Court of Appeal affirms robust interpretation of academic freedom exclusion in Alberta

On October 28, 2025, the Court of Appeal of Alberta affirmed that the Alberta Office of the Information and Privacy Commissioner (the OIPC) acted unreasonably in narrowly construing the teaching and research records exclusion in the Alberta Freedom of Information and Protection of Privacy Act (FIPPA).

The request and OIPC decision

The request was for information pertaining to a complaint made by two University of Calgary law professors to the Canadian Judicial Council (CJC) regarding Justice Robin Camp, who resigned from the bench in 2017 after the CJC recommended his removal for comments he made while presiding over a sexual assault trial.

The OIPC construed the teaching and research records exclusion narrowly, and expressly stated, “There is no indication in the Act that these categories are determined via balancing interests in disclosure versus academic freedom.” The disputed records included e-mail discussions among professors about what might be taught in a particular course, which the OIPC held were not “teaching materials,” a term it defined as “materials the substance of which imparts knowledge, skill, or instruction.” The OIPC also held that the disputed records did not comprise “research information” when weighed against the “systematic investigation” definition of research adopted by the Ontario IPC.

The Court of Appeal decision

The Court of Appeal identified two fundamental flaws in the OIPC’s reasoning.

First, it held that the OIPC’s reasons “simply repeat[ed] statutory language, summariz[ed] arguments made, and then stat[ed] a peremptory conclusion.” The OIPC had defined the terms as capturing mostly finished products ultimately presented in classrooms or publicly shared through publications. This, the Court said, “renders ss 4(1)(h) and (i) largely redundant, as a FOIPPA request would serve little purpose with respect to materials already in the public domain.”

Second, it held that the OIPC “arbitrarily chose definitions of ‘teaching materials’ and ‘research information’ without engaging in the necessary statutory interpretation,” failing to explain why restrictive interpretations were preferable and failing to reckon with legislative intent. On that intent, the Court drew on the Supreme Court of Canada’s 2024 “Mandate Letters Case” in stating that freedom of information statutes “engage significant competing public interests and strike an important balance between the public’s need for transparency and visibility in the conduct of public agencies and the need for confidentiality and/or privacy protection for some of those very same institutions to perform their important public functions effectively.”

Discussion about the scope of research

The parties were joined by interveners from the Faculty Association of the University of Calgary, the Canadian Association of University Teachers, and the Canadian Association of Law Teachers, all of whom took issue with obiter comments made by the chambers judge that suggested a distinction between academic study of social activism and direct participation in social activism, with participation falling outside the statutory exclusion.

The Court of Appeal rejected this approach, stating:

We agree that academic freedom exists to protect all scholarship, including that which may be unpopular or politically targeted. A distinction between participation in activism and study of activism may lead to definitions of “teaching materials” and “research information” which exclude novel teaching methodologies, teaching and research activities on particular topics involving what might be construed as participation in activism, and other direct engagement in the community outside the traditional classroom setting, as well as an academic’s participation relating to responsibilities or duties at their post-secondary institution.

This is a critical clarification. The exclusion protects the process of academic work, broadly defined.

Conclusion

The Court of Appeal’s decision is a decisive affirmation that academic freedom exclusions must be interpreted purposively, not formalistically. The OIPC’s narrow approach, which treated these provisions as mere carve-outs rather than affirmative protections for the academy’s core function, was fundamentally unreasonable. The Court’s approach is grounded in first principles and in the Mandate Letters Case, in which Justice Karakatsanis wrote:

Freedom of information (FOI) legislation strikes a balance between the public’s need to know and the confidentiality the executive requires to govern effectively. Both are crucial to the proper functioning of our democracy.

The reasoning is therefore applicable beyond Alberta’s borders, notwithstanding the narrower view taken by the Ontario IPC.

As a procedural matter, the University identified the records as teaching or research materials, so neither the University’s right of access to the records nor the question of custody and control was at issue. The question of exclusion and a university’s entitlement to handle records and determine whether they are excluded are distinct. This case illustrates that entitlement.


Governors of the University of Calgary v Alberta (Information and Privacy Commissioner), 2025 ABCA 350 (CanLII), <https://canlii.ca/t/kg5f3>, retrieved on 2025-11-17

Notes on Nova Scotia’s FOIPOP Reform Bill

On Friday, the Nova Scotia legislature introduced Bill 150, which would consolidate the province’s public sector access and privacy laws and introduce key modernization reforms. Below are some quick highlights from the bill.

Class-based exemption for security control information. I posted just last week about withholding information that could jeopardize network security. Nova Scotia’s proposed legislation includes a novel class-based exemption (one that does not require proof of a non-speculative risk of harm) that permits a head to withhold “information the disclosure of which could reasonably be expected to reveal, or lead to the revealing of, measures put in place to protect the security of information stored in electronic form.” Having previously negotiated with regulators to exclude control-related details from investigation reports, I view this language as both protective and positive.

New privacy impact assessment requirement. Under Bill 150, public bodies will be required to conduct a privacy impact assessment (PIA) before initiating any “project, program, system, or other activity” that involves the collection, use, or disclosure of personal information. The PIA must also be updated if there is a substantial change to the activity. A key question is whether the term “other activity” is broad enough to include non-routine or minimal data collections—which public bodies may prefer not to assess.

Power to collect for threat assessment purposes. This touches on an issue I’ve followed for years: behavioral threat assessment and the conduct of so-called “threat inquiries.” Conducting a threat inquiry in response to concerning behavior, in order to properly assess a human threat, is a best practice that arose out of a 2004 United States report on school shootings. However, the legality of such inquiries has been questioned when they are conducted by institutions without a law enforcement mandate. Nova Scotia’s proposed legislation includes a new authorization to collect personal information, either directly or indirectly, for the purpose of reducing the risk that an individual will be the victim of intimate partner violence or human trafficking. This is a positive step, but it raises a key question: what about other forms of physical violence? The statute’s narrow focus may leave gaps in protection where threat assessments could be equally justified.

New offshoring rules. The new statute, if passed, will repeal the Personal Information International Disclosure Protection Act (PIIDPA), Nova Scotia’s statute that prohibits public bodies and municipalities from storing, accessing, or disclosing personal information outside of Canada unless an exception applies. It will, however, replace PIIDPA with a new provision that could be used to continue a similar prohibition. The new provision prohibits disclosing and storing personal information outside of Canada (as well as permitting personal information to be accessed from outside of Canada) unless in accordance with regulations. It does not contemplate regulation of service providers and their employees, which is a feature of PIIDPA.

New breach notification. The new statute, if passed, will include privacy breach notification and reporting, triggered when “it is reasonable to believe that an affected individual could experience significant harm as a result of the privacy breach.” This is equivalent to the “real risk of significant harm standard” in my view.

Supreme Court power to remedy breaches. The new statute, if passed, will give the Nova Scotia Supreme Court the power to issue orders when “personal information has been stolen or has been collected by or disclosed to a third party other than as authorized by this Act.” British Columbia has a more elaborate version of such a provision, which can help public bodies respond to breaches given ongoing legal uncertainty around the status of personal information as property.

Hat tip to David Fraser.

File path information, network security and FOI

On March 7, 2025, the Saskatchewan Court of King’s Bench affirmed the withholding of file path information from a requester who sought the information under Saskatchewan’s provincial freedom of information statute.

The Court described the information as “file path addresses/links and barcodes within the documents that describe the process of accessing information/data stored in specific databases on a computer system.”

Notably, the institution relied on the class-based exemption for information with proprietary value. Proof of a non-speculative risk of harm is not required to invoke this exemption, but case law in Saskatchewan and Ontario narrows the class to information with “inherent monetary value” and a proprietary character (in my words). The Court held that the exemption applied based on an affidavit stating that granting access would provide “an instruction manual for any person with access to SHA’s systems to quickly and effectively identify and access locations on SHA’s systems that contain sensitive personal and personal health information and other sensitive security information…”

In 2023, the IPC/Ontario rejected a claim made by the Ontario Ministry of Health that file path information was exempt from the right of access because the Ministry failed to prove a non-speculative risk of harm. It commented, “I do not accept that disclosure of the file path information (the location of a specific document in the ministry’s computer system) could reasonably be expected to compromise the security of the ministry’s computer system or allow unauthorized individuals to infiltrate the ministry’s computer systems. The ministry has not adequately explained how this information could be used to access the ministry’s computer system by an individual who is not a ministry employee.”

The final sentence of the passage above highlights the flaw in the Ministry’s argument, though, to be fair, the Ministry was addressing only two lines of file path information. Standing alone, it is difficult to conceive how file path information could be used to break into a network. However, one can easily see how such information would assist a malicious actor who has already gained a foothold in quickly locating valuable data within the network, which is precisely the risk the SHA affidavit described. File path information should be exempt, and the new Saskatchewan case will help make that argument. It is a particularly good case because it rests on a class-based exemption and not on a more circumstantial, harms-based exemption.

Note that the IPC/Ontario has withheld other information about a network to protect it from malicious actors. See Ontario Lottery and Gaming Corporation (Re), 2016 CanLII 85802 (ON IPC), <https://canlii.ca/t/gw1g6>, retrieved on 2025-09-23.

Schiller v Saskatchewan Health Authority, 2025 SKKB 37 (CanLII), <https://canlii.ca/t/kb2fh>, retrieved on 2025-09-23.

Ont CA finds compliance with a reasonable record retention policy weighs against unacceptable negligence finding

On September 15, 2025, the Court of Appeal for Ontario dismissed an appeal seeking a Charter remedy for lost evidence in a criminal matter.

The Crown withdrew charges against the appellant after he absconded to the United States and was convicted there on separate charges, making a return to Canada unlikely until 2040. In addition, the complainant had used a pseudonym, and the police lost contact with her. The police purged the Crown brief in 2013, but the appellant was unexpectedly paroled and returned to Canada in 2015. He was then charged, tried, and convicted.

Regarding the lost evidence application and appeal, the Court said:

Context mattered. By 2013, the Murdock charges had been withdrawn for eight years; TPS had long lost contact with “Caramel Holiday”; robust contemporaneous advice in 2000 said early parole in 2013 was unlikely, with 2040 as the next potential release; and storage practices for concluded matters were governed by a content-neutral retention policy that was reasonable at the time. The trial judge reasonably concluded that, in those circumstances, purging a withdrawn brief in accordance with policy was not unacceptable negligence. This conclusion accords with the governing legal principles. Not only does compliance with a reasonable record retention policy weigh against finding unacceptable negligence, but the police cannot be expected to retain evidence indefinitely where they reasonably believed that dropped charges would not be re-laid: R. v. B. (F.C.), 2000 NSCA 35, 182 N.S.R. (2d) 215, at para. 26, leave to appeal refused, [2000] S.C.C.A. No. 194; Sheng, at para. 40.

Record retention policies serve to guard against inferences of intentional evidence destruction—commonly referred to as “spoliation.” This case shows that they can also protect against claims that allege negligence with resulting prejudice.

Relatedly, the reference to “robust contemporaneous advice” shows that a court will look to the due diligence applied in removing a “litigation hold” (though the decision does not frame the issue in this way). Do your record retention policies invite such diligence?

R. v. Burke, 2025 ONCA 619 (CanLII), <https://canlii.ca/t/kf9h1>, retrieved on 2025-09-17.

System monitoring decision stresses employees’ informed choice

In December of last year, Arbitrator Abramsky upheld a grievance that challenged the reasonableness of system monitoring conducted by an employer, though only to the extent the employer’s workplace monitoring policy (which is required in Ontario) did not provide clear enough notice. She accepted the employer’s argument that employee personal use of workplace systems is a matter of informed choice, reasoning in part as follows:

The Union asserts that it is common for employees to check their personal emails while at work. I am sure that is true, but employees can choose how they send and receive personal emails while at work, and on what device. With knowledge of the Employer’s monitoring practices, an employee may make an informed choice. Having to use a personal device for personal emails may represent a change for some, it is not an undue burden. If an employee considers it to be so, however, they can choose to use the Employer’s equipment, WiFi or network, with the knowledge that the email may be monitored. Consequently, I am persuaded that the Employer’s EMP in regard to emails is a reasonable exercise of management rights, with one exception beyond clarifying how it determines if a private email pertains to Rideauwood.

Maintenance of network security is of utmost concern, and is supported by robust monitoring of employee system use. Most employers, however, allow personal use of their systems, and that use attracts a limited expectation of privacy. So long as this personal use is a privilege and not a right, the privacy interest associated with it cannot prevail over an employer’s interest in monitoring, and the provision of clear notice ought to be the only legal requirement for lawful monitoring. This decision supports that argument.

Ontario Public Service Employees Union v Rideauwood Addiction and Family Services, 2024 CanLII 120507 (ON LA).

IPC decision highlights issues about threat assessment and PHIPA application

On January 31, 2025, the IPC/Ontario ordered the Ontario Medical Association’s Physician Health Program to provide a complainant with access to a draft assessment report, though it permitted the OMA to withhold behavioral information collected in preparing the report.

Many institutions have processes that support behavioral threat assessment – a process by which multi-disciplinary teams (often including medical clinicians) conduct a threat inquiry to gather behavioral information (usually indirectly), assess behaviors and determine whether someone poses a threat to themselves and/or others. The assessment can lead to interventions, medical and otherwise, that are of benefit to the person being assessed.

The OMA’s Physician Health Program appears to be a threat assessment program, though its mandate is vague, and involves “education; support and referral; assessment; and monitoring and advocacy.” And in responding to an IPC complaint about its access request denial, the OMA argued it was a health information custodian engaged primarily in the provision of health care. The IPC re-articulated the position as follows:

[16] The OMA PHP describes its monitoring function as “first and foremost a clinical service provided to an individual physician or learner to assist in the maintenance of their health in the context of recovery from a mental health or substance use disorder.” This may involve collecting clinical information, providing clinical opinions, and reviewing urine, hair, blood, or other toxicological tests.

[17] Overall, the OMA PHP states that its employees provide services “to maintain an individual’s mental condition, … to promote health, and in the case of clients already diagnosed, to prevent disease in the form of recurrence, all of which it states fall under the definition of “health care.”

This position drove the outcome, given that PHIPA confers a very broad right of access to personal health information. The OMA was left with no valid basis to shield its draft report, even though the IPC has held that assessment is different from providing health care. The IPC did find that the (critical and sensitive) behavioral reports made to the OMA could be withheld on the basis of section 52(3), which applies to records “not… dedicated primarily to personal health information about the individual requesting access” and permits reasonable severance.

Threat assessment can and should be framed as beneficial to the person being assessed, which is important because it aligns threat assessment with the duty not to discriminate against individuals with disabilities. In other words, threat assessment is an aspect of accommodating disability and meeting institutional health and safety duties. Threat assessment is both a lawful and critical process.

This framing does not make threat assessment health care, nor should it ever be treated as health care in my view. The interventions that threat assessment invites are meant to help in the medium and long term, but in the short term they are about the restriction of privileges (e.g., of practicing, working, attending school) based on the assessed risk. There is therefore a conflict in striving to be both a health care provider and a threat assessor, and individuals under assessment must know the true nature of the process in which they are engaged. Are you my doctor? Or are you working for the institution? If threat assessment is framed as assessment, even if it is conducted by medical clinicians, PHIPA will not apply.

Ontario Medical Association Physician Health Program (Re), 2025 CanLII 9695 (ON IPC), <https://canlii.ca/t/k9ftg>, retrieved on 2025-07-17.

Critical Cyber Systems Protection Act is back – seven points for designated operators

It is no surprise that the federal government has brought back its federal critical infrastructure cyber security bill, now labeled Bill C-8, which will enact the Critical Cyber Systems Protection Act (CCSPA). When the prior government first proposed this law in 2022 as Bill C-26, its stated objective was to “address longstanding gaps” in its ability to protect systems and services of national importance. Industry is generally onside, mobilized by the 2021 ransomware attack against Colonial Pipeline that highlighted the fragility of North American supply chains.

The CCSPA – which will apply to “designated operators” of federally regulated critical cyber systems – has come back in much the same form as introduced with Bill C-26. In lieu of providing a summary of the entirety of Bill C-8, here are seven points for designated operators to consider.

  1. The CCSPA will be framework legislation with very limited substance or clear guidance. Designated operators can assess only the high-level requirements relating to cyber security program establishment, implementation and maintenance, with the required substance of cyber security programs likely to be dealt with in detail by regulation.
  2. The “critical cyber system” definition will delineate the scope of obligations, and is very broad: “a cyber system that, if its confidentiality, integrity or availability were compromised, could affect the continuity or security of a vital service or vital system.” The words “could affect” establish a low criticality threshold. In its current form, Bill C-8 likely encompasses control systems and a wide range of other systems.
  3. It appears that designated operators will be permitted to prioritize and schedule their risk mitigation commitments, with the exception of commitments relating to supply chain risks. Bill C-8 prioritizes supply chain risks by stipulating that designated operators must take steps to mitigate such risks “as soon as” they are identified. This distinction does not appear to be risk-based, nor is the rationale for it clear.
  4. Incident reporting (to the Communications Security Establishment) is to be done within 72 hours, presumably running from the point at which the operator has validated the incident. The incident definition, however, is broad: “an incident, including an act, omission or circumstance, that interferes or may interfere with… the continuity or security of a vital service or vital system… or the confidentiality, integrity or availability of the critical cyber system.” Operationalizing an obligation to report an occurrence that “may” have an impact will be difficult. Designated operators will struggle to distinguish the many immaterial “cyber events” they identify (e.g., alerts and false positive reports) from cyber incidents that must be reported. Designated operators may also rush to report and over-report, given that the Bill does not contemplate a period of assessment or investigation. Operators will therefore want documented triage criteria that fix, in advance, the point at which a detected event becomes a reportable incident and the 72-hour clock starts.
  5. The government’s power to issue binding directions is broad, and not expressly constrained by pre-conditions such as necessity or reasonableness. There is no requirement to consult with designated operators about potential operational impact or other concerns prior to or after issuing a direction nor will directions be subject to the same vetting process that applies to regulations under the Statutory Instruments Act.
  6. Designated operators may seek judicial review of directions by applying to Federal Court. In one of the few changes implemented with Bill C-8, the government has (positively) removed provisions that contemplated the hearing of these review applications ex parte and in camera.
  7. Like its predecessor, Bill C-8 provides for government use and disclosure of information provided by designated operators and, to protect the security and business interests of designated operators, deems certain information confidential. The question is whether the balance struck by the Bill is proper and fair to designated operators given the sharing allowances in the Bill are broad.

Government is legitimately concerned with the need for a responsive regime that encourages the protection of critical infrastructure from adversaries, though there are legitimate and important questions for critical infrastructure owners and operators to consider about whether Bill C-8 strikes an appropriate balance.

Sask CA says how to interpret access rights, and addresses various standards for proof of harm

On January 28, 2025, the Court of Appeal for Saskatchewan held that Saskatchewan Government Insurance could rightly withhold a report that questioned an individual’s fitness to drive based on a Health Information Protection Act discretionary exemption that permits a trustee to refuse access if “disclosure of the information could interfere with a lawful investigation or be injurious to the enforcement of an Act or regulation.”

The Court first held that the lower court erred in reading the exemption to apply only if the disclosure could interfere with “an existing or identifiable prospective investigation.” In doing so, the Court made an important point about purposive analysis of access-granting statutes, finding that one ought not to give weight to the purpose of an access-granting statute without also giving weight to the purpose of the applicable exception to the granted right of access. It said:

[45] …in a case pitting a right of access against an exception to it, a court must not let the broad purpose of legislation granting rights of access overtake the exercise of properly interpreting provisions that provide exemptions. As always, the modern approach demands that the court must begin the interpretative exercise with attention to the words of the statute, as used in the context of the statute. It also requires that the interpreter consider statutory purpose in a somewhat broader sense than did the judge in this case. This idea is explained in Sullivan, as follows:

§9.02[1] Introduction

In its broadest sense, legislative purpose refers not only to the material goals the legislature hoped to achieve but also to the reasons underlying each feature of the implementing scheme. It asks the question why: why this legislation? why this arrangement of powers? why this direction or rule? why this turn of phrase? In purposive analysis every feature of legislation from the overall conception to the smallest linguistic detail is presumed to be there for a reason. It is presumed to address a concern, anticipate a difficulty, or in some way promote the legislature’s goals.

[43] In short, in a case like this, the interpreter must have regard not only to the purpose of the legislation as a means to extend rights of access to information but also must be mindful of the objectives that stand behind the exceptions themselves. This is because exemptions, such as found in s. 38(1)(f), are the mechanism chosen by the Legislature to achieve the balance between, on the one hand, rights of access and, on the other hand, society’s interest in maintaining the confidentiality of some types of information. In this case, the judge’s singular focus on the purpose that lies behind the right of access found in s. 32 of HIPA was therefore too narrow.

The Court also interpreted the word “could” in the applicable exemption to impose an “objective possibility” standard of proof of harm, a lower standard than the one that arises from the words “could reasonably be expected to” (which the Supreme Court of Canada said in Merck requires proof of harm that is “more than a mere possibility”).

The question for privacy lawyers, then, is whether a “real risk” (as in “real risk of significant harm”) requires proof of an “objective possibility” of harm or proof of harm that is “more than a mere possibility.” The text might go either way in my view, and, as in this case, one ought not to let the purpose of breach notification eclipse the purpose of the standard itself, which is to set a threshold and protect against notification fatigue and the other harms associated with over-notification.

Saskatchewan Government Insurance v Giesbrecht, 2025 SKCA 10 (CanLII).

In praise of cyber response transparency (and in defence of the “breach coach”)

Wired Magazine published an article last week about school cyber attacks in the United States that was wholly dismissive of the role of cyber incident response counsel, the “breach coaches.” Wired’s theme was that schools are using their lawyers to deprive parents, students, and the public of information. Wired has inspired this post, though I will say little more about the article than “Don’t believe everything you read.” Rather, I will be positive, and explain that transparency is at the center of good cyber incident response and that breach counsel enable transparency through clear, accurate, and timely communication.

We must communicate to manage

Let us start with the object of incident response. Sure, we want to contain and eradicate quickly. Sure, we want to restore services as fast as possible. But without making light of it, I will say that there is lots of “drama” associated with most major cyber incidents today that renders incident response about more than containment and eradication.

Major incidents are visible, high stakes affairs in which reputation and relationships are at stake. You will have many stakeholders descending on you from time zero, and every one of them wants one thing – information. You do not have a lot of that to give them, in the early days at least, but you have got to give them what you can.

In other words, you need to do the right thing and be seen to do the right thing. This means being clear about what has happened and what you are doing about it. It means reporting to law enforcement. It means sharing threat information with peers. It means getting your message out.

This is crisis communication best practice. If smoke is billowing from your house and the public has questions, the public will make up its own story about your fire if you say nothing, and any obfuscation risks blowback. You must, as best you can, get your message out.

Let’s get privilege straight

Lawyers love privilege, but we may not do a good enough job at helping the public understand why it is so important, and why it is not inimical to transparency.

There are two types of privilege.

Solicitor-client privilege is the strongest form of privilege. A confidential communication between lawyer and client that relates to the giving or receiving of legal advice (in the broadest sense) is privileged.

Litigation privilege works a little differently, and is quite important for giving a person who is in litigation or who contemplates litigation a “zone of privacy” in which to prepare, strategize and plan free from an adversary’s scrutiny.

Privilege is a powerful tool for organizations because it shields communications from everyone – an adversary in litigation, a freedom of information requester, a regulator.

This is for good reason: privilege allows for good legal advice on complicated, high stakes problems. If litigation is pending or anticipated, it also allows adversaries to be adversaries, which contributes to the truth-seeking function of adjudication. Privilege is hallowed, and recognized by our courts as central to the rule of law.

Privilege, though, applies to communications, not to facts that have an independent existence. Is your head exploding yet? Let me explain this tricky idea.

Say an incident leads to the discovery of four facts – Fact A, Fact B, Fact C and Fact D. There is a question about whether those four facts prove exfiltration of a particular set of data. Lawyer and client can communicate with each other to develop an understanding of that legal question. The lawyer can advise the client about what the evidence means, whether inferences can be drawn, and how the evidence is likely to be interpreted by a judge or a regulator. The lawyer may give an answer – “no exfiltration” – but also explain the strengths and weaknesses of taking that position. All of the evaluation and advice – the communication – is privileged, but Fact A, Fact B, Fact C, and Fact D are not. In incident response, those facts are normally embodied in the forensic artifacts collected and preserved by the forensic investigator, or in communications with the threat actor(s). Those artifacts and communications are producible in litigation and producible to a regulator, which allows others to examine them, engage in analysis (that may replicate the analysis that occurred under privilege), and draw their own conclusions. What an adversary or regulator cannot do is piggyback on solicitor-client communications to understand how the lawyer and client viewed all the nuance of the issue.

This is an important point to understand because it answers some unfounded concerns that privilege is a tool of obfuscation. It is not.

Privilege must be respected, though. There’s a now famous case in Canada in which an organization attempted to claim that recorded dialog with a threat actor was privileged because the communication was conveyed to counsel by an expert retained by counsel. The Court rightly held this was overreach. The threat actor dialog itself is fact. The same goes for forensic timelines. They are privileged because they are recorded in privileged reports. In litigation, this does help put some burden on an adversary to analyze the evidence themselves and develop their own timeline. But it’s unwise to tell a regulator, “I’m not giving you a timeline because the only place it’s recorded is in my privileged report.” Withhold the precise framing of the timeline in your report. Keep any conclusory elements, evaluations, and qualifications confidential, too. But give the regulator the facts. That’s all they want, and it should spare you a pointless privilege dispute.

From the zone of privilege to the public

I explain to our incident response clients that we work with them in a zone of privacy or privilege that is a safe communication zone. It is like a staging area for evidence, where we can sit with evidence, understand it, and determine what is and is not fact. The picture of an incident is formed slowly over time based on investigation. Things that seem the case are often not the case, and assumptions are to be relied upon cautiously.

It is our role, as counsel, to advise the client on what is safe to treat as fact. Once fact, it can be pushed out of the zone of privilege to the public in communications. It is at this point the communication will live on the public record and be used as evidence, so we carefully vet all such communication by asking four questions:

  • Is there any speculation? Are all facts accurately described? Are all facts clearly described?
  • Are there commitments/promises? Are they achievable?
  • Does the communication accurately convey the risk? If it raises alarm or encourages action, is that justified? Or will we cause stress for no good reason?
  • Does the communication reveal anything said under privilege (which can waive privilege)?

Our duty is to our client, and our filter is there to protect our client, but it also benefits the public because it ensures that incident communications are clear and reliable. This is hard work, and the heavy scrutiny that always comes later can reveal weaknesses, even in word choice. But by and large, organizations with qualified incident response counsel achieve transparency and engender stakeholder and public understanding and confidence.

Good notification takes time

Any organization whose network is compromised can contain the incident, and then an hour later announce, “If you have ever been employed with us or been a client of ours, your information may have been stolen.” This will almost always be a true statement, but it’s also a meaningless and vast over-notification. Good legal counsel lead their clients to investigate.

Investigation takes time. Determining what has been taken, if anything, is the first step. If you do that well, it can take about a week. But that is only the start. Imagine looking at a 453,000-file listing, delivered to you by a threat actor without any file path metadata. The question: who is affected? Your file share is encrypted, so you do not even have readable copies of the files yet.

Is it any wonder that organizations notify weeks and months after they are attacked? You cannot rightly blame the lawyers or their clients for this. It is hard work. If an organization elects to spend six figures and four months on e-discovery to conduct file-level analysis, it will be able to send a letter to each affected individual that sets out a tailored list of exposed data elements. Our regulator in Ontario has called this “the standard,” at the same time opening the door to more generalized notifications. We are moving now to population-based notifications, while still trying to be meaningful. Consider the following:

All individuals who received service x between date 1 and date 2 are affected. The contact information of all such individuals has been exposed (phone, e-mail and address as provided). About a third of the individuals in this population provided an emergency contact. The identity of this person and their phone number was also exposed.

I am explaining this because time to notify is the easiest thing on which to criticize an organization. Time to notification is visible, and far easier to understand than it is to explain to mass audiences with the kind of descriptions I have made here. Believe me, though, it is a very demanding challenge on which incident response counsel spend significant time and energy with their clients and data processing vendors, all with the aim of giving earlier and meaningful notifications.

Conclusion

Cyber incident response counsel are essential for effective and transparent incident management. They facilitate clear communication, crucial for stakeholder confidence and the fulfilment of obligations. Privilege, often misunderstood, enables open lawyer-client communication, improving decision-making. It’s not a tool to hide facts. Counsel guide clients through investigations and notifications, ensuring accuracy and avoiding speculation. Notification delays often stem from the complex process of determining breach scope and identifying affected individuals. Counsel help balance speed and quality of notification, serving their clients first, but also the public.

Alberta Court says Charter precludes statutory compulsion to identify scrap metal sellers

On January 23rd, the Alberta Court of Justice held that the provisions of the Alberta Scrap Metal Dealers and Recyclers Identification Act that require scrap metal dealers to identify scrap metal sellers and transmit their information to government for law enforcement purposes violate the Charter prohibition against unreasonable search.

The Act requires sellers of scrap metal to identify themselves by the provision of the following information: first name, surname, current municipal address, government-approved identification, the name of the individual seller’s business, if applicable, and the specific make, model, colour, and license plate of the vehicle in which the scrap metal was transported to the dealer by the individual.

For transactions involving “restricted metals” (including materials containing bronze and copper), dealers must transmit this information within 24 hours. To whom this transmission goes is significant. The Act says the transmission is to go to law enforcement in the manner prescribed. The regulation, though, establishes the government as the data holder and stipulates:

The Minister may require that peace officers and law enforcement agencies are granted access to the database referred to in subsection (2), provided that the disclosure of information in the database pertains to the discharge of the peace officer’s or law enforcement agency’s powers, duties or obligations under the Act.

The Court said the defence met its onus to prove the search was unreasonable. It noted that the Crown had not adduced evidence – in the form of “studies” – to justify the scheme, and held that the law that affords government latitude in regulatory searches ought no longer apply and, in any event, did not apply because the scrap metal scheme is targeted at everyone in the province rather than those who choose to enter a regulated sphere. The Court suggested that Albertans have no option to dispose of scrap metal without selling it, ultimately finding a violation and declining to apply the Act because the scheme was overbroad, intrusive and unjustified.

I’m prepared to assume a scrap metal theft problem in Alberta, and don’t have a conceptual problem with the identification of scrap metal sellers. I am not convinced by the Court’s handling of the regulatory context jurisprudence. The idea of routine transmission of transaction data directly to law enforcement does give me pause, but the statute doesn’t quite invite that given the provision I’ve quoted above. This is a point the Court did not address.

The decision is reminiscent of the Court of Appeal for Ontario’s decision in Cash Converters, in which it nullified a City of Oshawa bylaw as conflicting with MFIPPA, at the same time adopting and endorsing the IPC’s strict necessity test. The onus in Cash Converters, notably, was on the City.

R v Khairullah, 2025 ABCJ 14 (CanLII).