
Why do I have to agree to your Privacy Notice? And other curiosities

There are a number of curious features to the Privacy Notice splash page for Canada’s new online tool for making access to information (ATIP) requests.

The online tool is certainly a welcome development and nothing in this post is meant to detract from that important effort. However, the Privacy Notice accompanying the tool raises a number of issues that are worth considering and debating when deciding how to structure and implement privacy notices.

1. Transparency

The online tool contains a “Privacy Notice” on the first page that is more than 530 words long. That doesn’t include all of the information that the reader is directed to by way of hyperlinks or references.

Personally, I don’t think 530 words even when combined with hyperlinks is excessive, although it should be borne in mind that this is for a single tool on a single portal!

What is curious is that the Privacy Notice is not the totality of the privacy terms. There are also “Terms and Conditions” in the footer of the webpage. However, there is no indication in the Privacy Notice that those Terms and Conditions might also contain a “privacy notice”, which is different from and contains additional information regarding information collected by users of the website.

So here’s the question – should all privacy information be in one place? If you split it up, should you be sure to cross-reference it? Would anyone be misled into thinking the Privacy Notice was all there is, given its prominence?

2. Express Consent

Another interesting feature is that the user must also expressly click wrap his or her agreement to the front page Privacy Notice by checking a box that states:

I have read, understood and agree with the above Privacy Notice.

Why must the user expressly agree to the Privacy Notice?

This is not a feature of the paper form, nor is it a feature of the Terms and Conditions, which also contains a “privacy notice”.

What does the express agreement to some, but not all, of the “privacy terms” accomplish? Does the “express consent” feature of the Privacy Notice splash page give a user the false sense that this is all there is?

3. Details

Another interesting feature of the Privacy Notice is that the Privacy Notice leaves the user to figure out his or her legal rights. The Privacy Notice is plainly worded, but much of the detail is in the hyperlinks or in clauses that are external to the Privacy Notice. Of course, the Privacy Notice is not governed by the federal Personal Information Protection and Electronic Documents Act and so we aren’t really comparing apples to apples if we are comparing the Privacy Notice to what you might find in the private sector. However, the following examples are worth considering:

  • Retention. The user is told that personal information “will be kept for the period of time identified in standard Personal Information Bank PSU 901 (Access to Information and Privacy).” The hyperlink isn’t particularly illuminating. If the user accesses it, the user will be told:

For information about the length of time that specific types of common administrative records are maintained by a federal government institution, including the final disposition of those records, please contact the institution’s Access to Information and Privacy Coordinator.

  • Disclosure. The user is told that information “may be shared with other organizations only in accordance with paragraph 8(2) of the Privacy Act.” A hyperlink elsewhere in the Privacy Notice takes the user to the whole of the Privacy Act. From there, the user is on his or her own. That would be like a private sector entity saying: “We disclose your information in accordance with s.7(3) of PIPEDA – here’s a link to the Act – figure it out.”

That’s not to say that the Privacy Notice isn’t an improvement over the paper form. The paper form does not even disclose to the user the handling practices of the user’s personal information once the form is submitted. All the paper form states is:

The personal information provided on this form is protected under the provisions of the Access to Information Act and the Privacy Act.

Is this disclosure adequate? Are private sector organizations just over-complicating matters?

4. Security

There is one last interesting feature of the Privacy Notice. Apparently, if “you are concerned about the confidentiality of information, including your personal information, in transit, you should consider sending it directly to a government institution by secure means.” The recommendation? Mail. This seems to be an odd thing to say, given that the portal to make the online request is supposed to be a secure portal with 128-bit encryption.

Thoughts?

The Power of “Why” in the Exercise of Discretion to Disclose

Asking “why” is a powerful deterrent to over collection and, as a recent Alberta case demonstrates, can be a powerful check on “over disclosure”.

In Order F2013-12, the issue for the Office of the Information and Privacy Commissioner of Alberta was whether the entirety of an accident report created from information collected from the driver of one vehicle should be automatically and routinely disclosed by the police to the other driver involved in the accident.

The form established by the Registrar for the accident report collects the driver’s name, address, date of birth, gender, home phone number, work phone number, and operator’s license.

The case for disclosure looked strong:

  • The Alberta Traffic Safety Act requires drivers who are involved in an accident to complete an accident report with the police.
  • The form of accident report is prescribed by the Registrar of Motor Vehicles.
  • The police are required to collect the accident report.
  • If requested, a driver is required to disclose to the police or anyone sustaining loss or injury, the driver’s name, address, operator’s licence, name and address of the registered owner of the vehicle, licence plate of the vehicle, and the financial responsibility card issued in respect of the vehicle.
  • The police are permitted to provide the Registrar with a copy of the accident report.
  • The police are permitted to release information in the accident report to a person if the person may be liable to pay damages.

The Freedom of Information and Protection of Privacy Act permitted disclosure of personal information for a purpose in accordance with a law that authorizes or requires disclosure, but only to the extent necessary to carry out the purpose in a reasonable manner.

The Adjudicator agreed that in theory disclosure of an accident report was authorized by law. However, the disclosure provision was permissive – that is, the police had discretion to exercise.

So, why did the police exercise the discretion to disclose the entirety of the report? The Adjudicator didn’t receive a good answer. It seems it was the practice of the police to do so. But the drivers in this case had not asked for each other’s information. Even had they done so, the Traffic Safety Act did not require disclosure of the drivers’ birth dates or telephone numbers. Moreover, no party requested a copy of the accident report.

The disclosure was gratuitous in order that the drivers need not ask for copies of the report and in order to ensure that the drivers meet their obligations to one another. In the result, the Adjudicator ordered the police to cease disclosing more information than was necessary for that more limited purpose – such as name, address and operator’s licence.

A Personal Email Records Management and Privacy Problem

The use of personal email for business is a significant problem for records retention and privacy programs.

On March 18, 2013, the British Columbia Information and Privacy Commissioner (OIPBC) announced an investigation into the use of personal email accounts by public servants in that province. Although the investigation is taking place in a public sector context, the investigation is also relevant for organizations in the private sector.

Records Management Obligations

Communications taking place outside of the organization’s email records management system may not be captured in compliance with the organization’s records management system. The OIPBC reminds public servants in Guidelines on the Use of Personal Email Accounts for Public Business (released on March 18, 2013) that personal email may still be subject to the British Columbia Freedom of Information and Protection of Privacy Act (FIPPA).

FIPPA applies to records in the custody or control of a public body. A record will be under the control of the organization if (a) the record relates to a departmental matter and (b) the government institution could reasonably expect to obtain a copy of the record upon request. The OIPBC’s general rule is that “any email that an employee sends or receives as part of her or his employment duties will be a record under the public body’s control, even if a personal account is used.” These records may, therefore, be subject to access to information requests even though the organization does not have possession of the email record.

This isn’t just a public sector problem. For example, subsection 23(1) of the British Columbia Personal Information Protection Act (“PIPA”), which applies to private sector organizations in British Columbia, provides that an organization must provide an individual with the individual’s personal information under the control of the organization. There is no obvious reason why the meaning of “control” in PIPA should be narrower than in FIPPA.

Information Security Obligations

The OIPBC also expressed concern regarding the security of personal email in the Guidelines. This issue applies equally to the public and private sectors. Depending on the service used by the employees and whether copies of the email are downloaded to unencrypted devices, the email may be stored in an insecure environment.

Private organizations should be aware that section 34 of PIPA requires the organization to protect personal information in its custody or under its control by making reasonable security arrangements to prevent unauthorized access, collection, use, disclosure, copying, modification or disposal or similar risks. Organizations may be faulted for turning a blind eye to the practice of employees using personal email systems that do not provide for adequate security. In assessing the risk, organizations should consider whether they would have breach notification responsibilities in the event an employee’s personal email was compromised and that email contained personal information collected by or on behalf of the organization.

Even leaving aside the possibility of a breach, organizations should consider whether employees transmitting personal information outside of the administrative, technical and physical security controls established by the organization would violate representations made by the organization in its public privacy policies.

Legal Aid Society of Alberta Subject to Privacy Legislation

An adjudicator of the Office of the Information and Privacy Commissioner of Alberta (OIPC) has concluded that the Personal Information Protection Act (Alberta) (PIPA) applies to the Legal Aid Society of Alberta. The decision is of broader interest because it continues the trend to interpret the definition of “commercial activity” broadly, resulting in the application of PIPA to the activities of many non-profit organizations.

PIPA applies to non-profit organizations when engaged in a “commercial activity”. Pursuant to subsection 56(1) of PIPA, a “commercial activity” means any transaction, act or conduct, or any regular course of conduct that is of a commercial character. Pursuant to subsection 56(3) of PIPA, non-profit organizations are subject to PIPA in respect of personal information that is collected, used or disclosed by the non-profit organization in connection with any commercial activity carried out by the non-profit organization.

The Legal Aid Society of Alberta provides legal assistance to individuals in defined areas of the law on a means-test basis. In the case that gave rise to the complaint, the applicant sought assistance from the Legal Aid Society on two separate occasions but was refused representation (although the second time he was provided with limited advice and referral information). The applicant then sought access to his file at the Legal Aid Society. The Legal Aid Society provided copies of the staff lawyers notes from one of the applicant’s interactions, records relating to the appeal of the determination of whether to provide him with representation and confirmed certain other facts. The applicant complained to the OIPC relating to certain alleged failures of the Legal Aid Society in addressing his access request. The adjudicator’s decision did not consider the alleged failures.

Instead, as a preliminary matter, the adjudicator considered whether PIPA applied to the Legal Aid Society. In particular, the adjudicator considered whether the Legal Aid Society was engaged in a commercial activity when collecting, using or disclosing the applicant’s personal information. In assessing whether the Legal Aid Society’s activities were commercial, the adjudicator accepted the following principles:

  • a commercial activity is of a trade-like or business-like nature;
  • an exchange of consideration, while important to establishing a contractual relationship, was not an essential characteristic of a commercial activity;
  • profit-making need not be the “preponderant” purpose of the activity to make it commercial;
  • the activity need not be commercial in itself, provided that it is of a “commercial character”; that is, an activity that is “more or less commercial” or one that would “appear to be commercial by most accounts”; and
  • the fact that an activity confers a public benefit or could also be characterized as charitable was irrelevant to whether it is a commercial activity for the purposes of PIPA.

Focusing on the fact that the Legal Aid Society “meets with prospective clients and decides whether to provide legal services, which might be performed by a private lawyer engaged by the [Legal Aid Society] or by its own staff lawyers”, the adjudicator concluded that there was very little to distinguish the Legal Aid Society from a private law practice or business. Both were carrying out a trade or business. Moreover, the adjudicator concluded that it would be arbitrary to treat clients who partially reimbursed the Legal Aid Society for services differently from those who did not.

Modernizing Canada’s Access to Information Act

It is not too late to participate in a dialogue with the Office of the Information Commissioner of Canada regarding reform to Canada’s federal Access to Information Act. The deadline for comments and submissions has been extended to January 31, 2013.

To spark dialogue, the Information Commissioner has posted questions and topics for discussion.

The English site can be accessed here. The French site can be accessed here.

 

Data Anonymization: UK Code and a New “Anonymisation Network”

On November 20, 2012, the UK’s Information Commissioner’s Office (ICO) issued the Code of Practice on data anonymization, entitled “Anonymisation: managing data protection risk.” I discussed the draft Code and consultation in a previous post.

In addition, the ICO has announced an “Anonymisation Network” (www.ukanon.net – not yet up and running) to host detailed case studies and illustrations of good practice.

The Code is developed within the framework of the Data Protection Act, 1998 (UK), and, therefore, should not be considered to be directly applicable outside the UK. However, the case studies and discussion of data anonymization techniques are useful reading for all organizations considering the conversion of data sets to an anonymized form.

Some highlights from the ICO’s discussion of data anonymization are:

  • If an organization converts personal data into an anonymized form, the resulting anonymized data will not constitute personal information. This will continue to be the case even though the organization may be able to de-anonymize the information.
  • A difficult technical issue for organizations will be whether the anonymized data could be combined with information by a third party to re-identify the individual. The ICO’s position, based on judicial precedent, is that the risk of identification must be greater than remote and reasonably likely in order for the data to be considered to be personal data for the purpose of data protection legislation.
  • In assessing the risk of re-identification, the ICO recommends using the “motivated intruder” test. In other words, would a person who starts without any prior knowledge but who wishes to identify an individual be able to access resources and investigative techniques to de-anonymize the data? The motivated intruder is not, however, assumed to resort to criminality or have specialist equipment or skills.
  • Data that is from low sensitivity sources with a low risk of re-identification may be published by the organization as part of a commitment to open government. However, the ICO recommends that data from highly sensitive sources with a significant risk of re-identification should be made available under limited use restrictions in order to control through contractual terms the use to be made of the data.
  • The ICO takes the position that in most cases anonymization does not require an individual’s consent under the Data Protection Act, 1998. However, organizations should address the possibility of anonymizing data through disclosure in privacy policies. By contrast, if an organization collects personal data through re-identification, the organization must have the individual’s knowledge and consent.

A summary document prepared by the ICO is available here.

R U Preserving UR Text Messages?

A 2011 report for the Pew Research Center’s Internet and American Life Project found that Americans between the ages of 18 and 24 exchanged on average nearly 110 text messages (109.5) on a normal day, with a median user exchanging approximately 50 text messages a month. Even those in an older age group – 30 to 49 – were texting in significant numbers at an average of 27 texts per day.

Text messages are not confined to personal use, although that is likely still the most pervasive use of text messaging. Close-knit team members may use text messages to convey brief information or simply to prompt a call or attention to email. Text messages may also be used more nefariously as a means to communicate information in an attempt to avoid detection by an employer, particularly when sent and received from employee-owned mobile phones.

In the public sector environment, there may be a duty to produce text messages in response to access to information requests if those text messages are under the “control” of a public institution subject to access to information legislation. Access to information legislation typically defines “records” broadly in a technologically neutral way. The issue, however, is whether text messages are under the “control” of the institution. The answer is straightforward with respect to employer-owned mobile devices. However, the answer is more complex when dealing with employee-owned devices. The Supreme Court of Canada has endorsed an understanding of “control” that would include some power of direction over the record. Whether a policy on employee text messaging would be sufficient to establish control is uncertain.

In response to the possibility that records are falling outside of the access to information system, the Information Commissioner of Canada recently initiated an investigation into the use of text messages and similar forms of communication in the Federal public sector. The Commissioner noted that there is no government-wide policy on text messaging. Her investigation appears, however, to be limited to government-issued wireless devices.

In the private sector, the issue is equally complex. Leaving aside privacy issues relating to non-work-related texts on employer-owned devices, it is impractical for an employer to control the use of text messaging on personal devices. What is clear, however, is that inappropriate use of text messaging may pose a significant record-keeping and compliance challenge for organizations. My colleagues have posted about harassment complaints involving text messages sent and perhaps not sent. More broadly, however, text messages pose challenges for managing communications regarding matters that may be highly regulated or potentially litigious. If a regulatory investigation is commenced or litigation reasonably anticipated, the organization may need to take steps to direct employees to preserve relevant text messages.

There is no easy answer to the issue of text messages. However, like Canada’s Information Commissioner, it may be time to consider whether your organization’s policy and employee training is up to the challenge.

 

Cyber Security: A fourth pillar of Open Government

October is Cyber Security Awareness Month.

Canada’s Auditor-General is expected to release a report on Canada’s Cyber Security Strategy. The report is expected to be an important assessment of Canada’s preparedness for further cybersecurity attacks.

In the meantime, and perhaps pre-emptively, the Government of Canada announced on October 17, 2012, an investment of CAD$155 million over five years to improve the detection of, and response to, continually evolving cyber threats to government systems and services.

A portion of the funding will be invested in the Canadian Cyber Incident Response Centre (CCIRC). The purpose of the funding for CCIRC will be to:

  • Improve incident response across Canada, and enhance the ability of government and its partners to maintain awareness of the cyber environment; and
  • Strengthen analytical capability to improve mitigation advice and incident response.

Cybersecurity is not formally a part of Canada’s Open Government strategy. However, the security of electronic government information and digital government services is critical to the success and effectiveness of that strategy and should be considered a “fourth pillar”. The other pillars of the Open Government strategy are:

  • Open Data: Offering government data in useful formats for the use of private sectors and non-governmental organizations
  • Open Information: Pro-actively release information to Canadians rather than to wait for access to information requests.
  • Open Dialogue: Use web-based technologies to engage with Canadians on government policies and priorities.

 

Modernizing ATIA 2012: The Open Dialogue Consultation Begins

The Office of the Information Commissioner of Canada (OIC) has commenced a public consultation regarding the modernization of the Access to Information Act (Canada). The consultation period commenced on September 28, 2012 and will continue until December 21, 2012.

Individuals and organizations interested in participating in the public consultation may do so electronically. The OIC has dedicated webpages to submit feedback. The General Questions tab provides space for an online forum regarding five themes:

Right of Access. The OIC asks whether only persons who are citizens or physically present in Canada should be able to obtain government held records.

Coverage of the Act. The OIC asks what criteria should determine whether a federal entity that spends taxpayer money or performs public functions is or is not subject to access to information legislation.

Limitation on the Right of Access. The OIC asks whether the categorical approach to certain exemptions from disclosure should be eliminated and replaced with a case by case approach requiring the federal institution to establish that injury, harm or prejudice would result. The OIC also asks what role the public interest should play.

Cabinet Confidences. The OIC asks whether Cabinet deliberative secrecy should continue to be invoked to prevent disclosure of records that directly inform Cabinet decisions. If the exclusion is to be maintained, the OIC asks on what basis and whether the Commissioner should be able to review those documents.

Awareness and Education. The OIC notes that the Commissioner has no education and awareness mandate and asks whether this should change.

In addition to the General Questions, the OIC has prepared specific, more detailed questions to which it invites submissions.

As the OIC states, “[a]ccess to information underpins many of our most cherished rights and freedoms such as the freedom of expression, the freedom of the press and the right to vote.” It is to be hoped that Commissioner Legault is successful in sparking an organized discussion on reform.

The Fake Facebook Profile and the Veiled Victim

The Supreme Court of Canada determined yesterday, in A.B. v. Bragg Communications, that a 15-year old can proceed anonymously to pursue the identity of her Facebook cyberbully. 

The 15-year old, A.B., found out that someone had posted a fake Facebook profile with her picture, a modified version of her name, and other identifying particulars. The profile also included demeaning comments about A.B.’s appearance, and sexually explicit references.

Facebook provided the IP address associated with the Nova Scotia account holder.  The Internet provider, Eastlink, agreed to provide more specific information about the address – if a court authorized it to do so.  A.B. brought an application for such an order, and along with the application requested (i) permission to seek the identity of the Facebook cyberbully anonymously (the “anonymity request”), and (ii) a publication ban on the content of the fake Facebook profile. 

While Eastlink did not oppose the privacy requests, the Halifax Herald and Global Television did. The Nova Scotia court granted the order requiring Eastlink to disclose the information about the identity of the cyberbully. However, it denied A.B.’s anonymity request and the publication ban, on the basis that she had not proved specific harm to her that would outweigh restricting access to the media. Put simply, the media’s right to access and report on the facts of the case outweighed A.B.’s right to privacy. This was upheld at the Court of Appeal.

A unanimous Supreme Court overturned this, stating that:

If we value the right of children to protect themselves from bullying, cyber or otherwise, if common sense and the evidence persuade us that young victims of sexualized bullying are particularly vulnerable to the harms of revictimization upon publication, and if we accept that the right to protection will disappear for most children without the further protection of anonymity, we are compellingly drawn in this case to allowing A.B.’s anonymous legal pursuit of the identity of her cyberbully.

The Supreme Court noted that the Canadian Newspapers decision had established that the limits imposed by prohibiting identity disclosure [in a criminal sexual assault case] on the media’s right to freedom of the press are minimal: the media can be present at the hearing, and report facts and the conduct of the trial, without revealing the complainant’s identity. 

In yesterday’s A.B. decision, the Supreme Court placed great emphasis on the inherent vulnerability of children, and the importance of protecting their privacy in the context of cyberbullying.  In the view of the Supreme Court, if we accept that, then surely we must accept the need to prohibit identity disclosure in this case, just as the Court did in the criminal context in Canadian Newspapers.

The Supreme Court allowed A.B.’s appeal in part: her identity would be protected, as would the identifying information in the fake Facebook profile. The non-identifying information in the profile could be disclosed.

This decision provides further direction for those conscious of the protection of the privacy of children, and wondering about the specific content of those obligations. Unlike the United States, Canada has no Children’s Online Privacy Protection Act (COPPA), and while there are set age and child-specific standards in Canadian criminal laws, we have no set age or child-specific standards in our federal privacy legislation, the Personal Information Protection and Electronic Documents Act (PIPEDA). The Supreme Court noted that:

Recognition of the inherent vulnerability of children has consistent and deep roots in Canadian law.  This results in protection for young people’s privacy under the Criminal Code, R.S.C., [...] the Youth Criminal Justice Act [...], and child welfare legislation, not to mention international protections such as the Convention on the Rights of the Child [...], all based on age, not the sensitivity of the particular child.  

The Supreme Court has sent a message that in contexts where children may be particularly vulnerable – even when the child is 15 years old, and the context is Facebook – the law will protect their privacy on an objective basis based on age, not individual maturity or temperament.


Reforming Canada’s Access to Information Laws & Practice

It’s “Right to Know” week in Canada. It is off to an interesting start. Canada’s Information Commissioner, Suzanne Legault, announced in her Annual Report that she will be engaging in a public dialogue as she prepares to make recommendations to Parliament to revise Canada’s access to information laws (even as the budget for her office has been slashed).

The federal Access to Information Act is 30 years old. Nova Scotia and New Brunswick can claim bragging rights to the oldest access to information legislation in Canada, dating from 1977 and 1978 respectively. In most jurisdictions in Canada, there have been no major revisions to access to information laws (1) to account for the volumes of electronic data, public-private partnerships, and Crown and shared governance corporations that have burgeoned in the decades that have followed or (2) to account for the opportunities that information technologies present for sharing that data with citizens.

However, governments across Canada are increasingly embracing the concept of “Open Government”. Open Government is an initiative to leverage information collected by governments by making it available to citizens and businesses in a proactive way. At the federal level, Open Government involves three main “streams”: (1) Disclosing information in readily useable formats (Open Data); (2) Proactively releasing information (Open Information); and (3) Engaging Canadians directly in policy development through Web 2.0 technologies (Open Dialogue).

British Columbia may be the furthest ahead in embracing Open Government. British Columbia is already proactively releasing information that is commonly requested. In addition, British Columbia has committed to releasing the results of individual access to information requests. However, it has been a bumpy ride with allegations by the B.C. Freedom of Information and Privacy Association, that British Columbia is failing to electronically post about 67% of completed access requests.

Meanwhile, in Ontario, the Information and Privacy Commissioner, Dr. Ann Cavoukian, held a conference last week regarding Open Data. Key to the Ontario Commissioner’s initiative are her “Access by Design” principles. These principles are to inform new government initiatives so that information is “pushed out” to the public more proactively to avoid the overburdened and inefficient access to information process.

Could we be seeing some traction for reform?

Access to Confidential Information in Failed Bid Not Allowed

A recent Order (MO-2786) of a Senior Adjudicator of the Office of the Ontario Information and Privacy Commissioner provides a useful guide for organizations wishing to protect confidential and financial information submitted in response to requests for proposals issued by a City.

The dispute involved the decision by a City to disclose a bidder’s RFP response (apart from severing personal information) in response to an access to information request under the Municipal Freedom of Information and Protection of Privacy Act (“MFIPPA”). The bidder sought to protect details of its software solutions and its pricing under subsection 10(1) of MFIPPA. This provision permits withholding of records that would disclose “a trade secret or scientific, technical, commercial, financial or labour relations information, supplied in confidence implicitly or explicitly” provided that the disclosure would reasonably be expected to cause the bidder certain types of specified harm. One of the specified harms would be significant prejudice to the competitive position of the bidder.

Lessons from the Senior Adjudicator’s Order:

  • Whether information has been made public by the bidder is not relevant to the initial determination of whether the information is “commercial information” or “financial information” under subsection 10(1) of MFIPPA.
  • The fact that the RFP states that all bid responses will be subject to MFIPPA does not displace a reasonable expectation of confidentiality if (a) the bidder marks the response “Confidential to the City” and (b) there is no indication that the bidder has disseminated the information more broadly.
  • If the bidder has published information on its website, there is no expectation of confidentiality for that information in its bid.
  • If the total bid price (or, arguably, other information) is disclosed publicly in a City council meeting or documents for the City council meeting, the information will not be protected in an access request.
  • “The failure of a party resisting disclosure to provide detailed and convincing evidence will not necessarily defeat the claim for exemption where harm can be inferred from other circumstances.”
  • Public policy may permit losing bids greater scope for protection than winning bids. In the Senior Adjudicator’s view, the issues of transparency and accountability in spending taxpayer money are not as engaged as with a winning bid.

In the result, the Senior Adjudicator accepted that the information contained in the RFP response would be expected to cause harm to the bidder (apart from information already disclosed by the bidder on its website, which was not confidential). Although the bidder did not submit detailed evidence regarding potential harm, the Senior Adjudicator accepted that the particular circumstances permitted an inference of harm:

I accept the appellant’s assertion that it markets its products exclusively to municipalities and that, within this market, there is a limited number of competitors. The appellant has identified the bases on which these competitors distinguish themselves in RFP processes, including the detailed pricing structure and detailed explanations of how the functional requirements will be met.

 

Canada – U.S. Security Perimeter Privacy Principles

As Canadians were getting ready to head off for a long weekend, Canada and the U.S. released a Statement of Privacy Principles intended to govern sharing of information between the two countries in connection with the Canada-U.S. Security Perimeter agreement.

Canada and the U.S. have expressly declared that the Statement of Privacy Principles is non-binding and does not create any rights or obligations under domestic or international law.  Accordingly, its utility appears to be limited to a guiding statement of intentions.

There are twelve principles. Three are particularly worth noting:

  • Permission for Onward Transfers to Third Countries. Information shared by Canada with the United States (or by the United States with Canada) may be shared with third countries.  For example, data shared by Canada with the U.S. may be shared with a third country if onward sharing would be consistent with the domestic law of the United States and any sharing conforms to international agreements and arrangements between the United States and third countries.  If there are no applicable international agreements, the originating country (in our example, Canada) is supposed to be notified of the information transfer.
  • Redress.  Canada and the United States are supposed to provide for remedies where a person’s privacy has been infringed by international sharing or where there has been a violation of data protection rules with respect to that individual.
  • Individual Access and Rectification.  Canada and the United States are supposed to provide individuals with access to personal information as well as the ability to seek rectification and/or expungement of their personal information.  If access is to be limited, the country restricting access is supposed to provide specific grounds consistent with domestic law.

“Ever Vigilant” Ontario Information and Privacy Commissioner Releases Annual Report

On June 4, 2012, the Information and Privacy Commissioner of Ontario (“IPC”) released her 2011 Annual Report. The theme of the report, “Ever Vigilant”, was chosen because, according to the IPC’s press release, the reintroduction of “lawful access” legislation (discussed in my previous posts here, here and here) “represented one of the most invasive threats to our privacy and freedom” that the IPC has encountered and represents what she is calling “Surveillance by Design.”

Here are some highlights relating to access to government-held information from the Annual Report and accompanying material.

  • A record number (45,159) of access to government-held information requests were filed in Ontario in 2011 (up 16% year over year).
  • A record number of appeals (1,214) were issued regarding government responses to those access to government-held information requests.
  • The dramatic increases in public demand for government-held information reflect the role of the Internet and accompanying technologies and provide the opportunity for greater civic participation, but require proactive rather than reactive approaches to information disclosure.
  • The IPC has developed 7 “Access by Design” principles to guide government and public sector organizations in re-thinking access to government-held information.
  • The IPC calls on the Government of Ontario to develop an “Open Data” portal by the end of 2012.  The IPC is setting an example by making raw statistics available along with its report.

 

Access to Information and Confidential Information in Municipal Contracts

In a recent order of the Office of the Information and Privacy Commissioner of Ontario, an adjudicator concluded that confidential information included in a contract was not “supplied” to the municipality and, therefore, must be disclosed in response to an access to information request.

Subsection 10(1) of the Municipal Freedom of Information and Protection of Privacy Act (Ontario) protects informational assets of third parties contracting with municipalities in Ontario. Subsection 10(1) provides, among other things, that a record that reveals technical, commercial, or financial information of a third party is exempt from disclosure under an access to information request under certain circumstances.  The information will be exempt from disclosure if the information is supplied in confidence by the third party and could reasonably be expected to prejudice significantly the competitive position or interfere significantly with the contractual negotiations of a person or organization.

In MO-2738, the requester sought access to information in a contract between the municipality and a third party.  The information in the contract included maintenance information regarding equipment that was subject to the contract, a detailed code for the supply of the services under the contract, and a summary of financial incentives and disincentives and the third party’s rates.  The adjudicator accepted that this was technical, commercial and financial information.

However, relying on prior precedent, the adjudicator concluded that the information was not “supplied” to the municipality by the third party.  Instead, it was part of a negotiated contract and, therefore, was “mutually generated”.  Accordingly, it was required to be disclosed.

Organizations entering into agreements with municipal and other governmental entities that are subject to access to information laws should take note.  Although there are no solutions that offer “bullet proof” protection for confidential information in government contracts, there are a variety of strategies for disclosure and contract negotiation that may be used to enhance the likelihood of protection by taking into account the strict requirements of the Act.

Personal and Professional Email: Access to Information Requests

When a government employee uses workplace email to send and receive personal email, are those emails subject to disclosure under access to information laws?

What about when a government employee uses a personal email account to send and receive emails relating to government business?

Two recent cases – one in Alberta and one in Ontario – answer the first question in the negative.

A recent case in England answers the second question in the affirmative – and a similar result might be expected in Canada based on recent Supreme Court of Canada jurisprudence.

1. Personal email may not be in the custody or control of the public authority

In City of Ottawa v. Ontario, the information requester sought production of communications between an employee of the City and an organization where the employee volunteered. Subsection 4(1) of the Municipal Freedom of Information and Protection of Privacy Act (“MFIPPA”) provides that a requester is entitled to access to a record if it is in the custody or under the control of the City, unless an exemption applies or the request for access is frivolous or vexatious.

The employee used his work email address to receive emails related to his volunteer work.  This was permitted by the City.  However, the City reserved the right to monitor email without notice.  All email was property of the City, but employees were not required to retain personal email under any record-keeping policy.

Initially, the adjudicator concluded that the email was in the custody or control of the City.  After all, the City had physical possession of the emails on its server and had the authority to regulate them.  On judicial review, however, the Ontario Divisional Court concluded that the documents were not in the custody or control of the City.  In order to be in the custody or control of the City, two criteria must be satisfied.  The City must be entitled to obtain a copy of the emails and the emails had to concern a City matter.  However, if personal email was sufficiently intermingled with email relating to City matters, then it would have to be produced.

In University of Alberta v. Alberta (Information and Privacy Commissioner), the requester sought access to emails between an academic at the University and a government grant agency relating to the review of a grant application. As in the Ontario case, the adjudicator had taken a straightforward approach: the emails passed through the University’s servers and the University had some right to deal with the emails; therefore, the University must have had custody or control.

The Alberta Court of Queen’s Bench rejected the adjudicator’s approach and adopted the Ontario Divisional Court’s interpretation of the meaning of “custody or control”.  Analogizing the emails to the situation of paper records, the court held that employees may keep private items at an employer’s place of work but that does not bring them within the meaning of custody or control for the purpose of access to information legislation.  The emails in this case were only remotely related to the University’s business and need not be disclosed.

2. Personal email may be producible under access to information requests if related to government business

In order to understand the next two cases, a bit of legislative background is required.  The scope of the Freedom of Information Act 2000 (UK) is somewhat different from federal Canadian access to information legislation.  In the UK, it seems that there is no specific exemption from production for records in a Minister’s Office.  Under the federal Access to Information Act (Canada), the Minister’s Office is not a government institution that is subject to the Act.

In a recent UK decision of the Information Commissioner’s Office (FS50422276), the issue was whether emails sent from the Secretary of Education’s personal email address to two special advisors were subject to production under the UK Act. One of the emails was characterized by the Information Commissioner’s Office as “essentially an action plan and a list of key events or issues in the work of the department for the month of January 2011.” This characterization was “supported by the fact that much of what was discussed in the email subsequently resulted in official departmental announcements.”

The Information Commissioner’s Office concluded that the fact that the email was sent from the Secretary of Education’s personal email address was not determinative of the requirement to produce the email (although this practice was frowned upon for record-keeping purposes). The relevant question was whether the majority of the email had to do with the business of the department. In analysing this question, it would be relevant to consider who the sender and recipients were and their roles, if any, within the civil service or the party machine, as well as the substance of the email and how it was used.

Last year, the Supreme Court of Canada considered whether records held by Ministers’ Offices were required to be disclosed under the federal Access to Information Act. The fact that a Minister’s Office was not a governmental institution for the purposes of the federal Access to Information Act did not preclude documents held there from being in the “control” of the department and, therefore, producible. The court held that consideration had to be given as to whether the record related to a departmental matter and, if so, whether there are factors that suggest that the government institution could reasonably expect to obtain a copy of the record. The court held that some of the factors to consider include the substance of the record, the circumstances in which it was created and the legal relationship between the government institution and the record holder.

IPC Confirms Building Plans Do Not Contain Personal Information

In a recently released access to information decision under Ontario’s Municipal Freedom of Information and Protection of Privacy Act (“MFIPPA”), an adjudicator for the office of the Information and Privacy Commissioner of Ontario (“IPC”) confirmed that building plans are not personal information for the purpose of MFIPPA.

The requester in this access to information case sought disclosure of the building plans for a neighbouring property. The owners of the property objected. It appears that the owners conceded at the hearing that the building plans did not contain personal information. The opening words of the definition of “personal information” in subsection 2(1) of MFIPPA define “personal information” as “recorded information about an identifiable individual”. The adjudicator followed a long line of decisions of the IPC in which the IPC has distinguished between information “about a property” and information “about an individual”. The adjudicator concluded that the building plans contained no information other than the layout of the building and, therefore, were information that was solely “about the property”.

It should be noted, however, that the line between what constitutes information about a property and information about an individual for purposes of MFIPPA depends on the type of information at issue and how easy it may be to link to an individual.  For example, in other decisions, the IPC has concluded that appraisal information about a property is personal information.

Cloud Computing and the Public Sector in British Columbia

The British Columbia Information and Privacy Commissioner (“IPC”) has released guidelines on cloud computing. The guidelines apply to the public sector bodies to which British Columbia’s Freedom of Information and Protection of Privacy Act (“FIPPA”) applies.

Paragraph 30.1(a) of FIPPA restricts the ability of public bodies in British Columbia to transfer data outside of Canada. Subject to limited exceptions, public bodies in British Columbia are permitted to store personal information outside of Canada only with the consent of the individual to whom the information relates. The consent must be provided in writing and specify to whom the personal information may be disclosed.

The British Columbia IPC recognizes that some vendors are offering cloud computing services that store information solely within Canada. However, the IPC cautions that public bodies must make inquiries to determine whether they can rely on these representations. In addition, the IPC states that public bodies must consider whether there are reasonable security measures, such as:

  • corporate policies, procedures and standards with respect to security and privacy;
  • controls regarding access by authorized users;
  • infrastructure security, including layered security controls and patch management;
  • encrypted transmission and storage of personal information;
  • contractual safeguards for the information to prevent unauthorized use, to require mandatory breach reporting and to permit audits.

 

Access Request for Advice to Minister Regarding Tax Amendments is Denied

In a recent decision, the Ontario Court of Appeal has permitted Ontario’s Minister of Finance to withhold draft policy option memos from disclosure in response to an access to information request. The requester sought records relating to the decision of the Ministry of Finance to propose amendments to section 2 of the Corporations Tax Act (Ontario) that were intended to be retroactive in effect. The result of the retroactive amendment was to close a perceived tax loophole.

Pursuant to subsection 13(1) of the Freedom of Information and Protection of Privacy Act (Ontario) (“FIPPA”), the Minister of Finance had discretion to refuse to disclose documents if (among other things) the disclosure would reveal advice or recommendations of a public servant.

The records in issue were prepared by civil servants and formed part of the internal budget briefing process of the Ministry of Finance at the level of the Assistant Deputy Minister, Deputy Minister and Minister of Finance. The adjudicator of the Information and Privacy Commissioner took the position that in order to qualify as advice or recommendations, a record must reveal a suggested course of action that will ultimately be accepted or rejected by the recipient of the record during a deliberative process. Under this formulation of the test for the application of subsection 13(1) of FIPPA, the advice must set out a course of action and be communicated to the person who is entitled to make the decision in the deliberative process. The Divisional Court found the adjudicator’s analysis was reasonable.

The Ontario Court of Appeal disagreed. The court held that the adjudicator’s approach to subsection 13(1) of FIPPA was too narrow. In particular, the court held that in order for subsection 13(1) to apply:

  • It is not necessary to demonstrate that the documents are final versions or that the documents were delivered to the final decision-maker.
  • The discretion to withhold the record is available when the information would permit the drawing of accurate inferences regarding the nature of the advice and recommendations and the documents are part of the deliberative process.
  • The records need not set out a single course of action that is to be adopted or rejected by the decision-maker.

Court Provides Guidance on Access to Information

On February 3, 2012, the Supreme Court of Canada provided guidance on the rights of third parties with respect to information that is the subject of a request under the Access to Information Act (Canada).  The court also dealt with, and was divided with respect to, the issue of the standard of review of access decisions. The standard of review issue will be discussed in a subsequent post.

Background

Merck Frosst Canada Ltd. v. Canada (Health) concerned the procedural rights and substantive protections afforded to persons who submit information to the government for regulatory purposes. In Merck Frosst’s case, the information was submitted to Health Canada in connection with pharmaceutical drug approval submissions.

Information submitted to a government institution may be released to competitors (and others) under access to information requests unless a statutory exemption applies. Although the Merck Frosst case arose in the context of a regulatory approval, these issues also arise when organizations disclose information in connection with contracts with the federal Canadian government (and provincial and municipal governments under separate access to information legislation).

Procedural Protections

On the issue of procedural protections, the Supreme Court of Canada concluded that the right of a third party to receive notice that the third party’s information may be disclosed in response to an access to information request is not absolute.  However, a government institution must provide the third party with notice that the government proposes to release the third party’s information unless there is no reason to believe that any of the exemptions from disclosure apply.

The Supreme Court’s decision sets a high threshold for disclosure without notice. Therefore, a third party who is affected by the information request will have recourse to the procedural protections of the Access to Information Act except in situations where it is clear that no exemption could apply. As the majority of the Supreme Court stated, those responsible for administering the Access to Information Act “must take their duty not to disclose exempt third party information as seriously as their duty to disclose information that the Act requires to be disclosed.”

Substantive Protections

Section 20 of the Access to Information Act provides a number of exemptions, of which the following three were relevant in the proceeding:

  • trade secrets of a third party;
  • financial, commercial, scientific or technical information that is confidential information supplied to a government institution by a third party and is treated consistently in a confidential manner by the third party; and
  • information the disclosure of which could reasonably be expected to result in material financial loss or gain to, or could reasonably be expected to prejudice the competitive position of, a third party.

The court held that the threshold for a third party establishing a trade secret was high. A trade secret is a plan, process, tool, mechanism or compound that meets the following criteria:

  • the information is secret in the sense of being known only by the third party or a relatively small group of persons;
  • the third party must demonstrate an intention to treat the information as secret;
  • the information has or is capable of having an industrial or commercial application; and
  • the third party must have an interest worthy of legal protection (such as an economic interest).

In order to qualify as confidential information for the purposes of the second exemption, the following three criteria must be met:

  • the information must be financial, commercial, scientific or technical information;
  • the third party must have consistently treated it in a confidential manner; and
  • the information must have been supplied to a government institution by the third party.

Information will not be confidential if it is available from public sources. Furthermore, except in unusual cases, a compilation of public sources will not be confidential. Nor will information be confidential if it could be obtained by another party by observation or independent study. Finally, the information will not qualify if it is information that is compiled by the government institution unless it is based on confidential information supplied by the third party.

The third exemption involves assessing the harm of disclosure. The harm-based exemption will be available if there is “a reasonable expectation of probable harm”. To establish a reasonable expectation of probable harm, the third party must demonstrate:

  • the harm is more than merely possible;
  • there is a direct link between the proposed disclosure and the apprehended harm; and
  • the harm is of a type that would reasonably be expected to ensue from disclosure. 

The court held that non-public information that would reasonably be expected to give competitors an advantage in future transactions or in the development of competing products may meet this threshold. The court did not rule out the possibility that publicly available information might also meet this threshold if the manner of presentation was unique. However, in general, the information must be confidential or at least not publicly available.