FOI reconsideration order highlights important timing issue for Ontario institutions

On May 14th, the IPC/Ontario dismissed a request for reconsideration based on an asserted change of circumstances, a somewhat common happening given the lengthy period of time it now takes to process an FOI appeal.

The IPC had earlier affirmed a decision to deny access to certain information about the OPP’s use of cell site simulators on the basis that the information could reasonably be expected to “reveal investigative techniques and procedures currently in use in law enforcement.” After the IPC made this appeal decision, the requester learned that the OPP had switched to a new model of simulator, apparently after she made her request and before the IPC made its decision. The requester asked for reconsideration so she did not have to start again (by filing a new request and potentially re-arguing an appeal). The requester argued the Ministry’s exemption claim could not stand in light of the “new evidence.”

Assistant-Commissioner Liang declined the reconsideration request, but only on the basis that the newly proffered evidence would not have led her to make a different decision in any event. Assistant-Commissioner Liang noted that the Ministry had not deliberately withheld key evidence, which the IPC has treated as a basis for reconsideration. She did not comment on whether the Ministry ought to have brought forward the change in circumstances or whether its failure to do so might warrant reconsideration.

Appeal hearings are about the propriety of an access decision that is made at a point in time, though can invite respondent institutions to make representations about prospective harms. It goes without saying that institutions should not misrepresent the state of affairs in existence at the time they file their materials with the IPC. And if they have made accurate representations and the circumstances later change, there should be no duty to bring those circumstances to the attention of the IPC and no consequence for failing to do so. This would be a very heavy and impractical burden to bear, and would do harm to the finality owed to respondents. Requesters can and should be made to file new requests that can be the subject of fresh consideration and new access decisions.

Ontario (Solicitor General) (Re), 2020 CanLII 34928 (ON IPC).

IPC comments on use and disclosure of OSR in litigation

On June 15th, the Information and Privacy/Commissioner Ontario dismissed a privacy complaint that alleged a school board breached the Education Act and MFIPPA by producing a student’s OSR in response to his human rights application.

The Board produced the OSR and filed it in a brief of documents to be used at a pending Human Rights Tribunal of Ontario hearing, all pursuant to the Tribunal’s rules. The complainant objected, and in a preliminary hearing, the HRTO directed the complainant to consent or face dismissal of his application. The complainant did not consent, his application was dismissed and he subsequently filed a privacy complaint with the IPC.

The IPC held that MFIPPA prevails over the statutory privilege provision in the Education Act and that the IPC is therefore “not bound to consider section 266 of the Education Act in its deliberations.” It also held that the OSR was information “otherwise available” to the Board and therefore open to its use under the provision of MFIPPA that stipulates that MFIPPA “does not impose any limitation on the information otherwise available by law to a party to litigation.”

The IPC did recommend that, going forward, the Board refrain from unilaterally handling the OSR when its potential use and disclosure is in dispute: “… the Board should make efforts to seek direction from an administrative tribunal or court prior to disclosing the information contained within an Ontario School Record during the course of litigation.”

 York Region District School Board (Re), 2016 CanLII 37587 (ON IPC).

 

Reasonable necessity not enough to justify collection under Ontario’s public sector statutes

Section 38(2) is an important provision of Ontario’s provincial public sector privacy statue. It requires institutions to satisfy a necessity standard in collecting personal information. Ontario’s municipal public sector privacy statute contains the same provision.

On May 4th, the Divisional Court dismissed an Liquor Control Board of Ontario argument that the Information and Privacy Commissioner/Ontario had erred by applying a higher standard than “reasonable necessity” in resolving a section 38(2) issue. The Divisional Court held that the Court of Appeal for Ontario’s Cash Converters case establishes just such a standard:

The LCBO relies upon Cash Converters to support its submission that the IPC erred in not interpreting “necessary” as meaning “reasonably necessary.” However, Cash Converters does not interpret “necessary” in this way. In fact, it suggests the opposite. Arguably, something that is “helpful” to an activity could be “reasonably necessary” to that activity. Yet, the Court of Appeal makes it clear that “helpful” is not sufficient.

It’s hard to fathom a legislative intent to prohibit a practice that is, by definition “reasonable.” If the LCBO seeks and is granted leave to appeal this could lead to an important clarification from the Court of Appeal on a strict interpretation of section 38(2) that has stood for some time. The LCBO practice at issue – which involves collecting the non-sensitive information of wine club members to control against the illegal stockpiling and reselling of alcohol – is a good one for testing the line.

Liquor Control Board of Ontario v Vin De Garde Wine Club, 2025 ONSC 2537.

Arbitrator dismisses privacy breach grievance based on actions of a snooping employee

On March 15th, the Grievance Settlement Board (Ontario) dismissed a grievance against the government for one employee’s intentional “snooping” into another employee’s employment insurance file.

Intentional unauthorized access to personal information by a trusted agent is a somewhat common scenario that has not yet been addressed by labour arbitrators. While arbitrators have taken jurisdiction over privacy grievances on a number of bases, privacy grievances have typically addressed intentional employer action – e.g. the administration of a drug test or the installation of a surveillance camera. This case raises an issue about an employer’s obligation to secure employee personal information and its liability for intentional access by another person. Can a reasonable safeguards duty arise inferentially out of the terms of a collective agreement? Is there some other source of jurisdiction for such claims? It is not clear.

The GSB ultimately finds jurisdiction in the Municipal Freedom of Information and Protection of Privacy Act, which it finds is an “employment-related statute” that can be the basis of arbitral jurisdiction. This is unfortunate because MFIPPA, in general, excludes employment-related records (and hence employees). There are now a handful of arbitral decisions that neglect to consider and apply the (very important) exclusion.

Having found jurisdiction rooted in MFIPPA, oddly, the GSB does not consider whether the government (or the Ministry’s head) failed to meet the MFIPPA “reasonable measures to prevent unauthorized access” security standard. Instead, it applied a vicarious liability analysis and dismissed the grievance. I’ll quote the GSB analysis in full:

41      Being guided by the principles set out in Re Bazley, I am of the view that the Employer is not vicariously liable for actions of Ms. X. Simply put, the “wrongful act” was not sufficiently related to conduct authorized by the Employer. Indeed, the accessing of the grievor’s EI file had nothing to do with the work assigned to employees. Employees were able to and indeed did access EI files but only in those instances where it was necessary to assist their clients.
42      The evidence established that the Employer had clear and sufficient policies regarding the protection of private information. Privacy matters were discussed with employees at the point that they were hired and although those policies could have and perhaps should have been formally reviewed more frequently by management, employees were reminded of their obligations frequently by way of a “pop up” upon entering their computers.
43      Further, Ms. Smith, a co-worker of the grievor, who testified for the Union was very forthright in her cross-examination that she knew that she was not to access the private information of anyone for her own interest. Moreover, this intrusion was the first time that she knew of anyone in the workplace doing such a thing. It might well be argued that this reinforces the view that the policy was known and followed in the workplace. Certainly there was no evidence of any other breach.
44      This intrusion was not an abuse of power. It was not an instance where someone with power over the grievor utilized their authority to carry out the wrong. It was a coworker — indeed I am of the view that it was the action of a rogue employee who, for her own purposes accessed the grievor’s EI file. It was not an action that could be seen to “further the Employer’s aims.” Indeed this activity was done without the sanction or knowledge of the Employer. I accept the Employer’s evidence that it knew nothing of the intrusion until being told by a coworker of the grievor and upon learning took immediate action to investigate and manage the issue and the Ms. X who received a significant suspension.
45      Finally, it must be recalled that this Board dismissed the grievor’s allegations that the Employer and her coworkers were bullying and harassing her in a separate decision. Accordingly it seems to me that it cannot be said that the intrusion into her EI records by Ms. X was “related to friction, confrontation or intimacy inherent in the employer’s enterprise.”
Whether an organization is vicariously liable for an employee’s intentional unauthorized access to personal information is a very significant legal issue. This analysis will receive significant attention.

Ontario and OPSEU, Re, 2015 CarswellOnt 3885.

Review of IPC exclusion decisions now (officially) subject to reasonableness review

A friend just brought a notable FIPPA judicial review from February 24th to my attention. In it, the Divisional Court affirmed an IPC order to disclose the full names of FRO employees in response to a request for personal information.

The IPC held that the employment-related records exclusion in FIPPA did not apply to certain records containing employee names – records of services provided to the requester. The Court reviewed this on the reasonableness standard, finding that pre-Alberta Teachers case law supporting a review on the correctness standard no longer applies. On the application of the exclusion, the Court rejected an argument that the records of service provided were employment-related in the context:

To qualify for the exclusion, the record must be about labour relations or employment-related matters. The dictionary definition of the word “about” requires that the record do more than have some connection to or some relationship with a labour relations matter. “About” means “on the subject of” or “concerning”: see Concise Oxford English Dictionary, 11th ed., 2004, s.v. “about”. This means that to qualify for the exclusion the subject matter of the record must be a labour relations or employment-related matter.

Adopting the Ministry’s broad interpretation of “about” would mean that a routine operational record or portion of a record connected with the core mandate of a government institution could be excluded from the scope of the Act because such a record could potentially be connected to an employment-related concern, is touched upon in a collective agreement, or could become the subject of a grievance. This interpretation would subvert the principle of openness and public accountability that the Act is designed to foster.

This should be read to be consistent with the Divisional Court’s earlier decision that there need only be “some connection” with excluded subject matter for the exclusion to apply: see Ministry of Attorney General and Toronto Star, 2010 ONSC 991 (CanLII). Records that have some connection (i.e. a partial connection) to excluded subject matter are arguably still excluded, but the connection must be real, not speculative and not driven by the context in which a request is made.

The Court also affirmed the IPC’s finding that full name information is not exempt under the “unjustified invasion of personal privacy” exemption.

Question. Why not argue that the information at issue – full names or identifying information – is not “personal information” to which the right of access to personal information applies? The right of access to personal information applies to information and not whole records. In the absence of a special context, the identity of employee/service provider names should not constitute the requester/service recipient’s personal information.

Ministry of Community and Social Services v Doe et al (2014), 120 O.R. (3d) 451.

IPC says full balancing applies in mixed personal information cases

On September 27, 2013 the Information and Privacy Commissioner/Ontario issued a significant decision on the exemption from the right of access to personal information in section 38(b) of MFIPPA (and 49(b) of FIPPA by implication) by finding that a disclosure that is presumed to constitute an unjustified invasion of privacy for the purpose of answering a general records access request is not so presumed for the purpose of answering a request for access to one’s own personal information.

Individuals have a right of access to their own personal information that is in the custody or control of Ontario institutions subject to a number of discretionary exemptions, including an exemption that applies if “the disclosure would constitute an unjustified invasion of another individual’s personal privacy.” This exemption often arises in cases in which individuals seek access to personal information about themselves that is contained in complaints and incident reports (which record information from witnesses, complainants and others about more than one person).

The “unjustified invasion” question is informed by the mandatory exemption for unjustified invasion of personal privacy that applies to “general records” access requests. The mandatory exemption includes a provision that deems certain disclosures to be a presumed unjustified invasion. Here is the MFIPPA provision:

14(3) A disclosure of personal information is presumed to constitute an unjustified invasion of personal privacy if the personal information,

(a) relates to a medical, psychiatric or psychological history, diagnosis, condition, treatment or evaluation;

(b) was compiled and is identifiable as part of an investigation into a possible violation of law, except to the extent that disclosure is necessary to prosecute the violation or to continue the investigation;

(c) relates to eligibility for social service or welfare benefits or to the determination of benefit levels;

(d) relates to employment or educational history;

(e) was obtained on a tax return or gathered for the purpose of collecting a tax;

(f) describes an individual’s finances, income, assets, liabilities, net worth, bank balances, financial history or activities, or creditworthiness;

(g) consists of personal recommendations or evaluations, character references or personnel evaluations; or

(h) indicates the individual’s racial or ethnic origin, sexual orientation or religious or political beliefs or associations.

In Seguin Township, Adjudicator Cropley held that the application of this deeming provision does not end the analysis in a personal information request as it does in a general records request. A head should go on to consider the other relevant factors (including those listed in the Act) to determine if, on the balance, the invasion of privacy to the person other than the requester is “unjustified” in the circumstances. Adjudicator Cropley said that her interpretation consistent “legislature’s intent in creating a separate, discretionary exemption claim that makes a distinction between an individual seeking another individual’s personal information and an individual seeking his own personal information.” It invites both greater access to personal information and greater uncertainty in dealing with access to personal information requests.

Seguin (Township) (Re), 2013 CanLII 64274 (ON IPC).

The ins and outs of the e-FOI process

Here’s a presentation I delivered today in an Ontario Hospital Association webcast. I’ve been following “e-FOI” developments for a while and was happy to finally build and deliver a presentation to lend some structure to the topic. Stay tuned for more!