Whose information is it anyway? Implications of the York University decision on public and private sector privacy and confidentiality
Included in Discovery: Atlantic Education & the Law – Issue 12
Privacy and confidentiality requirements are some of the most important responsibilities of organizations today. An organization’s ability to properly manage information, regardless of its type, is critical for legal and contractual compliance, the avoidance of monetary penalties, and reputation.
Compliance, however, is rarely as straightforward as it seems, and knowing the obligations of your organization with respect to information is an increasingly difficult and complex task. This is particularly true for information that straddles the line between public and private, namely information that is shared between private entities and their affiliated public institutions.
Background
The privacy and confidentiality obligations of private entities (i.e. organizations that engage in commercial activity, such as for-profit companies) and public institutions (i.e. government departments and public sector entities, such as universities) are significantly different, except for personal information.[1] While private entities enjoy a largely unregulated regime that allows them to go about their business as they see fit subject only to the scrutiny of shareholders, public institutions are heavily regulated and are accountable to the public at large.
This public sector accountability derives from freedom of information legislation (sometimes also known as access to information legislation). Under this legislation, public institutions are required to divulge recorded information that is in their custody or control when requested pursuant to freedom of information or access to information requests. This requirement is incredibly broad and includes all information in the custody or control of the public institution that is not subject to one of the very limited disclosure exceptions, such as for personal information or information that could bring harm to a specific person, entity, or group.
Since private entities are not directly subject to freedom of information legislation, they rarely consider it, or its implications, in the day-to-day management of their information. Public institutions, meanwhile, regularly grapple with the implications of this legislation on their information. What is rarely considered, however, is what happens when a public institution obtains information owned by a private entity, and when, if ever, that information may need to be disclosed.
The York University Decision[2]
The question at the centre of public institution information disclosure rests on the definition of “custody or control.” That is, if a public institution is only required to disclose information in its custody or control, at what point does information held by a private entity and shared with a public institution fall under the custody or control of that public institution? Thanks to the recent decision in YUDC v IPC, the answer to this is becoming clearer.
By way of background, York University Development Corporation (“YUDC”) is a wholly-owned subsidiary of York University that was created to assist with, among other things, renovations of the University book store and pharmacy. Over the course of these renovations, several documents were created by and shared between YUDC, which is not subject to freedom of information legislation, and York University, which is.
In 2019, two professors requested that the University disclose certain records relating to the bookstore and pharmacy renovations. The University refused on account of the records being confidential YUDC information (confidential third-party information is one of the exceptions to disclosure under Ontario freedom of information legislation) but this refusal was overturned by the Ontario Information and Privacy Commissioner (“IPC”)[3]. York University then claimed that the records in question were not under its custody or control, but this too was unsuccessful.[4] The University then requested a judicial review with the Ontario Divisional Court (the “Court”).
Upon review, the Court determined that the records in question were in the custody or control of York University, upholding the decision of the IPC and mandating that York University disclose the requested records to the two professors. Its decision was grounded in the Supreme Court of Canada’s decision in Canada (Information Commissioner) v Canada (Minister of National Defence) (“IC v MND“),[5] which set out the two-part test for custody or control:
- Do the contents of the document relate to a department matter; and
- Could the [public] institution reasonably expect to obtain a copy of the document on request?[6]
The Court determined that the records related to the renovation project, which formed part of York University’s mandate, and that the University would have no difficulty obtaining the documents. Therefore, the test for custody or control was easily met and disclosure was obligated.
In making this decision, the Court spent much of its time discussing the second step of the test – that is, whether York University could reasonably expect to obtain a copy of the requested records. While the content of those records is important, there was never any debate as to whether their contents related to the mandate of the University.
In IC v MND, the Supreme Court of Canada stated that the reasonable ability of a public institution to obtain a copy of the requested documents needed to be considered in light of “[t]he substantive content of the record, the circumstances in which it was created, and the legal relationship between the government institution and the record holder.”[7] The Court in YUDC v IPC found several pieces of evidence to support its analysis on this step two.
First, the records in question were in possession of an individual who was both an officer of the University and a member of the board of directors of YUDC. Even if the individual had been holding the documents in their role as director of YUDC, the context made it impossible to separate them from their other role with the University for the purpose of the custody or control of the records in question. On this basis, it was concluded that so long as this individual was in possession of the documents, the University had custody or control.
On the possession piece alone, the Court could have likely concluded that the test had been met; however, it went further and also found compelling evidence that York University could have undertook to complete the renovations without creating the YUDC, in which case the records would have been within the University’s control all along. In the words of the Court, it would not be appropriate to permit a public institution like York University to “divest itself of its responsibility and accountability for records directly related to its statutory mandate by choosing to create a corporate entity to discharge its mandate […] in aid of achieving its objects and purposes.”[8]
In other words, while a public entity can work with affiliates to achieve its mandate, it cannot create or enlist non-arm’s length entities to assist with the expectation or assumption that this non-public entity’s involvement will free the public institution of its accountability obligations under the relevant freedom of information legislation.
While the Court heavily focused its step two analysis on the fact that the individual who was in possession of the requested documents was both an officer of the University and a director of YUDC, it is clear from the test that the connection between the entities can be far more remote, yet result in the same determination by a court.
Conclusions
With public institutions becoming increasingly reliant on the support of private entities – and in particular, private, wholly-owned subsidiaries – to deliver on the public institution’s legislated mandates, understanding one’s information privacy obligations and risks is critical.
While the YUDC v IPC decision is from Ontario, the same analysis and principles apply to freedom of information legislation across the country. A similar fact scenario in Atlantic Canada would almost certainly meet with the same result. With that knowledge, however, comes the opportunity to prevent a similar fact scenario from materializing within your organization. Not only do both public institutions and private entities need to turn their minds to the realities of the current information privacy regime, they also need to begin to work with each other to identify processes, policies, and procedures to keep their information, and their relationships, safe.
From YUDC v IPC we have learned that it is prudent for public institutions to ensure that the control of an affiliated private entity is as separate and distinct as possible from the management of the public institution, and certainly to avoid having the majority of a wholly-owned subsidiary’s directors be officers of the public institution. We also learned that organizations must carefully consider the necessity and extent of their relationships, particularly in relation to matters under the public institution’s mandate, and whether the same result could be achieved by the public institution alone or with less involvement from the private entity.
How each organization chooses to address these risks and obligations will necessarily differ, but in all cases determining the level of custody or control the public body has over the private entity’s information is central to pre-empting, restricting and preventing disclosure, and ensuring that any disclosure that does occur has the least potential for harm to those involved.
This client update is provided for general information only and does not constitute legal advice. If you have any questions about the above, please contact the authors.
Click here to subscribe to Stewart McKelvey Thought Leadership.
[1] Office of the Privacy Commissioner of Canada, “PIPEDA in Brief.”
[2] YUDC v Information and Privacy Commissioner, 2022 ONSC 1755 [“YUDC v IPC”]
[3] Information and Privacy Commissioner, Ontario, Canada. “Order PO-3922.” York University
[4] Information and Privacy Commissioner, Ontario, Canada. “Reconsideration Order PO-4029-R.” York University
[5] Canada (Information Commissioner) v Canada (Minister of National Defence), 2011 SCC 25.
[6] Ibid at 6.
[7] Ibid at 56.
[8] YUDC v IPC, supra note 2 at 48.
Archive
In Wood v. Wood et al, 2013 PESC 11, a motion pursuant to Rule 7.08 of the Rules of Civil Procedure for court approval of a settlement involving a minor, Mr. Justice John K. Mitchell approved the settlement among the…
Read MoreClients who sit on boards of corporate employers should take note of recent amendments made to New Brunswick’s Employment Standards Act (the “ESA”) which could increase their exposure to personal liability in connection with claims advanced by…
Read MoreSignificant changes may be coming to the standard automobile policy in PEI, including increases to the accident benefits available under Section B and an increase to the so-called “cap” applicable to claims for minor personal…
Read MoreOn June 17, 2013, pursuant to the recently amended Section 70 of the Labour Relations Act for Newfoundland and Labrador (“NL”), the Government of Newfoundland and Labrador issued three Special Project Orders (“SPOs”) in respect of the…
Read MoreOn June 14, 2013, the Supreme Court of Canada (“the Court”) released the decision that employers across the country were waiting for. In CEP Local 30 v. Irving Pulp & Paper Ltd., 2013 SCC 34, a…
Read MoreThe Government of Newfoundland and Labrador (“NL”) has recently released its “Aboriginal Consultation Policy on Land and Resource Development Decisions” (the “Policy”). A copy of the Policy can be accessed here. This new Policy is the…
Read MoreThe following is a province-by-province update of legislation from a busy 2013 spring session in Atlantic Canada. Watching these developments, we know the new legislation that has passed or could soon pass, will impact our…
Read MoreThe integrity of the jury system has become a pressing topic for our courts of late, with articles about jury duty frequently appearing front and centre in the press. The recent message from the Nova…
Read MoreIN THIS ISSUE: Cloud computing: House to navigate risky skies by Daniela Bassan and Michelle Chai Growing a startup by Clarence Bennett, Twila Reid and Nicholas Russon Knowing the lay of the land – Aboriginal rights and land claims in Labrador by Colm St. Roch Seviour and Steve Scruton Download…
Read MoreDOES IT APPLY TO YOU? On June 1, 2013, the Personal Health Information Act (PHIA) comes into force in Nova Scotia. If you are involved in health care in Nova Scotia, you need to know whether PHIA…
Read More