Whose information is it anyway? Implications of the York University decision on public and private sector privacy and confidentiality
Included in Discovery: Atlantic Education & the Law – Issue 12
Privacy and confidentiality requirements are some of the most important responsibilities of organizations today. An organization’s ability to properly manage information, regardless of its type, is critical for legal and contractual compliance, the avoidance of monetary penalties, and reputation.
Compliance, however, is rarely as straightforward as it seems, and knowing the obligations of your organization with respect to information is an increasingly difficult and complex task. This is particularly true for information that straddles the line between public and private, namely information that is shared between private entities and their affiliated public institutions.
Background
The privacy and confidentiality obligations of private entities (i.e. organizations that engage in commercial activity, such as for-profit companies) and public institutions (i.e. government departments and public sector entities, such as universities) are significantly different, except for personal information.[1] While private entities enjoy a largely unregulated regime that allows them to go about their business as they see fit subject only to the scrutiny of shareholders, public institutions are heavily regulated and are accountable to the public at large.
This public sector accountability derives from freedom of information legislation (sometimes also known as access to information legislation). Under this legislation, public institutions are required to divulge recorded information that is in their custody or control when requested pursuant to freedom of information or access to information requests. This requirement is incredibly broad and includes all information in the custody or control of the public institution that is not subject to one of the very limited disclosure exceptions, such as for personal information or information that could bring harm to a specific person, entity, or group.
Since private entities are not directly subject to freedom of information legislation, they rarely consider it, or its implications, in the day-to-day management of their information. Public institutions, meanwhile, regularly grapple with the implications of this legislation on their information. What is rarely considered, however, is what happens when a public institution obtains information owned by a private entity, and when, if ever, that information may need to be disclosed.
The York University Decision[2]
The question at the centre of public institution information disclosure rests on the definition of “custody or control.” That is, if a public institution is only required to disclose information in its custody or control, at what point does information held by a private entity and shared with a public institution fall under the custody or control of that public institution? Thanks to the recent decision in YUDC v IPC, the answer to this is becoming clearer.
By way of background, York University Development Corporation (“YUDC”) is a wholly-owned subsidiary of York University that was created to assist with, among other things, renovations of the University book store and pharmacy. Over the course of these renovations, several documents were created by and shared between YUDC, which is not subject to freedom of information legislation, and York University, which is.
In 2019, two professors requested that the University disclose certain records relating to the bookstore and pharmacy renovations. The University refused on account of the records being confidential YUDC information (confidential third-party information is one of the exceptions to disclosure under Ontario freedom of information legislation) but this refusal was overturned by the Ontario Information and Privacy Commissioner (“IPC”)[3]. York University then claimed that the records in question were not under its custody or control, but this too was unsuccessful.[4] The University then requested a judicial review with the Ontario Divisional Court (the “Court”).
Upon review, the Court determined that the records in question were in the custody or control of York University, upholding the decision of the IPC and mandating that York University disclose the requested records to the two professors. Its decision was grounded in the Supreme Court of Canada’s decision in Canada (Information Commissioner) v Canada (Minister of National Defence) (“IC v MND“),[5] which set out the two-part test for custody or control:
- Do the contents of the document relate to a department matter; and
- Could the [public] institution reasonably expect to obtain a copy of the document on request?[6]
The Court determined that the records related to the renovation project, which formed part of York University’s mandate, and that the University would have no difficulty obtaining the documents. Therefore, the test for custody or control was easily met and disclosure was obligated.
In making this decision, the Court spent much of its time discussing the second step of the test – that is, whether York University could reasonably expect to obtain a copy of the requested records. While the content of those records is important, there was never any debate as to whether their contents related to the mandate of the University.
In IC v MND, the Supreme Court of Canada stated that the reasonable ability of a public institution to obtain a copy of the requested documents needed to be considered in light of “[t]he substantive content of the record, the circumstances in which it was created, and the legal relationship between the government institution and the record holder.”[7] The Court in YUDC v IPC found several pieces of evidence to support its analysis on this step two.
First, the records in question were in possession of an individual who was both an officer of the University and a member of the board of directors of YUDC. Even if the individual had been holding the documents in their role as director of YUDC, the context made it impossible to separate them from their other role with the University for the purpose of the custody or control of the records in question. On this basis, it was concluded that so long as this individual was in possession of the documents, the University had custody or control.
On the possession piece alone, the Court could have likely concluded that the test had been met; however, it went further and also found compelling evidence that York University could have undertook to complete the renovations without creating the YUDC, in which case the records would have been within the University’s control all along. In the words of the Court, it would not be appropriate to permit a public institution like York University to “divest itself of its responsibility and accountability for records directly related to its statutory mandate by choosing to create a corporate entity to discharge its mandate […] in aid of achieving its objects and purposes.”[8]
In other words, while a public entity can work with affiliates to achieve its mandate, it cannot create or enlist non-arm’s length entities to assist with the expectation or assumption that this non-public entity’s involvement will free the public institution of its accountability obligations under the relevant freedom of information legislation.
While the Court heavily focused its step two analysis on the fact that the individual who was in possession of the requested documents was both an officer of the University and a director of YUDC, it is clear from the test that the connection between the entities can be far more remote, yet result in the same determination by a court.
Conclusions
With public institutions becoming increasingly reliant on the support of private entities – and in particular, private, wholly-owned subsidiaries – to deliver on the public institution’s legislated mandates, understanding one’s information privacy obligations and risks is critical.
While the YUDC v IPC decision is from Ontario, the same analysis and principles apply to freedom of information legislation across the country. A similar fact scenario in Atlantic Canada would almost certainly meet with the same result. With that knowledge, however, comes the opportunity to prevent a similar fact scenario from materializing within your organization. Not only do both public institutions and private entities need to turn their minds to the realities of the current information privacy regime, they also need to begin to work with each other to identify processes, policies, and procedures to keep their information, and their relationships, safe.
From YUDC v IPC we have learned that it is prudent for public institutions to ensure that the control of an affiliated private entity is as separate and distinct as possible from the management of the public institution, and certainly to avoid having the majority of a wholly-owned subsidiary’s directors be officers of the public institution. We also learned that organizations must carefully consider the necessity and extent of their relationships, particularly in relation to matters under the public institution’s mandate, and whether the same result could be achieved by the public institution alone or with less involvement from the private entity.
How each organization chooses to address these risks and obligations will necessarily differ, but in all cases determining the level of custody or control the public body has over the private entity’s information is central to pre-empting, restricting and preventing disclosure, and ensuring that any disclosure that does occur has the least potential for harm to those involved.
This client update is provided for general information only and does not constitute legal advice. If you have any questions about the above, please contact the authors.
Click here to subscribe to Stewart McKelvey Thought Leadership.
[1] Office of the Privacy Commissioner of Canada, “PIPEDA in Brief.”
[2] YUDC v Information and Privacy Commissioner, 2022 ONSC 1755 [“YUDC v IPC”]
[3] Information and Privacy Commissioner, Ontario, Canada. “Order PO-3922.” York University
[4] Information and Privacy Commissioner, Ontario, Canada. “Reconsideration Order PO-4029-R.” York University
[5] Canada (Information Commissioner) v Canada (Minister of National Defence), 2011 SCC 25.
[6] Ibid at 6.
[7] Ibid at 56.
[8] YUDC v IPC, supra note 2 at 48.
Archive
Kevin Landry The first look at regulations for cannabis edibles, extracts and topicals has arrived. The Federal Government has opened a 60-day consultation period respecting the strict regulation of additional cannabis products. Notice of the consultation was accompanied…
Read MoreErin Best and Kara Harrington “This case is about pain, how it was caused, by what accident and the opinions of dueling experts.”¹ “In this case, like so many, the assessment of the evidence depends…
Read MoreJonathan Coady and Michael Fleischmann Overview Once again, the time has come to review the year that was and to chart the course for the year ahead. For municipalities, developers and planning professionals throughout Prince…
Read MoreFollowing the various Stakeholder Consultations (which Stewart McKelvey participated in on behalf of Nova Scotia Employers), the Government has changed the Labour Standards Code Regulations effective January 1, 2019 to: a) provide for up to…
Read MoreVersion française à suivre Sara Espinal Henao Canada has expanded its permanent and temporary immigration requirements to include biometrics – the measurement of unique physical characteristics, such as fingerprints and facial features. The new requirements,…
Read MoreMany businesses rely on trade-mark, copyright, and patent law for the protection of their intellectual property (IP). The Federal Government recently proposed changes to IP laws, which may impact your business. Bill C-86, Budget Implementation Act,…
Read MoreJulia Parent and David Wedlake (special thanks to Graham Haynes for his assistance) In a rare decision from the bench, the Supreme Court of Canada (“SCC”) allowed the appeal of Callidus Capital Corporation in the matter…
Read MoreMark Tector and Killian McParland ‘Tis again the season for the company holiday party. And while the party planners are starting to break out the eggnog, there are some lessons learned from seasons past to…
Read MoreMark Tector and Richard Jordan The Nova Scotia Occupational Health and Safety Act (the “Act”) provides that “contractors” and “constructors” have similar, but not identical, responsibilities, with a “Constructor” having greater authority and more responsibility for the health and…
Read MoreJulia Parent and Graham Haynes On October 29, 2018, the federal government tabled national pay equity legislation as part of its second budget implementation bill, Bill C-86. This legislation is targeted at reducing the portion of the…
Read More