Manitoba judge implores common sense approach to privacy protection

On November 11th of last year, the Manitoba Court of Kings Bench ordered the City of Winnipeg to release information sought by an FOI requester, rejecting a claim that the information constituted “personal information.”

The media requester sought access to records of breaches and penalties imposed on Winnipeg police officers for breach of police service regulations. The City recorded this information in quarterly reports without names or other direct identifiers, and routinely published the reports internally to approximately 2,000 civilian and police service members.

In answering the request, the City redacted information about penalties imposed for each violation (identified only by regulation number) under the “unjustified invasion of personal privacy” exemption. It claimed that to include penalty information would render the information personal information, the disclosure of which constituted an unjustified invasion of personal privacy. Here is the City’s re-identification risk argument:

[7] Some of the penalties in the Routine Orders are unique and significant and might be apparent to family and close friends of the member who received the penalty. If a member received a penalty of loss of days, family or close friends of the member could be aware of a change of routine because the member has reduced pay or less leave. Family or close friends who saw the penalty in combination with the timeframe on the Routine Order in which the penalty was registered might make the connection and realize that their friend or relative was investigated by their employer and what the particular charge was.

And more:

[9] Some of the charges in the Routine Orders are specific and could result in public identification of the member by that fact alone. For example, witnesses, and complainants could be aware of the circumstances that resulted in the Regulatory charge and if they saw the charge and the Routine Orders in combination with the timeframe on the Routine Order in which the penalty was registered, could then become aware of the penalty imposed.

The Court rejected this argument and found that the information was not personal information based on the well-established reasonable expectations test – a test that asks whether a proposed disclosure, in conjunction with other available information, could reasonably be expected to identify an individual. Notably, the court held that this standard imposes the same evidentiary burden articulated by the Supreme Court of Canada in Merck Frosst – a burden that requires proof of a non-speculative event considerably more likely than a mere possibility but not necessarily proof of an event that is likely.

Like most public sector access and privacy statutes, the Manitoba Freedom of Information and Protection of Privacy Act does not shield personal information from the right of public access entirely – it only protects against unjustified invasions. The judge noted this, noted the City’s broad internal publication of the penalty information at issue and urged those charged with facilitating access to records to approach their task “with a healthy dose of common sense.”

Annable (CBC) v. City of Winnipeg, 2022 MBKB 222 (CanLII).

Ontario CA addresses claims arising out of IT security exploit

On January 11th, the Court of Appeal for Ontario dismissed an appeal of a decision that struck various pleadings of a former senior IT employee of Ontario and his family members, who the province alleges stole over $10 million by making fraudulent COVID benefit claims.

The Support for Families Program (SFFP) was launched quickly in April 2020 to help families with the cost of at-home learning. The IT employee helped develop the applications for the program, including its online application portal.

The province sued the employee and his family for allegedly stealing funds by making fraudulent applications and diverting them to bank accounts opened in the employee’s and his family members’ names – presumably by exploiting vulnerabilities known to the employee because of his duties. The province also alleges that the employee participated in and profited from a kick back scheme tied to the SFFP.

The employee has defended, and denies the allegations. In his defence, he pleaded contributory negligence – i.e., that the province was negligent in protecting itself against his alleged fraud. The family members – represented by the same counsel – say that the employee told them he used their personal information to open bank accounts in which to deposit the proceeds of fraud. Although they did not crossclaim against the employee, they counterclaimed against he province in intrusion upon seclusion and negligence.

The Court of Appeal affirmed the striking of these claims.

It held that a defendant to a fraud or unjust enrichment claim cannot raise contributory negligence as a defence. The Court explained that allowing for the defence would suggest that crime pays and unfairly punish organizations who do not take adequate steps to protect themselves.

It held that the intrusion upon seclusion claim is untenable because it is based on the employee’s alleged misuse of information entrusted to him by his family, not the employer’s enterprise or a risk created or excaberated by that enterprise.

It held that a negligence pleading properly framed to address the Crown’s immunity from tort liability would fail for a lack duty/proximity given the family members claimed to have no interaction with the province other than in respect of the province’s money that the employee transferred into their accounts.

Sometimes the best defence is a good offence. That was likely the motivation for these novel claims – perhaps an attempt to capitalize upon the province’s sensitivity to mismanagement claims. They were rightly struck, and organizations in Ontario who are defrauded by insiders can continue to breathe easy.

Ontario v. Madan, 2023 ONCA 18 (CanLII).

IPC/Ontario addresses legibility and the duty to accommodate FOI requesters

On December 23rd, the Information and Privacy Commissioner/Ontario issued an order that illustrates the Ontario law governing the legibility of records and institution’s duty to accommodate freedom of information requesters with disabilities.

These issues are governed by section 48(4) of the provincial act and section 37(3) of the municipal act. They read as follows:

Where access to personal information is to be given, the head shall ensure that the personal information is provided to the individual in a comprehensible form and in a manner which indicates the general terms and conditions under which the personal information is stored and used.

The IPC has held that these sections require institutions to provide reasonable quality copies, though not to transcribe or provide records in an alterative format subject to a duty to accommodate. Regarding accommodation, the IPC has held that institutions have a duty to provide disabled requesters with their personal information in a format that is comprehensible or intelligible to them. This duty is to be informed by the duty to accommodate in respect of service provision as established by the Human Rights Code, and presumably has a similar scope.

As with accommodation requests made under the Code, requesters who seek accommodation have a duty to establish the existence of a disability and their related medical needs. In its December order, the IPC dismissed an appeal that claimed a university had a duty to provide handwritten notes in an alternative format because the requester’s disability rendered the notes illegible. The requester did not provide sufficient evidence of his medical needs to establish a right to accommodation.

McMaster University (Re), 2022 CanLII 123506 (ON IPC).

Alberta CA interprets intergovernmental relations FOI exemption broadly

On December 6th, the Court of Appeal for Alberta held that a record supplied by a local police service to another local police service is amenable to withholding under the intergovernmental relations exemption in the Alberta Freedom of Information and Protection of Privacy Act.

The document at issue was a threat assessment report supplied by the RCMP to the Edmonton Police Service. The RCMP was acting under contract to provide local police services, which led the Alberta OIPC to find that it was an agency of the province. The OIPC relied on the heading “disclosure harmful to intergovernmental relations” and held that information supplied to a public body by an entity within Alberta could not qualify for exemption.

The Court held that the OIPC erred in its narrow interpretation of the exemption and by finding that the RCMP was an agency of the province. In the circumstances, the RCMP was to be treated as any other police service – a “local government body” – and one who could benefit from the exemption in disclosing information to another local public body. The OIPC put too much weight on the “intergovernmental relations” heading, it said, and ignored the plain wording of the Act.

Edmonton Police Service v Alberta (Information and Privacy Commissioner), 2022 ABCA 397 (CanLII).

Newfoundland court recognizes intrusion upon seclusion tort

In somewhat strange circumstances, the Supreme Court of Newfoundland and Labrador has recognized the intrusion upon seclusion privacy tort.

The Court made its recognition in deciding a procedural motion in a Municipal Elections Act appeal by two City of Mount Pearl councillors who were sanctioned for not disclosing a conflict of interest. The alleged conflict arose out of their discussions with the Town’s former CAO while he was on administrative leave and the subject of a harassment investigation.

The City had discovered the conflict after it seized the CAO’s work iPad, which was still sending snippets of messages from the CAO’s personal Facebook Messenger account to the iPad’s home screen. Staff from IT saw the troubling messages, gave the iPad to the Clerk who saw more troubling messages, and the City eventually downloaded the messages for its use as evidence. At some point later, the messages were leaked to the CBC.

Whether the common law right of action for intrusion upon seclusion exists in Newfoundland had not yet been determined but was certified as a common issue in Hynes v. Western Regional Integrated Health Authority, 2014 NLTD(G) 137. Here, the Court held that the province has “a common law tort for intrusion upon seclusion” and that it “coexists with rights created under the [Newfoundland and Labrador] Privacy Act.”

Not surprisingly, in light of the Supreme Court of Canada decision in R v Cole, the Court found a privacy expectation that warranted protection, though its analysis on this point bleeds into its finding that the City’s actions were “highly offensive.” It went on to exclude the messages from the appeal record on the basis of its procedural power.

I might have thought this was a closer case than the outcome suggests, but privacy is such a subjective concept that it’s hard to predict how a judge will view a matter. It’s also another case about using a work computer to access content in a private cloud account, which apparently touches a judicial nerve.

Hindsight is 20/20, but as the judge said, the City could have stopped once it viewed the snippets and used the observations made by IT and the Clerk to request access from the CAO (who was presumably still employed and with a duty to cooperate and who faced a possible adverse inference). I would be concerned about the potential destruction of evidence – all stored in the CAO controlled account – but (unfortunately) the Court did not consider this factor.

Power v. Mount Pearl (City), 2022 NLSC 129 (CanLII).

SKCA lays down law regarding redaction of producible documents, orders disclosure of complainant’s identity

On October 11th, the Court of Appeal for Saskatchewan ordered a defendant to produce an un-redacted copy of an e-mail, thereby providing the plaintiff with the identity of an individual who had reported him as a potential threat.

The Court reviewed the Canadian jurisprudence on redacting information from producible documents, and adopted a modified version of the prevailing view (outside of Alberta and Nova Scotia):

[55] In summary, a party seeking to justify a redaction from a producible document must show that: (a) the information removed from the document is not relevant to an issue in the action; (b) there is, in the evidence or record, a compelling reason for the redaction; and (c) the existing protections provided for in the Rules, and as may be supplemented by other measures, are insufficient to protect the interest that is said to justify the redaction.

The underlying action was brought by a former employee of SaskPower . SaskPower had received a bomb threat, and as part of its response, identified the plaintiff as a suspect to the local police. The plaintiff sued SaskPower for malicious prosecution and breach of privacy.

SaskPower produced the internal e-mail that identified the plaintiff as a threat, but redacted the name of an employee who had earlier raised concerns – “However [redacted text] came to me with concerns (even before we were aware other the threat came from someone with an accent).”

The Court dismissed the defendant’s argument that relied on informer privilege because SaskPower was not the police and held (in a rather cursory manner) that SaskPower had not met its burden.

The outcome is a good illustration of the test, which is a one-way test that puts the burden on the party resisting production. If the test put more emphasis on the value of the evidence to the proceeding (and balancing), there may have been a different outcome given the public interest in fostering the making of these types of reports.

SaskPower has nice, simple facts for an attempted appeal, the law of production has been in flux in the last decade, and the differing Alberta and Nova Scotia law might help.

Omorogbe v Saskatchewan Power Corporation, 2022 SKCA 116 (CanLII)

IPC/Ontario affirms $140,000 fee estimate for e-mail request

On September 28th, the Information and Privacy Commissioner/Ontario affirmed a $140,132 fee estimate and decision to deny a request to waive the same.

The requester was interested in matters related to the expenditure of funds on a new hospital site in Windsor. In relation to this interest, he sought hospital e-mails from 17 accounts that spanned a nine year period. The requester provided 100 search terms that were broad and seemingly un-targeted at the subject matter of interest.

The hospital generated its estimate based on an application of the requester’s terms. It estimated 145,000 pages of responsive records and calculated the estimate based on the (standard) two minutes of preparation time per page. It did not include time for its search.

The IPC upheld the fee estimate and the fee waiver denial. It said, “a fee waiver would shift an unreasonable burden of the cost to hospital.”

I’ve been tracking “e-FOI” decisions for many years, and believe this to be the highest estimate the IPC has affirmed. In general, and thankfully, the IPC has been pragmatic in handling fee, fee estimate and fee waiver appeals. This is important given how expensive it can be to process e-mail requests and because the law ought to encourage requesters to work with institutions to tailor their requests.

Windsor Regional Hospital (Re), 2022 CanLII 91591 (ON IPC).

Three key issues from the Ontario cyber security Expert Panel report

On October 3rd, the Ontario’s cyber security Expert Panel issued its report to Minister of Public and Business Service Delivery, Kaleed Rasheed.

His Honour said, “The Expert Panel’s recommendations will form the foundation of our cyber security policies and help develop best practices shared across all sectors as well as inform future targeted investments in our cyber capabilities and defences.”

Those recommendations are:

  1. Regarding governance: Ontario should reinforce existing governance structures to enable effective cyber security risk management across the BPS.
  2. Regarding education and training: Ontario should continue to develop diverse and inclusive cyber security awareness and training initiatives across all age-levels of learning, supported by a variety of common and tailored content and hands-on activities.
  3. Regarding communication: Ontario should implement a framework that encourages BPS entities to share information related to cyber security securely amongst each other with ease.
  4. Regarding shared services: Ontario should continue to develop, improve, and expand shared services and contracts for cyber resiliency across the BPS, considering sector-specific needs where required.

Here are three issues of significance to public sector instutions and their insurers.

FIRST, the governance recommendation contemplates more government oversight, including through “a single oversight body, employing a common operating model [and] clearly establishing accountabilities.”

Institutions require more funding to address cyber security risks. This recommendation is positive because it will lay the necessary groundwork.

As suggested by the Expert Panel, the current relationship between government and institutions is somewhat confused. Government is engaged an informal kind of oversight that lacks effectiveness and can rightly put institutions on guard because its measures are unclear. Institutions will benefit from clear and simple accountabilities and – did I say it already? – the funding to meet those accountabilities.

SECOND, the communication recommendation encompasses threat information sharing, with the Expert Panel stating, “Ontario should establish a unified critical information sharing protocol to ensure quick communication of cyber incidents, threat intelligence, and vulnerabilities amongst BPS organizations.”

This is to rectify what the Expert Panel says is the “unidirectional” flow of threat information, which is reported to government but is not yet “broadly shared across the BPS.” Institutions know that government currently craves the early reporting of threat information, but the perceived benefit is still minimal. The Expert Panel recommendation is positive in that it may lead to their receipt of more timely, more enriched threat information.

THIRD, the shared services recommendation addresses the cyber insurance coverage problem now faced by the public sector. The expert panel states:

Ontario should investigate options for establishing a self-funded cyber insurance program to support the delivery of services such as breach coaching, incident response, and recovery to which all BPS organizations can subscribe.

There is a form of self-funded cyber coverage available various parts of the Ontario public sector through insurance reciprocals. This coverage is expanding, and the role of reciprocals is becoming more important now that the insurance market has become so hard. Primary coverage by reciprocals, even if limited in scope, can make secondary coverage more obtainable for public sector institutions.

The “breach coaching” reference above gives me pause, though I understand it to be indicative of how the role of expert legal counsel in incident response was borne out of the cyber insurance market (with the term coined by cyber risk and insurance company NetDiligence, I believe).

Breach coaching is simply expert legal advice by another name. It is funded by cyber insurance for those who have coverage, and insurers have required their insureds to use vetted and approved legal advisors in responding to incidents because they understand the risk mitigating (and cost reducing) value of this specialized legal service. Public sector institutions without coverage bear all the same risks as those with coverage, and without proper advice are at great peril. The need for proper legal advice one reason is why it is so important to solve the public sector coverage problem, though institutions dealing with a major cyber incident should not consider legal advice to be optional.

Federal Court dismisses awkward solicitor-client privilege claim

Earlier this year, the Federal Court dismissed a claim that a column in a spreadsheet was subject to solicitor-client privilege because disclosure would reveal legal advice obtained prior to its development.

Solicitor-client privilege (literally) protects advisory communications between a solicitor and its client, and it can protect such communications if they find their way into other documents. For example, if two employees of a lawyer’s client discuss the (corporate) lawyer’s advice confidentially via e-mail, their description of the advice may be redacted in response to a production requirement because its disclosure would reveal the solicitor-client communication.

In this case, a corporate taxpayer argued that a column in a spreadsheet was protected by solicitor-client privilege based on the same rationale. It relied on an affidavit that explained that it received legal advice prior to the development of the column and that disclosure of the column would reveal it “by what is being computed, how the computation is done,” and “by associated text in the reacted column.” The Court exercised its discretion to review the prior legal advice and held that the column was simply the “operational outcome or end product of legal advice” and not protected.

This is a fact specific, though illustrative outcome. Even the fact of obtaining legal advice on a particular matter is sensitive and ought normally be kept secret because, once disclosed, inferences can be drawn about advice taken based on the “operational outcome” or “end product” of the advice. Of course, a lawyer’s legal advice can be either be accepted or rejected or followed precisely or loosely, but clients are often drawn to back the legitimacy of their actions by reference to their careful adherence to legal advice. That’s plainly a risk.

In this case, it is unclear whether something precipitated the (more basic) disclosure of an advisory relationship, but one can see how arguing the resulting inference can be very awkward and risky. The only way to do it is to “double down” and disclose more about the advisory relationship and the resulting inference. If not it inviting of waiver in the underlying advice (which the Court did not find here), it seems to be one step down a slippery slope to that outcome.

Canada (National Revenue) v. BMO Nesbitt Burns Inc., 2022 FC 157.

No Charter-protected expectation of privacy in vehicle operation data

On July 20th, the Court of Appeal for Saskatchewan held that an accused person who drove his pickup truck through a highway intersection and stuck a semi-truck did not have a reasonable expectation of privacy that precluded the police from seizing a control module and its data from his vehicle before it was towed away.

The accident was horrible. There were six people in the truck with the accused, three of whom died, two of whom were children. The police charged the accused with dangerous driving and criminal negligence, and the prosecution relied on evidence retrieved from the wrecked pickup truck at the scene of the accident. Specifically, the police seized the truck’s Airbag Control Module (ACM) from under the driver’s seat. The ACM contained an Event Data Recorder (EDR) with data about the vehicle’s operation during the five seconds before impact in tenth of a second intervals – specifically, speed, accelerator pedal (% full), manifold pressure and service brake (on/off), seatbelt pretensioner readings, airbag deployment readings.

There are competing lines of Canadian jurisprudence regarding the warrantless seizure of on board vehicle computers and their data. The leading Ontario case is Hamilton, a Ontario Superior Court of Justice case that recognizes a reasonable expectation of (informational) privacy. In Yogeswaran, though, the Ontario Superior Court of Justice held that the territorial privacy interest in one’s vehicle is enough to preclude police search and seizure without prior judicial authorization.

Conversely, in Fedan, the Court of Appeal for British Columbia held that one’s territorial privacy interest in their vehicle is extinguished when the vehicle is seized and that EDR data is not associated with a strong enough informational privacy interest to warrant Charter protection.

The Court of Appeal for Saskatchewan followed Fedan. It reasoned that the accused’s truck, being totally destroyed on the side of a public roadway, was in the total control of the police whether or not it was yet to be formally seized based on section 489(2) of the Criminal Code. It concluded:

…the claim to a territorial privacy interest by Mr. Major in that component of his vehicle is weak. While a warrant could have been obtained, that does not mean one was required. I find that the state of the vehicle, Mr. Major’s loss of control over it, the nature of the ACM as a mechanical safety component installed by the manufacturer, and the focused task by Cpl. Green in locating and removing only it, do not support the continued existence of an objectively reasonable territorial privacy interest at the point when the vehicle was entered

Regarding informational privacy, the Court made the point that not all digital evidence is equally sensitive or revealing of one’s “biographical core.” EDR data of the kind at issue is limited to data about the operation of a vehicle immediately before an accident, and provides no “longer-term information about the driving habits of the owner or operator of a vehicle.” The Court concluded:

After considering the two lines of cases regarding EDR data, I find myself in substantial agreement with the reasoning from Fedan for the characterization of the data stored in the EDR. As in Fedan, the data here “contained no intimate details of the driver’s biographical core, lifestyle or personal choices, or information that could be said to directly compromise his ‘dignity, integrity and autonomy’” (at para 82, quoting Plant at 293). It revealed no personal identifiers or details at all. It was not invasive of Mr. Major’s personal life. The anonymous driving data disclosed virtually nothing about the lifestyle or private decisions of the operator of the Dodge Ram pickup. It is hard to conceive that Mr. Major intended to keep his manner of driving private, given that the other occupants of the vehicle – which included an adult employee – and complete strangers, who were contemporaneously using the public roadways or adjacent to it, could readily observe him. His highly regulated driving behaviour was “exposed to the public” (Tessling at para 47), although not to the precise degree with which the limited EDR data, as interpreted by the Bosch CDR software, purports to do. While it is only a small point, I further observe that a police officer on traffic patrol would have been entitled to capture Mr. Major’s precise speed on their speed detection equipment without raising any privacy concerns.

R v Major, 2022 SKCA 80 (CanLII).