Skip to content

Whose information is it anyway? Implications of the York University decision on public and private sector privacy and confidentiality

Included in Discovery: Atlantic Education & the Law – Issue 12


By Charlotte Henderson

Privacy and confidentiality requirements are some of the most important responsibilities of organizations today. An organization’s ability to properly manage information, regardless of its type, is critical for legal and contractual compliance, the avoidance of monetary penalties, and reputation.

Compliance, however, is rarely as straightforward as it seems, and knowing the obligations of your organization with respect to information is an increasingly difficult and complex task. This is particularly true for information that straddles the line between public and private, namely information that is shared between private entities and their affiliated public institutions.

Background

The privacy and confidentiality obligations of private entities (i.e. organizations that engage in commercial activity, such as for-profit companies) and public institutions (i.e. government departments and public sector entities, such as universities) are significantly different, except for personal information.[1] While private entities enjoy a largely unregulated regime that allows them to go about their business as they see fit subject only to the scrutiny of shareholders, public institutions are heavily regulated and are accountable to the public at large.

This public sector accountability derives from freedom of information legislation (sometimes also known as access to information legislation). Under this legislation, public institutions are required to divulge recorded information that is in their custody or control when requested pursuant to freedom of information or access to information requests. This requirement is incredibly broad and includes all information in the custody or control of the public institution that is not subject to one of the very limited disclosure exceptions, such as for personal information or information that could bring harm to a specific person, entity, or group.

Since private entities are not directly subject to freedom of information legislation, they rarely consider it, or its implications, in the day-to-day management of their information. Public institutions, meanwhile, regularly grapple with the implications of this legislation on their information. What is rarely considered, however, is what happens when a public institution obtains information owned by a private entity, and when, if ever, that information may need to be disclosed.

The York University Decision[2]

The question at the centre of public institution information disclosure rests on the definition of “custody or control.” That is, if a public institution is only required to disclose information in its custody or control, at what point does information held by a private entity and shared with a public institution fall under the custody or control of that public institution? Thanks to the recent decision in YUDC v IPC, the answer to this is becoming clearer.

By way of background, York University Development Corporation (“YUDC”) is a wholly-owned subsidiary of York University that was created to assist with, among other things, renovations of the University book store and pharmacy. Over the course of these renovations, several documents were created by and shared between YUDC, which is not subject to freedom of information legislation, and York University, which is.

In 2019, two professors requested that the University disclose certain records relating to the bookstore and pharmacy renovations. The University refused on account of the records being confidential YUDC information (confidential third-party information is one of the exceptions to disclosure under Ontario freedom of information legislation) but this refusal was overturned by the Ontario Information and Privacy Commissioner (“IPC”)[3]. York University then claimed that the records in question were not under its custody or control, but this too was unsuccessful.[4] The University then requested a judicial review with the Ontario Divisional Court (the “Court”).

Upon review, the Court determined that the records in question were in the custody or control of York University, upholding the decision of the IPC and mandating that York University disclose the requested records to the two professors. Its decision was grounded in the Supreme Court of Canada’s decision in Canada (Information Commissioner) v Canada (Minister of National Defence) (“IC v MND“),[5] which set out the two-part test for custody or control:

  1. Do the contents of the document relate to a department matter; and
  2. Could the [public] institution reasonably expect to obtain a copy of the document on request?[6]

The Court determined that the records related to the renovation project, which formed part of York University’s mandate, and that the University would have no difficulty obtaining the documents. Therefore, the test for custody or control was easily met and disclosure was obligated.

In making this decision, the Court spent much of its time discussing the second step of the test – that is, whether York University could reasonably expect to obtain a copy of the requested records. While the content of those records is important, there was never any debate as to whether their contents related to the mandate of the University.

In IC v MND, the Supreme Court of Canada stated that the reasonable ability of a public institution to obtain a copy of the requested documents needed to be considered in light of “[t]he substantive content of the record, the circumstances in which it was created, and the legal relationship between the government institution and the record holder.”[7] The Court in YUDC v IPC found several pieces of evidence to support its analysis on this step two.

First, the records in question were in possession of an individual who was both an officer of the University and a member of the board of directors of YUDC. Even if the individual had been holding the documents in their role as director of YUDC, the context made it impossible to separate them from their other role with the University for the purpose of the custody or control of the records in question. On this basis, it was concluded that so long as this individual was in possession of the documents, the University had custody or control.

On the possession piece alone, the Court could have likely concluded that the test had been met; however, it went further and also found compelling evidence that York University could have undertook to complete the renovations without creating the YUDC, in which case the records would have been within the University’s control all along. In the words of the Court, it would not be appropriate to permit a public institution like York University to “divest itself of its responsibility and accountability for records directly related to its statutory mandate by choosing to create a corporate entity to discharge its mandate […] in aid of achieving its objects and purposes.”[8]

In other words, while a public entity can work with affiliates to achieve its mandate, it cannot create or enlist non-arm’s length entities to assist with the expectation or assumption that this non-public entity’s involvement will free the public institution of its accountability obligations under the relevant freedom of information legislation.

While the Court heavily focused its step two analysis on the fact that the individual who was in possession of the requested documents was both an officer of the University and a director of YUDC, it is clear from the test that the connection between the entities can be far more remote, yet result in the same determination by a court.

Conclusions

With public institutions becoming increasingly reliant on the support of private entities – and in particular, private, wholly-owned subsidiaries – to deliver on the public institution’s legislated mandates, understanding one’s information privacy obligations and risks is critical.

While the YUDC v IPC decision is from Ontario, the same analysis and principles apply to freedom of information legislation across the country. A similar fact scenario in Atlantic Canada would almost certainly meet with the same result. With that knowledge, however, comes the opportunity to prevent a similar fact scenario from materializing within your organization. Not only do both public institutions and private entities need to turn their minds to the realities of the current information privacy regime, they also need to begin to work with each other to identify processes, policies, and procedures to keep their information, and their relationships, safe.

From YUDC v IPC we have learned that it is prudent for public institutions to ensure that the control of an affiliated private entity is as separate and distinct as possible from the management of the public institution, and certainly to avoid having the majority of a wholly-owned subsidiary’s directors be officers of the public institution. We also learned that organizations must carefully consider the necessity and extent of their relationships, particularly in relation to matters under the public institution’s mandate, and whether the same result could be achieved by the public institution alone or with less involvement from the private entity.

How each organization chooses to address these risks and obligations will necessarily differ, but in all cases determining the level of custody or control the public body has over the private entity’s information is central to pre-empting, restricting and preventing disclosure, and ensuring that any disclosure that does occur has the least potential for harm to those involved.


This client update is provided for general information only and does not constitute legal advice. If you have any questions about the above, please contact the authors.

Click here to subscribe to Stewart McKelvey Thought Leadership.

[1] Office of the Privacy Commissioner of Canada, “PIPEDA in Brief.”
[2] YUDC v Information and Privacy Commissioner, 2022 ONSC 1755 [“YUDC v IPC”]
[3] Information and Privacy Commissioner, Ontario, Canada. “Order PO-3922.” York University
[4] Information and Privacy Commissioner, Ontario, Canada. “Reconsideration Order PO-4029-R.” York University
[5] Canada (Information Commissioner) v Canada (Minister of National Defence), 2011 SCC 25.
[6] Ibid at 6.
[7] Ibid at 56.
[8] YUDC v IPC, supra note 2 at 48.

SHARE

Archive

Search Archive


 
 

Reset for renewables: Nova Scotia overhauls energy regulation and governance in advance of influx of renewable energy

April 5, 2024

By Nancy Rubin and James Gamblin The Government of Nova Scotia has embarked on a path to dramatically reshape the regulation and governance of the energy sector with the passage of Bill 404, the Energy…

Read More

An employer’s guide to human rights law in Atlantic Canada

April 2, 2024

By Kathleen Starke and Annie Gray Human rights landscape Human rights legislation prohibits discrimination in specific contexts, including employment and the provision of services. In all Atlantic Provinces, Human Rights Commissions are responsible for enforcing…

Read More

Recognizing subtle discrimination in the workplace: insights from recent legal cases

March 4, 2024

By Sheila Mecking and Michiko Gartshore Subtle discrimination can have a much stronger and longer effect on employees when not properly addressed. It can also result in costly consequences for an employer who does not…

Read More

Immediate changes to travel eligibility for citizens of Mexico

February 29, 2024

By Brittany Trafford and Brendan Sheridan Today Immigration, Refugees and Citizenship Canada (“IRCC”) has announced significant changes to the travel requirements for Mexican citizens. As of February 29, 2024 at 11:30p.m. Eastern Time, all electronic…

Read More

Updated guidance on business reporting obligations under Canada’s supply chain transparency legislation

February 23, 2024

By Christine Pound, ICD.D., Twila Reid, ICD.D., Sarah Dever Letson, CIPP/C, Hilary Newman and Daniel Roth Introduction As we reported on November 30, 2023, the Fighting Against Forced Labour and Child Labour in Supply Chains…

Read More

Trustees beware! New trust reporting and disclosure requirements under the Income Tax Act are here – are you ready for them?

February 21, 2024

By Richard Niedermayer, K.C., TEP  & Rackelle Awad New trust disclosure rules originally announced on February 27, 2018, are now in force, and trusts with taxation years ending on or after December 31, 2023 are…

Read More

Proposed Criminal Interest Rate Regulations: exemptions to the lower criminal interest rate

February 14, 2024

By David Wedlake and Andrew Paul In late December 2023, the Federal Government issued draft Criminal Interest Rate Regulations under the Criminal Code. These proposed regulations follow the Budget Implementation Act, 2023, No. 1 which…

Read More

Outlook for 2024 Proxy Season

February 9, 2024

By Andrew Burke, Colleen Keyes, Gavin Stuttard, David Slipp and Logan Walters With proxy season on the horizon, many public companies are once again preparing their annual disclosure documents and shareholder materials for their annual…

Read More

Significant changes announced for new study permit applications

February 6, 2024

By Brendan Sheridan and Tiegan Scott The Government of Canada recently announced further changes to the international student program that not only limits the number of new study permit applicants per year, but also increases…

Read More

Plans of arrangement come to Newfoundland and Labrador

January 30, 2024

By Tauna Staniland, K.C., ICD.D, Joe Thorne, and Nadine Otten What can you do when your corporation wants to complete a complex transaction requiring significant corporate restructuring that cannot be easily completed under the corporation’s…

Read More

Search Archive


Scroll To Top