On October 28, 2025, the Court of Appeal of Alberta affirmed that the Alberta Office of the Information and Privacy Commissioner (the OIPC) acted unreasonably in narrowly construing the teaching and research records exclusion in the Alberta Freedom of Information and Protection of Privacy Act (FIPPA).
The request and OIPC decision
The request was for information pertaining to a complaint made by two University of Calgary law professors to the Canadian Judicial Council regarding Justice Robin Camp, who resigned from the bench in 2017 after the CJC recommended his removal for comments made in hearing a sexual assault case.
The OIPC construed the teaching and research records exclusion narrowly, and expressly stated, “There is no indication in the Act that these categories are determined via balancing interests in disclosure versus academic freedom.” The disputed records included e-mail discussions among professors about what might be taught in a particular course, which the OIPC held were not “teaching materials,” which it defined as “materials the substance of which imparts knowledge, skill, or instruction.” The OIPC also held that the disputed records were not comprised of “research information” when weighed against the “systematic investigation” definition of research adopted by the Ontario IPC.
The Court of Appeal decision
The Court of Appeal identified fundamental flaws in the IPC reasoning.
First, it held that the OIPC’S reasons “simply repeat[ed] statutory language, summariz[ed] arguments made, and then stat[ed] a peremptory conclusion.” The OIPC defined the terms as capturing mostly finished products ultimately presented in classrooms or publicly shared through publications. This, it said, “renders ss 4(1)(h) and (i) largely redundant, as a FOIPPA request would serve little purpose with respect to materials already in the public domain.”
Second, it held that the OIPC “arbitrarily chose definitions of ‘teaching materials’ and ‘research information’ without engaging in the necessary statutory interpretation,” failing to explain why restrictive interpretations were preferable and failing to reckon with legislative intent. Regarding this intent, the Court drew from the important Supreme Court of Canada “Mandate Letters Case” from 2024 in stating that freedom of information statutes “engage significant competing public interests and strike an important balance between the public’s need for transparency and visibility in the conduct of public agencies and the need for confidentiality and/or privacy protection for some of those very same institutions to perform their important public functions effectively.”
Discussion about the scope of research
The parties were joined by intervenors from the Faculty Association of the University of Calgary, the Canadian Association of University Teachers, and the Canadian Association of Law Teachers, all of whom took issue with certain obiter comments made by the chambers judge that suggested a distinction between academic study of social activism and direct participation in social activism, with participation falling outside the statutory exclusion.
The Court of Appeal rejected this approach, stating:
We agree that academic freedom exists to protect all scholarship, including that which may be unpopular or politically targeted. A distinction between participation in activism and study of activism may lead to definitions of “teaching materials” and “research information” which exclude novel teaching methodologies, teaching and research activities on particular topics involving what might be construed as participation in activism, and other direct engagement in the community outside the traditional classroom setting, as well as an academic’s participation relating to responsibilities or duties at their post-secondary institution.
This is a critical clarification. The exclusion protects the process of academic work, broadly defined.
Conclusion
The Court of Appeal’s decision is a decisive affirmation that academic freedom exclusions must be interpreted purposively, not formalistically. The OIPC’s narrow approach – treating these as mere carve-outs rather than affirmative protections for the academy’s core function – was fundamentally unreasonable. This approach is grounded in first principles and the Mandate Letters Case, in which Justice Karakatsanis wrote:
Freedom of information (FOI) legislation strikes a balance between the public’s need to know and the confidentiality the executive requires to govern effectively. Both are crucial to the proper functioning of our democracy.
It is therefore applicable beyond Alberta’s borders, notwithstanding the narrower view taken by Ontario IPC.
As a procedural matter, the University identified the records as teaching or research materials, so neither the University’s right of access to the records nor the question of custody and control were at issue. The matter of exclusion and a university’s entitlement to handle records and determine whether they are excluded are distinct. This case, by illustration, underscores the university entitlement.
Governors of the University of Calgary v Alberta (Information and Privacy Commissioner), 2025 ABCA 350 (CanLII), <https://canlii.ca/t/kg5f3>, retrieved on 2025-11-17
It was an honour and pleasure to speak today at the Canadian SecuR&E Forum, a research and education community-building event event hosted by CANARIE. My object was to spread the gospel of threat information sharing and debunk some myths about legal privilege as a barrier to it. Here are my slides, and I’ve also included the text of my address below.
Slide one
I am here today as a representative of my profession – the legal profession.
I’m an incident response lawyer or so-called “breach coach.” Lawyers like me are often used in an advisory capacity on major cyber incidents. Insurers encourage this. They feel we add consistency of approach mitigate downside risk.
I’ve done some very difficult and rewarding things with IT leaders in responding to incidents, and genuinely believe in the value of using an incident response lawyer. But I am also aware of a discomfort with the lawyer’s role, and the discomfort is typically expressed in relation to the topic of threat information sharing.
We often hear organizations say, “The lawyer told us not to share.”
I’m here as a lawyer who is an ally to IT leadership, and to reinforce the very premise of CanSSOC – that no single institution can tackle cybersecurity issues alone.
Here’s my five-part argument in favour of threat information sharing:
Organizations must communicate to manage
The art is in communicating well
Working within a zone of privilege is important
But privilege does not protect fact
And threat information is fact
My plan is to walk you through this argument, taking a little detour along the way to teach you about the concept of privilege.
Slide 2
Let’s first define what we are talking about – define “threat information.”
NIST is the National Institute for Standards and Technology, an agency of the US Department of Commerce whose cybersecurity framework is something many of your institutions use.
NIST says threat information is, “Any information related to a threat that might help an organization protect itself against a threat or detect the activities of an actor.”
Indicators (of compromise) are pieces of evidence that indicate a network has been attacked: traffic from malicious IP addresses and malware signatures, for example.
“TTPs” are threat actor “tactics, techniques and procedures.” These are behaviours, processes, actions, and strategies used by a threat actor. Of course, if one knows threat actor measures, one can employ countermeasures.
Beyond indicators and TTPs, we have more contextualized information about an incident, information that connects the pieces together and helps give it meaning. It all fits within this definition, however.
Slide 3
Argument 1 – we must communicate to manage
Let’s start with the object of incident response. Sure we want to contain and eradicate quickly. Sure we want to restore services as fast as possible. Without making light of it, I’ll say that there is lots of “drama” associated with most major cyber incidents today,
Major incidents are visible, high stakes affairs in which reputation and relationships are at stake. You’ll have many, many stakeholders descending on you from time zero, and every one of them wants one thing – information. You don’t have a lot of that to give them, in the early days at least, but you’ve got to give them what you can.
In other words, you need to do the right thing and be seen to do the right thing. This means being clear about what’s happened and what you’re doing about it. It means reporting to law enforcement. And it means sharing threat information with peers.
We’re stronger together is the CanSSOC tag line, and it’s bang on. NIST says that Tier 4 or “adaptive” organizations – the most mature in its framework – understand their part in the cyber ecosystem share threat information with external collaborators. There’s no debate: sharing threat information is part of a widely accepted cybersecurity standard.
Slide 4
Argument 2 – the art is in communicating well
People have a broad right to remain silent under our law.
And anything they say can be used as evidence against them in a court of law.
These are plain truths that are taught to lawyers first year constitutional and criminal law classes across the country.
And the right to remain silent ought to be to be adhered to strictly in some scenarios – when one faces criminal jeopardy, for example
Incident scenarios are far, far from that.
The most realistic downside scenario in most incidents is getting sued.
In theory, you can avoid civil liability by not being transparent about your bad facts.
In reality, hiding your bad facts is almost always an unwise approach.
This is because bad facts will come out:
because you’ll notify individuals affected by a privacy breach in accordance with norms or because it’s legally required; or
because you’re a public body subject to FOI legislation.
So you’ve got to do what the communications pros say: get ahead of it the issue, control the message and communicate well.
Slide 5
Let’s detour from the argument for a moment to do some important background learning.
What is legal privilege?
Short answer – It is a very helpful tool for incident responders.
It’s a helpful tool because it shields communications from pretty much everyone. Adversaries in litigation are the main concern, but also the public – who, again, has a presumptive right of access to every record in the custody or control of a university.
There are two types of privilege.
Solicitor-client. This is the strongest form of privilege. You see the definition here. Invoking privilege is not as simple as copying your lawyer on a communication. But if you send a communication to a lawyer and your decision-making team at the same time, and your lawyer is a legal advisor to the team, the communication is privileged.
Litigation privilege works a little differently, and is quite important. I specify in engagement letters that my engagement is both as an advisor and “in contemplation of litigation” so reports produced by the investigators we hire are more likely to survive a privilege challenge.
Invoking privilege is why you want to call your incident response counsel at the outset. If the investigator comes in first, you can always have a late-arriving lawyer say that the investigation is now for their purpose and in contemplation of litigation, but that assertion could be questioned given the timing. In other words, the investigation will look operational and routine and not for the very special purposes that support a privilege claim.
Slide 6
Back to the argument
Argument 3 – Working within a zone of privilege is important
Here’s an illustration of the power of privilege and why you want to establish it.
The left-hand column is within the zone of privilege. I’m in that zone. The experts I retain for you are in that zone. And you’re in that zone along with other key decision-makers. We keep the team small so our confidential communication is more secure.
And we can speak freely within the zone. Have a look at the nuanced situation set out in the left-hand column. The forensic investigator can present evidence gathered over hours and hours of work in one clear and cogent report. We can deal with fine points about what that evidence may or may not prove and what you ought to do about it. I’ll tell you where you can and should go, but I’ll also tell you about the frailties in those directions and other options you shouldn’t and won’t take.
None of that need ever see the light of day, and in the right-hand column, in public, you can tell your story in the clearest, plainest and most favorable way possible: “We do not believe there has been any unauthorized access to student and employee personal information.” If plaintiff counsel or anyone else wishes to disprove that, they can’t go to your forensic report for a road map to the evidence and for something to mine for facts that might seal your fate in court. They must gather all the evidence gathered by your investigator themselves, re-do the analysis and then figure out on their own what it means.
Privilege is of powerful benefit.
Slide 7
Argument 4 – privilege doesn’t protect facts
I often hear, “We need to keep things confidential because of privilege.” Let me tell you what that means.
The privilege belongs to the client, not the lawyer. Clients can waive privilege, so they need to keep their privileged communications and documents confidential. Institutions do this all the time, but it’s risky to say, “We’re doing this because our lawyer said so.” That’s arguably an implicit waiver.
The easy rule is, “Don’t publish anything you’ve said to your lawyer or that your lawyer has said to you.” Don’t state it directly. Don’t even hint at it!
The same goes for your forensic investigator. Saying “Our forensic investigator told us this.” is also a risk. Just say that you’ve done your investigation, and these are the facts, or you that you believe this to be the case.
If you do that. If you talk about the facts, you won’t waive privilege. You’ll be using the privilege to derive the facts you publish, and will be safe.
This is what your lawyer is working so hard on in an incident. One of our main roles is to work within that zone of privilege on the evidence and to determine what is and isn’t fact. If it really is fact, and you are in transparency mode, you will get the fact out whether it’s a good fact or a bad fact. And I’ll agonize with you about what that right hand column should say and make sure it is safe. I’ll ask myself continuously, “If my client gets into a fight later, will that be what is ultimately proven to be the truth?”
Slide 8
Argument 5 – threat information is fact
It is. And if you can convey facts without waiving privilege, you can convey threat information without waiving privilege.
So don’t listen to anyone that tells you that you can’t share threat information because it will waive privilege. It’s not a valid argument.
You’ll have a very clear view of indicators of compromise fairly early into an incident and should share them immediately because their value is time limited.
It takes longer to identify TTPs, but they are safe to share too because they are factual.
That’s my argument. I’ve been talking tough, but will end with a qualification – a qualification and a challenge!
The qualification. You should be wary of the unstructured sharing of information with context, particularly early on in an incident: CISOs call CISOs, Presidents call Presidents, I understand. I get it, and think that the risk of oral conversations with trusted individuals can be low. Nonetheless, this kind of informal sharing is not visible, and does represent a risk that is unknown and unmanaged. I’d rather you bring it into the formal incident response process and do it right. For example, I was part of an incident last year in which CanSSOC took an unprecedented and and creative step in brining together two universities who were simultaneously under attack by the same threat actor so they could compare notes.
This is the, challenge, then: how do we – IT, leaders, lawyers and CANSSOC together – enable better sharing in a safe manner. There’s a real opportunity to lead the nation on this point, and I welcome it.
I had a great time this morning at pre-conference workshop for the annual Canadian Association of College and University Student Services conference. The workshop was organized by the new CACUSS academic integrity and student judicial affairs division – CAISJA. I love addressing professionals working in the higher education sector because attendees are always very knowledgeable and engaged. Today was no exception!
Here is a copy of my slides, which were just to put a little structured content into three hours of discussion moderated by my CAISJA hosts.
As promised to attendees, here is the Hicks Morley paper (written in 2005) on student appeals and here are some citations to recent and relevant case law.
Zeliony v. Red River College – On hearing transcripts and the requirement to give reasons. The College’s reliance on unsworn witness statements (in part because witnesses said they were afraid to testify) is an important issue that is not addressed head-on in this award.
F.H. v. McDougall – The Supreme Court of Canada on the existence of only one standard of proof in civil cases – the balance of probabilities standard.
Though it is technically neither an academic integrity nor a student judicial affairs issue, we did get into discussion on threat assessments, student privacy and non-disciplinary suspensions. Some materials on this topic are posted here (my CAUBO March 2008 presentation), here (comments made after the Kajouji case) and here (link to good podcast).
Thanks again to my CAISJA hosts. I hope this material is helpful and, for those who attended, look forward to keeping in touch!
All About Information 
You must be logged in to post a comment.