The Supreme Court of Canada issued its “Mandate Letters” decision in February of this year. It was an obscure case for day-to-day freedom of information practice, addressing whether written mandates by a premier to their ministers are accessible to the public under freedom of information legislation. Mandate Letters was nonetheless signficant for its re-framing of statutory purposes: access legislation does not just support transparency, but is meant to “strike a balance.” In the very first line of her judgement Justice Karatkanis said:
Freedom of information (FOI) legislation strikes a balance between the public’s need to know and the confidentiality the executive requires to govern effectively. Both are crucial to the proper functioning of our democracy.
She then held that the IPC/Ontario erred by failing to engage meaningfully with the legal and factual context underlying the cabinet confidences exemption in Ontario FIPPA.
On September 30, 2024, the Court of King’s Bench of Alberta applied Mandate Letters in finding that the Alberta OIPC erred in failing to adequately engage with the teaching and research records exclusion in Alberta FIPPA.
The request was for information pertaining to a complaint made by two University of Calgary law professors to the Canadian Judicial Council regarding Justice Robin Camp, who resigned from the bench in 2017 after the CJC recommended his removal for comments made in hearing a sexual assault case.
The OPIC construed the teaching and research records exclusion narrowly, and expressly stated, “There is no indication in the Act that these categories are determined via balancing interests in disclosure versus academic freedom.” One can plainly see the conflict between this statement and Mandate Letters.
Teaching records. The disputed teaching records included e-mail discussions among professors about what might be taught in a particular course. The Court held the OPIC erred in treating these records as within the Act because they do not themselves impart knowledge, skill or instruction. It said that the exclusion extends to all “materials arising from activities reasonably necessary to facilitate and/or related to the act of teaching.”
Research records. The Court also held that the OPIC erred in constraining research to “systematic investigation,” explaining:
Whatever the field, research is rarely a siloed activity. Breakthroughs and progress often occur in the crucible of conversation, contention and controversy. Accordingly, to encourage research and innovation, it may be necessary to protect discussions among academic colleagues.
It further commented that the question is not about the quality or social utility of the research in question, nor does a link to “ideological precepts” diminish a claim to academic freedom – judgement on such matters being within the exclusive domain of the academy. The exclusion, however, does not extend to (pure) social activism
Academics who personally involve themselves in social actions/causes do so with the advantage of time, resources, and status afforded to them by virtue of their affiliation with, and funding by, public institutions. It is appropriate, and in line with the fundamental purposes of freedom of information legislation, that their activities in this realm be subject to scrutiny and oversight.
These findings are at odds with the more constrained view of Ontario’s teaching and research records exclusion taken by the Ontario/IPC, though are principled and threfore applicable outside of Alberta.
Note that this decision is about the substantive scope of the exclusion, and not a University’s entitlement to access teaching and research records. These are distinct issues per City of Ottawa. The Court noted, “The University of Calgary identified and categorized the records at issue as either teaching materials or research materials.”
Online proctoring software was critical to higher education institutions during the heart of the pandemic. Though less signficant today, the report of findings issued by the Information and Privacy Commissioner/Ontario last week about McMaster University’s use of online proctoring is an important read for Ontario public sector institutions – with relevant guidance on IT contracting, the use of generative AI tools and even the public sector necessity test itself.
The necessity test
To be lawful, the collection of personal information by Ontario public sector institutions must be “necessary to the proper administration of a lawfully authorized activity.” The Court of Appeal for Ontario adopted the IPC’s interpretation of the test in Cash Converters in 2007. It is strict, requiring justification to collect each data element, and the necessity standard requires an institution to establish that a collection is more than “merely helpful.”
The strictness of the test leaves one to wonder whether institutions’ business judgment carries any weight. This is a particular concern for universities, whose judgement in academic matters has been given special deference by courts and administrative decision-makers and is protected by a FIPPA exclusion that carves out teaching and research records from the scope of the Act. It does not appear that McMaster argued that the teaching and research records exclusion limited the IPC’s jurisdiction to scrutinize its use of online proctoring, but McMaster did argue that it, “retains complete autonomy, authority, and discretion to employ proctored online exams, prioritizing administrative efficiency and commercial viability, irrespective of necessity.”
The IPC rejected this argument, but applied a form of deference nonetheless. Specifically, the IPC did not question whether the University’s use of online proctoring was necessary. It held that the University’s decision to employ online proctoring was lawfully authorized, and only considered whether the University’s online proctoring tool collected personal information that was necessary for the University to employ online proctoring.
This deferential approach to the Ontario necessity test is not self-evident, though it is the same point that the University of Western Ontario prevailed on in2022 in successfully defeating a challenge to its vaccination policy. In Hawke v Western University, the Court declined to scrutinize the necessity of the University’s vaccination policy itself; the only questions invited by FIPPA were (a) whether the the University’s chosen policy was a lawful exercise of its authority, and (b) whether the collection of vaccination status information to enforce the chosen and lawful policy was necessary.
To summarize, the authority now makes clear that Ontario institutions get to set their own “policy” within the scope of their legal mandates, even if the policy invites the collection of personal information. The necessity of the collection is then measured against the purposes of the chosen lawful policy.
IT contracting
It is common for IT service providers to reserve a right to use the information they process in providing services to institutions. Institutions should appreciate whether the right reserved is a right to use aggregate or de-identified information, or a right to use personal information.
The relevant term of use in McMaster’s case was as follows:
Random samples of video and/or audio recordings may be collected via Respondus Monitor and used by Respondus to improve the Respondus Monitor capabilities for institutions and students. The recordings may be shared with researchers under contract with Respondus to assist in such research. The researchers are consultants or contractors to Respondus and are under written obligation to maintain the video and/or audio recordings in confidence and under terms at least as strict as these Terms. The written agreements with the researchers also expressly limit their access and use of the data to work being done for Respondus and the researchers do not have the right to use the data for any other purposes. No personally identifiable information for students is provided with the video and/or audio recordings to researchers, such as the student’s name, course name, institution, grades, or student identification photos submitted as part of the Respondus Monitor exam session.
Despite the (dubious) last sentence of this text, the IPC held that this contemplated a use of test taker personal information was for a secondary purpose that was not a “consistent purpose.” It was therefore not authorized by FIPPA.
In recommending that the University secure a written undertaking from the service provider that it would cease to use student personal information for system improvement purposes without consent, the IPC carefully noted that the service provider had published information that indicated it refrains from this use in certain jurisdictions.
In addition to this finding and a number of related findings about the use of test taker personal information for the vendor’s secondary purposes, the IPC held:
the vendor contract was deficient because it did not require the vendor to notify the University in the event that it is required to disclose a test taker’s personal data to authorities; and
that the University should contractually require the vendor to delete audio and video recordings from its servers on, at minimum, an annual basis and that the vendor provide confirmation of this deletion.
The McMaster case adds to the body of IPC guidance on data protection terms. The IPC appears to be accepting of vendor de-identification rights, but not of vendor rights to use personal information.
Generative AI
While the IPC recognized that Ontario does not have law or binding policy specifically governing the use of artificial intelligence in the public sector, it nonetheless recommended that the University build in “guardrails” to protect its students from the risks of AI-enabled proctoring software. Specifically, the IPC recommended that the University:
conduct an algorithmic impact assessment and scritinize the source or provenance of the data used to train the vendors algorithms;
engage and consult with affected parties (including those from vulnerable or historically marginalized groups) and those with relevant expertise;
provide an opt out as a matter of accommodating students with disabilities and “students having serious apprehensions about the AI- enabled software and the significant impacts it can have on them and their personal information”;
reinforce human oversight of outcomes by formalizing and communicating about an informal process for challenging outcomes (separate and apart from formal academic appeal processes);
conduct greater scrutiny over how the vendor’s software was developed to ensure that any source data used to train its algorithms was obtained in compliance with Canadian laws and in keeping with Ontarians’ reasonable expectations; and
specifically prohibit the vendor from using students’ personal information for algorithmic training purposes without their consent.
The IPC’s approach suggests that it expects institutions to employ a higher level of due diligence in approaching AI-enabled tools given their inherent risks.
It was an honour and pleasure to speak today at the Canadian SecuR&E Forum, a research and education community-building event event hosted by CANARIE. My object was to spread the gospel of threat information sharing and debunk some myths about legal privilege as a barrier to it. Here are my slides, and I’ve also included the text of my address below.
Slide one
I am here today as a representative of my profession – the legal profession.
I’m an incident response lawyer or so-called “breach coach.” Lawyers like me are often used in an advisory capacity on major cyber incidents. Insurers encourage this. They feel we add consistency of approach mitigate downside risk.
I’ve done some very difficult and rewarding things with IT leaders in responding to incidents, and genuinely believe in the value of using an incident response lawyer. But I am also aware of a discomfort with the lawyer’s role, and the discomfort is typically expressed in relation to the topic of threat information sharing.
We often hear organizations say, “The lawyer told us not to share.”
I’m here as a lawyer who is an ally to IT leadership, and to reinforce the very premise of CanSSOC – that no single institution can tackle cybersecurity issues alone.
Here’s my five-part argument in favour of threat information sharing:
Organizations must communicate to manage
The art is in communicating well
Working within a zone of privilege is important
But privilege does not protect fact
And threat information is fact
My plan is to walk you through this argument, taking a little detour along the way to teach you about the concept of privilege.
Slide 2
Let’s first define what we are talking about – define “threat information.”
NIST is the National Institute for Standards and Technology, an agency of the US Department of Commerce whose cybersecurity framework is something many of your institutions use.
NIST says threat information is, “Any information related to a threat that might help an organization protect itself against a threat or detect the activities of an actor.”
Indicators (of compromise) are pieces of evidence that indicate a network has been attacked: traffic from malicious IP addresses and malware signatures, for example.
“TTPs” are threat actor “tactics, techniques and procedures.” These are behaviours, processes, actions, and strategies used by a threat actor. Of course, if one knows threat actor measures, one can employ countermeasures.
Beyond indicators and TTPs, we have more contextualized information about an incident, information that connects the pieces together and helps give it meaning. It all fits within this definition, however.
Slide 3
Argument 1 – we must communicate to manage
Let’s start with the object of incident response. Sure we want to contain and eradicate quickly. Sure we want to restore services as fast as possible. Without making light of it, I’ll say that there is lots of “drama” associated with most major cyber incidents today,
Major incidents are visible, high stakes affairs in which reputation and relationships are at stake. You’ll have many, many stakeholders descending on you from time zero, and every one of them wants one thing – information. You don’t have a lot of that to give them, in the early days at least, but you’ve got to give them what you can.
In other words, you need to do the right thing and be seen to do the right thing. This means being clear about what’s happened and what you’re doing about it. It means reporting to law enforcement. And it means sharing threat information with peers.
We’re stronger together is the CanSSOC tag line, and it’s bang on. NIST says that Tier 4 or “adaptive” organizations – the most mature in its framework – understand their part in the cyber ecosystem share threat information with external collaborators. There’s no debate: sharing threat information is part of a widely accepted cybersecurity standard.
Slide 4
Argument 2 – the art is in communicating well
People have a broad right to remain silent under our law.
And anything they say can be used as evidence against them in a court of law.
These are plain truths that are taught to lawyers first year constitutional and criminal law classes across the country.
And the right to remain silent ought to be to be adhered to strictly in some scenarios – when one faces criminal jeopardy, for example
Incident scenarios are far, far from that.
The most realistic downside scenario in most incidents is getting sued.
In theory, you can avoid civil liability by not being transparent about your bad facts.
In reality, hiding your bad facts is almost always an unwise approach.
This is because bad facts will come out:
because you’ll notify individuals affected by a privacy breach in accordance with norms or because it’s legally required; or
because you’re a public body subject to FOI legislation.
So you’ve got to do what the communications pros say: get ahead of it the issue, control the message and communicate well.
Slide 5
Let’s detour from the argument for a moment to do some important background learning.
What is legal privilege?
Short answer – It is a very helpful tool for incident responders.
It’s a helpful tool because it shields communications from pretty much everyone. Adversaries in litigation are the main concern, but also the public – who, again, has a presumptive right of access to every record in the custody or control of a university.
There are two types of privilege.
Solicitor-client. This is the strongest form of privilege. You see the definition here. Invoking privilege is not as simple as copying your lawyer on a communication. But if you send a communication to a lawyer and your decision-making team at the same time, and your lawyer is a legal advisor to the team, the communication is privileged.
Litigation privilege works a little differently, and is quite important. I specify in engagement letters that my engagement is both as an advisor and “in contemplation of litigation” so reports produced by the investigators we hire are more likely to survive a privilege challenge.
Invoking privilege is why you want to call your incident response counsel at the outset. If the investigator comes in first, you can always have a late-arriving lawyer say that the investigation is now for their purpose and in contemplation of litigation, but that assertion could be questioned given the timing. In other words, the investigation will look operational and routine and not for the very special purposes that support a privilege claim.
Slide 6
Back to the argument
Argument 3 – Working within a zone of privilege is important
Here’s an illustration of the power of privilege and why you want to establish it.
The left-hand column is within the zone of privilege. I’m in that zone. The experts I retain for you are in that zone. And you’re in that zone along with other key decision-makers. We keep the team small so our confidential communication is more secure.
And we can speak freely within the zone. Have a look at the nuanced situation set out in the left-hand column. The forensic investigator can present evidence gathered over hours and hours of work in one clear and cogent report. We can deal with fine points about what that evidence may or may not prove and what you ought to do about it. I’ll tell you where you can and should go, but I’ll also tell you about the frailties in those directions and other options you shouldn’t and won’t take.
None of that need ever see the light of day, and in the right-hand column, in public, you can tell your story in the clearest, plainest and most favorable way possible: “We do not believe there has been any unauthorized access to student and employee personal information.” If plaintiff counsel or anyone else wishes to disprove that, they can’t go to your forensic report for a road map to the evidence and for something to mine for facts that might seal your fate in court. They must gather all the evidence gathered by your investigator themselves, re-do the analysis and then figure out on their own what it means.
Privilege is of powerful benefit.
Slide 7
Argument 4 – privilege doesn’t protect facts
I often hear, “We need to keep things confidential because of privilege.” Let me tell you what that means.
The privilege belongs to the client, not the lawyer. Clients can waive privilege, so they need to keep their privileged communications and documents confidential. Institutions do this all the time, but it’s risky to say, “We’re doing this because our lawyer said so.” That’s arguably an implicit waiver.
The easy rule is, “Don’t publish anything you’ve said to your lawyer or that your lawyer has said to you.” Don’t state it directly. Don’t even hint at it!
The same goes for your forensic investigator. Saying “Our forensic investigator told us this.” is also a risk. Just say that you’ve done your investigation, and these are the facts, or you that you believe this to be the case.
If you do that. If you talk about the facts, you won’t waive privilege. You’ll be using the privilege to derive the facts you publish, and will be safe.
This is what your lawyer is working so hard on in an incident. One of our main roles is to work within that zone of privilege on the evidence and to determine what is and isn’t fact. If it really is fact, and you are in transparency mode, you will get the fact out whether it’s a good fact or a bad fact. And I’ll agonize with you about what that right hand column should say and make sure it is safe. I’ll ask myself continuously, “If my client gets into a fight later, will that be what is ultimately proven to be the truth?”
Slide 8
Argument 5 – threat information is fact
It is. And if you can convey facts without waiving privilege, you can convey threat information without waiving privilege.
So don’t listen to anyone that tells you that you can’t share threat information because it will waive privilege. It’s not a valid argument.
You’ll have a very clear view of indicators of compromise fairly early into an incident and should share them immediately because their value is time limited.
It takes longer to identify TTPs, but they are safe to share too because they are factual.
That’s my argument. I’ve been talking tough, but will end with a qualification – a qualification and a challenge!
The qualification. You should be wary of the unstructured sharing of information with context, particularly early on in an incident: CISOs call CISOs, Presidents call Presidents, I understand. I get it, and think that the risk of oral conversations with trusted individuals can be low. Nonetheless, this kind of informal sharing is not visible, and does represent a risk that is unknown and unmanaged. I’d rather you bring it into the formal incident response process and do it right. For example, I was part of an incident last year in which CanSSOC took an unprecedented and and creative step in brining together two universities who were simultaneously under attack by the same threat actor so they could compare notes.
This is the, challenge, then: how do we – IT, leaders, lawyers and CANSSOC together – enable better sharing in a safe manner. There’s a real opportunity to lead the nation on this point, and I welcome it.
The Alberta Court of Queen’s Bench issued a pair of judgements about access to faculty e-mails on April 23rd, ultimately deciding that the Alberta OIPC erred in finding that faculty member e-mails relating to participation on a Social Sciences and Humanities Research Council of Canada committee were in the custody or control of the University of Alberta.
Here are the four points of significance.
First, the Court held that the standard of review for custody or control decisions is reasonableness based on the strong presumption established by the Supreme Court of Canada last December in Alberta (Information and Privacy Commissioner) v. Alberta Teachers’ Association. This is a change, albeit a predictable one in light of Alberta Teachers’ Association. Despite the outcome in this case, custody or control decisions will generally be harder to challenge on judicial review than in the past.
Second, the Court held that the Association of Academic Staff of the University of Alberta did not have a right to notice of standing in the OPIC’s hearing as an affected party or as a matter of fairness. It held that the AASUA interest in the precedential effect of the OIPC’s finding did not give it an interest in the request under appeal sufficient to justify a right to notice and standing.
Third, the Court held that the OIPC erred in finding that the records at issue were under the university’s custody or control.
In part, the Court’s reasoning highlights the growing importance of assessing the purpose of access to information legislation in deciding custody or control issues. It held the OPIC erred by failing to recognize that the faculty member’s e-mails related to a grant funding process in which the university had no role. They therefore shed no light on the university’s own operation in furtherance of the statutory aims. Rather, the records at issue shed much more light on another public institution’s operations, something the Court said the OIPC also ought to have considered.
The Court’s reasoning also suggests that standard technical processes used in the management of business e-mail systems will not govern whether e-mails are in the custody or control of a public institution. It held that the OIPC erred by inferring too much from the routine backup of e-mails and the right to monitor. The Court said, “It was unreasonable to focus on the general computer use policy, rather than considering the particular records in question.”
Finally, the Court declined to address a bold argument by the AASUA that all records produced by faculty members in the course of participating in external committee work and in the context of their internal research and other academic work are not subject to a university’s custody or control. The Court said, “Academic freedom may be one relevant factor in considering whether a university has custody or control of records, but until the Commissioner considers that question in a hearing that raises the issue at first instance, this Court need not address it here.”
All About Information 
You must be logged in to post a comment.