Teaching is the best way of learning for some, including me. Here are two recent cyber security presentations that may be of interest:
- A presentation from last month on “the law of information” that I delivered to participants in the the Osgoode PDP program on cyber security
- Last week’s presentation for school boards – Critical Issues in School Board Cyber Security
If you have questions please get in touch!
Here is a deck I just put together for the The Osgoode Certificate in Privacy & Cybersecurity Law that gives a high-level perspective on the state of FOI, in particular given (a) the free flow of information that can eviscerate practical obscurity and (b) the serious cyber threat that’s facing our public institutions. As I said in the webinar itself, I’m so pleased that Osgoode PDP has integrated an FOI unit into into its privacy and cyber program given it is such a driver of core “information law.”
For related content see this short paper, Threat Exchanges and Freedom of Information Legislation, 2019 CanLIIDocs 3716. And here’s a blog post from the archives that with some good principled discussion that I refer to – Principles endorsed in Arar secrecy decision.
Here is a copy of the presentation I delivered yesterday at the at the PISCC’s 2020 Ontario Connections Conference. As I told the audience, I’m a confessed FOI nerd. The exclusion is such a unique, important and misunderstood part of our Ontario FOI law that it was good to dive deep on it while in good company.
ALSO, BLG is launching a new webinar series for the provincial public sector called “nuts and bolts.” The first webinar will run in late November, please sign up here, or if you can’t attend in November and want me to put you on our mailing list please DM me.
On June 3rd, the Court of Appeal for Newfoundland and Labrador held that the signature of an “employee” who authorized a vacation leave payout to a senior administrator at a college campus in Qatar was accessible to the public even though the individual was hired by Qatar, and not the College.
The matter turned on the meaning of “employee” under Newfoundland’s now repealed and replaced FOI statute, which at the time exempted all personal information from the right of access subject to an exemption for “information… about a third party’s position, function or remuneration as an officer, employee or member of a public body.” The Court held that the term employee is broad enough to include some independent contractors. It explained:
The statutory context and the purpose of the Act, however, would appear to limit including independent contractors only to those who, by virtue of their contract, are required to perform services for the public body in a manner that involves them as a functional cog in the institutional structure of the organization. It is those persons whose personal information about position and functions which can be regarded as employees and still promote the purpose and object of the legislation. To restrict the definition further would be to shield information about certain aspects of the public body’s operations and functioning from potential public scrutiny. To expand the definition further would equally not promote the object and purpose of the Act because it would allow for disclosure of personal information that does not elucidate the institutional functioning of the public body which is to be held accountable.
The Court’s affirmation of the public’s right of access here is no surprise. For one, the record suggested that the College and Qatar were common employers. More fundamentally, the privacy interest in the signature that would justify the outcome sought by the College was simply too minimal to give its interpretation argument principled force. In Ontario, signatures made in one’s professional capacity are not even considered to be one’s personal information.
College of the North Atlantic v. Peter McBreairty and Information and Privacy Commissioner of Newfoundland and Labrador, 2020 NLCA 19.
On December 9th, the British Columbia Supreme Court held that the British Columbia OIPC erred in its handling of a claim that the identities of BC Hydro employees who had evaluated an RFQ for services at a controversial hydroelectric project should be withheld. Hydro argued that identifying information may be withheld due to the potential harm to the employees’ physical and mental health.
The Court held that the OIPC improperly elevated the test for harm set out in the Supreme Court of Canada’s Merck decision – more than a possibility but less than a probability. Helpfully, it said the OIPC was wrong to suggest that Hydro “had to establish some employees were physically hurt or employees suffered from mental health issues before bringing itself within the [applicable exemption.” It also said, “I am also troubled by the Delegate’s comment that there was no evidence proffered from employees regarding how the disclosure of their names might threaten their mental health… It was unreasonable to expect such evidence in the circumstances.”
British Columbia Hydro and Power Authority v British Columbia (Information and Privacy Commissioner), 2019 BCSC 2128 (CanLII).
On October 9th, Justice McHaffie of the Federal Court held that firearm serial numbers, on their own, are not personal information. His ratio is nicely stated in paragraphs 1 and 2, as follows:
Information that relates to an object rather than a person, such as the firearm serial numbers at issue in this case, is not by itself generally considered
personal information”since it is not information about an identifiable individual. However, such information may still be personal information exempt from disclosure under the Access to Information Act, RSC 1985, c A-1 [ATIA] if there is a serious possibility that the information could be used to identify an individual, either on its own or when combined with other available information.
The assessment of whether information could be used to identify an individual is necessarily fact-driven and context-specific. The
other available information relevant to the inquiry will depend on the nature of the information being considered for release. It will include information that is generally publicly available. Depending on the circumstances, it may also include information available to only a segment of the public. However, it will not typically include information that is only in the hands of government, given the purposes of both the ATIA and the personal information exemption.
This is not a bright line test, though Justice McHaffie did say that the threshold should be more privacy protective than if the “otherwise available information” requirement was limited to publicly available information or even information available to “an informed and knowledgeable member of the public.”
Canada (Information Commissioner) v Canada (Public Safety and Emergency Preparedness), 2019 FC 1279 (CanLII).
On May 16th the Court of Appeal for Saskatchewan held that the Office of the Information and Privacy Commissioner, Saskatchewan should not have required the University of Saskatchewan to produce communications that it claimed were subject to solicitor-client privilege.
The Commissioner began by inviting the University to provide evidence that supported its privilege claim. The University filed an affidavit from a non-lawyer stating that legal counsel had advised that “some” of the withheld documents are subject to solicitor-client privilege. It did not file an index of records.
This led the Commissioner to immediately request the records. Although the Commissioner had asked the University for a index of records, it did not ask again – an omission that the Court held to breach the principle that demands an adjudicator only review solicitor-client communications when absolutely necessary to assess a privilege claim.
This fact-specific decision illustrates how strictly the absolute necessity principle will be enforced. The Court also spoke about what privilege claimants ought to be required to present in support of their claims. In doing so, it suggested that an index that identifies records will ordinarily provide an adequate basis for assessing a privilege claim in the absence of any evidence suggesting a claim is “ill founded”.
University of Saskatchewan v Saskatchewan (Information privacy Commissioner), 2018 SKCA 34.
On April 13th, the Court of Appeal for British Columbia held that a rubric for an undergraduate admissions test administered by UBC was excluded from British Columbia’s public sector access and privacy act as a “record of a question.” It interpreted this phrase purposely, as encompassing “anything that is inregral to the question such that disclosure would defeat the purpose of the question for future use.”
University of British Columbia v. Lister, 2018 BCCA 139 (CanLII).
It is inappropriate to closely parse solicitor-client communications in assessing the scope of privilege; the entire “continuum of communications” must be protected. This is the principle articulated in a June 8th decision of the Court of Appeal for British Columbia.
The Court allowed the appeal of a chambers judge order to produce parts of a series of e-mails between a government lawyer and staff at an administrative tribunal. The content ordered to be produced included:
- two paragraphs and two sentences of a ten paragraph advisory e-mail in which the chambers judge suggested the lawyer stepped beyond his role as legal advisor and impinged upon the tribunal’s decision-making authority;
- a follow-up e-mail that the chambers judge held was not privileged for similar reasons; and
- follow-up correspondence between (internal) clients discussing the lawyer’s advice.
The Court held that all this communication was part of the “continuum of communications” that supported the solicitor-client relationship and was therefore privileged. It held there was no basis for a finding that the lawyer usurped the tribunal’s decision making authority, also stating:
In my view, it is in the nature of legal advice that it may influence the decision-making of the client. The purpose of legal advice is normally to advise the client on the best course of action to comply with the relevant law. Advice provided to a statutory decision-maker as to what should be done in order to be legally defensible is still legal advice.
The dispute arose after the above communications were inadvertently disclosed in response to a freedom of information request made by a law firm. The receiving lawyer obtained the communications as part of a disclosure package in which government made a number of exemption claims. She believed government to have waived privileged and used the communications in a proceeding, which led government to assert its privilege claim and claim its disclosure was inadvertent. The Court held there was no waiver. It wasn’t highly critical of the receiving lawyer given these facts, but reminded lawyers of their duty to give notice when they receive communications that are apparently privileged.
British Columbia (Attorney General) v. Lee, 2017 BCCA 219 (CanLII).
On September 12, the Alberta Court of Queen’s bench issued a decision in which it held that the Alberta Health Information Act may apply to information about individuals other than those who receive a health service that is collected when a health service is provided to an individual.
The case involves an FOI request filed by the daughter of two residents of a health facility. The daughter sought records of her personal information in the custody of the facility after it imposed conditions on her visitation privileges. The facility denied access to a number of records on the basis that references in the records to the daughter constituted the health information of her parents. The Court agreed, and said the following:
These hypotheticals suggest that “other information about an individual that is collected when a health service is provided to the individual” includes, at the very least, information about the mental or physical health of others that relates to the physical and mental health of an individual or a health service provided to an individual and is collected when a health service is provided to an individual. It may affect the diagnosis or the health service provided to the patient.
Using this standard to determine whether any of the information in the records of Covenant Health about Ms. McHarg is classified as health information under the Health Information Act, the adjudicator must ask two questions. First, is there any information in Covenant Health’s records about Ms. McHarg that relates to or may directly affect the physical and mental health of Ms. McHarg’s parents or a health service provided by Covenant Health to Ms. McHarg’s parents? Second, if so, was this information collected when Covenant Health provided a health service to her parents?
The Court also addressed two issues pertaining to the application of exemptions under the Alberta Freedom of Information and Protection of Privacy Act. It found in favour of the facility on all issues and quashed the OIPC’s disclosure order.
Covenant Health v Alberta (Information and Privacy Commissioner), 2014 ABQB 562 (CanLII).