access requests. Adding the latest request to its caseload would more than double the count of pages the ATIP office would have to process.
According to the institution, therefore, processing the request that is the subject of this application would significantly increase the already large burden on this team and interfere with its operations, thus hindering its ability to process access requests from others.
Discussion
Much of the requester’s submission in response to the institution’s application focussed on the fundamental importance and quasi-constitutionality of the right to access information and on how the requested information would be extremely important and relevant to all Canadians. This information, the requester noted, would help Canadian researchers examining the COVID-19 pandemic and inform recommendations in the wake of Canada’s pandemic response.
The requester did not dispute the institution’s argument that the access request was broad and that responding to it would interfere with operations and harm the right of access of others. However, the requester stated that the Commissioner ought to give little weight to the institution’s submissions on the complexity and volume of the responsive records, given that the primary motive for refusing access was the institution’s concerns about the consequences of the disclosure of the information. The requester also stated that, in any event, the volume of responsive records was not sufficient reason on its own to grant the application.
The requester claimed that the institution seemed to be more concerned with the consequences, including the legal consequences, of disclosing the information than with the volume of records. While notes taken during a meeting between the branch and the ATIP office suggested that a branch employee expressed some concerns about litigation were the records to be disclosed, the Commissioner is not convinced that this is the reason why the institution submitted its application.
As indicated above, an abuse of the right to make an access request occurs when a requester uses their right of access in an abusive or inappropriate manner. This may be the case when a request overburdens an institution, unreasonably interferes with an institution’s operations or hinders other requesters’ right of access.
In this case, the requester essentially wanted all communications, whether they were internal or external, in any medium, including reviews, reports and drafts:
- arising from or leading up to “monitoring and reviewing reports of thousands of adverse events following immunization with COVID-19 vaccines”
- arising from or leading up to “regular review of safety information from a variety of sources including safety data provided by the manufacturer”
- arising from or leading up to “monitoring” of adverse events outside of Canada following immunization in relation to external sources
- with respect to causation (or lack thereof) between the COVID-19 vaccines and fatalities post-vaccination and between the COVID-19 vaccines and serious adverse events.
The Commissioner finds that the access request, as framed, is very broad. Having considered the substantiation provided by the institution, the Commissioner is of the view that the request would likely generate the estimated number of records.
What constitutes unreasonable interference with an institution’s operations rests on an objective assessment of the facts. It varies depending on the nature of the access request, the size and type of operations, the work required to act on the access request and the impact on operations.
Based on the institution’s representations, the Commissioner is satisfied that the access request would unreasonably interfere with the operations of the branch, particularly of the first directorate, since most of the responsive records are held in this directorate. The Commissioner can see how the broad scope of the access request would result in a very time-consuming exercise for employees and how it could disrupt their normal activities by having to shift from their operational obligations as well as their obligations to other access requesters seeking information about COVID-19 vaccines and other health products.
The institution also convincingly explained how the time and effort needed to search, identify, retrieve and process the responsive records would unreasonably interfere with the operation of the ATIP office and the quality-control office. According to the institution, this interference would also affect the right of access of other requesters. While processing this file, the program areas and ATIP office would not be able to act on other individuals’ access requests. The Commissioner finds that spending all this effort and time on one access request would indeed unreasonably interfere with operations.
The Commissioner agrees with the requester that there is a public interest in the subject matter of the records sought and does not dispute the importance of information about COVID-19 vaccines. However, the intention of section 6.1 is to preserve the proper intent and functioning of the Act and to protect against the abuse of the right to make an access request so that others can also exercise their quasi-constitutional right to access information. The right to access information is not absolute, so requesters should avoid making broad access requests. In addition, there must be a reasonable limit on how much time and effort institutions dedicate to responding to one request.
The Commissioner is also mindful that the time and resources available to respond to access requests are not limitless, and that the requester is not the only one waiting for a response to their access request. The Commissioner finds that the time and effort needed to search, identify, retrieve and process the responsive records would have a negative impact on the right of access of other individuals.
Finally, as the institution pointed out, there is a risk that the 24 outstanding requests from the same requester will generate duplicate records because they also focus on COVID-19 and COVID-19 vaccines.
The requester denied the institution’s assertion that there is repetition between the access requests simply because “all of the requests are about COVID-19 and COVID-19 vaccines.” In particular, the requester expressed the view that this statement falls far short of the clear and compelling evidence required to support a claim that access requests are repetitive.
When examining the requests, the Commissioner is satisfied that there would likely be some overlap. For example, in the request at issue (A-2023-000439), the following information is sought:
From Jan 1, 2021, to Dec 31, 2022, please provide copies of all internal/external communications (such as emails, briefs, text messages, records of telephone conversations, memorandums, drafts, documents, press releases and presentations) arising from or leading up to “regular review of safety information from a variety of sources including safety data provided by the manufacturer” (Pfizer/BioNTech, Moderna, AstraZeneca, J&J) as referenced above.
Access request A-2023-000230, which the requester also made, reads as follows:
All documents submitted by BioNTech Manufacturing Company GmbH or Pfizer as part of the regulatory review that resulted in the Regulatory Decision Summary dated September 16, 2021, for the Comirnaty Vaccine (previously Pfizer-BioNTech COVID-19 Vaccine).
Both of these access requests concern the external communications Pfizer and BioNTech sent for the review of their vaccines and cover the same period.
The requester argued that the number of access requests made by an individual should not be the sole reason for a finding of abuse. This is true, but the fact that the access request at issue overlaps with other access requests suggests that it is repetitive and thus contributes to the request being an abuse of the right of access.
For all the reasons mentioned above, the Commissioner concludes that the access request was an abuse of the right to make a request to access records because processing it would unreasonably interfere with the institution’s operations and hinder other requesters’ right of access.
Given the Commissioner’s conclusion that the access request was an abuse of the right to request information, it was not necessary for her to consider whether the request was also vexatious or made in bad faith.
Decision
The institution established that the access request was an abuse of the right of access and met the requirements of subsection 6.1(1):
The original access request was overly broad. Despite the efforts of the institution and the requester to narrow the access request, it remains very broad. The requester was still requesting all internal and external communications, in any medium, including reviews, reports and drafts in case there might be “important information moving up to the ranks.”
The requester did not agree to pursue options the institution had proposed that would significantly decrease the number of pages the request would generate. The anticipated volume of records could have been decreasing by focussing on specific adverse events and working with the institution on ways to further narrow the scope of the information sought for specific adverse events and to better target the types of communications to which the requester wishes to have access.
Processing the access request with the anticipated volume of records would overburden and, thus, unreasonably interfere with the operations of the branch (particularly the first directorate).
The interference with operations would result primarily from employees in these offices having to turn from their regular duties for some months to devote all their time to responding to the access request, and making it difficult for the offices to carry out their main functions, including those related to vaccines.
Due to having to process this one large request, the ATIP office, the quality-control office and the first branch would be considerably hindered in their ability to respond to other access requests, from this requester and others, thus jeopardizing these requesters’ right of access.
The circumstances warrant that the Commissioner provides her approval to the institution to decline to act on the access request at issue.
Therefore, the application is granted.