Ontario’s privacy regulator upheld a decision by the Financial Services Regulatory Authority of Ontario (FSRA), when it declined to provide a company with the details of a complaint against it that led to enforcement action.
According to a decision from the Information and Privacy Commissioner of Ontario (IPC), an unnamed company appealed FSRA’s decision to deny access to records stemming from a complaint against it, citing the need to protect the privacy of the complainant.
The decision indicated that, after the firm received a request for information from the regulator, it filed a request under access to information legislation seeking records relating to the complaint. The complaint led to FSRA opening an investigation into the company’s compliance with licensing requirements under insurance legislation.
That inquiry resulted in FSRA sending the company a warning letter ordering it to cease and desist from engaging in unlicensed insurance activities.
FSRA located a relevant record — a five-page email chain involving the original complaint — but it rejected the company’s request to release that record.
On appeal, the company argued that there, “… is a compelling public interest in the disclosure of the identity of the complainant,” the decision noted.
Specifically, it argued that disclosing the complainant’s identity would help prevent misuse of FSRA’s regulatory process.
“It submits that if the complainant is its direct competitor, disclosure of their identity would promote fair competition, deter regulatory abuse and maintain transparency and accountability so that the FSRA and its regulatory process is not leveraged for commercial gain,” the decision said.
However, an adjudicator with the IPC disagreed with the company, and rejected the argument that there was a compelling public interest in providing disclosure.
Indeed, it ruled that disclosing the complainant’s identity “could promote, rather than deter regulatory abuse.”
“If the identity of complainants were subject to disclosure, individuals and businesses would be less likely to come forward with information about potential misconduct, limiting the FSRA’s ability to carry out its mandate effectively,” the IPC said in its decision — adding that it concluded that, “there is a compelling public interest in maintaining the confidentiality of the identity of complainants, rather than their disclosure.”
The IPC also found that the complainant’s identity doesn’t provide any substantive information about FSRA’s operations, decision-making or accountability — and doesn’t help the public understand how the regulator carries out its investigations.
Instead, it noted that the complaint only led to the opening of an investigation. Then, FSRA “conducted its own independent investigation” and took its own compliance action.
“This demonstrates that the FSRA exercised its regulatory responsibilities independent of the complainant’s identity,” it said.
Ultimately, the IPC upheld FSRA’s decision, and dismissed the appeal, “finding that disclosure of the email chain would be an unjustified invasion” of the complainant’s personal privacy, and that there was no public interest justification for overriding that right.