NLCA opts for narrow interpretation of third-party information exemption

On February 2nd, the Court of Appeal of Newfoundland and Labrador held that only a party who owns third-party information has standing to rely on the third-party information exemption in the Newfoundland Access to Information and Privacy Act.

The Newfoundland exemption is in section 39, and reads as follows:

39.(1) The head of a public body shall refuse to disclose to an applicant information

(a) that would reveal

(i) trade secrets of a third party, or

(ii) commercial, financial, labour relations, scientific or technical information of a third party;

(b) that is supplied, implicitly or explicitly, in confidence; and

(c) the disclosure of which could reasonably be expected to

(i) harm significantly the competitive position or interfere significantly with the negotiating position of the third party,

(ii) result in similar information no longer being supplied to the public body when it is in the public interest that similar information continue to be supplied,

(iii) result in undue financial loss or gain to any person, or

(iv) reveal information supplied to, or the report of, an arbitrator, mediator, labour relations officer or other person or body appointed to resolve or inquire into alabour relations dispute.

The words “of a third party” are not common to all FOI statutes. Ontario’s statutes, for example, simply say, “A head shall refuse to disclose a record that reveals a trade secret or scientific, technical, commercial, financial or labour relations information supplied…”

The Court of Appeal gave effect to these words in an appeal about a request for a table listing all video lottery terminal (VLT) operators in Newfoundland and Labrador with their retailer operating name, location, and the total net revenue generated by VLTs at that location. The Atlantic Lottery Corporation supplied this information to the Department of Finance, who received the request. After the Atlantic Lottery Corporation had lost an appeal to court in its attempt to shield the information from the right of public access, the Beverage Industry Association of Newfoundland (the BIA) and Labrador asserted third party standing on behalf of the VLT operators.

The Court held that the VLT operators had no standing because they did not own the information. It rejected the BIA argument that a beneficial interest in the information was sufficient to support standing given the purpose of the Act, which is to foster transparency.

The Court also held that this point was so clear that neither the Department (pursuant to its mandatory duty to notify affected third parties) nor the Information and Privacy Commissioner (as a matter of fairness and discretion) failed to meet their respective duties on account of not notifying the BIA.

Newfoundland and Labrador (Information and Privacy Commissioner) v Beverage Industry Association of Newfoundland and Labrador, 2023 NLCA 2 (CanLII).

Manitoba judge implores common sense approach to privacy protection

On November 11th of last year, the Manitoba Court of Kings Bench ordered the City of Winnipeg to release information sought by an FOI requester, rejecting a claim that the information constituted “personal information.”

The media requester sought access to records of breaches and penalties imposed on Winnipeg police officers for breach of police service regulations. The City recorded this information in quarterly reports without names or other direct identifiers, and routinely published the reports internally to approximately 2,000 civilian and police service members.

In answering the request, the City redacted information about penalties imposed for each violation (identified only by regulation number) under the “unjustified invasion of personal privacy” exemption. It claimed that to include penalty information would render the information personal information, the disclosure of which constituted an unjustified invasion of personal privacy. Here is the City’s re-identification risk argument:

[7] Some of the penalties in the Routine Orders are unique and significant and might be apparent to family and close friends of the member who received the penalty. If a member received a penalty of loss of days, family or close friends of the member could be aware of a change of routine because the member has reduced pay or less leave. Family or close friends who saw the penalty in combination with the timeframe on the Routine Order in which the penalty was registered might make the connection and realize that their friend or relative was investigated by their employer and what the particular charge was.

And more:

[9] Some of the charges in the Routine Orders are specific and could result in public identification of the member by that fact alone. For example, witnesses, and complainants could be aware of the circumstances that resulted in the Regulatory charge and if they saw the charge and the Routine Orders in combination with the timeframe on the Routine Order in which the penalty was registered, could then become aware of the penalty imposed.

The Court rejected this argument and found that the information was not personal information based on the well-established reasonable expectations test – a test that asks whether a proposed disclosure, in conjunction with other available information, could reasonably be expected to identify an individual. Notably, the court held that this standard imposes the same evidentiary burden articulated by the Supreme Court of Canada in Merck Frosst – a burden that requires proof of a non-speculative event considerably more likely than a mere possibility but not necessarily proof of an event that is likely.

Like most public sector access and privacy statutes, the Manitoba Freedom of Information and Protection of Privacy Act does not shield personal information from the right of public access entirely – it only protects against unjustified invasions. The judge noted this, noted the City’s broad internal publication of the penalty information at issue and urged those charged with facilitating access to records to approach their task “with a healthy dose of common sense.”

Annable (CBC) v. City of Winnipeg, 2022 MBKB 222 (CanLII).

IPC/Ontario addresses legibility and the duty to accommodate FOI requesters

On December 23rd, the Information and Privacy Commissioner/Ontario issued an order that illustrates the Ontario law governing the legibility of records and institution’s duty to accommodate freedom of information requesters with disabilities.

These issues are governed by section 48(4) of the provincial act and section 37(3) of the municipal act. They read as follows:

Where access to personal information is to be given, the head shall ensure that the personal information is provided to the individual in a comprehensible form and in a manner which indicates the general terms and conditions under which the personal information is stored and used.

The IPC has held that these sections require institutions to provide reasonable quality copies, though not to transcribe or provide records in an alterative format subject to a duty to accommodate. Regarding accommodation, the IPC has held that institutions have a duty to provide disabled requesters with their personal information in a format that is comprehensible or intelligible to them. This duty is to be informed by the duty to accommodate in respect of service provision as established by the Human Rights Code, and presumably has a similar scope.

As with accommodation requests made under the Code, requesters who seek accommodation have a duty to establish the existence of a disability and their related medical needs. In its December order, the IPC dismissed an appeal that claimed a university had a duty to provide handwritten notes in an alternative format because the requester’s disability rendered the notes illegible. The requester did not provide sufficient evidence of his medical needs to establish a right to accommodation.

McMaster University (Re), 2022 CanLII 123506 (ON IPC).

Alberta CA interprets intergovernmental relations FOI exemption broadly

On December 6th, the Court of Appeal for Alberta held that a record supplied by a local police service to another local police service is amenable to withholding under the intergovernmental relations exemption in the Alberta Freedom of Information and Protection of Privacy Act.

The document at issue was a threat assessment report supplied by the RCMP to the Edmonton Police Service. The RCMP was acting under contract to provide local police services, which led the Alberta OIPC to find that it was an agency of the province. The OIPC relied on the heading “disclosure harmful to intergovernmental relations” and held that information supplied to a public body by an entity within Alberta could not qualify for exemption.

The Court held that the OIPC erred in its narrow interpretation of the exemption and by finding that the RCMP was an agency of the province. In the circumstances, the RCMP was to be treated as any other police service – a “local government body” – and one who could benefit from the exemption in disclosing information to another local public body. The OIPC put too much weight on the “intergovernmental relations” heading, it said, and ignored the plain wording of the Act.

Edmonton Police Service v Alberta (Information and Privacy Commissioner), 2022 ABCA 397 (CanLII).

IPC/Ontario affirms $140,000 fee estimate for e-mail request

On September 28th, the Information and Privacy Commissioner/Ontario affirmed a $140,132 fee estimate and decision to deny a request to waive the same.

The requester was interested in matters related to the expenditure of funds on a new hospital site in Windsor. In relation to this interest, he sought hospital e-mails from 17 accounts that spanned a nine year period. The requester provided 100 search terms that were broad and seemingly un-targeted at the subject matter of interest.

The hospital generated its estimate based on an application of the requester’s terms. It estimated 145,000 pages of responsive records and calculated the estimate based on the (standard) two minutes of preparation time per page. It did not include time for its search.

The IPC upheld the fee estimate and the fee waiver denial. It said, “a fee waiver would shift an unreasonable burden of the cost to hospital.”

I’ve been tracking “e-FOI” decisions for many years, and believe this to be the highest estimate the IPC has affirmed. In general, and thankfully, the IPC has been pragmatic in handling fee, fee estimate and fee waiver appeals. This is important given how expensive it can be to process e-mail requests and because the law ought to encourage requesters to work with institutions to tailor their requests.

Windsor Regional Hospital (Re), 2022 CanLII 91591 (ON IPC).

The perils of e-mail attachments and privilege claims

The Court of Appeal for Saskatchewan issued a freedom of information judgement last week that illustrates a good practice point for FOI practitioners: claim privilege over privileged e-mails and their attachments together.

“Record 1” was an e-mail sent to Ministry legal counsel for the purposes of obtaining legal advice about its attachments. Though part of the privileged communication, the Ministry indexed the attachments as “Record 2” and “Record 3.” It claimed that the attachments were privileged, and also exempt pursuant to the Saskatchewan exemption for “information obtained in confidence from other governments.”

By making its exemption claims in this way, the Ministry revealed that it sought legal advice on communications (and information) it received from other governments. Is it any surprise, then, that the Court affirmed a finding that the attachments were not protected by solicitor-client privilege?

While viewing the Court’s finding is understandable, I don’t agree that it is correct. The attachments to (privileged) Record 1 are clearly part of a privileged communication. As part of that communication (and not necessarily on their own), the attachments are privileged. The Ministry ought to have better protected its privilege by indexing Record 1 in its entirety and, if Records 2 and 3 were responsive on their own, indexing each separately.

Saskatchewan (Ministry of Health) v West, 2022 SKCA 18 (CanLII).

Privacy violation arises out of failure to notify of FOI request

On September 21st, the Information and Privacy Commissioner/Ontario held that a municipality breached the Municipal Freedom of Information and Protection of Privacy Act by failing to notify an affected person of an FOI request.

The complainant discovered that the municipality had released e-mails he had sent to councilors about a planning matter in responding to FOI requests and without providing notice. MFIPPA requires notification of a request for records containing personal information if the head has “reason to believe” their release “might constitute an unjustified invasion of personal privacy.”

The IPC held that the municipality had not met this requirement. It reasoned:

As indicated above, the County disclosed the complainant’s name, address and views and opinions about Hastings Drive without notifying him pursuant to section 21(1)(b). Given the nature of the complainant’s personal information at issue, in my view, the disclosure of at least some of this information might have constituted an unjustified invasion of his personal privacy.
In my view, the complainant should have been notified and given an opportunity to make representations as to why the Emails should not have been disclosed. As noted in Investigation Report MC-000019-1, except in the clearest of cases, fairness requires that the person with the greatest interest in the information, that is, the complainant, be given a chance to be heard. In this matter, he was not given that opportunity.

The complainant had sent his e-mails to politicians about a matter of apparent public interest. The standard for notification is low, but the notice requirement here was at least debatable.

Unfortunately, the IPC does not address the balancing of interests contemplated by the unjustified invasion exemption. For notice to be required there must be “a reason to believe” – a reason based on a provisional application of the unjustified invasion exemption. “Clearest of cases” is not the legal test, and it is wrong to notify simply because “at least some” information responsive to a request is bound to trigger the notification requirement.

This is a mild warning to institutions. There is a statutory immunity that offers some protection from civil claims for failure to notify, but the IPC has shown itself to be strict.

PRIVACY COMPLAINT MC17-35, 2020 CanLII 72822 (ON IPC).

“Employee’s” signature accessible to public – NLCA

On June 3rd, the Court of Appeal for Newfoundland and Labrador held that the signature of an “employee” who authorized a vacation leave payout to a senior administrator at a college campus in Qatar was accessible to the public even though the individual was hired by Qatar, and not the College.

The matter turned on the meaning of “employee” under Newfoundland’s now repealed and replaced FOI statute, which at the time exempted all personal information from the right of access subject to an exemption for “information… about a third party’s position, function or remuneration as an officer, employee or member of a public body.” The Court held that the term employee is broad enough to include some independent contractors. It explained:

The statutory context and the purpose of the Act, however, would appear to limit including independent contractors only to those who, by virtue of their contract, are required to perform services for the public body in a manner that involves them as a functional cog in the institutional structure of the organization. It is those persons whose personal information about position and functions which can be regarded as employees and still promote the purpose and object of the legislation. To restrict the definition further would be to shield information about certain aspects of the public body’s operations and functioning from potential public scrutiny. To expand the definition further would equally not promote the object and purpose of the Act because it would allow for disclosure of personal information that does not elucidate the institutional functioning of the public body which is to be held accountable.

The Court’s affirmation of the public’s right of access here is no surprise. For one, the record suggested that the College and Qatar were common employers. More fundamentally, the privacy interest in the signature that would justify the outcome sought by the College was simply too minimal to give its interpretation argument principled force. In Ontario, signatures made in one’s professional capacity are not even considered to be one’s personal information.

College of the North Atlantic v. Peter McBreairty and Information and Privacy Commissioner of Newfoundland and Labrador, 2020 NLCA 19.

FOI reconsideration order highlights important timing issue for Ontario institutions

On May 14th, the IPC/Ontario dismissed a request for reconsideration based on an asserted change of circumstances, a somewhat common happening given the lengthy period of time it now takes to process an FOI appeal.

The IPC had earlier affirmed a decision to deny access to certain information about the OPP’s use of cell site simulators on the basis that the information could reasonably be expected to “reveal investigative techniques and procedures currently in use in law enforcement.” After the IPC made this appeal decision, the requester learned that the OPP had switched to a new model of simulator, apparently after she made her request and before the IPC made its decision. The requester asked for reconsideration so she did not have to start again (by filing a new request and potentially re-arguing an appeal). The requester argued the Ministry’s exemption claim could not stand in light of the “new evidence.”

Assistant-Commissioner Liang declined the reconsideration request, but only on the basis that the newly proffered evidence would not have led her to make a different decision in any event. Assistant-Commissioner Liang noted that the Ministry had not deliberately withheld key evidence, which the IPC has treated as a basis for reconsideration. She did not comment on whether the Ministry ought to have brought forward the change in circumstances or whether its failure to do so might warrant reconsideration.

Appeal hearings are about the propriety of an access decision that is made at a point in time, though can invite respondent institutions to make representations about prospective harms. It goes without saying that institutions should not misrepresent the state of affairs in existence at the time they file their materials with the IPC. And if they have made accurate representations and the circumstances later change, there should be no duty to bring those circumstances to the attention of the IPC and no consequence for failing to do so. This would be a very heavy and impractical burden to bear, and would do harm to the finality owed to respondents. Requesters can and should be made to file new requests that can be the subject of fresh consideration and new access decisions.

Ontario (Solicitor General) (Re), 2020 CanLII 34928 (ON IPC).

Cyber, secrecy and the public body

Here’s a copy of a presentation I gave yesterday at the High Technology Crime Investigation Association virtual conference. It adresses the cyber security pressures on public bodies that arise out of access-to-information legislation, with a segment on how public sector incident response differs from incident response in the private sector