Ont CA says doctor gross revenue information is not personal information

4 Aug

As reported widely, yesterday the Court of Appeal for Ontario affirmed an IPC/Ontario finding that gross revenue earned by Ontario’s top earning doctors was not their personal information.

There’s not much to the decision. (A number of the grounds for appeal were “optimistic.”) The decision illustrates that information must reveal something of a personal nature about an individual (in the relevant context) to be the individual’s personal information. In the doctors’ case, the link between gross income and the personal finances was not strong, as noted by the Court:

The information sought was the affected physicians’ gross revenue before allowable business expenses such as office, personnel, lab equipment, facility and hospital expenses. The evidence before the Adjudicator indicated, however, that, in the case of these 100 top billing physicians, those expenses were variable and considerable.

In another context, gross revenue information could be personal information. What is and is not personal information is a VERY contextual matter.

Ontario Medical Association v. Ontario (Information and Privacy Commissioner), 2018 ONCA 673.

Advertisements

OCA says Children’s Lawyer records not under MAG’s custody or control

23 Jun

On June 18th the Court of Appeal for Ontario held that the Ministry of the Attorney General is not in custody or control of records in a Children’s Lawyer litigation file even though the Children’s Lawyer, for administrative purposes, is part of MAG. The finding turns on the Children’s Lawyer’s independence and the privacy interests of the children it represents. These kind of contextual factors are important to the custody or control analysis. As stated by the Court, “an organization’s administrative structure is not determinative of custody or control for purposes of FIPPA.”

This decision is consistent with other law that suggests records within an institution are not always in custody or control of an institution – e.g., certain faculty records and personal e-mails. Custody or control is therefore no simple concept to administer and is prone to dispute. At least for now IPC decisions will be subject to judicial review on the correctness standard, another (surprising) finding the Court of Appeal made in rendering its decision.

Ontario (Children’s Lawyer) v. Ontario (Information and Privacy Commissioner), 2018 ONCA 559 (CanLII).

 

Sask CA says Commissioner’s request for privileged communications unnecessary

18 May

On May 16th the Court of Appeal for Saskatchewan held that the Office of the Information and Privacy Commissioner, Saskatchewan should not have required the University of Saskatchewan to produce communications that it claimed were subject to solicitor-client privilege.

The Commissioner began by inviting the University to provide evidence that supported its privilege claim. The University filed an affidavit from a non-lawyer stating that legal counsel had advised that “some” of the withheld documents are subject to solicitor-client privilege. It did not file an index of records.

This led the Commissioner to immediately request the records. Although the Commissioner had asked the University for a index of records, it did not ask again – an omission that the Court held to breach the principle that demands an adjudicator only review solicitor-client communications when absolutely necessary to assess a privilege claim.

This fact-specific decision illustrates how strictly the absolute necessity principle will be enforced. The Court also spoke about what privilege claimants ought to be required to present in support of their claims. In doing so, it suggested that an index that identifies records will ordinarily provide an adequate basis for assessing a privilege claim in the absence of any evidence suggesting a claim is “ill founded”.

University of Saskatchewan v Saskatchewan (Information privacy Commissioner), 2018 SKCA 34.

Ontario Court says FOI statute fails in providing access to administrative tribunal records

29 Apr

Yesterday the Ontario Superior Court of Justice held that the Ontario Freedom of Information and Protection of Privacy Act violates section 2(b) of the Charter because it goes too far to protect the privacy of parties, witnesses and others in matters heard by the Ontario Human Rights Tribunal, Ontario Labour Relations Boards and other statutory tribunals.

The Toronto Star brought the Charter application. It argued that the access regime created by FIPPA is too restrictive and too slow to meet its Charter-based right of access to “adjudicative records” – records of things filed before tribunals like pleadings and exhibits as well as tribunal decisions. A number of Ontario tribunals process requests for adjudicative records formally under FIPPA while others provide access more informally. The Star argued that the informal process must be the norm.

Justice Morgan allowed the application and declared that FIPPA violates the Charter by imposing a presumption of non-disclosure of “personal information” in adjudicative records. It is a puzzling decision for two reasons.

First, there is virtually no discussion about whether the open courts principle ought to apply to administrative tribunals. The Court’s application of the open courts principle appears to be derived from a provision requiring openness in the Statutory Powers Procedure Act:

All parties acknowledge that administrative hearings governed by the Statutory Powers Procedure Act (“SPPA”) are required to be open to the public. In principle, therefore, it is uncontroversial that “[t]he ‘open court’ principle” – at least in some version – “is a cornerstone of accountability for decision-making tribunals and courts.”

One might argue that the Court elevates a statutory presumption (which ought to be read in harmony with FIPPA) into a constitutional right. One might also argue that there are policy imperatives for administrative justice that weigh against recognition, in respect of tribunals, of the same level of openness that applies to courts – expediency and ease of access, for example. These two imperatives in particular are likely to suffer if administrative tribunal records are treated similarly to court records.

Second, the Court’s decision rests on what it says is a flawed “presumption of non-disclosure” – one that makes personal information in adjudicative records presumptively inaccessible. According to the Court this presumption arises out of the framing of FIPPA’s section 21 “unjustified invasion of privacy exemption,” which states that personal information shall be withheld unless its disclosure would not constitute an “unjustified invasion of privacy.”

It is too strong to call this a presumption, particularly in light of section 53 of FIPPA, which states, “Where a head refuses access to a record or a part of a record, the burden of proof that the record or the part falls within one of the specified exemptions in this Act lies upon the head.” To the contrary, all records in an institution’s custody or control are presumptively accessible under FIPPA, with limitations on the right of access dictated to be “limited and specific” as stipulated FIPPA’s purpose provision.

It’s quite arguable that FIPPA grants a right of access subject to a balancing of interests that has been carefully calibrated by the legislature and ultimately governed by an expert tribunal – the Information Privacy Commissioner/Ontario. Justice Morgan did not hide his views about the IPC, stating “In terms of the expertise of the institution heads and, in particular, the IPC, it is fair to say that the jury is still out. ”

 Toronto Star v. AG Ontario, 2018 ONSC 2586.

BCCA addresses public right of access to “a record of a question”

21 Apr

On April 13th, the Court of Appeal for British Columbia held that a rubric for an undergraduate admissions test administered by UBC was excluded from British Columbia’s public sector access and privacy act as a “record of a question.” It interpreted this phrase purposely, as encompassing “anything that is inregral to the question such that disclosure would defeat the purpose of the question for future use.”

University of British Columbia v. Lister, 2018 BCCA 139 (CanLII).

Financial institution compliance presentation – privacy, data security and anti-spam

31 Mar

I’ve been doing a survey presentation in the Osgoode PDP program on financial institution compliance for the last five years now. Here’s this year’s deck.

What’s new? The V-Tech security measures report by the Office of the Privacy Commissioner of Canada, the Canadian Securities Administrators Staff Notice 33-321 (and some much more meaty guidance by the CSA) and the reduction of the Compufinder fine under CASL. See below for more.

 

The right to be forgotten comes to Canada

28 Jan

On Friday, the Office of the Privacy Commissioner of Canada issued a new position on the protection of online reputation. In doing so the OPC recognized a right to have personal information de-indexed from search engine results if it is inaccurate, incomplete or out-of-date. Although the position is in draft, is nonetheless of critical significance to Canadians’ use of the internet – creating a broader variant of the so-called European “right to be forgotten.”

The OPC says the right arises out of two longstanding parts of the Personal Information Protection and Electronic Documents Act – Principle 4.6 and section 5(3).

Principle 4.6 is the accuracy principle. It reads as follows:

4.6 Principle 6 — Accuracy

Personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.

4.6.1

The extent to which personal information shall be accurate, complete, and up-to-date will depend upon the use of the information, taking into account the interests of the individual. Information shall be sufficiently accurate, complete, and up-to-date to minimize the possibility that inappropriate information may be used to make a decision about the individual.

4.6.2

An organization shall not routinely update personal information, unless such a process is necessary to fulfil the purposes for which the information was collected.

4.6.3

Personal information that is used on an ongoing basis, including information that is disclosed to third parties, should generally be accurate and up-to-date, unless limits to the requirement for accuracy are clearly set out.

Principle 4.6 dovetails in part with Principle 4.9, which requires organizations to “amend” personal information if it is demonstrably “inaccurate or incomplete.” (Principle 4.9 does not mention currency.)

The OPC’s reasoning is simple. Search engines use and disclose personal information to “provide people with access to relevant information from the most reliable sources available.” This purpose is not served by presenting search results that are not accurate, complete or up-to-date. Though accuracy, completeness and currency are they key concepts, the OPC says that search engines should interpret and apply them in light of the how materially the impugned content affects individuals’ interests and the countervailing (public) interest in continued accessibility.

Section 5(3) of PIPEDA restricts organizations to handling personal information for purposes that a “reasonable person would consider are appropriate under the circumstances.” The OPC says that section 5(3) could also be the basis of a valid de-indexing request, giving the following two examples:

  • Where content is unlawful, or unlawfully published (e.g. where it contravenes a publication ban, is defamatory, or violates copyright; etc.)
  • Where the accessibility of the information may cause significant harm to the individual, and there is either no public interest associated with the display of the search result, or the harm, considering its magnitude and likelihood of occurrence, outweighs any public interest

This newly-recognized right invites de-indexing requests to search engines as the primary means of obtaining relief from online reputational harm, though the OPC has also recognized a right to take down content. The right to take down content is a more limited right, in part because the OPC only has jurisdiction over those who publish personal information “in the course of commercial activity.”

The significance of the new position cannot be understated; there are many Canadians who feel plagued by internet posts that are unflattering if not disparaging. Search engines will not embrace this development – leaving a possibility of an enforcement dispute (and Federal Court input) and vigorous lobbying for a legislative amendment. It may take some time, but watch for a Charter challenge.

You can read the draft report here.