Skip to content

Whose information is it anyway? Implications of the York University decision on public and private sector privacy and confidentiality

Included in Discovery: Atlantic Education & the Law – Issue 12


By Charlotte Henderson

Privacy and confidentiality requirements are some of the most important responsibilities of organizations today. An organization’s ability to properly manage information, regardless of its type, is critical for legal and contractual compliance, the avoidance of monetary penalties, and reputation.

Compliance, however, is rarely as straightforward as it seems, and knowing the obligations of your organization with respect to information is an increasingly difficult and complex task. This is particularly true for information that straddles the line between public and private, namely information that is shared between private entities and their affiliated public institutions.

Background

The privacy and confidentiality obligations of private entities (i.e. organizations that engage in commercial activity, such as for-profit companies) and public institutions (i.e. government departments and public sector entities, such as universities) are significantly different, except for personal information.[1] While private entities enjoy a largely unregulated regime that allows them to go about their business as they see fit subject only to the scrutiny of shareholders, public institutions are heavily regulated and are accountable to the public at large.

This public sector accountability derives from freedom of information legislation (sometimes also known as access to information legislation). Under this legislation, public institutions are required to divulge recorded information that is in their custody or control when requested pursuant to freedom of information or access to information requests. This requirement is incredibly broad and includes all information in the custody or control of the public institution that is not subject to one of the very limited disclosure exceptions, such as for personal information or information that could bring harm to a specific person, entity, or group.

Since private entities are not directly subject to freedom of information legislation, they rarely consider it, or its implications, in the day-to-day management of their information. Public institutions, meanwhile, regularly grapple with the implications of this legislation on their information. What is rarely considered, however, is what happens when a public institution obtains information owned by a private entity, and when, if ever, that information may need to be disclosed.

The York University Decision[2]

The question at the centre of public institution information disclosure rests on the definition of “custody or control.” That is, if a public institution is only required to disclose information in its custody or control, at what point does information held by a private entity and shared with a public institution fall under the custody or control of that public institution? Thanks to the recent decision in YUDC v IPC, the answer to this is becoming clearer.

By way of background, York University Development Corporation (“YUDC”) is a wholly-owned subsidiary of York University that was created to assist with, among other things, renovations of the University book store and pharmacy. Over the course of these renovations, several documents were created by and shared between YUDC, which is not subject to freedom of information legislation, and York University, which is.

In 2019, two professors requested that the University disclose certain records relating to the bookstore and pharmacy renovations. The University refused on account of the records being confidential YUDC information (confidential third-party information is one of the exceptions to disclosure under Ontario freedom of information legislation) but this refusal was overturned by the Ontario Information and Privacy Commissioner (“IPC”)[3]. York University then claimed that the records in question were not under its custody or control, but this too was unsuccessful.[4] The University then requested a judicial review with the Ontario Divisional Court (the “Court”).

Upon review, the Court determined that the records in question were in the custody or control of York University, upholding the decision of the IPC and mandating that York University disclose the requested records to the two professors. Its decision was grounded in the Supreme Court of Canada’s decision in Canada (Information Commissioner) v Canada (Minister of National Defence) (“IC v MND“),[5] which set out the two-part test for custody or control:

  1. Do the contents of the document relate to a department matter; and
  2. Could the [public] institution reasonably expect to obtain a copy of the document on request?[6]

The Court determined that the records related to the renovation project, which formed part of York University’s mandate, and that the University would have no difficulty obtaining the documents. Therefore, the test for custody or control was easily met and disclosure was obligated.

In making this decision, the Court spent much of its time discussing the second step of the test – that is, whether York University could reasonably expect to obtain a copy of the requested records. While the content of those records is important, there was never any debate as to whether their contents related to the mandate of the University.

In IC v MND, the Supreme Court of Canada stated that the reasonable ability of a public institution to obtain a copy of the requested documents needed to be considered in light of “[t]he substantive content of the record, the circumstances in which it was created, and the legal relationship between the government institution and the record holder.”[7] The Court in YUDC v IPC found several pieces of evidence to support its analysis on this step two.

First, the records in question were in possession of an individual who was both an officer of the University and a member of the board of directors of YUDC. Even if the individual had been holding the documents in their role as director of YUDC, the context made it impossible to separate them from their other role with the University for the purpose of the custody or control of the records in question. On this basis, it was concluded that so long as this individual was in possession of the documents, the University had custody or control.

On the possession piece alone, the Court could have likely concluded that the test had been met; however, it went further and also found compelling evidence that York University could have undertook to complete the renovations without creating the YUDC, in which case the records would have been within the University’s control all along. In the words of the Court, it would not be appropriate to permit a public institution like York University to “divest itself of its responsibility and accountability for records directly related to its statutory mandate by choosing to create a corporate entity to discharge its mandate […] in aid of achieving its objects and purposes.”[8]

In other words, while a public entity can work with affiliates to achieve its mandate, it cannot create or enlist non-arm’s length entities to assist with the expectation or assumption that this non-public entity’s involvement will free the public institution of its accountability obligations under the relevant freedom of information legislation.

While the Court heavily focused its step two analysis on the fact that the individual who was in possession of the requested documents was both an officer of the University and a director of YUDC, it is clear from the test that the connection between the entities can be far more remote, yet result in the same determination by a court.

Conclusions

With public institutions becoming increasingly reliant on the support of private entities – and in particular, private, wholly-owned subsidiaries – to deliver on the public institution’s legislated mandates, understanding one’s information privacy obligations and risks is critical.

While the YUDC v IPC decision is from Ontario, the same analysis and principles apply to freedom of information legislation across the country. A similar fact scenario in Atlantic Canada would almost certainly meet with the same result. With that knowledge, however, comes the opportunity to prevent a similar fact scenario from materializing within your organization. Not only do both public institutions and private entities need to turn their minds to the realities of the current information privacy regime, they also need to begin to work with each other to identify processes, policies, and procedures to keep their information, and their relationships, safe.

From YUDC v IPC we have learned that it is prudent for public institutions to ensure that the control of an affiliated private entity is as separate and distinct as possible from the management of the public institution, and certainly to avoid having the majority of a wholly-owned subsidiary’s directors be officers of the public institution. We also learned that organizations must carefully consider the necessity and extent of their relationships, particularly in relation to matters under the public institution’s mandate, and whether the same result could be achieved by the public institution alone or with less involvement from the private entity.

How each organization chooses to address these risks and obligations will necessarily differ, but in all cases determining the level of custody or control the public body has over the private entity’s information is central to pre-empting, restricting and preventing disclosure, and ensuring that any disclosure that does occur has the least potential for harm to those involved.


This client update is provided for general information only and does not constitute legal advice. If you have any questions about the above, please contact the authors.

Click here to subscribe to Stewart McKelvey Thought Leadership.

[1] Office of the Privacy Commissioner of Canada, “PIPEDA in Brief.”
[2] YUDC v Information and Privacy Commissioner, 2022 ONSC 1755 [“YUDC v IPC”]
[3] Information and Privacy Commissioner, Ontario, Canada. “Order PO-3922.” York University
[4] Information and Privacy Commissioner, Ontario, Canada. “Reconsideration Order PO-4029-R.” York University
[5] Canada (Information Commissioner) v Canada (Minister of National Defence), 2011 SCC 25.
[6] Ibid at 6.
[7] Ibid at 56.
[8] YUDC v IPC, supra note 2 at 48.

SHARE

Archive

Search Archive


 
 

Discovery: Atlantic Education & the Law – issue 04

June 12, 2019

We are pleased to present the fourth issue of Discovery, our very own legal publication targeted to educational institutions in Atlantic Canada. While springtime for universities and colleges signal the culmination of classes, new graduates…

Read More

How employers can protect themselves with respect to social media

May 29, 2019

Grant Machum and Richard Jordan   In an earlier article, we considered an employer’s options when an employee departs and takes with them the social media contacts they have obtained during the course of their…

Read More

Canada’s Digital Charter – a principled foundation for a digital future?

May 28, 2019

Matthew Jacobs and Daniel Roth (summer student)   “… we cannot be a Blockbuster government serving a Netflix society.” – The Hon. Minister Navdeep Bains paraphrasing the Hon. Scott Brison (May 2019, at the Empire…

Read More

New reporting requirements for beneficial ownership of federal corporations coming this June

May 24, 2019

Tauna Staniland, Andrea Shakespeare, Kimberly Bungay and Alycia Novacefski The federal government has introduced new record keeping requirements for private, federally formed corporations governed by the Canada Business Corporations Act (“CBCA”). The amendments to the…

Read More

Doctors must provide ‘effective referrals’ for medical services they oppose on religious grounds: Christian Medical and Dental Society of Canada v. College of Physicians and Surgeons of Ontario, 2019 ONCA 393

May 17, 2019

Health Group, Christopher Goodridge and Matthew Jacobs The Ontario Court of Appeal confirmed in a decision released on May 15, 2019 that doctors must provide an ‘effective referral’ where they are unwilling to provide care on…

Read More

The road forward: Nova Scotia government announces and seeks input on further regulatory changes regarding funding of defined benefit pension plans

May 14, 2019

Level Chan and Dante Manna The Province of Nova Scotia is soliciting stakeholder input on significant regulatory changes to the Pension Benefits Act (“PBA”) and Pension Benefits Regulations (“PBR”).  The solicitation is accompanied by a…

Read More

Changes to Canadian cannabis licensing application process

May 9, 2019

Kevin Landry Health Canada has announced changes to the cannabis licensing regime. These changes come ahead of the release of the cannabis edibles, extracts, and topicals amendments to the Cannabis Regulations expected to be released…

Read More

Managing change in the workplace – constructive dismissal and the duty to mitigate

May 3, 2019

Grant Machum Last week’s Nova Scotia Court of Appeal’s decision in Halifax Herald Limited v. Clarke, 2019 NSCA 31, is good news for employers. The Court overturned the trial judge’s determinations that an employee had…

Read More

New Trade Union Act General Regulations addresses (in part) *snapshot* approach to construction industry unionization

May 2, 2019

Rick Dunlop On April 24, 2019, the Nova Scotia Government created the Trade Union Act General Regulations so that the Labour Board will no longer consider a Saturday, Sunday, or holiday as the date of…

Read More

Caution – Reform ahead for Newfoundland and Labrador automobile insurance

April 18, 2019

Rodney Zdebiak and Anthony Granville On Monday, April 15, 2019, the Newfoundland and Labrador legislature passed a number of changes to the Automobile Insurance Act (“Act”) stating that the intent is to help stabilize insurance rates,…

Read More

Search Archive


Scroll To Top