WxT Language switcher

Decision pursuant to 6.1, 2024 OIC 77

Date of decision: December 2024

Summary

An institution submitted an application seeking the Information Commissioner’s approval to decline to act on an access request under subsection 6.1(1) of the Access to Information Act. In the institution’s opinion, the request constitutes an abuse of the right to make a request.

The Commissioner finds that the institution established that the access request is an abuse of the right to make a request. Moreover, the circumstances warrant that she provides her approval to the institution to decline to act on this access request.

The application is granted.

Application

Under subsection 6.1(1) of the Access to Information Act, the head of a government institution may seek the Information Commissioner’s written approval to decline to act on an access request if, in the head of the institution’s opinion, the request is one or more of the following:

  • vexatious
  • made in bad faith
  • an abuse of the right to make a request for access to records.

Institutions may not decline to act on access requests for the sole reason that the requested information was already proactively published under Part 2 of the Act (subsection 6.1(1.1)).

The institution bears the burden of establishing that the access request meets one or more of the requirements under subsection 6.1(1).

If the institution establishes that one or more of the requirements of subsection 6.1(1) apply, the Commissioner must exercise her discretionary power to either grant or refuse the application.

In exercising her discretion, the Commissioner will consider all relevant factors and circumstances, including:

  • The quasi-constitutional nature of the right of access;
  • The public interest in the records sought;
  • Whether the institution met its obligations under subsection 4(2.1) to make every reasonable effort to assist a requester in connection with their request.

Access request at issue

On July 26, 2024, the institution sought the Commissioner’s approval to decline to act on an access request it had received on November 26, 2020. The access request is the following:

Although the time period request for this information is from when [the institution] was formed in 2011, first we would like released the information requested for the solicitations that meet the following criteria over the last 12 months, with a focus on the last 6 months. We would also like the ATIP to focus on points 1, 2, and 3, so we would like this information released first, because points 4, 5, 6 and 7 is information that will take much longer to search for. The last 6 months of information is the most critical.

Searchable PDF documents are required for the following:

  1. Copies of all tenders in any form including solicitations, RFPs, RFQs, Local Purchase Orders (LPO), Call-ups, etc. issued for products under all Procurement Vehicles, including Supply Arrangements and Standing Offers, that specified the requirement by OEM brand name and brand name product codes, that either allow equivalent products to be proposed, or do not allow equivalent products to be proposed. All internal government communications related to why each solicitations was not tendered on the Buy and Sell Canada website.
  2. Also, copies of all communications and information exchanged between [the institution] and their agents, and the OEM and their agents (IE: resellers) regarding this solicitation that occurred before, during and after contract award, including OEM quotes received by [the institution] that include the brand name product codes used to prepare the solicitation. All communications to and from [the institution] including emails, texts, and if there were phone calls with these OEMs and their agents, and the timing of this communication. The names of the Technical Authorities involved and the Contract Authorities involved in these solicitations, and all manager involved is required. Copies of the Technical Justification for using brand name product codes to describe operational requirements. Copies of the evaluation criteria and related technical requirements used to evaluate proposals, and all internal notes and correspondence, including emails related to the proposals and the bidders. Copies of National Security Exception (NSE) documentation, if any, for each solicitation, along with any internal signed approvals, and the name of the person with authority to sign the NSE for each solicitation.
  3. Also, the names of all companies invited to bid on these solicitations; the number of actual bidders that submitted proposals; copies of the bidders proposals and the brand names and product codes proposed by the bidders; the total price proposed by all bidders; and the rank of the bidders in the evaluation; and a copy of the resulting contract including total contract price excluding taxes.
  4. For each solicitation we request a list of the quantities, OEM brand names and OEM product codes of the existing equipment owned by Canada that match the OEM brand names and OEM product codes shown in the List of Deliverables section of each solicitation, usually called Annex A.
  5. For each solicitation we request a list of the quantities, OEM brand names, OEM product codes, firmware versions, operating system versions, and configurations of the multi-OEM devices that currently exist in the network that will be connected to the devices shown in the List of Deliverables section of each solicitation, usually called Annex A.
  6. For each solicitation we request a diagram of Canada’s existing network that shows the number of connections, and the speed of connections in Gbps, and types of cable (IE: Copper or Fibre) that will be connected to the devices shown in the List of Deliverables section of each solicitation, usually called Annex A, as well as photographs showing the racks they are installed in and how the devices are connected.
  7. For each solicitation we request a copy of any interoperability reports conducted by the government or any independent 3rd party testing companies regarding the OEM brand names and OEM product codes shown in the List of Deliverables section of each solicitation, usually called Annex A, interoperating with the existing equipment owned by Canada.

Searchable PDF documents are required for the following:

  1. Copies of all tenders in any form including solicitations, RFPs, RFQs, etc. issued for products on the Buy and Sell Canada website, or by invitation to selected bidders outside of the Buy and Sell Canada website (possibly through P2P) that specified the requirement by OEM brand name and brand name product codes, and did not allow equivalent products to be proposed. All internal government communications related to why each solicitation did not allow equivalent products to be proposed.
  2. Also, copies of all communications and information exchanged between [the institution] and their agents, and the OEM and their agents (IE: resellers) regarding this solicitation that occurred before, during and after contract award, including OEM quotes received by [the institution] that include the brand name product codes used to prepare the solicitation. All communications to and from [the institution] including emails, texts, and if there were phone calls with these OEMs and their agents, and the timing of this communication. The names of the Technical Authorities involved and the Contract Authorities involved in these solicitations, and all manager involved is required . Copies of the Technical Justification for using brand name product codes to describe operational requirements. Copies of the evaluation criteria and related technical requirements used to evaluate proposals, and all internal notes and correspondence, including emails related to the proposals and the bidders. Copies of National Security Exception (NSE) documentation, if any, for each solicitation, along with any internal signed approvals, and the name of the person with authority to sign the NSE for each solicitation.
  3. Also, the names of all companies invited to bid on these solicitations; the number of actual bidders that submitted proposals; copies of the bidders proposals and the brand names and product codes proposed by the bidders; the total price proposed by all bidders; and the rank of the bidders in the evaluation; and a copy of the resulting contract including total contract price excluding taxes.
  4. For each solicitation we request a list of the quantities, OEM brand names and OEM product codes of the existing equipment owned by Canada that match the OEM brand names and OEM product codes shown in the List of Deliverables section of each solicitation, usually called Annex A.
  5. For each solicitation we request a list of the quantities, OEM brand names, OEM product codes, firmware versions, operating system versions, and configurations of the multi-OEM devices that currently exist in the network that will be connected to the devices shown in the List of Deliverables section of each solicitation, usually called Annex A.
  6. For each solicitation we request a diagram of Canada’s existing network that shows the number of connections, and the speed of connections in Gbps, and types of cable (IE: Copper or Fibre) that will be connected to the devices shown in the List of Deliverables section of each solicitation, usually called Annex A, as well as photographs showing the racks they are installed in and how the devices are connected.
  7. For each solicitation we request a copy of any interoperability reports conducted by the government or any independent 3rd party testing companies regarding the OEM brand names and OEM product codes shown in the List of Deliverables section of each solicitation, usually called Annex A, interoperating with the existing equipment owned by Canada.

According to the institution, the access request constitutes an abuse of the right to make a request.

Is the request an abuse of the right to make a request to access records?

The Act provides requesters with a significant statutory right to access information under government institutions’ control. However, all rights come with responsibilities. The right of access must not be abused.

An abuse of the right to make an access request occurs when a requester uses their right of access in an abusive or inappropriate manner.

This may be the case when a request is directed towards a purpose other than obtaining documents or information. It may also be the case when a request is contrary to the public interest in that it overburdens an institution, hinders other requesters’ rights of access, and / or unnecessarily increases the costs and time spent by institutions to meet their statutory obligations.

The factors listed above are not exhaustive; other relevant factors may be considered depending on the circumstances of each case. Whether an access request amounts to an abuse of the right of access must therefore be assessed case-by-case.

The institution views the request as an abuse of the right to make a request for access to records, because the large number and complexity of records would overburden the Offices of primary interest (OPIs) and its Access to Information and Privacy (ATIP) office, which would in turn impact the right of access of other requesters.

Volume and complexity of records

The institution explains that the request, as currently written, seeks all documentation pertaining to contracts that specified an original equipment manufacturer (OEM) from its creation in 2011, to the date of the request (November 26, 2020). One of the institution’s main functions is the procurement of information technology (IT) for the Government of Canada. The majority of its contracts for software and hardware specify an OEM during the requested time period. As such, a request for all tenders in any form and all related documentation is tantamount to requesting the majority of the institution’s records from 2011 to 2020.

The institution further explained that the OPIs provided an estimate that amounted to 8,000,000 pages.

A first OPI estimated a page count of 2,170,169 pages. The estimation was based on previous ATIP requests and their page count, as well as an approximate number of 2200 solicitations per year, with each of them having approximately 100 pages. The second and third OPIs provided an estimate of 6,126,945 pages. This estimate is based on the number of pages provided by each of its directorates.

The institution also argues that the 8,000,000 pages are complex in nature and require extensive review by the OPIs for security concerns. In particular, the request is seeking all network diagrams and details on the institution’s infrastructure (see points 2, 5, and 6 of the request text), which adds a layer of complexity to the request.

Efforts to assist the requester

The institution argues that it has applied for the Commissioner’s permission not to act on the access request after all other options have been exhausted. The institution contacted the requester by phone upon receipt of the access request to explain that the broad scope would result in a large volume of records and to propose solutions to the requester that would allow specific records to be provided in a timely manner without imposing an undue burden on its operations. Unfortunately, the requester refused to clarify or limit the scope of the text of the request. The institution argues that instead of cooperating with its ATIP staff, the requester complained to the Office of the Information Commissioner (OIC). The institution further argues that it was clear that there would be no cooperation on the part of the requester to clarify the scope of their extraordinarily broad request.

The institution also mentions it has proactively opened two requests for records the requester wanted to receive sooner; namely, records concerning a specific contract, and released to this requester over 67,000 pages in response to other similar access requests.

In response to one access request, the requester received all contracts that were not published online from the creation of the institution until the date of the request. The institution argues that the requester could refer to the documentation provided in that request to select specific contracts that are of interest to them. Moreover, the requester has access to a list of the remainder of the institution’s contracts online and could choose specific contracts of interest to seek related information.

The institution argues that there is already abundant documentation available to the requester to narrow the scope of the access request at issue. In spite of that, the requester has opted to obtain all of the records they originally requested, with over 100,000 pages of records likely to overlap with the documents already processed in the other access requests.

The institution also argues that it offered to split, at no cost to the requester, another request which yielded 40,000 pages of records and to provide regular releases of information.

Finally, the institution mentions that the requester admits in communications that they know the specific information they are seeking, but are instead choosing to submit a broader request to avoid being identified. The requester claims that the institution would retaliate against them and another individual they are seeking information for if they were to clarify the request. The institution explained to the requester that its ATIP Office adheres to the Treasury Board of Canada Secretariat’s Interim Directive on the Administration of the Access to Information Act (replaced on July 13, 2022 by the Directive on Access to Information Requests) by protecting the identity of the requester and treating all requesters equally. The institution also explained that a condition of employment for employees is adherence to values and ethics, and the institution provides guidance to employees to ensure that these obligations are met.

Impact on the OPIs

The institution argues that the three OPIs that hold the records pertaining to the request would face an unreasonable burden on their operations, which would cause a major disruption to their services and ability to deliver the institution’s core mandate. The OPIs are essential to the operations of the institution as they are responsible for delivering vital IT, network and security services and hardware to the whole of the Government of Canada.

Current estimates provided by the institution show that the request would impact 1,045 employees of the OPIs. The institution estimates that 629 employees of one OPI will be impacted, which has responsibilities such as the implementation and maintenance of all network services and the acquisition of goods and services in IT security, computer networks, and digital services. Likewise, an estimated 138 employees of a second OPI will be impacted by the request. This OPI’s ability to provide many critical services would be impacted, including conferencing services for virtual collaboration, and email and telecommunications services. Finally, the access request would impact 278 employees of the third OPI and as such, services like the procurement of goods and services at the institution and for partners and the Procure-to-Pay Help Desk service.

Furthermore, the request is seeking all network diagrams and details on the institution’s infrastructure. The institution claims that its security experts will need to thoroughly review every record to provide recommendations to the ATIP Office, given that the information could be used by malicious threat actors to attack Government of Canada systems. Of the 767 employees within the two OPIs that are impacted, 739 employees are IT experts. This request would place a significant burden on the 739 IT security experts and take them away from performing their important work on ensuring the safety of the Government of Canada’s networks.

Impact on the ATIP office and others’ right of access

According to the institution, handling such a volume of complex documents would also impact its ATIP office’s ability to meet its obligations to all requesters under the Act.

The estimated volume of records is almost 20 times the number of pages that the institution released in the 2022-2023 fiscal year. During the 2022-2023 fiscal year, the ATIP office in its entirety processed 263,594 pages under the Act. If its entire ATIP office were to process only this request, based on the 2022-2023 fiscal year’s level of processing, it would take 30 years to complete the review of the request without working on any other requests. That shows, according to the institution, that processing this request would adversely affect the right of access of all other requesters for the next 30 years.

The institution further argues that a conservative estimate of the amount of time it would take its ATIP office to process this request while continuing to process requests from other requesters is 230 years. A request that requires a processing time beyond multiple lifespans of a human being is not in keeping with the spirit of the Act.

Discussion

Whether an access request would overburden an institution depends on an objective assessment of the facts. The assessment depends on the nature of the access request, the size and type of operations, the work required to act on the access request and the impact on operations. In some cases, acting on an access request that overburdens the institution will interfere with the ability of others to legitimately exercise their right of access. In those instances, the institution must also demonstrate the link between the burden of processing the access request and the interference with others’ right of access.

When considering the breadth of the request text and evidence before her, the Commissioner finds that the estimate of 8,000,000 pages of records is plausible, and that the access request will likely generate a very significant number of records. As noted by the institution, the access request seeks all records since its creation in 2011 pertaining to the majority of IT procurements (the procurement of IT being one of the institution’s main responsibilities). Moreover, these records are not limited to a specific type of records.

Based on the institution’s representations, the Commissioner is satisfied that the access request would overburden the three OPIs. She can see how the broad scope of the access request would result in a very time-consuming exercise for these units, given that they would not only have to retrieve the records but also to provide recommendations concerning security risks.

The institution also convincingly explained how the time and effort needed to process records would overburden the ATIP office. As explained, the number of records is equivalent to thirty times its annual capacity. Moreover, the Commissioner can also see how this would affect the right of access of other requesters. While processing this file, the OPIs and the ATIP office would not be able to act on other individuals’ access requests.

The Commissioner is mindful that the time and resources available to respond to access requests are not limitless, and that the requester is not the only one waiting for a response to their access request. She finds that the time and effort needed to search, identify, retrieve and process the responsive records would have a negative impact on the right of access of other individuals.

Part of the requester’s response to the institution’s application focuses on the reasons for requesting the information. The requester mentions, among other things, that the information is needed for some cases that are heard by the Canadian International Trade Tribunal (CITT), in which the requester is involved as counsel or witness. More specifically, the access request aimed at obtaining evidence that would be used at the CITT or in the courts.

The requester’s submission appears to be an attempt to show that there is no malicious intent behind their access request. The Commissioner has no reason to doubt this. That said, an abuse of the right of access does not require a malicious intent; it can occur whether or not the requester intends to abuse their right of access.

Based on the requester’s submission and the email threads provided by the institution, the Commissioner is not convinced that the requester has a genuine interest in obtaining all the information they have requested.

In their submission, the requester mentions that they made this access request to obtain evidence that could be used in cases that are heard by the CITT or the courts. Based on this, it is unclear to the Commissioner why the requester has not limited their access request to the contracts at issue in these cases. She notes that the institution has already provided to the requester tens of thousands of pages of records, pertaining to all the contracts granted by the institution. Thus, the requester appears to have sufficient information to identify more precisely the information that may be relevant to these court hearings.

In the email threads, the requester said the following:

I have worded my ATIP request in a way to protect my identity as much as possible. However, when I state in the first sentence “Copies of all tenders in any form including solicitations, RFPs, RFQs, Local Purchase Orders (LPO), Call-ups, etc. issued for products under all Procurement Vehicles, including Supply Arrangements and Standing Offers ….”, I have been as general as possible, firstly, if I am too specific [the institution] will likely figure out who has submitted this ATIP request and retaliate, and secondly, because I do not want to miss any of the “Procurement Vehicles, including Supply Arrangements and Standing Offers.”

It is not advisable to try to hide one’s identity by making a broad access request. The Supreme Court of Canada stated that institutions may not take into account the identity of the requestor or the purposes underlying an access request (2003 SCC 8 at para. 32). In the event that the requester’s identity has been taken into consideration in acting on their access request, they may submit a complaint to the OIC.

The requester also mentions that they have been as general as possible not to miss any procurement vehicles. It is unclear to the Commissioner how that would justify making the access request at issue. If the requester is interested in all the procurement vehicles, they may ask for this in a more precise way.

For all of the reasons mentioned above, the Commissioner is not convinced that the requester has a genuine interest in all the information they have requested in the access request at issue. This contributes to the access request being an abuse of the right of access.

For all these reasons, the Commissioner concludes that the access request is an abuse of the right to make a request to access records.

Do the circumstances warrant that the Commissioner provides her approval to decline to act on the access request?

Given that the institution established that one of the requirements of subsection 6.1(1) applies to the access request, the Commissioner must now exercise her discretionary power to either grant or refuse the application.

In exercising her discretion, she has considered all relevant factors and circumstances, including the following.

Obligation to assist the requester

Subsection 4(2.1) sets out a general duty to assist requesters. The scope of this duty is broad, requiring that an institution make “every reasonable effort” to assist a requester with their request. It extends as far as it would be reasonable for the institution to provide assistance. The duty to assist may include helping a requester: clarify their access request; narrow its scope in order to facilitate a more timely response to records sought; and provide information needed to enable an institution to identify requested record(s).

What will constitute “every reasonable effort” to assist a requester with their request in any given case will depend on the relevant facts and circumstances. In turn, whether an institution has met its obligations under subsection 4(2.1) is fact dependent and must be assessed on a case-by-case basis.

As mentioned above, the institution reached out to the requester when it received the access request, had a phone conversation with them, and made many suggestions to limit the scope of the request. The institution’s efforts were unsuccessful as the requester remained firm on the scope of the request.

The institution also opened two access requests for records that the requester wanted to receive sooner, and provided tens of thousands of pages of records in response to other access requests that overlap with the access request at issue.

In their response to the institution’s application, the requester argues that it has not fulfilled its duty to assist, because they have requested that the information be released in stages (the last 6 months first and then the last 12 months) and the institution has not accepted to do so. The requester added that after receipt of these documents they may be able to reduce the total time frame of the request, which could greatly reduce the scope of the request.

The Commissioner finds that it was reasonable for the institution not to accept the requester’s proposition for three reasons. First, the number of pages of records for the last six months alone would likely be around 440,000 pages, based on the estimate provided by the institution. Consequently, processing the last six months would still be a considerable task. Second, the requester mentions the following:

I had asked you to focus on the last six months of records, and then the last year of records, and we agreed on this approach, on the basis that if I was able to obtain the information that I needed for these time periods that I may ‘possibly’ be able to reduce the scope in terms of the total time frame of this request. I made no commitment to this in our call, but I stated that I was open to doing this.

Thus, even if the institution were to provide the records for the last six months, the scope of the access request might still not be reduced. It is unclear to what extent the requester is willing to cooperate with the institution. Third, as mentioned by the institution, tens of thousands of pages of records have already been provided to the requester in response to other access requests. These documents are also responsive to the access request at issue and, therefore, the requester appears to already have sufficient information to be able to reduce the scope of the request.

Based on the above, the Commissioner concludes that the institution established that it had met its duty to assist the requester.

Timeliness of the application

The institution received the access request on November 26, 2020, but only applied for the Commissioner’s permission to decline to act on the request on July 26, 2024, that is, 3 years and 8 months later.

The institution explained that, after its attempt to reduce the scope of the request and the requester’s response, which showed no willingness to adjust the scope of the request, it advised the requester that the request was on hold pending clarification.

The institution also explained that it did not take a time extension, because it was unable to provide a reasonable timeline due to the scope of the request. Given the conservative estimate of 8,000,000 pages of complex solicitation documents, it would take the its ATIP office more than 30 years to complete the review of the request without working on any other requests. The ATIP office would require 230 years to process this request with up to 8 resources working on the task while the remainder of employees continue to process requests from other requesters.

The institution also mentions that, on March 19, 2021, it received a notice of complaint from the OIC and was notified that an investigator would be assigned to the file. In the institution’s experience, an investigator from the OIC can sometimes assist in defining the scope of a request when the volume is unreasonable or the scope is too broad, particularly if communications between the requester and the department are not producing results. With respect to the current request, communications between the institution and the requester reached an impasse and no further steps were taken to refine the text of the request in collaboration with the requester until an OIC investigator was assigned to the file.

The institution expected the OIC to negotiate with the requester on its behalf, regardless of the time it would take to complete the investigation of the complaint. It is for this reason that the institution submitted its application to seek approval to decline to act on the request over 3 years after receipt of the request.

Finally, the institution mentions that while this specific request has not been actively addressed, in the meantime, its ATIP staff respected the requester’s right to information for several other requests for information, which were also associated with the documents in the access request at issue.

The Commissioner finds that the delay of 3 years and 8 months before the institution applied for her approval is not justifiable. The institution should not have waited for the intervention of the OIC investigator. While the OIC will engage in early intervention efforts in an attempt to negotiate successful outcomes for both parties by either narrowing the scope of the access requests, number of exemptions under complaint, or other, the institutions should not rely on these efforts when considering whether an access request meets one or more of the requirements of subsection 6.1(1). That said, the evidence does not show that the institution deliberately neglected to assist the requester during this period.

The reasons and circumstances that lead the Commissioner to conclude that the access request constitutes an abuse of the right to access information are such that she cannot deny the application because it was not made in a timely manner. She finds that the abuse of the right of access is too important in the present case.

Institutions should not assume, however, that this decision opens the door to the possibility of applying for her approval at any time. Applications must be submitted in a timely manner, which, in most cases, means as soon as the access request has been received and a preliminary assessment has been carried out.

Decision

The institution has established that the access request met one or more of the requirements of subsection 6.1(1):

  • The access request was overly broad and the efforts of the institution to clarify the request and narrow its scope were unsuccessful.
  • Processing the access request with the anticipated volume of records would overburden the three OPIs and ATIP office.
  • Due to having to process this one large request, the ATIP office and OPIs would be considerably hindered in their ability to respond to other access requests, thus jeopardizing other requesters’ right of access.

The circumstances warrant an exercise of the Commissioner’s discretionary power to authorize the institution to decline to act on the access request.

The application is granted.

Date modified:
Submit a complaint