Notes on Nova Scotia’s FOIPOP Reform Bill

On Friday, the Nova Scotia legislature introduced Bill 150, a new statute that consolidates the province’s public sector access and privacy laws and introduces key modernization reforms. Below are some quick highlights from the bill.

Class-based exemption for security control information. I just posted last week about withholding information that could jeopardize network security. Nova Scotia’s proposed legislation includes a novel class-based exemption that permits a head to withhold “information the disclosure of which could reasonably be expected to reveal, or lead to the revealing of, measures put in place to protect the security of information stored in electronic form.” Having previously negotiated with regulators to exclude control-related details from investigation reports, I view this language as both protective and positive.

New privacy impact assessment requirement. Under Bill 150, public bodies will be required to conduct a privacy impact assessment (PIA) before initiating any “project, program, system, or other activity” that involves the collection, use, or disclosure of personal information. The PIA must also be updated if there is a substantial change to the activity. A key question is whether the term “other activity” is broad enough to include non-routine or minimal data collections—which public bodies may prefer not to assess.

Power to collect for threat assessment purposes. This touches on an issue I’ve followed for years: behavioral threat assessment and the conduct of so-called “threat inquiries.” Conducting a threat inquiry in response to concerning behavior to properly assess a human threat is a best practice that arose out of 2004 United States school shooting report. However, their legality has been questioned when conducted by institutions without a law enforcement mandate. Nova Scotia’s proposed legislation includes a new authorization to collect personal information—either directly or indirectly—for the purpose of reducing the risk that an individual will be the victim of intimate partner violence or human trafficking. This is a positive step, but it raises a key question: What about other forms of physical violence? The statute’s narrow focus may leave gaps in protection where threat assessments could be equally justified.

New offshoring rules. The new statute, if passed, will repeal the Personal Information International Disclosure Protection Act (PIIDPA)- Nova Scotia’s statute that prohibits public bodies and municipalities from storing, accessing, or disclosing personal information outside of Canada unless an exception applies. It will replace it with a new provision, however, that could be used to continue a similar prohibition. The new provision prohibits disclosing and storing personal information outside of Canada (as well as permitting personal information to be accessed from outside of Canada) unless in accordance with regulations. It does not contemplate regulation of service providers and their employees, which is a feature of PIIDPA.

New breach notification. The new statute, if passed, will include privacy breach notification and reporting, triggered when “it is reasonable to believe that an affected individual could experience significant harm as a result of the privacy breach.” This is equivalent to the “real risk of significant harm standard” in my view.

Supreme Court power to remedy breaches. The new statute, if passed, will give the Nova Scotia Supreme Court the power to issue orders when “personal information has been stolen or has been collected by or disclosed to a third party other than as authorized by this Act.” British Columbia has a more elaborate version of such a provision, which can help public bodies respond to breaches given ongoing legal uncertainty around the status of personal information as property.

Hat tip to David Fraser.

File path information, network security and FOI

On March 7, 2025, the Saskatchewan Court of King’s Bench affirmed the withholding of file path information from a requester who sought the information under Saskatchewan’s provincial freedom of information statute.

The Court described the information as “file path addresses/links and barcodes within the documents that describe the process of accessing information/data stored in specific databases on a computer system.”

Notably, the institution relied on the class-based exemption for information with proprietary value. Proof of a non-speculative risk of harm is not required to invoke such this exemption, but case law in Saskatchewan and Ontario narrows the class to information with “inherent monetary value” and a proprietary character (in my words). The Court held that the exception applied based on an affidavit that stated that granting access would provide, “an instruction manual for any person with access to SHA’s systems to quickly and effectively identify and access locations on SHA’s systems that contain sensitive personal and personal health information and other sensitive security information…”

In 2023, the IPC/Ontario rejected a claim made by the Ontario Ministry of Health that file path information was exempt from the right of access because the Ministry failed to prove a non-speculative risk of harm. It commented, “I do not accept that disclosure of the file path information (the location of a specific document in the ministry’s computer system) could reasonably be expected to compromise the security of the ministry’s computer system or allow unauthorized individuals to infiltrate the ministry’s computer systems. The ministry has not adequately explained how this information could be used to access the ministry’s computer system by an individual who is not a ministry employee.”

I’ve underlined the text above to highlight the flaw in the Ministry’s argument—though, to be fair, it was addressing only two lines of file path information. It is difficult to conceive how file path information could be used to compromise a network. However, one can easily see how such information could assist a malicious actor in quickly locating valuable data within a network. File path information should be exempt, and the new Saskatchewan case will help make that argument. It’s a particularly good case because it rests on a class based exemption and not amore circumstantial harms based exemption.

Note that the IPC/Ontario has withheld other information about a network to protect it from malicious actors. See Ontario Lottery and Gaming Corporation (Re), 2016 CanLII 85802 (ON IPC), <https://canlii.ca/t/gw1g6>, retrieved on 2025-09-23.

Schiller v Saskatchewan Health Authority, 2025 SKKB 37 (CanLII), <https://canlii.ca/t/kb2fh>, retrieved on 2025-09-23.

Sask CA says how to interpret access rights, and addresses various standards for proof of harm

On January 28, 2025, the Court of Appeal for Saskatchewan held that Saskatchewan Government Insurance could rightly withhold a report that questioned an individual’s fitness to drive based on a Health Information Protection Act discretionary exemption that permits a trustee to refuse access if “disclosure of the information could interfere with a lawful investigation or be injurious to the enforcement of an Act or regulation.”

The Court firstly held that the lower court erred in reading the exemption to apply only if the disclosure could interfere with “an existing or identifiable prospective investigation.” In doing so, the Court made an important point about purposive analysis and access-granting statutes, finding that one ought not give weight to the purpose of an access-granting statute without also giving weight to the purpose of the applicable exception to the granted right of access. It said:

[45] …in a case pitting a right of access against an exception to it, a court must not let the broad purpose of legislation granting rights of access overtake the exercise of properly interpreting provisions that provide exemptions. As always, the modern approach demands that the court must begin the interpretative exercise with attention to the words of the statute, as used in the context of the statute. It also requires that the interpreter consider statutory purpose in a somewhat broader sense than did the judge in this case. This idea is explained in Sullivan, as follows:

§9.02[1] Introduction. In its broadest sense, legislative purpose refers not only to the material goals the legislature hoped to achieve but also to the reasons underlying each feature of the implementing scheme. It asks the question why: why this legislation? why this arrangement of powers? why this direction or rule? why this turn of phrase? In purposive analysis every feature of legislation from the overall conception to the smallest linguistic detail is presumed to be there for a reason. It is presumed to address a concern, anticipate a difficulty, or in some way promote the legislature’s goals.

[43] In short, in a case like this, the interpreter must have regard not only to the purpose of the legislation as a means to extend rights of access to information but also must be mindful of the objectives that stand behind the exceptions themselves. This is because exemptions, such as found in s. 38(1)(f), are the mechanism chosen by the Legislature to achieve the balance between, on the one hand, rights of access and, on the other hand, society’s interest in maintaining the confidentiality of some types of information. In this case, the judge’s singular focus on the purpose that lies behind the right of access found in s. 32 of HIPA was therefore too narrow.

The court also interpreted the word “could” in the applicable exemption to impose an “objective possibility” proof of harm standard, a lower standard than the standard that arises from the words “could reasonably expected to” (which the Supreme Court of Canada said in Merck requires proof of harm that is “more than a mere possibility”).

The question for privacy lawyers, then, is whether a “real risk” (as in “real risk of significant harm”) requires proof of an “objective possibility” of harm or proof of harm that is “more than a mere possibility.” The text might go either way in my view, and as in this case, one ought not let the purpose of breach notification eclipse the purpose the standard itself, which is to set a threshold and protect against notification fatigue and other harms associated with over notification.

Saskatchewan Government Insurance v Giesbrecht, 2025 SKCA 10 (CanLII).

Mandate letters decision applied to give full force to academic freedom exclusion in Alberta

The Supreme Court of Canada issued its “Mandate Letters” decision in February of this year. It was an obscure case for day-to-day freedom of information practice, addressing whether written mandates by a premier to their ministers are accessible to the public under freedom of information legislation. Mandate Letters was nonetheless signficant for its re-framing of statutory purposes: access legislation does not just support transparency, but is meant to “strike a balance.” In the very first line of her judgement Justice Karatkanis said:

Freedom of information (FOI) legislation strikes a balance between the public’s need to know and the confidentiality the executive requires to govern effectively. Both are crucial to the proper functioning of our democracy.

She then held that the IPC/Ontario erred by failing to engage meaningfully with the legal and factual context underlying the cabinet confidences exemption in Ontario FIPPA.

On September 30, 2024, the Court of King’s Bench of Alberta applied Mandate Letters in finding that the Alberta OIPC erred in failing to adequately engage with the teaching and research records exclusion in Alberta FIPPA.

The request was for information pertaining to a complaint made by two University of Calgary law professors to the Canadian Judicial Council regarding Justice Robin Camp, who resigned from the bench in 2017 after the CJC recommended his removal for comments made in hearing a sexual assault case.

The OPIC construed the teaching and research records exclusion narrowly, and expressly stated, “There is no indication in the Act that these categories are determined via balancing interests in disclosure versus academic freedom.” One can plainly see the conflict between this statement and Mandate Letters.

Teaching records. The disputed teaching records included e-mail discussions among professors about what might be taught in a particular course. The Court held the OPIC erred in treating these records as within the Act because they do not themselves impart knowledge, skill or instruction. It said that the exclusion extends to all “materials arising from activities reasonably necessary to facilitate and/or related to the act of teaching.”

Research records. The Court also held that the OPIC erred in constraining research to “systematic investigation,” explaining:

Whatever the field, research is rarely a siloed activity. Breakthroughs and progress often occur in the crucible of conversation, contention and controversy. Accordingly, to encourage research and innovation, it may be necessary to protect discussions among academic colleagues.

It further commented that the question is not about the quality or social utility of the research in question, nor does a link to “ideological precepts” diminish a claim to academic freedom – judgement on such matters being within the exclusive domain of the academy. The exclusion, however, does not extend to (pure) social activism

Academics who personally involve themselves in social actions/causes do so with the advantage of time, resources, and status afforded to them by virtue of their affiliation with, and funding by, public institutions. It is appropriate, and in line with the fundamental purposes of freedom of information legislation, that their activities in this realm be subject to scrutiny and oversight.

These findings are at odds with the more constrained view of Ontario’s teaching and research records exclusion taken by the Ontario/IPC, though are principled and threfore applicable outside of Alberta.

Note that this decision is about the substantive scope of the exclusion, and not a University’s entitlement to access teaching and research records. These are distinct issues per City of Ottawa. The Court noted, “The University of Calgary identified and categorized the records at issue as either teaching materials or research materials.”

Governors of the University of Calgary v Alberta Information and Privacy Commissioner, 2024 ABKB 522 (CanLII).

BCCA sends notice issue back to BC OIPC

On September 25th, the Court of Appeal for British Columbia partially upheld Airbnb’s successful judicial review of a British Columbia OIPC decision that required the City of Vancouver to disclose short term rental addresses along with related information, but vacated the application judge’s order to notify over 20,000 affected individuals.

Background

The City licenses short term rentals. It publicly discloses license information, presumably to enable renter inquires. However, the City stopped publishing host names and rental addresses with license information in 2018 based on credible reports of safety risks. Evidence of the safety risks was on the record before the OIPC – general evidence about “concerned vigilante activity” and harassment, evidence about a particular stalking episode in 2019 and evidence that raised a concern about enabling criminals to determine when renters likely to be out of the country.

The OIPC nonetheless ordered the City to disclose:

License numbers of individuals;
Home addresses of all hosts (also principle residences given licensing requirements); and
License numbers associated with the home addresses.

It was common ground that the above information could be readily linked to hosts by using publicly available information, rendering the order upsetting to Airbnb’s means of protecting its hosts. Airbnb only discloses the general area of rentals on its platform, which allows hosts to screen renters before disclosing their address.

Supreme Court Decision

The application judge affirmed the OIPC dismissal of the City’s safety concern as a reasonable application of the Merck test, but held that the OIPC erred on two other grounds.

First, the Court held that the OIPC unreasonably held that home address information was contact information rather than personal information. It failed to consider the context in making a simplistic finding that home address information was “contact information” because the home address was used as a place of business. The disclosure of the home address information, in the context, had a significant privacy impact that the OIPC ought to have considered.

Second, the Court held that the OIPC erred in not giving notice to the affected hosts – who numbered at least 20,000 – and for not providing reasons for its failure. The Court said this was a breach of procedural fairness, a breach punctuated by the evidence of a stalking and harassment risk that the OIPC acknowledged but held did not meet the Merck threshold.

Appeal Court Decision

The Court of Appeal affirmed the lower court’s contact information finding. It also held that the matter of notice to third parties ought to have been raised before the OIPC at the first instance, and that the application judge ought not to have ordered notice to be given. It stressed the OIPC’s discretion, and said:

Relevant facts that may inform the analysis include the nature of the records in issue, the number of potentially affected third parties, the practical logistics of providing notice, whether there are alternative means of doing so, and potential institutional resource issues.

Analysis

Giving notice and an opportunity to make submissions to 20,000 affected individuals is no small matter. In this case, valid electronic contact information was likely available. However, even a 2% response rate would generated 400 submissions, each of which deserving of due consideration.

Many institutions, thinking practically, would simply deny access as a means of avoiding this burden and respecting affected party rights, bearing in mind that the Supreme Court of Canada cautioned in Merck that notice should be given prior to disclosure in all but “clear cases.” When an institution denies access to avoid a massive notification burden, that burden transfers to the relevant commissioner/adjudicator, and even recognizing “practical logistics” and “institutional resource issues,” is see no reason why the “clear cases” rule from Merck should not be the governing test.

The Office of the Information and Privacy Commissioner for British Columbia v. Airbnb Ireland UC, 2024 BCCA 333.

NSCA outlines the “law of redaction”

Exactly when should an entire document be withheld because redaction is not reaonable?

Freedom of information adjudicators have used the concept of “disconnected snippets” to delineate; if redaction would leave a reader with meaningless “disconnected snippets,” entire records can rightly be withheld.

The Nova Scotia Court of Appeal, on August 7th, applied similar logic in determining that a set of affidavits “could not be redacted without sacrificing their intelligibility and therefore the utility of public access.” It therefore held that the affidavits could be sealed in whole in compliance with the necessity component of the test from Sherman Estate.

Notably, the Court reviewed cases that establish a second basis for full record withholding – cost. In Patient X v College of Physicians and Surgeons of Nova Scotia, the Nova Scotia Supreme Court held that redacting a 120-page records would be too “painstaking and prone to error” given it included a significant number of handwritten notes. And in Khan v College of Physicians and Surgeons of Ontario, the Ontario Superior Court of Justice reached a similar finding given the record requiring redaction was almost 4,500 pages in length, requiring an error prone hunt for (sensitive) patient information.

Back to freedom of information, where costs are passed through to requesters. In Ontario, the norm is to charge through two minutes a page for redaction. Should a premium be chargeable for handwritten records or records that contain very sensitive information?

Dempsey v. Pagefreezer Software Inc., 2024 NSCA 76 (CanLII).

Notable quote from recent EWCA freedom of information judgement

On November 22, 2023, the Court of Appeal (England and Wales) held that the Freedom of Information Act 2000 permits the public interest in maintaining non-absolute exemptions to be weighed in the aggregate against the public interest in disclosure.

This decision is technical, and about the unique structure of the United Kingdom’s freedom of information statute. Lady Justice Andrews even remarked, “I anticipate that it will rarely be the case that the issue of statutory construction that we have been asked to resolve would make a practical difference to the outcome of an application for disclosure under FOIA.” The ICO is apparently appealing nonetheless.

I am blogging about the decision because Lord Justice Lewis provides us with this good quote that challenges the idea that a purposive interpretation of an access statute necessarily favours access. He says:

…it is too simplistic to say, as the Upper Tribunal did and as the respondents do, that aggregation of the different public interests in non-disclosure would lead to less disclosure of information and so run counter to the purpose of FOIA which is to promote openness. Similarly, it is unduly simplistic to take the view that FOIA is to be interpreted in as liberal a manner as possible in order to promote the right to information. As Lord Hope recognised in the Common Services Agency case, the right to information is qualified in significant respects and appropriate weight must be given to those qualifications as the “scope and nature of the various exemptions plays a key role within the Act’s complex analytical framework” (see paragraph 34 above). A similar approach to FOIA has been recognised by Lord Walker in BBC v Sugar (No.2) [2012] UKSC 4, [2012] 1 WLR 439, especially at paragraphs 76 to 84 and in Kennedy by Lord Mance and Lord Sumption (with whom Lord Neuberger and Lord Clarke agreed) in the quotations set out at paragraphs 35 and 36 above. Rather, the wording of section 2(2) should be considered, in the light of the statutory context, to determine how Parliament intended the system of exempting information from disclosure to operate.

Bear in mind that the purpose sections in Ontario’s freedom of information statutes expressly state that statutory “exemptions” from the public right of access should be “limited and specific.” The Divisional Court, however, has also held that the statutory purpose of FIPPA and MFIPPA weights in favour of narrowly construing exclusions – the provisions that remove certain records entirely from the scope of the right of access. I question that approach for the reasons articulated by Lord Justice Lewis; it is too simplistic an approach to discerning legislative intent.

Dept for Business and Trade v IC and Montague [2023] EWCA Civ 1378.

BCSC addresses university possession and control of research records

On November 6th, the Supreme Court of British Columbia affirmed a British Columbia OIPC finding that a university was in possession and control of e-mails sent and received by a faculty member that the University claimed related to research. The Court nonetheless quashed the OIPC’s order to issue a decision in respect of the e-mails on the basis that they were not excluded from the public right of access.

The request was for e-mail correspondence between a faculty member and his research collaborator in Japan over a lengthy time period. The University denied the request based on the statutory exclusion for “research information” in British Columbia FIPPA – an exclusion meant to safeguard academic freedom.

On appeal to the OIPC, the University relied on an affidavit from the targeted professor that stated all of the requested communications were related to ongoing research. The affidavit also described the general nature of the communciations, but did not include an index.

The requester responded that the faculty member and his colleague from Japan “have collaborated on numerous formal complaints to TRU about Dr. Pyne’s professional work and behavior” and indicated that they were seeking correspondence that established an improper leak of related information by the faculty member to the colleague – an act of “professional activism.” The OPIC held that the records were under the University’s possession and control and that the University failed to meet its onus of establishing that they were excluded. It ordered it to make a decision as to their release under FIPPA.

The Court affirmed the OIPC’s possession and control finding, dismissing the University’s argument that academic freedom rendered the e-mails beyond its possession and control. The Court said:

[49] Much of TRU’s argument on both arms of the custody and control issue is an attempt to characterize the academic university setting as one in which ordinary analysis does not apply. The argument is that academic faculty members are special: they have academic freedom, which is to say, a protected sphere of individual autonomy, within which they are free from oversight and direction by the university, and their email correspondence within that sphere should be no more subject to disclosure under FIPPA than would be purely personal correspondence.

[50] Counsel for OIPC submits that both arms of TRU’s argument are analytically misplaced because, while FIPPA recognizes the importance of academic freedom, it does so under the aegis of the research information (or research materials) exception in s. 3(1)(e) (now s. 3(3)(i)). I agree with this submission. The research information exception makes room for TRU’s argument. It is unhelpful to have to deal with it separately as an argument about custody or control.

The suggestion in the last sentence above is that the existence of the statutory exclusion lends support to institutional possession and control – i.e., that academic freedom is protected by the exclusion but does not restrict a University’s ability to handle faculty records in processing requests.

The Court nonetheless quashed the OIPC’s order. It held that the University’s evidence established that at least some of the responsive e-mails were excluded, and that the resulting order to issue a decision in respect of all responsive records was over-broad. In making this finding, it held that the OPIC had a reasonable basis for doubting the faculty member’s “blanket assertion” given the competing evidence about “professional activism.”

IMHO the University’s affidavit ought to have carried the day. It may make sense to require better, more particular evidence to support an exclusion claim when the claimant’s evidence is rebutted, but I don’t believe it was rebutted in this case. The only assertion by the requester is that the set of responsive e-mails likely contained information about a research misconduct matter, and research misconduct is typically treated as within the scope of academic freedom and subject to academic self governance and freedom.

Thompson Rivers University v British Columbia (Information and Privacy Commissioner), 2023 BCSC 1933 (CanLII).

BCSC quashes FOI decision about risk of harm to Airbnb hosts

On July 4th, the Supreme Court of British Columbia quashed a British Columbia OIPC order to provide an FOI requester with access to information about Airbnbs operating in the City of Vancouver.

The OIPC nonetheless ordered the City to disclose:

License numbers of individuals;
Home addresses of all hosts (also principle residences given licensing requirements); and
License numbers associated with the home adresses.

The Court affirmed the OIPC dismissal of the City’s safety concern as a reasonable application of the Merck test, but held that the OIPC erred on two other grounds.

This is a wonderful case that illustrates how judicial review works. In my view, the evidence about the risk of harm drove the outcome despite the Court’s affirmation of the OIPC finding. The Court simply found an easier way to address the problem with the OIPC’s outcome – a procedural fairness finding. The notice obligation is no small obligation in cases like this, but cannot be rightly ignored.

Airbnb Ireland UC v Vancouver City, 2023 BCSC 1137.

Manitoba judge implores common sense approach to privacy protection

On November 11th of last year, the Manitoba Court of Kings Bench ordered the City of Winnipeg to release information sought by an FOI requester, rejecting a claim that the information constituted “personal information.”

The media requester sought access to records of breaches and penalties imposed on Winnipeg police officers for breach of police service regulations. The City recorded this information in quarterly reports without names or other direct identifiers, and routinely published the reports internally to approximately 2,000 civilian and police service members.

In answering the request, the City redacted information about penalties imposed for each violation (identified only by regulation number) under the “unjustified invasion of personal privacy” exemption. It claimed that to include penalty information would render the information personal information, the disclosure of which constituted an unjustified invasion of personal privacy. Here is the City’s re-identification risk argument:

[7] Some of the penalties in the Routine Orders are unique and significant and might be apparent to family and close friends of the member who received the penalty. If a member received a penalty of loss of days, family or close friends of the member could be aware of a change of routine because the member has reduced pay or less leave. Family or close friends who saw the penalty in combination with the timeframe on the Routine Order in which the penalty was registered might make the connection and realize that their friend or relative was investigated by their employer and what the particular charge was.

And more:

[9] Some of the charges in the Routine Orders are specific and could result in public identification of the member by that fact alone. For example, witnesses, and complainants could be aware of the circumstances that resulted in the Regulatory charge and if they saw the charge and the Routine Orders in combination with the timeframe on the Routine Order in which the penalty was registered, could then become aware of the penalty imposed.

The Court rejected this argument and found that the information was not personal information based on the well-established reasonable expectations test – a test that asks whether a proposed disclosure, in conjunction with other available information, could reasonably be expected to identify an individual. Notably, the court held that this standard imposes the same evidentiary burden articulated by the Supreme Court of Canada in Merck Frosst – a burden that requires proof of a non-speculative event considerably more likely than a mere possibility but not necessarily proof of an event that is likely.

Like most public sector access and privacy statutes, the Manitoba Freedom of Information and Protection of Privacy Act does not shield personal information from the right of public access entirely – it only protects against unjustified invasions. The judge noted this, noted the City’s broad internal publication of the penalty information at issue and urged those charged with facilitating access to records to approach their task “with a healthy dose of common sense.”

Annable (CBC) v. City of Winnipeg, 2022 MBKB 222 (CanLII).