Privacy violation arises out of failure to notify of FOI request

On September 21st, the Information and Privacy Commissioner/Ontario held that a municipality breached the Municipal Freedom of Information and Protection of Privacy Act by failing to notify an affected person of an FOI request.

The complainant discovered that the municipality had released e-mails he had sent to councilors about a planning matter in responding to FOI requests and without providing notice. MFIPPA requires notification of a request for records containing personal information if the head has “reason to believe” their release “might constitute an unjustified invasion of personal privacy.”

The IPC held that the municipality had not met this requirement. It reasoned:

As indicated above, the County disclosed the complainant’s name, address and views and opinions about Hastings Drive without notifying him pursuant to section 21(1)(b). Given the nature of the complainant’s personal information at issue, in my view, the disclosure of at least some of this information might have constituted an unjustified invasion of his personal privacy.

In my view, the complainant should have been notified and given an opportunity to make representations as to why the Emails should not have been disclosed. As noted in Investigation Report MC-000019-1, except in the clearest of cases, fairness requires that the person with the greatest interest in the information, that is, the complainant, be given a chance to be heard. In this matter, he was not given that opportunity.

The complainant had sent his e-mails to politicians about a matter of apparent public interest. The standard for notification is low, but the notice requirement here was at least debatable.

Unfortunately, the IPC does not address the balancing of interests contemplated by the unjustified invasion exemption. For notice to be required there must be “a reason to believe” – a reason based on a provisional application of the unjustified invasion exemption. “Clearest of cases” is not the legal test, and it is wrong to notify simply because “at least some” information responsive to a request is bound to trigger the notification requirement.

This is a mild warning to institutions. There is a statutory immunity that offers some protection from civil claims for failure to notify, but the IPC has shown itself to be strict.

PRIVACY COMPLAINT MC17-35, 2020 CanLII 72822 (ON IPC).

“Employee’s” signature accessible to public – NLCA

On June 3rd, the Court of Appeal for Newfoundland and Labrador held that the signature of an “employee” who authorized a vacation leave payout to a senior administrator at a college campus in Qatar was accessible to the public even though the individual was hired by Qatar, and not the College.

The matter turned on the meaning of “employee” under Newfoundland’s now repealed and replaced FOI statute, which at the time exempted all personal information from the right of access subject to an exemption for “information… about a third party’s position, function or remuneration as an officer, employee or member of a public body.” The Court held that the term employee is broad enough to include some independent contractors. It explained:

The statutory context and the purpose of the Act, however, would appear to limit including independent contractors only to those who, by virtue of their contract, are required to perform services for the public body in a manner that involves them as a functional cog in the institutional structure of the organization. It is those persons whose personal information about position and functions which can be regarded as employees and still promote the purpose and object of the legislation. To restrict the definition further would be to shield information about certain aspects of the public body’s operations and functioning from potential public scrutiny. To expand the definition further would equally not promote the object and purpose of the Act because it would allow for disclosure of personal information that does not elucidate the institutional functioning of the public body which is to be held accountable.

The Court’s affirmation of the public’s right of access here is no surprise. For one, the record suggested that the College and Qatar were common employers. More fundamentally, the privacy interest in the signature that would justify the outcome sought by the College was simply too minimal to give its interpretation argument principled force. In Ontario, signatures made in one’s professional capacity are not even considered to be one’s personal information.

College of the North Atlantic v. Peter McBreairty and Information and Privacy Commissioner of Newfoundland and Labrador, 2020 NLCA 19.

FOI reconsideration order highlights important timing issue for Ontario institutions

On May 14th, the IPC/Ontario dismissed a request for reconsideration based on an asserted change of circumstances, a somewhat common happening given the lengthy period of time it now takes to process an FOI appeal.

The IPC had earlier affirmed a decision to deny access to certain information about the OPP’s use of cell site simulators on the basis that the information could reasonably be expected to “reveal investigative techniques and procedures currently in use in law enforcement.” After the IPC made this appeal decision, the requester learned that the OPP had switched to a new model of simulator, apparently after she made her request and before the IPC made its decision. The requester asked for reconsideration so she did not have to start again (by filing a new request and potentially re-arguing an appeal). The requester argued the Ministry’s exemption claim could not stand in light of the “new evidence.”

Assistant-Commissioner Liang declined the reconsideration request, but only on the basis that the newly proffered evidence would not have led her to make a different decision in any event. Assistant-Commissioner Liang noted that the Ministry had not deliberately withheld key evidence, which the IPC has treated as a basis for reconsideration. She did not comment on whether the Ministry ought to have brought forward the change in circumstances or whether its failure to do so might warrant reconsideration.

Appeal hearings are about the propriety of an access decision that is made at a point in time, though can invite respondent institutions to make representations about prospective harms. It goes without saying that institutions should not misrepresent the state of affairs in existence at the time they file their materials with the IPC. And if they have made accurate representations and the circumstances later change, there should be no duty to bring those circumstances to the attention of the IPC and no consequence for failing to do so. This would be a very heavy and impractical burden to bear, and would do harm to the finality owed to respondents. Requesters can and should be made to file new requests that can be the subject of fresh consideration and new access decisions.

Ontario (Solicitor General) (Re), 2020 CanLII 34928 (ON IPC).

Cyber, secrecy and the public body

Here’s a copy of a presentation I gave yesterday at the High Technology Crime Investigation Association virtual conference. It adresses the cyber security pressures on public bodies that arise out of access-to-information legislation, with a segment on how public sector incident response differs from incident response in the private sector

Records stored on legacy system not “records” for FOI purposes

On January 27th, the IPC/Ontario held that records stored only on a legacy backup system were not “records” accessible under Ontario’s public sector access statute.

The requester asked for all records that showed access by a named employee to their own and their spouse’s service department records at a municipality.

The institution provided a fee estimate of $130 for data going back 28 months. For older data, the institution needed to restore data from tapes from a backup system that it had discontinued. It produced estimates (of $19,000 and $13,000) that included work to purchase a new tape drive and software, but on appeal argued the backup records were not accessible because they were not capable of being produced “by means of computer hardware and software or any other information storage equipment and technical expertise normally used by the institution.” The IPC agreed.

Sudbury (City of Greater) (Re), 2020 CanLII 8240 (ON IPC).

BC Supreme Court quashes decision ordering identification of RFQ evaluators

On December 9th, the British Columbia Supreme Court held that the British Columbia OIPC erred in its handling of a claim that the identities of BC Hydro employees who had evaluated an RFQ for services at a controversial hydroelectric project should be withheld. Hydro argued that identifying information may be withheld due to the potential harm to the employees’ physical and mental health.

The Court held that the OIPC improperly elevated the test for harm set out in the Supreme Court of Canada’s Merck decision – more than a possibility but less than a probability. Helpfully, it said the OIPC was wrong to suggest that Hydro “had to establish some employees were physically hurt or employees suffered from mental health issues before bringing itself within the [applicable exemption.” It also said, “I am also troubled by the Delegate’s comment that there was no evidence proffered from employees regarding how the disclosure of their names might threaten their mental health… It was unreasonable to expect such evidence in the circumstances.”

British Columbia Hydro and Power Authority v British Columbia (Information and Privacy Commissioner), 2019 BCSC 2128 (CanLII).

Threat Exchanges and FOI Legislation

Here’s the second paper that relates to the panel I will be sitting on later this week. It is a collection of FOI case digests about the hacking threat with a covering thesis about the need for greater protection from disclosure. This one particularly caught my interest and includes some ideas I will come back to. Enjoy, and again, please send comments by PM.

 

Federal Court says firearm serial numbers not personal information

On October 9th, Justice McHaffie of the Federal Court held that firearm serial numbers, on their own, are not personal information. His ratio is nicely stated in paragraphs 1 and 2, as follows:

Information that relates to an object rather than a person, such as the firearm serial numbers at issue in this case, is not by itself generally considered personal information”since it is not information about an identifiable individual. However, such information may still be personal information exempt from disclosure under the Access to Information Act, RSC 1985, c A-1 [ATIA] if there is a serious possibility that the information could be used to identify an individual, either on its own or when combined with other available information.

The assessment of whether information could be used to identify an individual is necessarily fact-driven and context-specific. The other available information relevant to the inquiry will depend on the nature of the information being considered for release. It will include information that is generally publicly available. Depending on the circumstances, it may also include information available to only a segment of the public. However, it will not typically include information that is only in the hands of government, given the purposes of both the ATIA and the personal information exemption.

This is not a bright line test, though Justice McHaffie did say that the threshold should be more privacy protective than if the “otherwise available information” requirement was limited to publicly available information or even information available to “an informed and knowledgeable member of the public.”

Canada (Information Commissioner) v Canada (Public Safety and Emergency Preparedness), 2019 FC 1279 (CanLII).

Transparency, open courts and administrative tribunals: implications of Toronto Star v AG Ontario

Here’s some commentary I submitted in support of my panel appearance on Wednesday at the above-named OBA conference.

It appears there are not too many fans of the Toronto Star decision among administrative tribunal practitioners, though the tribunals themselves seem to be more ambivalent. I’m among those who don’t like the policy implications of Toronto Star. For insight please read my commentary.

On Wednesday I spoke about the practical impact of practicing under truly presumptive, court-like openness in which no adjudicative decision (with due process rights) stands between a requester and a client’s filings. In short, it will invite the application of a new analysis prior to making any filing. What in here is confidential? Can I compromise – making my client’s case without it? At what cost? Is it better to seek a confidentiality order of some sort? At what cost? Does the media require notice of my motion? At what cost? Did I mention cost?

I encouraged tribunal staff in attendance to think about how critical a concern privacy has become and how individuals expect and are owed, at a minimum, due process. In my view requiring applications for access (made on notice) is a model for access that’s more consistent with the object of administrative justice – specialized, low cost, accessible justice.

Ont CA says doctor gross revenue information is not personal information

As reported widely, yesterday the Court of Appeal for Ontario affirmed an IPC/Ontario finding that gross revenue earned by Ontario’s top earning doctors was not their personal information.

There’s not much to the decision. (A number of the grounds for appeal were “optimistic.”) The decision illustrates that information must reveal something of a personal nature about an individual (in the relevant context) to be the individual’s personal information. In the doctors’ case, the link between gross income and the personal finances was not strong, as noted by the Court:

The information sought was the affected physicians’ gross revenue before allowable business expenses such as office, personnel, lab equipment, facility and hospital expenses. The evidence before the Adjudicator indicated, however, that, in the case of these 100 top billing physicians, those expenses were variable and considerable.

In another context, gross revenue information could be personal information. What is and is not personal information is a VERY contextual matter.

Ontario Medical Association v. Ontario (Information and Privacy Commissioner), 2018 ONCA 673.