Included in Discovery: Atlantic Education & the Law – Issue 12

By Charlotte Henderson

Privacy and confidentiality requirements are some of the most important responsibilities of organizations today. An organization’s ability to properly manage information, regardless of its type, is critical for legal and contractual compliance, the avoidance of monetary penalties, and reputation.

Compliance, however, is rarely as straightforward as it seems, and knowing the obligations of your organization with respect to information is an increasingly difficult and complex task. This is particularly true for information that straddles the line between public and private, namely information that is shared between private entities and their affiliated public institutions.

Background

The privacy and confidentiality obligations of private entities (i.e. organizations that engage in commercial activity, such as for-profit companies) and public institutions (i.e. government departments and public sector entities, such as universities) are significantly different, except for personal information.^[1] While private entities enjoy a largely unregulated regime that allows them to go about their business as they see fit subject only to the scrutiny of shareholders, public institutions are heavily regulated and are accountable to the public at large.

This public sector accountability derives from freedom of information legislation (sometimes also known as access to information legislation). Under this legislation, public institutions are required to divulge recorded information that is in their custody or control when requested pursuant to freedom of information or access to information requests. This requirement is incredibly broad and includes all information in the custody or control of the public institution that is not subject to one of the very limited disclosure exceptions, such as for personal information or information that could bring harm to a specific person, entity, or group.

Since private entities are not directly subject to freedom of information legislation, they rarely consider it, or its implications, in the day-to-day management of their information. Public institutions, meanwhile, regularly grapple with the implications of this legislation on their information. What is rarely considered, however, is what happens when a public institution obtains information owned by a private entity, and when, if ever, that information may need to be disclosed.

The York University Decision^[2]

The question at the centre of public institution information disclosure rests on the definition of “custody or control.” That is, if a public institution is only required to disclose information in its custody or control, at what point does information held by a private entity and shared with a public institution fall under the custody or control of that public institution? Thanks to the recent decision in YUDC v IPC, the answer to this is becoming clearer.

By way of background, York University Development Corporation (“YUDC”) is a wholly-owned subsidiary of York University that was created to assist with, among other things, renovations of the University book store and pharmacy. Over the course of these renovations, several documents were created by and shared between YUDC, which is not subject to freedom of information legislation, and York University, which is.

In 2019, two professors requested that the University disclose certain records relating to the bookstore and pharmacy renovations. The University refused on account of the records being confidential YUDC information (confidential third-party information is one of the exceptions to disclosure under Ontario freedom of information legislation) but this refusal was overturned by the Ontario Information and Privacy Commissioner (“IPC”)^[3]. York University then claimed that the records in question were not under its custody or control, but this too was unsuccessful.^[4] The University then requested a judicial review with the Ontario Divisional Court (the “Court”).

Upon review, the Court determined that the records in question were in the custody or control of York University, upholding the decision of the IPC and mandating that York University disclose the requested records to the two professors. Its decision was grounded in the Supreme Court of Canada’s decision in Canada (Information Commissioner) v Canada (Minister of National Defence) (“IC v MND“),^[5] which set out the two-part test for custody or control:

1. Do the contents of the document relate to a department matter; and
2. Could the [public] institution reasonably expect to obtain a copy of the document on request?^[6]

The Court determined that the records related to the renovation project, which formed part of York University’s mandate, and that the University would have no difficulty obtaining the documents. Therefore, the test for custody or control was easily met and disclosure was obligated.

In making this decision, the Court spent much of its time discussing the second step of the test – that is, whether York University could reasonably expect to obtain a copy of the requested records. While the content of those records is important, there was never any debate as to whether their contents related to the mandate of the University.

In IC v MND, the Supreme Court of Canada stated that the reasonable ability of a public institution to obtain a copy of the requested documents needed to be considered in light of “[t]he substantive content of the record, the circumstances in which it was created, and the legal relationship between the government institution and the record holder.”^[7] The Court in YUDC v IPC found several pieces of evidence to support its analysis on this step two.

First, the records in question were in possession of an individual who was both an officer of the University and a member of the board of directors of YUDC. Even if the individual had been holding the documents in their role as director of YUDC, the context made it impossible to separate them from their other role with the University for the purpose of the custody or control of the records in question. On this basis, it was concluded that so long as this individual was in possession of the documents, the University had custody or control.

On the possession piece alone, the Court could have likely concluded that the test had been met; however, it went further and also found compelling evidence that York University could have undertook to complete the renovations without creating the YUDC, in which case the records would have been within the University’s control all along. In the words of the Court, it would not be appropriate to permit a public institution like York University to “divest itself of its responsibility and accountability for records directly related to its statutory mandate by choosing to create a corporate entity to discharge its mandate […] in aid of achieving its objects and purposes.”^[8]

In other words, while a public entity can work with affiliates to achieve its mandate, it cannot create or enlist non-arm’s length entities to assist with the expectation or assumption that this non-public entity’s involvement will free the public institution of its accountability obligations under the relevant freedom of information legislation.

While the Court heavily focused its step two analysis on the fact that the individual who was in possession of the requested documents was both an officer of the University and a director of YUDC, it is clear from the test that the connection between the entities can be far more remote, yet result in the same determination by a court.

Conclusions

With public institutions becoming increasingly reliant on the support of private entities – and in particular, private, wholly-owned subsidiaries – to deliver on the public institution’s legislated mandates, understanding one’s information privacy obligations and risks is critical.

While the YUDC v IPC decision is from Ontario, the same analysis and principles apply to freedom of information legislation across the country. A similar fact scenario in Atlantic Canada would almost certainly meet with the same result. With that knowledge, however, comes the opportunity to prevent a similar fact scenario from materializing within your organization. Not only do both public institutions and private entities need to turn their minds to the realities of the current information privacy regime, they also need to begin to work with each other to identify processes, policies, and procedures to keep their information, and their relationships, safe.

From YUDC v IPC we have learned that it is prudent for public institutions to ensure that the control of an affiliated private entity is as separate and distinct as possible from the management of the public institution, and certainly to avoid having the majority of a wholly-owned subsidiary’s directors be officers of the public institution. We also learned that organizations must carefully consider the necessity and extent of their relationships, particularly in relation to matters under the public institution’s mandate, and whether the same result could be achieved by the public institution alone or with less involvement from the private entity.

How each organization chooses to address these risks and obligations will necessarily differ, but in all cases determining the level of custody or control the public body has over the private entity’s information is central to pre-empting, restricting and preventing disclosure, and ensuring that any disclosure that does occur has the least potential for harm to those involved.

This client update is provided for general information only and does not constitute legal advice. If you have any questions about the above, please contact the authors.

Click here to subscribe to Stewart McKelvey Thought Leadership.

[1] Office of the Privacy Commissioner of Canada, “PIPEDA in Brief.”
[2] YUDC v Information and Privacy Commissioner, 2022 ONSC 1755 [“YUDC v IPC”]
[3] Information and Privacy Commissioner, Ontario, Canada. “Order PO-3922.” York University
[4] Information and Privacy Commissioner, Ontario, Canada. “Reconsideration Order PO-4029-R.” York University
[5] Canada (Information Commissioner) v Canada (Minister of National Defence), 2011 SCC 25.
[6] Ibid at 6.
[7] Ibid at 56.
[8] YUDC v IPC, supra note 2 at 48.