Manitoba judge implores common sense approach to privacy protection

On November 11th of last year, the Manitoba Court of Kings Bench ordered the City of Winnipeg to release information sought by an FOI requester, rejecting a claim that the information constituted “personal information.”

The media requester sought access to records of breaches and penalties imposed on Winnipeg police officers for breach of police service regulations. The City recorded this information in quarterly reports without names or other direct identifiers, and routinely published the reports internally to approximately 2,000 civilian and police service members.

In answering the request, the City redacted information about penalties imposed for each violation (identified only by regulation number) under the “unjustified invasion of personal privacy” exemption. It claimed that to include penalty information would render the information personal information, the disclosure of which constituted an unjustified invasion of personal privacy. Here is the City’s re-identification risk argument:

[7] Some of the penalties in the Routine Orders are unique and significant and might be apparent to family and close friends of the member who received the penalty. If a member received a penalty of loss of days, family or close friends of the member could be aware of a change of routine because the member has reduced pay or less leave. Family or close friends who saw the penalty in combination with the timeframe on the Routine Order in which the penalty was registered might make the connection and realize that their friend or relative was investigated by their employer and what the particular charge was.

And more:

[9] Some of the charges in the Routine Orders are specific and could result in public identification of the member by that fact alone. For example, witnesses, and complainants could be aware of the circumstances that resulted in the Regulatory charge and if they saw the charge and the Routine Orders in combination with the timeframe on the Routine Order in which the penalty was registered, could then become aware of the penalty imposed.

The Court rejected this argument and found that the information was not personal information based on the well-established reasonable expectations test – a test that asks whether a proposed disclosure, in conjunction with other available information, could reasonably be expected to identify an individual. Notably, the court held that this standard imposes the same evidentiary burden articulated by the Supreme Court of Canada in Merck Frosst – a burden that requires proof of a non-speculative event considerably more likely than a mere possibility but not necessarily proof of an event that is likely.

Like most public sector access and privacy statutes, the Manitoba Freedom of Information and Protection of Privacy Act does not shield personal information from the right of public access entirely – it only protects against unjustified invasions. The judge noted this, noted the City’s broad internal publication of the penalty information at issue and urged those charged with facilitating access to records to approach their task “with a healthy dose of common sense.”

Annable (CBC) v. City of Winnipeg, 2022 MBKB 222 (CanLII).

Recent cyber presentations

Teaching is the best way of learning for some, including me. Here are two recent cyber security presentations that may be of interest:

A presentation from last month on “the law of information” that I delivered to participants in the the Osgoode PDP program on cyber security
Last week’s presentation for school boards – Critical Issues in School Board Cyber Security

If you have questions please get in touch!

The union right of access to information

I’ve done a fair deal of enjoyable work on matters relating to a union’s right of access to information – be it under labour law, health and safety law (via union member participation in the health and safety internal responsibility system) or via freedom of information law. Today I had the pleasure of co-presenting to the International Municipal Lawyers Association on the labour law right of access with my colleague from the City of Vaughan, Meghan Ferguson.

Our presentation was about how the labour law right has fared against employee privacy claims. In short, it has fared very well, and arguably better in Ontario than in British Columbia.

I don’t believe the dialogue between labour and management is over yet, however, especially as unions push for greater access at the same time privacy sensitivities are on the rise. The advent of made-in-Ontario privacy legislation could be an impetus for a change, not because it is likely to provide employees with statutory privacy rights as much as because the new legislation could apply directly to unions. So stay tuned, and in the interim please enjoy the slides below.

The current state of FOI

Here is a deck I just put together for the The Osgoode Certificate in Privacy & Cybersecurity Law that gives a high-level perspective on the state of FOI, in particular given (a) the free flow of information that can eviscerate practical obscurity and (b) the serious cyber threat that’s facing our public institutions. As I said in the webinar itself, I’m so pleased that Osgoode PDP has integrated an FOI unit into into its privacy and cyber program given it is such a driver of core “information law.”

For related content see this short paper, Threat Exchanges and Freedom of Information Legislation, 2019 CanLIIDocs 3716. And here’s a blog post from the archives that with some good principled discussion that I refer to – Principles endorsed in Arar secrecy decision.

Cyber, secrecy and the public body

Here’s a copy of a presentation I gave yesterday at the High Technology Crime Investigation Association virtual conference. It adresses the cyber security pressures on public bodies that arise out of access-to-information legislation, with a segment on how public sector incident response differs from incident response in the private sector

Threat Exchanges and FOI Legislation

Here’s the second paper that relates to the panel I will be sitting on later this week. It is a collection of FOI case digests about the hacking threat with a covering thesis about the need for greater protection from disclosure. This one particularly caught my interest and includes some ideas I will come back to. Enjoy, and again, please send comments by PM.

View this document on Scribd

Federal Court says firearm serial numbers not personal information

On October 9th, Justice McHaffie of the Federal Court held that firearm serial numbers, on their own, are not personal information. His ratio is nicely stated in paragraphs 1 and 2, as follows:

Information that relates to an object rather than a person, such as the firearm serial numbers at issue in this case, is not by itself generally considered personal information”since it is not information about an identifiable individual. However, such information may still be personal information exempt from disclosure under the Access to Information Act, RSC 1985, c A-1 [ATIA] if there is a serious possibility that the information could be used to identify an individual, either on its own or when combined with other available information.

The assessment of whether information could be used to identify an individual is necessarily fact-driven and context-specific. The other available information relevant to the inquiry will depend on the nature of the information being considered for release. It will include information that is generally publicly available. Depending on the circumstances, it may also include information available to only a segment of the public. However, it will not typically include information that is only in the hands of government, given the purposes of both the ATIA and the personal information exemption.

This is not a bright line test, though Justice McHaffie did say that the threshold should be more privacy protective than if the “otherwise available information” requirement was limited to publicly available information or even information available to “an informed and knowledgeable member of the public.”

Canada (Information Commissioner) v Canada (Public Safety and Emergency Preparedness), 2019 FC 1279 (CanLII).

Sask CA says Commissioner’s request for privileged communications unnecessary

On May 16th the Court of Appeal for Saskatchewan held that the Office of the Information and Privacy Commissioner, Saskatchewan should not have required the University of Saskatchewan to produce communications that it claimed were subject to solicitor-client privilege.

The Commissioner began by inviting the University to provide evidence that supported its privilege claim. The University filed an affidavit from a non-lawyer stating that legal counsel had advised that “some” of the withheld documents are subject to solicitor-client privilege. It did not file an index of records.

This led the Commissioner to immediately request the records. Although the Commissioner had asked the University for a index of records, it did not ask again – an omission that the Court held to breach the principle that demands an adjudicator only review solicitor-client communications when absolutely necessary to assess a privilege claim.

This fact-specific decision illustrates how strictly the absolute necessity principle will be enforced. The Court also spoke about what privilege claimants ought to be required to present in support of their claims. In doing so, it suggested that an index that identifies records will ordinarily provide an adequate basis for assessing a privilege claim in the absence of any evidence suggesting a claim is “ill founded”.

University of Saskatchewan v Saskatchewan (Information privacy Commissioner), 2018 SKCA 34.

Ontario Court says FOI statute fails in providing access to administrative tribunal records

Yesterday the Ontario Superior Court of Justice held that the Ontario Freedom of Information and Protection of Privacy Act violates section 2(b) of the Charter because it goes too far to protect the privacy of parties, witnesses and others in matters heard by the Ontario Human Rights Tribunal, Ontario Labour Relations Boards and other statutory tribunals.

The Toronto Star brought the Charter application. It argued that the access regime created by FIPPA is too restrictive and too slow to meet its Charter-based right of access to “adjudicative records” – records of things filed before tribunals like pleadings and exhibits as well as tribunal decisions. A number of Ontario tribunals process requests for adjudicative records formally under FIPPA while others provide access more informally. The Star argued that the informal process must be the norm.

Justice Morgan allowed the application and declared that FIPPA violates the Charter by imposing a presumption of non-disclosure of “personal information” in adjudicative records. It is a puzzling decision for two reasons.

First, there is virtually no discussion about whether the open courts principle ought to apply to administrative tribunals. The Court’s application of the open courts principle appears to be derived from a provision requiring openness in the Statutory Powers Procedure Act:

All parties acknowledge that administrative hearings governed by the Statutory Powers Procedure Act (“SPPA”) are required to be open to the public. In principle, therefore, it is uncontroversial that “[t]he ‘open court’ principle” – at least in some version – “is a cornerstone of accountability for decision-making tribunals and courts.”

One might argue that the Court elevates a statutory presumption (which ought to be read in harmony with FIPPA) into a constitutional right. One might also argue that there are policy imperatives for administrative justice that weigh against recognition, in respect of tribunals, of the same level of openness that applies to courts – expediency and ease of access, for example. These two imperatives in particular are likely to suffer if administrative tribunal records are treated similarly to court records.

Second, the Court’s decision rests on what it says is a flawed “presumption of non-disclosure” – one that makes personal information in adjudicative records presumptively inaccessible. According to the Court this presumption arises out of the framing of FIPPA’s section 21 “unjustified invasion of privacy exemption,” which states that personal information shall be withheld unless its disclosure would not constitute an “unjustified invasion of privacy.”

It is too strong to call this a presumption, particularly in light of section 53 of FIPPA, which states, “Where a head refuses access to a record or a part of a record, the burden of proof that the record or the part falls within one of the specified exemptions in this Act lies upon the head.” To the contrary, all records in an institution’s custody or control are presumptively accessible under FIPPA, with limitations on the right of access dictated to be “limited and specific” as stipulated FIPPA’s purpose provision.

It’s quite arguable that FIPPA grants a right of access subject to a balancing of interests that has been carefully calibrated by the legislature and ultimately governed by an expert tribunal – the Information Privacy Commissioner/Ontario. Justice Morgan did not hide his views about the IPC, stating “In terms of the expertise of the institution heads and, in particular, the IPC, it is fair to say that the jury is still out. ”

Toronto Star v. AG Ontario, 2018 ONSC 2586.

BCCA gives broad protection to e-mail communications with inside counsel

It is inappropriate to closely parse solicitor-client communications in assessing the scope of privilege; the entire “continuum of communications” must be protected. This is the principle articulated in a June 8th decision of the Court of Appeal for British Columbia.

The Court allowed the appeal of a chambers judge order to produce parts of a series of e-mails between a government lawyer and staff at an administrative tribunal. The content ordered to be produced included:

two paragraphs and two sentences of a ten paragraph advisory e-mail in which the chambers judge suggested the lawyer stepped beyond his role as legal advisor and impinged upon the tribunal’s decision-making authority;
a follow-up e-mail that the chambers judge held was not privileged for similar reasons; and
follow-up correspondence between (internal) clients discussing the lawyer’s advice.

The Court held that all this communication was part of the “continuum of communications” that supported the solicitor-client relationship and was therefore privileged. It held there was no basis for a finding that the lawyer usurped the tribunal’s decision making authority, also stating:

In my view, it is in the nature of legal advice that it may influence the decision-making of the client. The purpose of legal advice is normally to advise the client on the best course of action to comply with the relevant law. Advice provided to a statutory decision-maker as to what should be done in order to be legally defensible is still legal advice.

The dispute arose after the above communications were inadvertently disclosed in response to a freedom of information request made by a law firm. The receiving lawyer obtained the communications as part of a disclosure package in which government made a number of exemption claims. She believed government to have waived privileged and used the communications in a proceeding, which led government to assert its privilege claim and claim its disclosure was inadvertent. The Court held there was no waiver. It wasn’t highly critical of the receiving lawyer given these facts, but reminded lawyers of their duty to give notice when they receive communications that are apparently privileged.

British Columbia (Attorney General) v. Lee, 2017 BCCA 219 (CanLII).