Teaching is the best way of learning for some, including me. Here are two recent cyber security presentations that may be of interest:
- A presentation from last month on “the law of information” that I delivered to participants in the the Osgoode PDP program on cyber security
- Last week’s presentation for school boards – Critical Issues in School Board Cyber Security
If you have questions please get in touch!
Here is a copy of the presentation I delivered yesterday at the at the PISCC’s 2020 Ontario Connections Conference. As I told the audience, I’m a confessed FOI nerd. The exclusion is such a unique, important and misunderstood part of our Ontario FOI law that it was good to dive deep on it while in good company.
ALSO, BLG is launching a new webinar series for the provincial public sector called “nuts and bolts.” The first webinar will run in late November, please sign up here, or if you can’t attend in November and want me to put you on our mailing list please DM me.
On October 9th, Justice McHaffie of the Federal Court held that firearm serial numbers, on their own, are not personal information. His ratio is nicely stated in paragraphs 1 and 2, as follows:
Information that relates to an object rather than a person, such as the firearm serial numbers at issue in this case, is not by itself generally considered
personal information”since it is not information about an identifiable individual. However, such information may still be personal information exempt from disclosure under the Access to Information Act, RSC 1985, c A-1 [ATIA] if there is a serious possibility that the information could be used to identify an individual, either on its own or when combined with other available information.
The assessment of whether information could be used to identify an individual is necessarily fact-driven and context-specific. The
other available information relevant to the inquiry will depend on the nature of the information being considered for release. It will include information that is generally publicly available. Depending on the circumstances, it may also include information available to only a segment of the public. However, it will not typically include information that is only in the hands of government, given the purposes of both the ATIA and the personal information exemption.
This is not a bright line test, though Justice McHaffie did say that the threshold should be more privacy protective than if the “otherwise available information” requirement was limited to publicly available information or even information available to “an informed and knowledgeable member of the public.”
Canada (Information Commissioner) v Canada (Public Safety and Emergency Preparedness), 2019 FC 1279 (CanLII).
On June 22nd, the Federal Court of Appeal ordered Public Works and Government Services Canada to re-determine an access request because it decided that a third-party’s consent to disclose its commercial information ruled out an exemption claim.
The request was for personnel rates offered to government by a staffing company. The company agreed to a contract clause that the Court held constituted a consent to disclose the information to the public at large.
The Court held that PWGSC erred by treating the clause as an “outright bar” to the company’s reliance on the third-party information exemptions in the Access to Information Act. It held that PWGSC ought to have first determined if any of the third-party exemptions applied and then considered whether or not to disclose the information because of the consent [thereby exercising the discretion granted in section 20(5)].
The decision also includes helpful dicta on the kind of evidence that third-parties must adduce to establish probable economic harm – dicta that supports an argument that the likelihood of harm can oftentimes be inferred from rather basic facts about the competitive context. (Rate or unit price information, in particular, is associated with some rather obvious potential harms.)
Canada (Office of the Information Commissioner) v. Calian Ltd., 2017 FCA 135 (CanLII).
There’s been some talk about the Federal Court of Australia’s recent decision in the “Ben Grubb” case – Mr. Grubb being the journalist who requested and was denied access to certain data related to his mobile phone usage from his carrier. Although the data was linked to Mr. Grubb’s mobile phone usage, the Court held it was not “information about” Mr. Grubb and therefore was not “personal information” that Mr. Grubb could access under the Australia Privacy Act. The Court explained:
…in every case it is necessary to consider whether each item of personal information requested, individually or in combination with other items, is about an individual. This will require an evaluative conclusion, depending upon the facts of any individual case, just as a determination of whether the identity can reasonably be ascertained will require an evaluative conclusion.
In some instances the evaluative conclusion will not be diﬀicult. For example, although information was provided to Mr Grubb about the colour of his mobile phone and his network
type (3G), we do not consider that that information, by itself or together with other information, was about him. In other instances, the conclusion might be more diﬀicult. Further, whether information is “about an individual” might depend upon the breadth that is given to the expression “from the information or opinion”. In other words, the more loose the
causal connection required by the word “from”, the greater the amount of information which could potentially be “personal information” and the more likely it will be that the words
“about an individual” will exclude some of that information from National Privacy Principle 6.1
In other words, there must be more than a link between information and an individual for the information to be “personal” information. The information must also reveal something “about” the person in a way that engages a reasonable expectation of privacy. I am not sure whether this “guts” the rights provided by the Australia Privacy Act as reported, but this reasoning has been a feature of Canadian law, most notably supported in our Federal Court of Appeal’s Nav Canada case – an authority the Australian court relied upon in determining the outcome of Mr. Grubb’s access request.
Privacy Commissioner v Telstra Corporation Limited  FCAFC 4 (19 January 2017).
Whether information is “personal information” – information about an identifiable individual – depends on the context. The Court of Appeal of Alberta issued an illustrative judgement on April 14th. It held that a request for information about a person’s property was, in the context, a request for personal information. The Court explained:
In general terms, there is some universality to the conclusion in Leon’s Furniture that personal information has to be essentially “about a person”, and not “about an object”, even though most objects or properties have some relationship with persons. As the adjudicator recognized, this concept underlies the definitions in both the FOIPP Act and the Personal Information Protection Act. It was, however, reasonable for the adjudicator to observe that the line between the two is imprecise. Where the information related to property, but also had a “personal dimension”, it might sometimes properly be characterized as “personal information”. In this case, the essence of the request was for complaints and opinions expressed about Ms. McCloskey. The adjudicator’s conclusion (at paras. 49-51) that this type of request was “personal”, relating directly as it did to the conduct of the citizen, was one that was available on the facts and the law.
The requester wanted information about her property because she was looking for complaints related to her actions. The request was therefore for the requester’s personal information. Note the Court’s use of the word “sometimes”: context matters.
Edmonton (City) v Alberta (Information and Privacy Commissioner), 2016 ABCA 110 (CanLII).
On July 15th, Arbitrator Sheehan held that a police association did not have a right of access to a harassment investigation report.
Arbitrator Sheehan held that the employer denied access for “reasonable cause” – the need to encourage witness candour – and therefore acted consistently with its collective agreement. He also dealt with the broader premise for the association’s case and, in doing so, questioned the a finding in which the OLRB held that a union’s representational role justified a similar right of access He said:
I have some difficulty with extrapolating the reasoning in those cases, as support for a much broader proposition that a union will necessarily be entitled to otherwise private/confidential information associated with a particular operational decision of an employer; simply on the basis that the information in question will be of assistance to the union to fulfill its duty of fair representation obligations. Or more particularly, that the union is entitled to such information on the basis it would be helpful to the union in assessing whether it would be appropriate, in the circumstances, to file a grievance.
There are numerous scenarios where the employer has information in its possession that may be quite helpful to the union, in terms of assessing whether there has been a violation of the collective agreement; and therefore, a basis to file a grievance. For example, in a job promotion dispute, the employer typically has information which may involve the confidential evaluations or interview/test results of the candidates. Such information would, obviously, be useful for the union to review in terms of whether in fact a grievance should be filed on behalf of a senior employee not awarded the position. In that sense, the union has an “interest” in the disclosure of the information. The duty of fair representation obligations resting on the union, however, does not transform that “interest” in obtaining the information into a “right” of disclosure, which would obligate the employer to comply with a request to disclose; solely to assist the union, in their assessment of whether there is a basis to file a grievance.
The disclosure of employer documentation arising out of a disciplinary investigation may likewise be of particular assistance to the union in terms of evaluating whether in fact there is a basis to assert a violation of the collective agreement. Again, as has been previously discussed, if the request for the information should arise in the context of the adjudication of a grievance challenging the issued discipline, there would be a presumptive right (subject to a valid claim of privilege) for the union to obtain production of such arguably relevant documentation. It is, however, an entirely different proposition to suggest, that the employer prior to the filing of a grievance, is obligated to forward that information to the union; on the basis the information may be of assistance to the union, in its assessment of whether there is a basis for filing a grievance.
For similar reasoning see Arbitrator’s Lanyon’s decision in Mount Arrowsmith Teachers’ Association.
Halton Regional Police Services Board v Halton Regional Police Association, 2015 CanLII 47877 (ON LA).
Federally-regulated employers should pay heed to OPC report of findings 2013-004, issued in July 2013. It contains the most detailed guidance on how to administer requests for access to personal information about employees that is received from other employees in confidence – information sometimes called “mixed personal information.”
The OPC adopts the case-by-case balancing of interests approach endorsed by the Federal Court of Appeal in a Privacy Act case called Pirrie: “In determining the right to have access to this information under PIPEDA, the interests of the individuals concerned should be balanced against each other along with the public interest for and against disclosure.”
This test does not support a “bright line,” so the OPC guidance is welcome. It uses 2013-004 to distinguish between two scenarios:
- The OPC held that notes containing peer feedback that an employer received in conducting a routine performance feedback process were exempt from the right of access. It helped that the employer had provided the complainant with a high-level summary of feedback and helped that the complainant himself had expressly promised to his peers that their feedback would be given anonymously.
- The OPC distinguished its prior treatment of information gathered in an internal investigation from witnesses when the investigation led to the complainant’s dismissal from employment. The OPC affirmed the complainant’s right of access in this scenario, but specified that the complainant required access to her personal information “as part of her efforts to be re-instated in her position,” which suggests that the complainant had either commenced litigation or that litigation was reasonably contemplated. The OPC also noted, “there were no formal assurance made that the information the investigation participants provided would be kept confidential.”
This gives federally-regulated employers some indication of the OPC’s perspective on a common and significant access issue, though the analysis invited by the Pirrie test is very contextual and outcomes will differ based on a wide range of potentially relevant facts. While the OPC’s decision on access to information gathered from witnesses in an internal investigation might be of some concern to employers, employers cannot provide witnesses with an absolute promise of confidentiality given witness statements may be producible in litigation. If the OPC decision merely suggests that witness statements are likely to be accessible under PIPEDA when litigation is reasonably contemplated it will be rather harmless in its impact.
Bank provides former employee with insufficient access to his personal information, 2013 CanLII 71855 (PCC).
Those interested in access to government information and open data might like these presentations, given today at the CanLII conference in Ottawa.
I watched two sessions, one by federal information commissioner Suzanne Legault about legislative reform and another by Glen McGregor of the Ottawa Citizen about “data journalism.”
Ms. Legault’s clear focus of concern is on electronic communications, which contain data that is unstructured and extremely difficult to deal with. She calls instant messages “black holes into which information hides or disappears.” Ms. Legault ties this to the duty to record, a topic I’ve touched upon here.
Mr. McGregor relies heavily on access legislation in his (fascinating) work and gives a good reporter’s perspective on database requests – i.e., requests for structured data. He tells a good story about a database request that started with a $100,000 plus fee and ended with a $40 fee.
Ms. Legault is very negative. Mr. McGregor is very optimistic. The juxtaposition is notable.
On September 4th, the Federal Court of Appeal quashed an access decision made under the federal Privacy Act because an institution’s access decision, considered in light of the record put before the Court on judicial review, was inadequate.
The record before the Court consisted of:
- a decision letter that claimed two exemptions to the right of access without reasoning and that did not identify the decision-maker;
- a “relatively thin affidavit”; and
- copies of produced and withheld documents.
Although the adequacy of reasons jurisprudence now gives statutory decision-makers significant latitude in describing why they reach a decision, the Court nonetheless held that the record of the access decision before it was so devoid of substance that it rendered a meaningful review of the decision impossible. It then gave federal institutions general advice on how to ensure an adequate record of an access decision, ending with the following summary:
To reiterate, all that is needed is sufficient information for a reviewing court to discharge its role. In cases like this, this can be achieved by ensuring that there is information in the decision letter or the record that sets out the following: (1) who decided the matter; (2) their authority to decide the matter; (3) whether that person decided both the issue of the applicability of exemptions and the issue whether the information should, as a matter of discretion, nevertheless be released; (4) the criteria that were taken into account; and (5) whether those criteria were or were not met and why.
The Court also warned that institutions can only supplement their decision letters to a limited degree by filing affidavits in the judicial review procedure. It held that such affidavits may only “point out factual and contextual matters that are not evident elsewhere in the record that were obviously known to the decision-maker” and “provide the reviewing court with general orienting information.”
Leahy v Canada (Citizenship and Immigration), 2012 FCA 227 (CanLII).