Apply The Emergency Mind to cyber incident response

My BLG teammates and I take the privilege of guiding clients through the perils of cyber incidents seriously. To honour the privilege, we think deeply about various aspects of our performance, including how we can perform better under pressure. Dr. Dan Dworkis’s book, The Emergency Mind: Wiring Your Brain for Performance Under Pressure, is now required reading.

Dr. Dworkis is a professor of medicine and an emergency physician. His book, published in 2021, is part of a project that includes a website, podcast and other supports for individuals and teams striving to perform better under pressure. Dr. Dworkis calls The Emergency Mind a “mental toolkit.” It’s comprised of 25 prescriptions for how to think and act in high-pressure situations.

When I picked up The Emergency Mind and started in, I was immediately excited. For me, there’s no greater measure of a text than its relevance, and The Emergency Mind was packed with relevant ideas. I connected with them as a lawyer and an athlete, but drew most insight in respect of my role as a cyber incident coach and team lead. I took some notes while reading, and have turned them into the table below. The left-hand column summarizes some key ideas from The Emergency Mind. The right-hand column contains my notes (now edited) on their application to cyber incident response.

Practice the discipline of “suboptimal”
Idea: Bad outcomes and mistakes will happen. Identify (label) and accept the mistake, rapidly pivot to face the new reality, and learn from the event.  

Quote: “Personally, when I perform the labeling part of a response, I begin by saying, ‘Well, this is suboptimal.’ Labelling something as ‘suboptimal’ acknowledges the challenging nature of what is happening without pulling me or my team off-line the way that calling it ‘horrible’ or ‘hopeless’ might.”

Notes: Labelling thoughts and emotions is a well-known and effective mindfulness technique. To use it in incident response, one must first acknowledge that incident response can provoke emotion.

This is true, especially when things go wrong. Evidence is sometimes deleted, information is leaked or conveyed to third parties prematurely, threat actors do not do what is predicted, and so on. When faced with these problems, the team must resist the urge to dwell on the matter of fault and continue to look forward. Learning comes later in the incident response process, at least after the acute phase has passed.

I also appreciate Dr. Dworkis’s use of the term “suboptimal” because it mirrors the typical objective we set in guiding clients through an incident – to “optimize” the course of action in light of business, reputational and legal risks. Use of the terms “optimal” and “suboptimal” highlights the fluid nature of incident response. There are always multiple paths to the end.  

Combine action and analysis

Idea: Have and foster an ability to apply the right mode of thinking and action – be it fast or slow.  

Quote: “When you are not forced to act, jumping into a response without further analysis of the emergency is sometimes a bit like throwing darts without looking at the dartboard. You might hit the board, but because you don’t understand where you are aiming, you’re much more likely to miss the target entirely and waste your darts.”    

Notes: This is reminiscent of an idea I have shared with associates about practicing law fast and slow, adapted from Daniel Kahneman’s text Thinking, Fast and Slow. We need to know when a legal problem deserves a quick handling – enabled by assumptions and qualifications – and when we must buy time for more robust analysis.

In incident response, we are primarily in fast thinking, “action mode.” There are moments on calls when you need to pause, draw deep on experience and instinct, and declare how best to proceed. The qualification is implicit, though sometimes we explain that we are making a decision based on “gut.”  

At the same time, slowing the pace of decision making down is a major responsibility of a cyber incident coach. Dr. Dworkis’s dart board metaphor can illustrate the tendency of many inexperienced incident response teams to rush at the outset of a cyber incident. I’m not counselling inaction, but most teams will benefit from a pause and emotions check at the outset. There is more time available than you feel.  

Favour praxis over theory

Idea: Identify solutions that can actually be applied in the moment whether or not they represent theoretical best practice. Favour praxis – the application of knowledge to real life.  

Quote: “One of the best ways you can start to consider the details of praxis and theory in your field is to explore deeply the actual mechanisms that must function correctly for you to deliver your skill. Get curious about how the sausage is made, so to speak. Lean into learning both deeply in your chosen skills, and laterally into the adjacent skills that help you and your team succeed.”  

Notes: This is a good one for me, particularly as it pertains to the challenge of analyzing large, stolen data sets. Doing a proper analysis based on e-discovery is plainly the ideal, but e-discovery is expensive and time consuming, and time-to-notify is a very visible fact. Burning weeks and months on e-discovery can spoil an excellent early-stage response, leaving an organization that has spent the time and money to “do the job right” the subject of overwhelmingly negative judgement and outcry.

So, before engaging in e-discovery, we build the best possible informal view of the data set, we build towards reasonable assumptions, and we see if classes of individuals can be notified without e-discovery. We help clients weigh the risk of “over notification” against the risk of delay. These solutions are neither precise nor pretty, but can be defensible.  

Decide not to decide

Idea: Do not waste your decision-making resources. Devote them to the most important and difficult decisions.  

Quote: “During an emergency, the most critical decisions are those that irreversibly (or at least strongly) commit your team to a particular mental model or course of action.”

Notes: No cyber incident coach is happy to be brought into a matter and paired with an incident response forensics vendor who has already been retained. That single decision bears more on the outcome of an incident than any other in my view. This is because we must trust the chosen vendor, especially regarding the scope and depth of the investigation. There is a limited ability to consider and discuss the scope of forensic evidence collection, and deference to a vendor’s standard practice is the norm. These practices vary, and over- and under-scoping an investigation can have highly negative consequences.

Practice Wabi-sabi

Idea: Employ the Japanese concept of wabi-sabi, which emphasizes the values of simplicity, imperfection, and transience.  

Quote: “… if you deny that situations change, you create a potentially dangerous schism in your universe and the reality around you. As this gap increases, the solutions and plans you had generated before reality changed will be rapidly ineffective.”  

Notes: My strong preference is to contact a threat actor early because it is a fast way to gather reliable information and because it is a means of enhancing control and keeping the primary adversary in view.

Threat actors – perhaps frustrated by repeated engagement with organizations who are more interested in investigation than payment – have adopted countermeasures, becoming very stingy with their information. We also recently provided counsel on an incident in which our client had reliable intelligence that a threat actor would be slow to publish in the absence of contact, which meant it could delay a reach out while remaining in control.  

This perfectly illustrates Dr. Dworkis’s point. The Wabi-sabi way demands detachment from a tactic we have so often helped clients deploy to a successful end.    

See the forest and the leaf

Idea: Default to an attention span that is zoomed in, but don’t lose sight of the whole field.  

Quote: “… emergency medical providers often find themselves handling multiple sick patients simultaneously. In these circumstances, it might not be possible, or desirable, to completely restrict your focus to a single patient. Here, communication and delegation are key, and cognitively offloading some of your thinking to skilled team members helps you deploy your focus where you need it most.”  

Notes: At any given time, we will be working with ten to twenty clients who are responding to incidents – our patients. As a team lead, my attention is drawn most to those clients with incidents in the acute phase, which lasts from one to three weeks. Beyond that, incidents move into a slower phase that involves e-discovery, notification and reporting. We delegate much of the work in that phase to an excellent team of associates. These associates have a greater degree of technical knowledge about the latter phase of incident response than the partners who act as leads.

Given the money spent on e-discovery and notification, the latter phase of incident response is not low risk, but it does move slower, and tasks can be delegated effectively with good communication. Good communication requires a lead to “run the board” regularly – re-building a view of all cases – and making course corrections before small latter-phase problems grow.

Harness the wisdom of the room

Idea: To the extent possible, rely on information and knowledge from every individual on the team.  

Quote: “As a leader, you will frequently feel tension between your need to process multiple points of view and to move forward rapidly with a plan. At some points during a crisis, your emphasis should be on action and execution of your plan. At others, the emphasis might be on unifying your team’s vision through open discussion.”  

Notes: Dr. Dworkis recommends asking the team, “What are we missing? What have we not tried yet?” I’ve done more of this questioning at his urging, and like how it affects the team dynamic. It’s an acknowledgement that incident response is complex, that there are few clear answers and that the perspective of the team matters. It’s an invitation to humility, and a humble crisis leader is a good crisis leader.

Preparation and performance under pressure go hand in hand, and we all know that preparation for cyber incidents is a critical best practice. My urging to cyber responders (lawyers and non-lawyers alike) is to expand your scope of preparation to encompass performance under pressure. This will help you develop fundamental skills and behaviors that will have an impact on your and your teams’ performance. Reading The Emergency Mind would be a great start.

Court of Appeal for Saskatchewan reformulates guidance for ownership of lawyers’ files

On August 10th, the Court of Appeal for Saskatchewan held that the Saskatchewan Court of Queen’s Bench erroneously ordered “solicitor’s notes and inter-office memoranda” to be produced to a client because this categorization was over-broad. It reviewed the Canadian law and held that the authoritative text from Cordery’s Law relating to Solicitors is often misunderstood and unquestioningly applied to provide lawyers ownership of their “working file.” It re-stated the test as follows:

  • Documents in existence prior to the retainer and provided by the client to the lawyer remain, in the absence of some proof to the contrary, the property of the client.
  • Documents prepared by a lawyer for the benefit of the client belong to the client. This would include, for instance: legal research memoranda; pleadings, briefs and other documents filed in court; witness statements; and notes of conversations with the client, other counsel or third parties concerning matters that relate to the substance of the file or to the business of advancing the file toward a conclusion.
  • Documents prepared by a lawyer for their own benefit or protection belong to the lawyer. This would include, by way of example, things such as accounting records, conflict searches, time entry records, and financial administration records like draft statements of account and cheque requisitions. Internal communications and notes concerning administrative matters such as the role that various lawyers and staff will play on the file may also fall into this category.
  • That said, documents will often be prepared for, or will serve, more than one purpose. For example, a file note setting out instructions received from a client will both benefit the client by helping to ensure that their wishes are clearly understood and benefit the lawyer by memorializing the mandate received from the client. In such circumstances, the predominant purpose should be controlling. Any doubt about the predominant purpose should be resolved in favour of the client with the result being that “documents prepared for the benefit of the lawyer” is likely to be quite a narrow class of material in most files. In this regard, one helpful way to assess if a document belongs to the client may be to ask whether, when it was created, a new lawyer taking over the file at that time would have wanted to have had the document in order to properly and efficiently manage the file and advance the client’s interests. If the answer is “yes”, and particularly if the client paid for the time involved in generating the document, then it should be seen as belonging to the client.
  • The fact that the client has been billed for the time involved in preparing a document will be a significant factor, but not necessarily a decisive one, weighing in favour of the conclusion that the document belongs to the client. In this regard, it is difficult to see how a document prepared for the benefit of the client and for which the client was billed would not be the property of the client. However, that said, I doubt that the same is true with respect to documents prepared for the benefit or protection of the lawyer. For example, and without endorsing this sort of billing practice, if the lawyer happens to record and charge out the time involved in doing a conflict of interest check to confirm that they can act for the client, the document reflecting the result of that conflict of interest check would nonetheless belong to the lawyer.
  • The burden of showing that a document in a file is the property of the lawyer should rest with the lawyer. They will understand the circumstances in which the document came to be created and will be in possession of the information about who it was intended to benefit.

Note the imposition of a predominant purpose test and a form of presumption in the fourth bullet above, which is at the crux of the Court’s decision.

CPC Networks Corp. v McDougall Gauley LLP, 2023 SKCA 90 (CanLII).

Federal Court of Appeal modifies test for application of open courts principle to administrative tribunals

On July 27th, the Federal Court of Appeal held that the Parole Board of Canada erred in denying the media access to recordings of its hearings.

The matter was about an application for copies of recordings of parole hearings involving notorious convicted criminals Paul Bernardo, William Shrubsall and Craig Monro. The Corrections and Conditional Release Act provides for parole hearings that the Supreme Court of Canada has said are inquisitorial in that the Board is bound to consider all evidence put before it in conducting a form of risk assessment. The Act also gives the public a presumptive right to attend hearings. The media can therefore (presumptively) attend and report on hearings, though the Act deems personal information in the recordings (and other documents on the record) not to be publicly available for the purpose of the Access to Information Act and the Privacy Act.

The CBC relied on the open courts principle, though the Court ultimately determined the matter on administrative law grounds. It held the Board unreasonably reckoned with the odd scenario – that the media had already heard and reported on everything recorded even though it was deemed not to be publicly available – and erroneously refused to disclose the recordings “outright” based on an unreasonable amplification of the privacy risk. It suggested that there may be some privacy risks in providing access, but that they could be addressed by imposing conditions on storage and republication.

As for the open courts principle, the Court accepted the following Board argument against application:

The Board says that it is not because its proceedings are inquisitorial – not adversarial – in that the Board is engaged in a risk assessment process in the course of which it receives information from Corrections Canada and submissions from the offender and victims. The offender is not opposed by a representative of the state, as is the case, for example, in a sentencing hearing. Similarly, the offender’s counsel, if they have one, has a limited role in Board hearings.

It also, however, modified and expanded the test for application, noting that the test should focus on the degree to which a tribunal presides over an adversarial proceeding rather than the procedural trappings of the proceeding. It explained:

It appears that, whatever other distinctions may exist between different kinds of administrative tribunals, the fact that a tribunal presides over adversarial proceedings as an adjudicative body is a reliable indicator that the tribunal is subject to the open court principle. It is the fact of adjudicating competing interests that imposes the duty of fairness and impartiality which gave rise to the description of some tribunals as quasi-judicial. In Toronto Star Newspapers Ltd. v. Ontario (Attorney General), 2018 ONSC 2586, 142 O.R. (3d) 266, such tribunals were described as adjudicative tribunals. The characteristic that gives rise to the application of the open court principle to an administrative tribunal is the presence of an adversarial process, as opposed to the formalities by which that adversarial process is conducted. In short, the open court principle applies to adjudicative tribunals.

The Court ordered the matter to be returned to the Board for reconsideration.

Canadian Broadcasting Corporation v. Canada (Parole Board), 2023 FCA 166 (CanLII).

Manitoba Law Reform Commission comes out against NDA legislation

On June 29th, the Manitoba Law Reform Commission issued its final report on its study of the use of non-disclosure agreements in the settlement of misconduct claims. The Commission “strongly recommended” that legislation governing the content and use of NDAs in claims of misconduct should not be enacted in Manitoba at this time because such legislation “could cause serious, unintended consequences and negatively impact complainants.”

The Commission is established under a Manitoba statute to “inquire into and consider any matter relating to law in Manitoba with a view to making recommendations for the improvement, modernization and reform of law.” The Commission is currently comprised of two judges, two law professors and three practitioners, five of whom are female. It reached its conclusion after issuing a consultation paper last year and engaging in public consultation.

The Commission acknowledged that the issue is complex and subject to divergent views. It concluded that the model of legislation first implemented in Prince Edward Island and now reflected in numerous Canadian bills amounts to a virtual prohibition on the use of NDAs. The Prince Edward Island Non Disclosure Agreements Act, for example, deems an NDA to be unenforceable if it adversely affects the health and safety of a third-party or the public interest, a provision a reform advocate argued to the Commission rendered all NDAs unenforceable. Likewise, the Commission concluded that a requirement that permits survivors to walk away from a previously agreed to undertaking of confidentiality would preclude the use of NDAs altogether.

This effective ban, according to the Commission, goes too far given NDAs can serve the public interest and the interests of survivors. It underscored its position by presenting a lengthy quote from a childhood sexual abuse survivor, a quote also worthy of including here in full:

Given my past, I tend to focus first on the victim, on what’s best for the victim. That focus is so absolute that the only possible submission I could make here is that NDAs in these circumstances must be eliminated, right?

Wrong.

Because even though I live daily with my experience as a victim of the worst serial sexual abuse imaginable, I can’t shut down the other part of me that knows that I benefitted from an arrangement that involved an NDA that may not have been possible had there been a law preventing an NDA in my circumstances.

In short, there is no right answer, for as strong as all of the reasons why NDAs can be harmful and dangerous for victims are, things just might end up even worse for victims if NDAs are not allowed in these circumstances.

My submission would undoubtedly be different if we lived in a world where as much money and other resources is dedicated to rehabilitating victims as is made available for incarcerating and attempting to rehabilitate those who commit the crimes against these victims. But we don’t live in that world. Things are getting better, but we still don’t focus enough on making sure victims are rehabilitated. That can leave a victim desperate for whatever help and support he or she can get, financial or otherwise.

Unfortunately, NDAs are one side of a commercial transaction. It’s ugly to think of them that way, but that’s what is most often taking place. Silence is being traded for money. It’s awful, it’s disgusting. But it’s the reality. And, it’s an undeniable fact that without an NDA and the corresponding secrecy parties would have less incentive to enter into agreements with victims.

As bad as being constrained by an NDA might be, it isn’t for me to ever say that a victim would be better off being free from that burden if it meant having to give up a financial settlement that could possibly provide life-sustaining support. The unfortunate reality is that there would be fewer settlements available for victims if NDAs were not permitted in these instances.

I know what I want to write. I know what people want to hear from a victim like me. I want to be able to write that NDAs in these circumstances are reprehensible and should be precluded. And they are reprehensible. But just because they are reprehensible doesn’t mean that the alternative wouldn’t be worse. Eliminating NDAs would skew incentives in a way that would likely have an even worse impact on victims. And, I don’t think there is any meaningful way to legislate a way out of this basic conundrum.

We want to do good things, we want to better our world. We are angry that bad things happen to good people, that bad people get away with bad things. We want to change that. We are motivated for all of the right reasons. So we try to do something, anything, to try to make things better. NDAs seem bad, they feel bad, so they must be bad, we must enact a new law precluding them or limiting them.

But NDAs can facilitate what a victim needs. NDAs, as abhorrent as they may be, actually develop out of a process that tries to make things better for the victim. So I urge caution before any steps are taken that would potentially interfere with this unpalatable yet important part of our legal system involving victims.

Currently, aside from PEI, Ontario has enacted legislation meant to protect students at post-secondary educational institutions. There is now a broader private member’s bill at first reading in Ontario and bills before the legislatures of British Columbia and Nova Scotia and before Federal Parliament. The Commission’s report is important because it features a view that is not popular and very difficult to convey, though it also raises a critical concern about the clear legislative trend.

BCSC quashes FOI decision about risk of harm to Airbnb hosts

On July 4th, the Supreme Court of British Columbia quashed a British Columbia OIPC order to provide an FOI requester with access to information about Airbnbs operating in the City of Vancouver.

The City licenses short-term rentals. It publicly discloses license information, presumably to enable renter inquiries. However, the City stopped publishing host names and rental addresses with license information in 2018 based on credible reports of safety risks. Evidence of the safety risks was on the record before the OIPC – general evidence about “concerned vigilante activity” and harassment, evidence about a particular stalking episode in 2019 and evidence that raised a concern about enabling criminals to determine when renters are likely to be out of the country.

The OIPC nonetheless ordered the City to disclose:

  • License numbers of individuals;
  • Home addresses of all hosts (also principal residences given licensing requirements); and
  • License numbers associated with the home addresses.

It was common ground that the above information could be readily linked to hosts by using publicly available information, so the order would undermine Airbnb’s means of protecting its hosts. Airbnb only discloses the general area of rentals on its platform, which allows hosts to screen renters before disclosing their address.

The Court affirmed the OIPC dismissal of the City’s safety concern as a reasonable application of the Merck test, but held that the OIPC erred on two other grounds.

First, the Court held that the OIPC unreasonably held that home address information was contact information rather than personal information. It failed to consider the context in making a simplistic finding that home address information was “contact information” because the home address was used as a place of business. The disclosure of the home address information, in the context, had a significant privacy impact that the OIPC ought to have considered.

Second, the Court held that the OIPC erred in not giving notice to the affected hosts – who numbered at least 20,000 – and for not providing reasons for its failure. The Court said this was a breach of procedural fairness, a breach punctuated by the evidence of a stalking and harassment risk that the OIPC acknowledged but held did not meet the Merck threshold.

This is a wonderful case that illustrates how judicial review works. In my view, the evidence about the risk of harm drove the outcome despite the Court’s affirmation of the OIPC finding. The Court simply found an easier way to address the problem with the OIPC’s outcome – a procedural fairness finding. The notice obligation is no small obligation in cases like this, but cannot be rightly ignored.

Airbnb Ireland UC v Vancouver City, 2023 BCSC 1137.

BCCA finds statutory right of access to personal health information too broad

On April 24th, the Court of Appeal for British Columbia held that section 96(1) of the British Columbia Child, Family and Community Service Act infringes the Charter right against unreasonable search and seizure.

Section 96(1) gives British Columbia directors of child protection a right of access to information in the custody or control of public bodies, including health care bodies. Although for child protection purposes in the main, section 96(1) is worded broadly as follows:

96 (1)   A director has the right to any information that

(a)     is in the custody or control of a public body as defined in the Freedom of Information and Protection of Privacy Act, and

(b)     is necessary to enable the director to exercise [their] powers or perform [their] duties or functions under this Act.

The Court held that “necessity,” in particular given section 96(1)’s child protection purpose, imposes only a limited restriction – confining the right of access to “any information in the custody or control of a public body that the ‘Director considers necessary.’”

Interpreted as such, and based on a balancing of parents’ interest in informational privacy against the competing state interest in protecting children from harm, the Court held that section 96(1) was unreasonable.

The Court held that the application judge erred by focusing too heavily on the manner of intrusion – which does not invite an intrusion upon the body, entry into a private dwelling or ongoing surveillance – without giving due weight to the sensitivity of the information at issue. It said:

In applying the second Goodwin factor, a judge must consider not only the extent to which a particular methodology directly engages with the target of the search or seizure and interferes with their bodily integrity or personal surroundings, but the impact of the state action on their reasonable expectations of privacy in light of the nature of the items or information involved. In his earlier-cited article, Professor Penney describes the intrusiveness analysis in this manner: it is an assessment of the “degree to which [the search or seizure] discloses intimate personal information or compromises dignity, autonomy, or bodily integrity”: at p. 96, emphasis added. I agree.

The Court also held that the application judge erred in finding that section 96(1) has sufficient safeguards. Importantly, it said that prior judicial authorization or prior notice is not required to meet section 8’s standard of reasonableness, but held that section 96(1) lacks other features, which renders it unreasonable. The Court (oddly) criticized the clarity of section 96(1) and suggested that the province replace the necessity requirement with a reasonableness requirement (?). More plainly, the Court said that the province must at least provide for after-the-fact notice and a meaningful oversight mechanism.

The Court declared section 96(1) to be of no force and effect to the extent that it authorizes the production of personal information, suspended the declaration for 12 months and ordered that the declaration be prospective only.

T.L. v. British Columbia (Attorney General), 2023 BCCA 167 (CanLII).

Hat tip to Ian Mackenzie.

Arbitrator distinguishes Hooper, gives counsel direct access to disability management file

The Ontario law governing disability management and occupational health records is in disarray, though it did not stop an Ontario arbitrator from reaching the correct outcome in a decision released in November of last year. Arbitrator Colin Johnston held that neither the Personal Health Information Act nor the Occupational Health and Safety Act precluded a hospital from providing its disability management file to its legal counsel so counsel could review it for production purposes.

Although the right outcome, Arbitrator Johnston reached it through (understandably) conservative means, distinguishing the Orillia Soldiers’ Memorial Hospital case which precluded such a disclosure and the Divisional Court decision in Hooper. Further correction is required, as I argue here.

Health Sciences North v Ontario Nurses’ Association, 2022 CanLII 106545 (ON LA).

Court says access parent’s right to information limited by children’s privacy rights

On October 12th of last year, the Ontario Superior Court of Justice considered the interplay between an access parent’s right to information under section 20(5) of the Children’s Law Reform Act and the privacy rights granted by the Personal Health Information Protection Act. It held that the right to information is qualified by a child’s best interest, and a privacy right claimed by a child with capacity under PHIPA is a relevant factor.

Section 20(5) of the CLRA says:

The entitlement to parenting time with respect to a child includes the right to visit with and be visited by the child, and includes the same right as a parent to make inquiries and to be given information about the child’s well-being, including in relation to the child’s health and education.

The Court addressed a motion brought by a father for access to his children’s health and counselling files. He had sought access under PHIPA and was denied because the children – both deemed to have capacity – withheld their consent. The father brought a motion in Family Court, relying both on Section 20(5) and seeking production of third-party records under the Family Law Rules, arguing the records were relevant to his claims of parental alienation and other parenting issues to be determined by the Court.

The Court read section 20(5) together with section 28(8), a new provision of the CLRA that qualifies the right to information as being “subject to any applicable laws.” It said:

This new statutory reference to a Court being able to “order otherwise” is a specific reminder that the right in 20(5) is not absolute.  Internally, the right must be interpreted through the lens of the best interest principle, as all decisions affecting children are:  see again section 19(a) of the Children’s Law Reform Act; see 24(1); and see also Children’s Lawyer for Ontario v. Ontario (Information and Privacy Commissioner), 2018 ONCA 559 ¶58-61.  

The new, statutory subjugation of the right in section 20(5) externally “to any applicable laws” codifies what was already happening, namely that courts should consider the operation of other laws, like the PHIPA when considering the scope of the right.  Another example of another “applicable law” that can interact with the right in section 20(5) would be the common law of privilege:  see M.(A.) v. Ryan, 1997 CanLII 403 (SCC), [1997] 1 S.C.R. 157.

The reference to “subjugation” is somewhat misleading given the Court affirmed its power to make an order under the CLRA based on the best interests principle and affirmed that such an order would bind health information custodians despite PHIPA. Section 20(5) is only subjugated to PHIPA in that PHIPA rights are a factor (and arguably a strong factor) in the best interests analysis.

On the facts, the Court held there was no basis for an order under section 20(5) but there was a basis for a limited production order (based on fairness considerations) under the Family Law Rules.

L.S. v. B.S., 2022 ONSC 5796 (CanLII).

NLCA opts for narrow interpretation of third-party information exemption

On February 2nd, the Court of Appeal of Newfoundland and Labrador held that only a party who owns third-party information has standing to rely on the third-party information exemption in the Newfoundland Access to Information and Privacy Act.

The Newfoundland exemption is in section 39, and reads as follows:

39.(1) The head of a public body shall refuse to disclose to an applicant information

(a) that would reveal

(i) trade secrets of a third party, or

(ii) commercial, financial, labour relations, scientific or technical information of a third party;

(b) that is supplied, implicitly or explicitly, in confidence; and

(c) the disclosure of which could reasonably be expected to

(i) harm significantly the competitive position or interfere significantly with the negotiating position of the third party,

(ii) result in similar information no longer being supplied to the public body when it is in the public interest that similar information continue to be supplied,

(iii) result in undue financial loss or gain to any person, or

(iv) reveal information supplied to, or the report of, an arbitrator, mediator, labour relations officer or other person or body appointed to resolve or inquire into a labour relations dispute.

The words “of a third party” are not common to all FOI statutes. Ontario’s statutes, for example, simply say, “A head shall refuse to disclose a record that reveals a trade secret or scientific, technical, commercial, financial or labour relations information supplied…”

The Court of Appeal gave effect to these words in an appeal about a request for a table listing all video lottery terminal (VLT) operators in Newfoundland and Labrador with their retailer operating name, location, and the total net revenue generated by VLTs at that location. The Atlantic Lottery Corporation supplied this information to the Department of Finance, which received the request. After the Atlantic Lottery Corporation had lost an appeal to court in its attempt to shield the information from the right of public access, the Beverage Industry Association of Newfoundland and Labrador (the BIA) asserted third party standing on behalf of the VLT operators.

The Court held that the VLT operators had no standing because they did not own the information. It rejected the BIA argument that a beneficial interest in the information was sufficient to support standing given the purpose of the Act, which is to foster transparency.

The Court also held that this point was so clear that neither the Department (pursuant to its mandatory duty to notify affected third parties) nor the Information and Privacy Commissioner (as a matter of fairness and discretion) failed to meet their respective duties on account of not notifying the BIA.

Newfoundland and Labrador (Information and Privacy Commissioner) v Beverage Industry Association of Newfoundland and Labrador, 2023 NLCA 2 (CanLII).

Manitoba judge implores common sense approach to privacy protection

On November 11th of last year, the Manitoba Court of King’s Bench ordered the City of Winnipeg to release information sought by an FOI requester, rejecting a claim that the information constituted “personal information.”

The media requester sought access to records of breaches and penalties imposed on Winnipeg police officers for breach of police service regulations. The City recorded this information in quarterly reports without names or other direct identifiers, and routinely published the reports internally to approximately 2,000 civilian and police service members.

In answering the request, the City redacted information about penalties imposed for each violation (identified only by regulation number) under the “unjustified invasion of personal privacy” exemption. It claimed that to include penalty information would render the information personal information, the disclosure of which constituted an unjustified invasion of personal privacy. Here is the City’s re-identification risk argument:

[7] Some of the penalties in the Routine Orders are unique and significant and might be apparent to family and close friends of the member who received the penalty. If a member received a penalty of loss of days, family or close friends of the member could be aware of a change of routine because the member has reduced pay or less leave. Family or close friends who saw the penalty in combination with the timeframe on the Routine Order in which the penalty was registered might make the connection and realize that their friend or relative was investigated by their employer and what the particular charge was.

And more:

[9] Some of the charges in the Routine Orders are specific and could result in public identification of the member by that fact alone. For example, witnesses, and complainants could be aware of the circumstances that resulted in the Regulatory charge and if they saw the charge and the Routine Orders in combination with the timeframe on the Routine Order in which the penalty was registered, could then become aware of the penalty imposed.

The Court rejected this argument and found that the information was not personal information based on the well-established reasonable expectations test – a test that asks whether a proposed disclosure, in conjunction with other available information, could reasonably be expected to identify an individual. Notably, the court held that this standard imposes the same evidentiary burden articulated by the Supreme Court of Canada in Merck Frosst – a burden that requires proof of a non-speculative event considerably more likely than a mere possibility but not necessarily proof of an event that is likely.

Like most public sector access and privacy statutes, the Manitoba Freedom of Information and Protection of Privacy Act does not shield personal information from the right of public access entirely – it only protects against unjustified invasions. The judge noted this, noted the City’s broad internal publication of the penalty information at issue and urged those charged with facilitating access to records to approach their task “with a healthy dose of common sense.”

Annable (CBC) v. City of Winnipeg, 2022 MBKB 222 (CanLII).