File path information, network security and FOI

On March 7, 2025, the Saskatchewan Court of King’s Bench affirmed the withholding of file path information from a requester who sought the information under Saskatchewan’s provincial freedom of information statute.

The Court described the information as “file path addresses/links and barcodes within the documents that describe the process of accessing information/data stored in specific databases on a computer system.”

Notably, the institution relied on the class-based exemption for information with proprietary value. Proof of a non-speculative risk of harm is not required to invoke such this exemption, but case law in Saskatchewan and Ontario narrows the class to information with “inherent monetary value” and a proprietary character (in my words). The Court held that the exception applied based on an affidavit that stated that granting access would provide, “an instruction manual for any person with access to SHA’s systems to quickly and effectively identify and access locations on SHA’s systems that contain sensitive personal and personal health information and other sensitive security information…”

In 2023, the IPC/Ontario rejected a claim made by the Ontario Ministry of Health that file path information was exempt from the right of access because the Ministry failed to prove a non-speculative risk of harm. It commented, “I do not accept that disclosure of the file path information (the location of a specific document in the ministry’s computer system) could reasonably be expected to compromise the security of the ministry’s computer system or allow unauthorized individuals to infiltrate the ministry’s computer systems. The ministry has not adequately explained how this information could be used to access the ministry’s computer system by an individual who is not a ministry employee.”

I’ve underlined the text above to highlight the flaw in the Ministry’s argument—though, to be fair, it was addressing only two lines of file path information. It is difficult to conceive how file path information could be used to compromise a network. However, one can easily see how such information could assist a malicious actor in quickly locating valuable data within a network. File path information should be exempt, and the new Saskatchewan case will help make that argument. It’s a particularly good case because it rests on a class based exemption and not amore circumstantial harms based exemption.

Note that the IPC/Ontario has withheld other information about a network to protect it from malicious actors. See Ontario Lottery and Gaming Corporation (Re), 2016 CanLII 85802 (ON IPC), <https://canlii.ca/t/gw1g6>, retrieved on 2025-09-23.

Schiller v Saskatchewan Health Authority, 2025 SKKB 37 (CanLII), <https://canlii.ca/t/kb2fh>, retrieved on 2025-09-23.

Court shields file path information from the public (and threat actors), addresses scope of s-c privilege

On November 7th, the Newfoundland and Labrador Supreme Court issued an access to information decision with some notable points.

First, the Court held that a public body validly redacted file path information from a document set based on the security of a computer system exemption to the public right of access. The public body adduced good evidence that the paths could be used by threat actors to (a) randomly generate usernames amendable to brute forcing or similar attacks (b) identify domain administrators, and (c) map the network, all creating a real and non-speculative risk of attack. The finding is based on the evidence, but there is nothing unique about the the risk that the Court recognized.

Second, the Court affirmed a decision to apply the privilege exemption based on a solicitor-client privilege claim and despite a dispute between the public body and the Newfoundland Information and Privacy Commissioner about the scope of the so called “continuum of communication.” The Court held the following communications were within the protected continuum:

E-mail messages between non-lawyers that were subsequent to the direct giving and receiving of legal advice about “process and timing” (and up the e-mail thread).
Drafts of documents known to be subject to editing by legal counsel and from which “an informed reader could readily infer what legal counsel had advised.”
Notes, questions and references in documents made by an individual who gave evidence that she received legal advice in relation to all the notes, questions and references.

This finding is as sound as it is protective in my view.

Newfoundland and Labrador (Treasury Board) v. Newfoundland and Labrador (Information and Privacy Commissioner), 2024 NLSC 147 (CanLII)

BCCA sends notice issue back to BC OIPC

On September 25th, the Court of Appeal for British Columbia partially upheld Airbnb’s successful judicial review of a British Columbia OIPC decision that required the City of Vancouver to disclose short term rental addresses along with related information, but vacated the application judge’s order to notify over 20,000 affected individuals.

Background

The City licenses short term rentals. It publicly discloses license information, presumably to enable renter inquires. However, the City stopped publishing host names and rental addresses with license information in 2018 based on credible reports of safety risks. Evidence of the safety risks was on the record before the OIPC – general evidence about “concerned vigilante activity” and harassment, evidence about a particular stalking episode in 2019 and evidence that raised a concern about enabling criminals to determine when renters likely to be out of the country.

The OIPC nonetheless ordered the City to disclose:

License numbers of individuals;
Home addresses of all hosts (also principle residences given licensing requirements); and
License numbers associated with the home addresses.

It was common ground that the above information could be readily linked to hosts by using publicly available information, rendering the order upsetting to Airbnb’s means of protecting its hosts. Airbnb only discloses the general area of rentals on its platform, which allows hosts to screen renters before disclosing their address.

Supreme Court Decision

The application judge affirmed the OIPC dismissal of the City’s safety concern as a reasonable application of the Merck test, but held that the OIPC erred on two other grounds.

First, the Court held that the OIPC unreasonably held that home address information was contact information rather than personal information. It failed to consider the context in making a simplistic finding that home address information was “contact information” because the home address was used as a place of business. The disclosure of the home address information, in the context, had a significant privacy impact that the OIPC ought to have considered.

Second, the Court held that the OIPC erred in not giving notice to the affected hosts – who numbered at least 20,000 – and for not providing reasons for its failure. The Court said this was a breach of procedural fairness, a breach punctuated by the evidence of a stalking and harassment risk that the OIPC acknowledged but held did not meet the Merck threshold.

Appeal Court Decision

The Court of Appeal affirmed the lower court’s contact information finding. It also held that the matter of notice to third parties ought to have been raised before the OIPC at the first instance, and that the application judge ought not to have ordered notice to be given. It stressed the OIPC’s discretion, and said:

Relevant facts that may inform the analysis include the nature of the records in issue, the number of potentially affected third parties, the practical logistics of providing notice, whether there are alternative means of doing so, and potential institutional resource issues.

Analysis

Giving notice and an opportunity to make submissions to 20,000 affected individuals is no small matter. In this case, valid electronic contact information was likely available. However, even a 2% response rate would generated 400 submissions, each of which deserving of due consideration.

Many institutions, thinking practically, would simply deny access as a means of avoiding this burden and respecting affected party rights, bearing in mind that the Supreme Court of Canada cautioned in Merck that notice should be given prior to disclosure in all but “clear cases.” When an institution denies access to avoid a massive notification burden, that burden transfers to the relevant commissioner/adjudicator, and even recognizing “practical logistics” and “institutional resource issues,” is see no reason why the “clear cases” rule from Merck should not be the governing test.

The Office of the Information and Privacy Commissioner for British Columbia v. Airbnb Ireland UC, 2024 BCCA 333.

NSCA outlines the “law of redaction”

Exactly when should an entire document be withheld because redaction is not reaonable?

Freedom of information adjudicators have used the concept of “disconnected snippets” to delineate; if redaction would leave a reader with meaningless “disconnected snippets,” entire records can rightly be withheld.

The Nova Scotia Court of Appeal, on August 7th, applied similar logic in determining that a set of affidavits “could not be redacted without sacrificing their intelligibility and therefore the utility of public access.” It therefore held that the affidavits could be sealed in whole in compliance with the necessity component of the test from Sherman Estate.

Notably, the Court reviewed cases that establish a second basis for full record withholding – cost. In Patient X v College of Physicians and Surgeons of Nova Scotia, the Nova Scotia Supreme Court held that redacting a 120-page records would be too “painstaking and prone to error” given it included a significant number of handwritten notes. And in Khan v College of Physicians and Surgeons of Ontario, the Ontario Superior Court of Justice reached a similar finding given the record requiring redaction was almost 4,500 pages in length, requiring an error prone hunt for (sensitive) patient information.

Back to freedom of information, where costs are passed through to requesters. In Ontario, the norm is to charge through two minutes a page for redaction. Should a premium be chargeable for handwritten records or records that contain very sensitive information?

Dempsey v. Pagefreezer Software Inc., 2024 NSCA 76 (CanLII).

Notable quote from recent EWCA freedom of information judgement

On November 22, 2023, the Court of Appeal (England and Wales) held that the Freedom of Information Act 2000 permits the public interest in maintaining non-absolute exemptions to be weighed in the aggregate against the public interest in disclosure.

This decision is technical, and about the unique structure of the United Kingdom’s freedom of information statute. Lady Justice Andrews even remarked, “I anticipate that it will rarely be the case that the issue of statutory construction that we have been asked to resolve would make a practical difference to the outcome of an application for disclosure under FOIA.” The ICO is apparently appealing nonetheless.

I am blogging about the decision because Lord Justice Lewis provides us with this good quote that challenges the idea that a purposive interpretation of an access statute necessarily favours access. He says:

…it is too simplistic to say, as the Upper Tribunal did and as the respondents do, that aggregation of the different public interests in non-disclosure would lead to less disclosure of information and so run counter to the purpose of FOIA which is to promote openness. Similarly, it is unduly simplistic to take the view that FOIA is to be interpreted in as liberal a manner as possible in order to promote the right to information. As Lord Hope recognised in the Common Services Agency case, the right to information is qualified in significant respects and appropriate weight must be given to those qualifications as the “scope and nature of the various exemptions plays a key role within the Act’s complex analytical framework” (see paragraph 34 above). A similar approach to FOIA has been recognised by Lord Walker in BBC v Sugar (No.2) [2012] UKSC 4, [2012] 1 WLR 439, especially at paragraphs 76 to 84 and in Kennedy by Lord Mance and Lord Sumption (with whom Lord Neuberger and Lord Clarke agreed) in the quotations set out at paragraphs 35 and 36 above. Rather, the wording of section 2(2) should be considered, in the light of the statutory context, to determine how Parliament intended the system of exempting information from disclosure to operate.

Bear in mind that the purpose sections in Ontario’s freedom of information statutes expressly state that statutory “exemptions” from the public right of access should be “limited and specific.” The Divisional Court, however, has also held that the statutory purpose of FIPPA and MFIPPA weights in favour of narrowly construing exclusions – the provisions that remove certain records entirely from the scope of the right of access. I question that approach for the reasons articulated by Lord Justice Lewis; it is too simplistic an approach to discerning legislative intent.

Dept for Business and Trade v IC and Montague [2023] EWCA Civ 1378.

BCSC addresses university possession and control of research records

On November 6th, the Supreme Court of British Columbia affirmed a British Columbia OIPC finding that a university was in possession and control of e-mails sent and received by a faculty member that the University claimed related to research. The Court nonetheless quashed the OIPC’s order to issue a decision in respect of the e-mails on the basis that they were not excluded from the public right of access.

The request was for e-mail correspondence between a faculty member and his research collaborator in Japan over a lengthy time period. The University denied the request based on the statutory exclusion for “research information” in British Columbia FIPPA – an exclusion meant to safeguard academic freedom.

On appeal to the OIPC, the University relied on an affidavit from the targeted professor that stated all of the requested communications were related to ongoing research. The affidavit also described the general nature of the communciations, but did not include an index.

The requester responded that the faculty member and his colleague from Japan “have collaborated on numerous formal complaints to TRU about Dr. Pyne’s professional work and behavior” and indicated that they were seeking correspondence that established an improper leak of related information by the faculty member to the colleague – an act of “professional activism.” The OPIC held that the records were under the University’s possession and control and that the University failed to meet its onus of establishing that they were excluded. It ordered it to make a decision as to their release under FIPPA.

The Court affirmed the OIPC’s possession and control finding, dismissing the University’s argument that academic freedom rendered the e-mails beyond its possession and control. The Court said:

[49] Much of TRU’s argument on both arms of the custody and control issue is an attempt to characterize the academic university setting as one in which ordinary analysis does not apply. The argument is that academic faculty members are special: they have academic freedom, which is to say, a protected sphere of individual autonomy, within which they are free from oversight and direction by the university, and their email correspondence within that sphere should be no more subject to disclosure under FIPPA than would be purely personal correspondence.

[50] Counsel for OIPC submits that both arms of TRU’s argument are analytically misplaced because, while FIPPA recognizes the importance of academic freedom, it does so under the aegis of the research information (or research materials) exception in s. 3(1)(e) (now s. 3(3)(i)). I agree with this submission. The research information exception makes room for TRU’s argument. It is unhelpful to have to deal with it separately as an argument about custody or control.

The suggestion in the last sentence above is that the existence of the statutory exclusion lends support to institutional possession and control – i.e., that academic freedom is protected by the exclusion but does not restrict a University’s ability to handle faculty records in processing requests.

The Court nonetheless quashed the OIPC’s order. It held that the University’s evidence established that at least some of the responsive e-mails were excluded, and that the resulting order to issue a decision in respect of all responsive records was over-broad. In making this finding, it held that the OPIC had a reasonable basis for doubting the faculty member’s “blanket assertion” given the competing evidence about “professional activism.”

IMHO the University’s affidavit ought to have carried the day. It may make sense to require better, more particular evidence to support an exclusion claim when the claimant’s evidence is rebutted, but I don’t believe it was rebutted in this case. The only assertion by the requester is that the set of responsive e-mails likely contained information about a research misconduct matter, and research misconduct is typically treated as within the scope of academic freedom and subject to academic self governance and freedom.

Thompson Rivers University v British Columbia (Information and Privacy Commissioner), 2023 BCSC 1933 (CanLII).

BCSC quashes FOI decision about risk of harm to Airbnb hosts

On July 4th, the Supreme Court of British Columbia quashed a British Columbia OIPC order to provide an FOI requester with access to information about Airbnbs operating in the City of Vancouver.

The OIPC nonetheless ordered the City to disclose:

License numbers of individuals;
Home addresses of all hosts (also principle residences given licensing requirements); and
License numbers associated with the home adresses.

The Court affirmed the OIPC dismissal of the City’s safety concern as a reasonable application of the Merck test, but held that the OIPC erred on two other grounds.

This is a wonderful case that illustrates how judicial review works. In my view, the evidence about the risk of harm drove the outcome despite the Court’s affirmation of the OIPC finding. The Court simply found an easier way to address the problem with the OIPC’s outcome – a procedural fairness finding. The notice obligation is no small obligation in cases like this, but cannot be rightly ignored.

Airbnb Ireland UC v Vancouver City, 2023 BCSC 1137.

IPC/Ontario addresses legibility and the duty to accommodate FOI requesters

On December 23rd, the Information and Privacy Commissioner/Ontario issued an order that illustrates the Ontario law governing the legibility of records and institution’s duty to accommodate freedom of information requesters with disabilities.

These issues are governed by section 48(4) of the provincial act and section 37(3) of the municipal act. They read as follows:

Where access to personal information is to be given, the head shall ensure that the personal information is provided to the individual in a comprehensible form and in a manner which indicates the general terms and conditions under which the personal information is stored and used.

The IPC has held that these sections require institutions to provide reasonable quality copies, though not to transcribe or provide records in an alterative format subject to a duty to accommodate. Regarding accommodation, the IPC has held that institutions have a duty to provide disabled requesters with their personal information in a format that is comprehensible or intelligible to them. This duty is to be informed by the duty to accommodate in respect of service provision as established by the Human Rights Code, and presumably has a similar scope.

As with accommodation requests made under the Code, requesters who seek accommodation have a duty to establish the existence of a disability and their related medical needs. In its December order, the IPC dismissed an appeal that claimed a university had a duty to provide handwritten notes in an alternative format because the requester’s disability rendered the notes illegible. The requester did not provide sufficient evidence of his medical needs to establish a right to accommodation.

McMaster University (Re), 2022 CanLII 123506 (ON IPC).

Alberta CA interprets intergovernmental relations FOI exemption broadly

On December 6th, the Court of Appeal for Alberta held that a record supplied by a local police service to another local police service is amenable to withholding under the intergovernmental relations exemption in the Alberta Freedom of Information and Protection of Privacy Act.

The document at issue was a threat assessment report supplied by the RCMP to the Edmonton Police Service. The RCMP was acting under contract to provide local police services, which led the Alberta OIPC to find that it was an agency of the province. The OIPC relied on the heading “disclosure harmful to intergovernmental relations” and held that information supplied to a public body by an entity within Alberta could not qualify for exemption.

The Court held that the OIPC erred in its narrow interpretation of the exemption and by finding that the RCMP was an agency of the province. In the circumstances, the RCMP was to be treated as any other police service – a “local government body” – and one who could benefit from the exemption in disclosing information to another local public body. The OIPC put too much weight on the “intergovernmental relations” heading, it said, and ignored the plain wording of the Act.

Edmonton Police Service v Alberta (Information and Privacy Commissioner), 2022 ABCA 397 (CanLII).

Recent cyber presentations

Teaching is the best way of learning for some, including me. Here are two recent cyber security presentations that may be of interest:

A presentation from last month on “the law of information” that I delivered to participants in the the Osgoode PDP program on cyber security
Last week’s presentation for school boards – Critical Issues in School Board Cyber Security

If you have questions please get in touch!