BCCA finds statutory right of access to personal health information too broad

On April 24th, the Court of Appeal for British Columbia held that section 96(1) of the British Columbia Child, Family and Community Service Act infringes the Charter right against unreasonable search and seizure.

Section 96(1) gives British Columbia directors of child protection a right of access to information in the custody or control of public bodies, including health care bodies. Although for child protection purposes in the main, section 96(1) is worded broadly as follows:

96 (1)   A director has the right to any information that

(a)     is in the custody or control of a public body as defined in the Freedom of Information and Protection of Privacy Act, and

(b)     is necessary to enable the director to exercise [their] powers or perform [their] duties or functions under this Act.

The Court held that “necessity,” in particular given section 96(1)’s child protection purpose, imposes only a limited restriction – confining the right of access to “any information in the custody or control of a public body that the ‘“’Director considers necessary.'”

Interpreted as such, and based on a balancing of parents’ interest in informational privacy against the competing state interest in protecting children from harm, the Court held that section 96(1) was unreasonable.

The Court held that the application judge erred by focusing to heavily on the manner of intrusion – which does not invite an intrusion upon the body, entry into a private dwelling or ongoing surveillance – without giving due weight to the sensitivity of the information at issue. It said:

In applying the second Goodwin factor, a judge must consider not only the extent to which a particular methodology directly engages with the target of the search or seizure and interferes with their bodily integrity or personal surroundings, but the impact of the state action on their reasonable expectations of privacy in light of the nature of the items or information involved. In his earlier-cited article, Professor Penney describes the intrusiveness analysis in this manner: it is an assessment of the “degree to which [the search or seizure] discloses intimate personal information or compromises dignity, autonomy, or bodily integrity”: at p. 96, emphasis added. I agree.

The Court also held that the application judge erred in finding that section 96(1) has sufficient safeguards. Importantly, it said that prior judicial authorization or prior notice is not required to meet section 8’s standard of reasonableness, but held that section 96(1) lacks other features that renders it unreasonable. The Court (oddly) criticized the clarity of section 96(1) and suggested that the province replace the necessity requirement with a reasonableness requirement (?). More plainly, the Court said that the province must at least provide for after the fact notice and a meaningful oversight mechanism.

The Court declared section 96(1) to be of no force an effect to the extent that it authorizes the production of personal information, suspended the declaration for 12 months and ordered that the declaration be prospective only.

T.L. v. British Columbia (Attorney General), 2023 BCCA 167 (CanLII).

Hat tip to Ian Mackenzie.

Arbitrator distinguishes Hooper, gives counsel direct access to disability management file

The Ontario law governing disability management and occupational health records is in disarray, though it did not stop an Ontario arbitrator from reaching the correct outcome in a decision released in November of last year. Arbitrator Colin Johnston held that neither the Personal Health Information Act nor the Occupational Health and Safety Act precluded a hospital from providing its disability management file to its legal counsel so counsel could review it for production purposes.

Although the right outcome, Arbitrator Johnston reached it through (understandably) conservative means, distinguishing the Orillia Soldiers’ Memorial Hospital case which precluded such a disclosure and the Divisional Court decision in Hooper. Further correction is required, as I argue here.

Health Sciences North v Ontario Nurses’ Association, 2022 CanLII 106545 (ON LA).

Court says access parent’s right to information limited by children’s privacy rights

On October 12th of last year the Ontario Superior Court of Justice considered the interplay between an access parent’s right to information under section 20(5) of the Children’s Law Reform Act and the privacy rights granted by Personal Health Information Protection Act. It held that the right to information is qualified by a child’s best interest, and a privacy right claimed by a child with capacity under PHIPA is a relevant factor.

Section 20(5) of the CLRA says:

The entitlement to parenting time with respect to a child includes the right to visit with and be visited by the child, and includes the same right as a parent to make inquiries and to be given information about the child’s well-being, including in relation to the child’s health and education.

The Court addressed a motion brought by a father for access to his children’s health and counselling files. He had sought access under PHIPA and was denied because the children – both deemed to have capacity – withheld their consent. The father brought a motion in Family Court, relying both on Section 20(5) and seeking production of third-party records under the Family Law Rules, arguing the records were relevant to his claims of parental alienation and other parenting issues to be determined by the Court.

The Court read section 20(5) together with section 28(8), a new provision of the CLRA that qualifies the right information as being “subject to any applicable laws.” It said:

This new statutory reference to a Court being able to “order otherwise” is a specific reminder that the right in 20(5) is not absolute. Internally, the right must be interpreted through the lens of the best interest principle, as all decisions affecting children are: see again section 19(a) of the Children’s Law Reform Act; see 24(1); and see also Children’s Lawyer for Ontario v. Ontario (Information and Privacy Commissioner), 2018 ONCA 559 ¶58-61.

The new, statutory subjugation of the right in section 20(5) externally “to any applicable laws” codifies what was already happening, namely that courts should consider the operation of other laws, like the PHIPA, when considering the scope of the right. Another example of another “applicable law” that can interact with the right in section 20(5) would be the common law of privilege: see M.(A.) v. Ryan, 1997 CanLII 403 (SCC), [1997] 1 S.C.R. 157.

The reference to “subjugation” is somewhat misleading given the Court affirmed its power to make an order under the CLRA based on the best interests principle and affirmed that such an order would bind health information custodians despite PHIPA. Section 20(5) is only subjugated to PHIPA in that PHIPA rights are a factor (and arguably a strong factor) in the best interests analysis.

On the facts, the Court held there was no basis for an order under section 20(5) but there was a basis for a limited production order (based on fairness considerations) under the Family Law Rules.

L.S. v. B.S., 2022 ONSC 5796 (CanLII).

NLCA opts for narrow interpretation of third-party information exemption

On February 2nd, the Court of Appeal of Newfoundland and Labrador held that only a party who owns third-party information has standing to rely on the third-party information exemption in the Newfoundland Access to Information and Privacy Act.

The Newfoundland exemption is in section 39, and reads as follows:

39.(1) The head of a public body shall refuse to disclose to an applicant information

(a) that would reveal

(i) trade secrets of a third party, or

(ii) commercial, financial, labour relations, scientific or technical information of a third party;

(b) that is supplied, implicitly or explicitly, in confidence; and

(c) the disclosure of which could reasonably be expected to

(i) harm significantly the competitive position or interfere significantly with the negotiating position of the third party,

(ii) result in similar information no longer being supplied to the public body when it is in the public interest that similar information continue to be supplied,

(iii) result in undue financial loss or gain to any person, or

(iv) reveal information supplied to, or the report of, an arbitrator, mediator, labour relations officer or other person or body appointed to resolve or inquire into alabour relations dispute.

The words “of a third party” are not common to all FOI statutes. Ontario’s statutes, for example, simply say, “A head shall refuse to disclose a record that reveals a trade secret or scientific, technical, commercial, financial or labour relations information supplied…”

The Court of Appeal gave effect to these words in an appeal about a request for a table listing all video lottery terminal (VLT) operators in Newfoundland and Labrador with their retailer operating name, location, and the total net revenue generated by VLTs at that location. The Atlantic Lottery Corporation supplied this information to the Department of Finance, who received the request. After the Atlantic Lottery Corporation had lost an appeal to court in its attempt to shield the information from the right of public access, the Beverage Industry Association of Newfoundland (the BIA) and Labrador asserted third party standing on behalf of the VLT operators.

The Court held that the VLT operators had no standing because they did not own the information. It rejected the BIA argument that a beneficial interest in the information was sufficient to support standing given the purpose of the Act, which is to foster transparency.

The Court also held that this point was so clear that neither the Department (pursuant to its mandatory duty to notify affected third parties) nor the Information and Privacy Commissioner (as a matter of fairness and discretion) failed to meet their respective duties on account of not notifying the BIA.

Newfoundland and Labrador (Information and Privacy Commissioner) v Beverage Industry Association of Newfoundland and Labrador, 2023 NLCA 2 (CanLII).

Manitoba judge implores common sense approach to privacy protection

On November 11th of last year, the Manitoba Court of Kings Bench ordered the City of Winnipeg to release information sought by an FOI requester, rejecting a claim that the information constituted “personal information.”

The media requester sought access to records of breaches and penalties imposed on Winnipeg police officers for breach of police service regulations. The City recorded this information in quarterly reports without names or other direct identifiers, and routinely published the reports internally to approximately 2,000 civilian and police service members.

In answering the request, the City redacted information about penalties imposed for each violation (identified only by regulation number) under the “unjustified invasion of personal privacy” exemption. It claimed that to include penalty information would render the information personal information, the disclosure of which constituted an unjustified invasion of personal privacy. Here is the City’s re-identification risk argument:

[7] Some of the penalties in the Routine Orders are unique and significant and might be apparent to family and close friends of the member who received the penalty. If a member received a penalty of loss of days, family or close friends of the member could be aware of a change of routine because the member has reduced pay or less leave. Family or close friends who saw the penalty in combination with the timeframe on the Routine Order in which the penalty was registered might make the connection and realize that their friend or relative was investigated by their employer and what the particular charge was.

And more:

[9] Some of the charges in the Routine Orders are specific and could result in public identification of the member by that fact alone. For example, witnesses, and complainants could be aware of the circumstances that resulted in the Regulatory charge and if they saw the charge and the Routine Orders in combination with the timeframe on the Routine Order in which the penalty was registered, could then become aware of the penalty imposed.

The Court rejected this argument and found that the information was not personal information based on the well-established reasonable expectations test – a test that asks whether a proposed disclosure, in conjunction with other available information, could reasonably be expected to identify an individual. Notably, the court held that this standard imposes the same evidentiary burden articulated by the Supreme Court of Canada in Merck Frosst – a burden that requires proof of a non-speculative event considerably more likely than a mere possibility but not necessarily proof of an event that is likely.

Like most public sector access and privacy statutes, the Manitoba Freedom of Information and Protection of Privacy Act does not shield personal information from the right of public access entirely – it only protects against unjustified invasions. The judge noted this, noted the City’s broad internal publication of the penalty information at issue and urged those charged with facilitating access to records to approach their task “with a healthy dose of common sense.”

Annable (CBC) v. City of Winnipeg, 2022 MBKB 222 (CanLII).

Ontario CA addresses claims arising out of IT security exploit

On January 11th, the Court of Appeal for Ontario dismissed an appeal of a decision that struck various pleadings of a former senior IT employee of Ontario and his family members, who the province alleges stole over $10 million by making fraudulent COVID benefit claims.

The Support for Families Program (SFFP) was launched quickly in April 2020 to help families with the cost of at-home learning. The IT employee helped develop the applications for the program, including its online application portal.

The province sued the employee and his family for allegedly stealing funds by making fraudulent applications and diverting them to bank accounts opened in the employee’s and his family members’ names – presumably by exploiting vulnerabilities known to the employee because of his duties. The province also alleges that the employee participated in and profited from a kick back scheme tied to the SFFP.

The employee has defended, and denies the allegations. In his defence, he pleaded contributory negligence – i.e., that the province was negligent in protecting itself against his alleged fraud. The family members – represented by the same counsel – say that the employee told them he used their personal information to open bank accounts in which to deposit the proceeds of fraud. Although they did not crossclaim against the employee, they counterclaimed against he province in intrusion upon seclusion and negligence.

The Court of Appeal affirmed the striking of these claims.

It held that a defendant to a fraud or unjust enrichment claim cannot raise contributory negligence as a defence. The Court explained that allowing for the defence would suggest that crime pays and unfairly punish organizations who do not take adequate steps to protect themselves.

It held that the intrusion upon seclusion claim is untenable because it is based on the employee’s alleged misuse of information entrusted to him by his family, not the employer’s enterprise or a risk created or excaberated by that enterprise.

It held that a negligence pleading properly framed to address the Crown’s immunity from tort liability would fail for a lack duty/proximity given the family members claimed to have no interaction with the province other than in respect of the province’s money that the employee transferred into their accounts.

Sometimes the best defence is a good offence. That was likely the motivation for these novel claims – perhaps an attempt to capitalize upon the province’s sensitivity to mismanagement claims. They were rightly struck, and organizations in Ontario who are defrauded by insiders can continue to breathe easy.

Ontario v. Madan, 2023 ONCA 18 (CanLII).

IPC/Ontario addresses legibility and the duty to accommodate FOI requesters

On December 23rd, the Information and Privacy Commissioner/Ontario issued an order that illustrates the Ontario law governing the legibility of records and institution’s duty to accommodate freedom of information requesters with disabilities.

These issues are governed by section 48(4) of the provincial act and section 37(3) of the municipal act. They read as follows:

Where access to personal information is to be given, the head shall ensure that the personal information is provided to the individual in a comprehensible form and in a manner which indicates the general terms and conditions under which the personal information is stored and used.

The IPC has held that these sections require institutions to provide reasonable quality copies, though not to transcribe or provide records in an alterative format subject to a duty to accommodate. Regarding accommodation, the IPC has held that institutions have a duty to provide disabled requesters with their personal information in a format that is comprehensible or intelligible to them. This duty is to be informed by the duty to accommodate in respect of service provision as established by the Human Rights Code, and presumably has a similar scope.

As with accommodation requests made under the Code, requesters who seek accommodation have a duty to establish the existence of a disability and their related medical needs. In its December order, the IPC dismissed an appeal that claimed a university had a duty to provide handwritten notes in an alternative format because the requester’s disability rendered the notes illegible. The requester did not provide sufficient evidence of his medical needs to establish a right to accommodation.

McMaster University (Re), 2022 CanLII 123506 (ON IPC).

Alberta CA interprets intergovernmental relations FOI exemption broadly

On December 6th, the Court of Appeal for Alberta held that a record supplied by a local police service to another local police service is amenable to withholding under the intergovernmental relations exemption in the Alberta Freedom of Information and Protection of Privacy Act.

The document at issue was a threat assessment report supplied by the RCMP to the Edmonton Police Service. The RCMP was acting under contract to provide local police services, which led the Alberta OIPC to find that it was an agency of the province. The OIPC relied on the heading “disclosure harmful to intergovernmental relations” and held that information supplied to a public body by an entity within Alberta could not qualify for exemption.

The Court held that the OIPC erred in its narrow interpretation of the exemption and by finding that the RCMP was an agency of the province. In the circumstances, the RCMP was to be treated as any other police service – a “local government body” – and one who could benefit from the exemption in disclosing information to another local public body. The OIPC put too much weight on the “intergovernmental relations” heading, it said, and ignored the plain wording of the Act.

Edmonton Police Service v Alberta (Information and Privacy Commissioner), 2022 ABCA 397 (CanLII).

Newfoundland court recognizes intrusion upon seclusion tort

In somewhat strange circumstances, the Supreme Court of Newfoundland and Labrador has recognized the intrusion upon seclusion privacy tort.

The Court made its recognition in deciding a procedural motion in a Municipal Elections Act appeal by two City of Mount Pearl councillors who were sanctioned for not disclosing a conflict of interest. The alleged conflict arose out of their discussions with the Town’s former CAO while he was on administrative leave and the subject of a harassment investigation.

The City had discovered the conflict after it seized the CAO’s work iPad, which was still sending snippets of messages from the CAO’s personal Facebook Messenger account to the iPad’s home screen. Staff from IT saw the troubling messages, gave the iPad to the Clerk who saw more troubling messages, and the City eventually downloaded the messages for its use as evidence. At some point later, the messages were leaked to the CBC.

Whether the common law right of action for intrusion upon seclusion exists in Newfoundland had not yet been determined but was certified as a common issue in Hynes v. Western Regional Integrated Health Authority, 2014 NLTD(G) 137. Here, the Court held that the province has “a common law tort for intrusion upon seclusion” and that it “coexists with rights created under the [Newfoundland and Labrador] Privacy Act.”

Not surprisingly, in light of the Supreme Court of Canada decision in R v Cole, the Court found a privacy expectation that warranted protection, though its analysis on this point bleeds into its finding that the City’s actions were “highly offensive.” It went on to exclude the messages from the appeal record on the basis of its procedural power.

I might have thought this was a closer case than the outcome suggests, but privacy is such a subjective concept that it’s hard to predict how a judge will view a matter. It’s also another case about using a work computer to access content in a private cloud account, which apparently touches a judicial nerve.

Hindsight is 20/20, but as the judge said, the City could have stopped once it viewed the snippets and used the observations made by IT and the Clerk to request access from the CAO (who was presumably still employed and with a duty to cooperate and who faced a possible adverse inference). I would be concerned about the potential destruction of evidence – all stored in the CAO controlled account – but (unfortunately) the Court did not consider this factor.

Power v. Mount Pearl (City), 2022 NLSC 129 (CanLII).

SKCA lays down law regarding redaction of producible documents, orders disclosure of complainant’s identity

On October 11th, the Court of Appeal for Saskatchewan ordered a defendant to produce an un-redacted copy of an e-mail, thereby providing the plaintiff with the identity of an individual who had reported him as a potential threat.

The Court reviewed the Canadian jurisprudence on redacting information from producible documents, and adopted a modified version of the prevailing view (outside of Alberta and Nova Scotia):

[55] In summary, a party seeking to justify a redaction from a producible document must show that: (a) the information removed from the document is not relevant to an issue in the action; (b) there is, in the evidence or record, a compelling reason for the redaction; and (c) the existing protections provided for in the Rules, and as may be supplemented by other measures, are insufficient to protect the interest that is said to justify the redaction.

The underlying action was brought by a former employee of SaskPower . SaskPower had received a bomb threat, and as part of its response, identified the plaintiff as a suspect to the local police. The plaintiff sued SaskPower for malicious prosecution and breach of privacy.

SaskPower produced the internal e-mail that identified the plaintiff as a threat, but redacted the name of an employee who had earlier raised concerns – “However [redacted text] came to me with concerns (even before we were aware other the threat came from someone with an accent).”

The Court dismissed the defendant’s argument that relied on informer privilege because SaskPower was not the police and held (in a rather cursory manner) that SaskPower had not met its burden.

The outcome is a good illustration of the test, which is a one-way test that puts the burden on the party resisting production. If the test put more emphasis on the value of the evidence to the proceeding (and balancing), there may have been a different outcome given the public interest in fostering the making of these types of reports.

SaskPower has nice, simple facts for an attempted appeal, the law of production has been in flux in the last decade, and the differing Alberta and Nova Scotia law might help.

Omorogbe v Saskatchewan Power Corporation, 2022 SKCA 116 (CanLII)