On hour presentation to lawyers on the Freedom of Information and, more broadly, "the law of information" in Canada.

1. Presented By
Introduction to
Freedom of
Information Law
(The Law of
Information)
Dan Michaluk
April 2022

2. Your presenter
Dan is a cybersecurity, privacy and information
management lawyer, with significant experience
working with education and public sector organizations
in Canada. Dan helps organizations:
• respond optimally to security and cyber incidents
• defend security and privacy complaints, claims and
grievances
• handle complex freedom of information matters
and appeals
• address security and other operational issues
while minimizing privacy risks
Dan has maintained a privacy and security practice
since 2003 and has acted as a security incident
“coach” since 2006. He has represented clients in
significant privacy, security and freedom of information
litigation, including at the Ontario Court of Appeal and
Supreme Court of Canada.
Dan Michaluk
Partner
2
o The Best Lawyers in Canada (Privacy and Data
Security Law)
o Chambers Canada – Canada’s Leading Lawyers for
Business (Privacy & Data Protection)
o Lexpert Zenith Award – Celebrating Mid-Career
Excellence in Computer and IT Law (2018)
o LLB, Queen's University, 1997
o B.Comm, Queen's University, 1994

3. o The law of information underpins the privacy
and cyber practice – openness is the flip
side of secrecy
o FOI is a key driver of the law of information
• The scope of individual privacy rights
• The legitimate scope of confidential business
information
• The scope of legal privilege
o Public sector incident responders need to
know it
…to professionals in the privacy and cyber milieu
Why FOI is relevant
3

4. FOI basics

5. o Applies to designated “institutions” or “public
bodies” (tied to government funding)
o Statutes may exclude some records altogether
o Presumptive right of access to “records” in “custody
or control” (or “control”)
o And they exempt some information from the right of
public access
• Discretionary versus mandatory
• Status based versus harms based
o Institutions have the burden of establishing that an
exemption applies
o And information that can be severed must be
severed (“disconnected snippets” test)
How FOI works
FOI basics
5

6. o Personal privacy (mandatory)
• Federal – personal information
• Provincial – unjustified invasion
o Third-party business (mandatory)
• Trade secrets, commercial, technical and scientific
information
• Status based and harms based
o Economic interests of government (discretionary)
• Also status and harms based
• This is where institutional security comes in
o Privilege, advice and recommendations…
Key exemptions
FOI basics
6

7. Key legal concepts

8. o The test is disjunctive – note the “or”
o Not as straightforward as one may think
because…
• … one can have control without custody …
• bare possession does not amount to custody
o Contextual, multi-factor test – ATIA leading
case is Canada (Information Commissioner)
v. Canada (Minister of National Defence),
2011 SCC 25 (CanLII), [2011] 2 SCR 306
Custody or control
Key legal concepts
8

9. o Personal e-mails held on City server are not
within the City’s custody despite the City’s
governance of the e-mail system
o Not integrated, nothing to do with City business,
no issue of employee misconduct
o City of Ottawa v. Ontario, 2010 ONSC 6835
(CanLII), which is consistent with R v Cole and
2012 SCC 53 and Johnson v Bell Canada, 2008
FC 1086
Bare possession does not amount to custody
Key legal concepts
9
Scenario. Conti has stolen 200GB of data. The e-discovery
comes back identifying 10GB of personal files, including tax
returns with SINs. What does the organization do?

10. o Harms based exemptions are marked by the words
“could reasonably be expected to” or “reasonable
expectation of probable harm”
o The SCC has said that the standard this means
more than a mere possibility but less than likelihood
(50% plus a feather) - Merck Frosst Canada Ltd. v.
Canada (Health), 2012 SCC 3
o Also, the quality of the evidence must be “detailed
and convincing” or “clear and cogent”
o Practically harms based arguments require proof of
(a) confidentiality and (b) basic facts that establish
risk is non-speculative
o Case law recognizes difficulty of predicting future
events in a law enforcement context – Fineberg,
1994 CanLII 10563
The test for harm
Key legal concepts
10

11. o A legal right which allows persons to resist
compulsory disclosure of communications and
documents rooted in some recognized public
interest in secrecy
• Class based or case-by-case
o Based in common law, statute and the Charter and
recognized in FOI statutes
o Can be waived by purposeful communication about
a privileged communication or document
o Applies to communications and documents and not
facts, which is essential to understand
• Our investigator told us exfiltration was unlikely
• There is no evidence that establishes exfiltration
• We believe that exfiltration was unlikely
Legal privilege
Key legal concepts
11

12. o “About an identifiable individual”
o Must reveal something personal about an
individual in the relevant context – e.g.
doctors’ gross income from practice ≠ PI, air
traffic controller communications ≠ PI
o The test, however, is contextual – e.g. air
traffic controller under investigation!
o And must be a sufficient linkage - is there a
reasonable expectation that, when the
information in the record at issue is combined
with information from sources otherwise
available, the individual can be identified?
Personal information
Key legal concepts
12

13. o The right of privacy is not absolute
o In FOI statutes, this is reflected in the
“unjustified invasion of privacy” exemptions,
which attempt to set a balance
o Three stage analysis – deemed to be
inaccessible? Presumed to be an unjustified
invasion? Left to balancing based on
factors?
o Example of principle in action
• Lottery winners identities protected
• But not the identify of insiders
Unjustified invasion of privacy
Key legal concepts
13

14. o Records >> information >> data
o An institution must disclose what information
it can
o But when does redaction become an
exercise in futility, warranting withholding of
whole records?
o When what’s left would be meaningless (in
the context), and constitute “disconnected
snippets” of text
Disconnected snippets test
Key legal concepts
14

15. Presented By
Impact of new
and emerging
technologies on
FOI
Dan Michaluk
March 2022

16. The impact of internet
publication and search

17. Internet publication and search
17

18. o With the internet, we can no longer “hide in
the noise” or enjoy “practical obscurity”
o It has been used to shield the identity of
lottery winners once published - Order PO-
2812 (in which IPC relies on SCOTUS
Reporters’ Committee case and R v Duarte)
o This case was from 2009, is practical
obscurity still a reality today???
Practical obscurity is no longer protection
Internet publication and search
18

19. o Related principle – a disclosure to one is a
disclosure to the world
o This is about equal application of the law,
and as such is sound
o We generally don’t distinguish requester A
from requester B based on motive
o From an institutional perspective, the full
scope of potential harm should always be
presumed
o The question – Is that so?
A requester’s identity is irrelevant
Internet publication and search
19

20. o Information which in isolation appears
meaningless or trivial could, when fitted
together, permit a comprehensive
understanding of the information being
protected
o The “assiduous inquirer” or “informed
reader” has a strong ability to look-up
information piece together the full picture
o Note - in the Maher Arar decision (2007 FC
766) the Federal Court made that there
must be a factual basis for asserting that
innocuous information will lead to harm
Mosaic effect
Internet publication and search
20

21. The impact of the cyber
threat

22. o The Merck test - The institution resisting public
disclosure “must show that the risk of harm is
considerably above a mere possibility,
although not having to establish on the
balance of probabilities that the harm will in
fact occur.”
o How will regulators account for the plain
existence of adversaries and the potential for
“threat shifting” – “the response of adversaries
to perceived safeguards and/or
countermeasures (i.e., security controls), in
which adversaries change some characteristic
of their intent/targeting in order to avoid and/or
overcome those
safeguards/countermeasures.” (NIST)
The harms test and the risk of threat shifting
The impact of the cyber threat
22

23. o Ontario PO-3670 - location of its data centre
can be kept secret, consistent with Ontario
government IT standard and ISO/IEC
27002:2013
o BC F17-23 - Drive names and paths of LAN
storage systems reference to a secure
system URL based on security architect
data about standard practice
o BC F18-13 - manual relating to the a
stadium roof SCADA system.
Access denied
The impact of the cyber threat
23

24. o BC F-15-72 - User IDs disclosed over
Ministry arguments that such disclosure
would give hackers “valuable information to
assist in breaching layers of security of
government systems to access extremely
sensitive corrections information.”
o F2013-13 - Alberta OIPC rejected an
argument that obtaining a list of cellphone
numbers would allow an individual to
infiltrate a system or harm its safety and
security
• What about RROSH and e-mail addresses?
Access granted
The impact of the cyber threat
24

25. o There’s a legitimate need to share and obtain threat
information - any information related to a threat that
might help an organization protect itself against a
threat or detect the activities of an actor. Major
types of threat information include indicators, TTPs,
security alerts, threat intelligence reports, and tool
configurations
o Sharing between FOI institutions creates many
presumptively accessible copies
• Threat shifting potential is real
o So should institutions still share?
• Yes – benefit to all > cost
• Information becomes stale quickly, reducing risks
• If you have a 3P to distribute masked copies, do it
Threat information sharing and threat exchanges
The impact of the cyber threat
25

26. Data, data and more
data

27. o Traditionally, institutions sent search memos to
internal custodians, who would engage in
“field filtering”
o Has been affirmed despite allegations that
custodians cannot be trusted – see MO-2634
o Pressure to move to an “e-FOI” approach –
retrieve, de-duplicate and conduct a
coordinated search of an electronic repository
o Simply more efficient for dealing with large
sets of data, but it’s leading to costs that are
significant
Traditional FOI versus e-FOI
Data, data and more data
27

28. o FOI is a user pay system, though the tariffs
leave much of the cost unfunded
o In Ontario, there’s an outsourcing option that
can be used to recover 100% of the costs
• The costs, including computer costs, that the
institution incurs in locating, retrieving,
processing and copying the record if those
costs are specified in an invoice that the
institution has received
o E.g. MO-2154 - $12,500 fees affirmed for
request that included deleted e-mails
How are costs handled?
Data, data and more data
28

29. For more information, contact:
The information contained herein is of a general nature and is not intended to constitute legal advice, a complete statement of the law, or an opinion on
any subject. No one should act upon it or refrain from acting without a thorough examination of the law after the facts of a specific situation are considered.
You are urged to consult your legal adviser in cases of specific questions or concerns. BLG does not warrant or guarantee the accuracy, currency or
completeness of this presentation. No part of this presentation may be reproduced without prior written permission of Borden Ladner Gervais LLP.
© 2020 Borden Ladner Gervais LLP. Borden Ladner Gervais is an Ontario Limited Liability Partnership.
Thank You
Dan Michaluk
Partner
416.367.6097
dmichaluk@blg.com