2. Your presenter
Dan Michaluk, Partner
Dan is a well-recognized cybersecurity, privacy and information management lawyer, with significant experience working with education and public sector organizations in Canada. Dan helps organizations:
• respond optimally to security and cyber incidents
• defend security and privacy complaints, claims and grievances
• handle complex freedom of information matters and appeals
• address security and other operational issues while minimizing privacy risks
Dan has maintained a privacy and security practice since 2003 and has acted as a security incident “coach” since 2006. He has represented clients in significant privacy, security and freedom of information litigation, including at the Ontario Court of Appeal and Supreme Court of Canada.
o The Best Lawyers in Canada (Privacy and Data Security Law)
o Chambers Canada – Canada’s Leading Lawyers for Business (Privacy & Data Protection)
o Lexpert Zenith Award – Celebrating Mid-Career Excellence in Computer and IT Law (2018)
o LLB, Queen's University, 1997
o B.Comm, Queen's University, 1994
3. Why FOI is relevant …to professionals in the privacy and cyber milieu
o The law of information underpins the privacy and cyber practice
o FOI is a key driver of the law of information
• The scope of individual privacy rights
• The legitimate scope of confidential business information
• The scope of legal privilege
o Public sector incident responders need to know it
4. Agenda
How should FOI respond to the increased need for secrecy?
o FOI basics
o Openness under pressure
o Data security and FOI
6. How FOI works (FOI basics)
o Applies to designated “institutions” or “public bodies” (tied to government funding)
o Presumptive right of access to “records” in “custody or control” (or “control”)
o Though the Act excludes some records altogether
o And exempts some information from the right of public access
o Institutions have the burden of establishing that an exemption applies
o And information that can be severed must be severed (“disconnected snippets” test)
7. Custody or control (FOI basics)
o Not as straightforward as one may think because…
• … one can have control without custody – see the Laurentian University federated university case, and consider government employee use of personal IT services
• … bare possession does not amount to custody – e.g. the City of Ottawa e-mail case
o Contextual, multi-factor test – the ATIA leading case is Canada (Information Commissioner) v. Canada (Minister of National Defence), 2011 SCC 25 (CanLII), [2011] 2 SCR 306
8. Key exemptions (FOI basics)
o Personal privacy (mandatory)
• Federal – personal information
• Provincial – unjustified invasion
o Third-party business (mandatory)
• Trade secrets, commercial, technical and scientific information
• Class based or harms based
o Economic interests of government (discretionary)
• Also class and harms based
• This is where institutional security comes in
o Privilege, advice and recommendations…
11. Practical obscurity is no longer protection (Openness under pressure)
o With the internet, we can no longer “hide in the noise” or enjoy “practical obscurity”
o Practical obscurity has been used to shield the identity of lottery winners once published – Order PO-2812 (in which the IPC relies on the SCOTUS Reporters’ Committee case and R v Duarte)
o This case was from 2009; is practical obscurity still a reality today?
12. A requester’s identity is irrelevant (Openness under pressure)
o Related principle – a disclosure to one is a disclosure to the world
o This is about equal application of the law, and as such is sound
o We generally don’t distinguish requester A from requester B based on motive
o From an institutional perspective, the full scope of potential harm should always be presumed
o The question – Is that so?
13. Mosaic effect (Openness under pressure)
o Information which in isolation appears meaningless or trivial could, when fitted together, permit a comprehensive understanding of the information being protected
o The “assiduous inquirer” or “informed reader” has a strong ability to look up information and piece together the full picture
o Note – in the Maher Arar decision (2007 FC 766) the Federal Court held that there must be a factual basis for asserting that innocuous information will lead to harm
15. The harms test and the risk of threat shifting (Data security and FOI)
o The Merck test – the institution resisting public disclosure “must show that the risk of harm is considerably above a mere possibility, although not having to establish on the balance of probabilities that the harm will in fact occur.”
o How will regulators account for the plain existence of adversaries and the potential for “threat shifting” – “the response of adversaries to perceived safeguards and/or countermeasures (i.e., security controls), in which adversaries change some characteristic of their intent/targeting in order to avoid and/or overcome those safeguards/countermeasures.” (NIST)
16. Access denied (Data security and FOI)
o Ontario PO-3670 – the location of its data centre can be kept secret, consistent with the Ontario government IT standard and ISO/IEC 27002:2013
o BC F17-23 – drive names and paths of LAN storage systems and a reference to a secure system URL, withheld based on security architect data about standard practice
o BC F18-13 – manual relating to a stadium roof SCADA system
17. Access granted (Data security and FOI)
o BC F-15-72 – user IDs disclosed over Ministry arguments that such disclosure would give hackers “valuable information to assist in breaching layers of security of government systems to access extremely sensitive corrections information.”
o F2013-13 – Alberta OIPC rejected an argument that obtaining a list of cellphone numbers would allow an individual to infiltrate a system or harm its safety and security
• What about RROSH and e-mail addresses?
18. Threat information sharing and threat exchanges (Data security and FOI)
o There’s a legitimate need to share and obtain threat information – any information related to a threat that might help an organization protect itself against a threat or detect the activities of an actor. Major types of threat information include indicators, TTPs, security alerts, threat intelligence reports, and tool configurations
o Sharing between FOI institutions creates many presumptively accessible copies
• Threat shifting potential is real
o So should institutions still share?
• Yes – benefit to all > cost
• Information becomes stale quickly, reducing risks
• If you have a third party (3P) to distribute masked copies, do it