A one-hour presentation to an IT security and law enforcement audience on how access to information legislation and related pressures affect public bodies in Canada.
2. Your presenter
Dan Michaluk, Partner
Dan is a cybersecurity, privacy and information management lawyer, with significant experience working with education and public sector organizations in Canada. Dan helps organizations:
• respond optimally to security and cyber incidents
• defend security and privacy complaints, claims and grievances
• handle complex freedom of information matters and appeals
• address security and other operational issues while minimizing privacy risks
Dan has maintained a privacy and security practice since 2003 and has acted as a security incident “coach” since 2006. He has represented clients in significant privacy, security and freedom of information litigation, including at the Ontario Court of Appeal and Supreme Court of Canada.
o The Best Lawyers in Canada (Privacy and Data Security Law)
o Chambers Canada – Canada’s Leading Lawyers for Business (Privacy & Data Protection)
o Lexpert Zenith Award – Celebrating Mid-Career Excellence in Computer and IT Law (2018)
o LLB, Queen's University, 1997
o B.Comm, Queen's University, 1994
3. Why FOI is relevant …to professionals in the privacy and cyber milieu
o The law of information underpins the privacy and cyber practice – openness is the flip side of secrecy
o FOI is a key driver of the law of information
• The scope of individual privacy rights
• The legitimate scope of confidential business information
• The scope of legal privilege
o Public sector incident responders need to know it
5. FOI basics: How FOI works
o Applies to designated “institutions” or “public bodies” (tied to government funding)
o Statutes may exclude some records altogether
o Presumptive right of access to “records” in “custody or control” (or “control”)
o And they exempt some information from the right of public access
• Discretionary versus mandatory
• Status based versus harms based
o Institutions have the burden of establishing that an exemption applies
o And information that can be severed must be severed (“disconnected snippets” test)
6. FOI basics: Key exemptions
o Personal privacy (mandatory)
• Federal – personal information
• Provincial – unjustified invasion
o Third-party business (mandatory)
• Trade secrets, commercial, technical and scientific information
• Status based and harms based
o Economic interests of government (discretionary)
• Also status and harms based
• This is where institutional security comes in
o Privilege, advice and recommendations…
8. Key legal concepts: Custody or control
o The test is disjunctive – note the “or”
o Not as straightforward as one may think because…
• … one can have control without custody …
• bare possession does not amount to custody
o Contextual, multi-factor test – ATIA leading case is Canada (Information Commissioner) v. Canada (Minister of National Defence), 2011 SCC 25 (CanLII), [2011] 2 SCR 306
9. Key legal concepts: Bare possession does not amount to custody
o Personal e-mails held on a City server are not within the City’s custody despite the City’s governance of the e-mail system
o Not integrated, nothing to do with City business, no issue of employee misconduct
o City of Ottawa v. Ontario, 2010 ONSC 6835 (CanLII), which is consistent with R v Cole, 2012 SCC 53 and Johnson v Bell Canada, 2008 FC 1086
Scenario. Conti has stolen 200GB of data. The e-discovery comes back identifying 10GB of personal files, including tax returns with SINs. What does the organization do?
10. Key legal concepts: The test for harm
o Harms based exemptions are marked by the words “could reasonably be expected to” or “reasonable expectation of probable harm”
o The SCC has said that this standard means more than a mere possibility but less than likelihood (50% plus a feather) - Merck Frosst Canada Ltd. v. Canada (Health), 2012 SCC 3
o Also, the quality of the evidence must be “detailed and convincing” or “clear and cogent”
o Practically, harms based arguments require proof of (a) confidentiality and (b) basic facts that establish the risk is non-speculative
o Case law recognizes the difficulty of predicting future events in a law enforcement context – Fineberg, 1994 CanLII 10563
11. Key legal concepts: Legal privilege
o A legal right which allows persons to resist compulsory disclosure of communications and documents rooted in some recognized public interest in secrecy
• Class based or case-by-case
o Based in common law, statute and the Charter and recognized in FOI statutes
o Can be waived by purposeful communication about a privileged communication or document
o Applies to communications and documents and not facts, which is essential to understand
• Our investigator told us exfiltration was unlikely
• There is no evidence that establishes exfiltration
• We believe that exfiltration was unlikely
12. Key legal concepts: Personal information
o “About an identifiable individual”
o Must reveal something personal about an individual in the relevant context – e.g. doctors’ gross income from practice ≠ PI, air traffic controller communications ≠ PI
o The test, however, is contextual – e.g. air traffic controller under investigation!
o And must be a sufficient linkage - is there a reasonable expectation that, when the information in the record at issue is combined with information from sources otherwise available, the individual can be identified?
13. Key legal concepts: Unjustified invasion of privacy
o The right of privacy is not absolute
o In FOI statutes, this is reflected in the “unjustified invasion of privacy” exemptions, which attempt to set a balance
o Three stage analysis – deemed to be inaccessible? Presumed to be an unjustified invasion? Left to balancing based on factors?
o Example of principle in action
• Lottery winners’ identities protected
• But not the identity of insiders
14. o Records >> information >> data
o An institution must disclose what information
it can
o But when does redaction become an
exercise in futility, warranting withholding of
whole records?
o When what’s left would be meaningless (in
the context), and constitute “disconnected
snippets” of text
Disconnected snippets test
Key legal concepts
14
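The disconnected snippets test above is, in practice, a question about what survives once the exempt spans are blacked out. As an added example (not from the presentation), here is a small Python redaction helper that masks exempt spans and reports the residue: how many words remain, the longest unbroken run of surviving words, and a heuristic verdict on whether what is left is meaningful. The two records, the exemption labels, the regex patterns and the six-word threshold are all constructed assumptions for illustration; the threshold is not a rule from case law.

```python
import re

MARKER = "[REDACTED]"

# Constructed sample records (invented text, not taken from any real FOI file).
MEMO = (
    "On 3 March the contractor reported that the vendor's proprietary pricing formula "
    "uses a 12% margin over cost. The custodian, Jane Example, 416-555-0100, approved "
    "release. A copy was sent to the facilities manager for review."
)
SITE_NOTE = "Re: DC. Address: 1 Example Road. Rack layout: rows A to D. Contact: J. Doe."

# Exempt spans as regexes, keyed by the exemption the analyst is relying on
# (labels and patterns are assumptions for the example).
MEMO_EXEMPT = {
    "third-party commercial": r"proprietary pricing formula uses a \d+% margin over cost",
    "personal information": r"Jane Example, 416-555-0100",
}
SITE_EXEMPT = {
    "security of a system": r"1 Example Road|rows A to D",
    "personal information": r"J\. Doe",
}


def redact(text, exempt, marker=MARKER):
    """Replace each exempt span with the marker. Returns (redacted_text, chars_removed)."""
    removed = 0

    def _mask(m):
        nonlocal removed
        removed += len(m.group(0))
        return marker

    for pattern in exempt.values():
        text = re.sub(pattern, _mask, text)
    return text, removed


def residual_profile(redacted, marker=MARKER):
    """What survives between the black boxes: words kept, longest unbroken run of
    surviving words, and the number of redactions applied."""
    runs = [len(re.findall(r"[A-Za-z0-9']+", seg)) for seg in redacted.split(marker)]
    runs = [n for n in runs if n]
    return {
        "words_kept": sum(runs),
        "longest_run": max(runs, default=0),
        "redactions": redacted.count(marker),
    }


def is_disconnected_snippets(redacted, min_run=6, marker=MARKER):
    """Heuristic stand-in for the legal test: if no surviving stretch reaches min_run
    consecutive words, what is left is arguably meaningless in context and withholding
    the whole record is on the table. The threshold is an assumption, not a legal rule."""
    return residual_profile(redacted, marker)["longest_run"] < min_run


def assess(text, exempt, min_run=6):
    """Redact, then return the release decision alongside the residue metrics."""
    redacted, removed = redact(text, exempt)
    profile = residual_profile(redacted)
    profile["chars_removed"] = removed
    profile["withhold_whole_record"] = is_disconnected_snippets(redacted, min_run)
    profile["redacted"] = redacted
    return profile


if __name__ == "__main__":
    for label, text, exempt in (("memo", MEMO, MEMO_EXEMPT), ("site note", SITE_NOTE, SITE_EXEMPT)):
        result = assess(text, exempt)
        print(f"{label}: {result['redacted']}")
        print(f"  words kept={result['words_kept']} longest run={result['longest_run']} "
              f"withhold whole record={result['withhold_whole_record']}")
```

Run on the memo, two spans come out but a twelve-word stretch of ordinary narrative survives, so the redacted copy is released; on the site note nothing longer than three words survives between the markers, which is the "disconnected snippets" situation where withholding the record as a whole becomes defensible. The verdict is only a prompt for the analyst; the contextual judgement about whether the residue still reveals the secret indirectly stays with the human.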
18. o With the internet, we can no longer “hide in
the noise” or enjoy “practical obscurity”
o It has been used to shield the identity of
lottery winners once published - Order PO-
2812 (in which IPC relies on SCOTUS
Reporters’ Committee case and R v Duarte)
o This case was from 2009, is practical
obscurity still a reality today???
Practical obscurity is no longer protection
Internet publication and search
18
19. o Related principle – a disclosure to one is a
disclosure to the world
o This is about equal application of the law,
and as such is sound
o We generally don’t distinguish requester A
from requester B based on motive
o From an institutional perspective, the full
scope of potential harm should always be
presumed
o The question – Is that so?
A requester’s identity is irrelevant
Internet publication and search
19
20. o Information which in isolation appears
meaningless or trivial could, when fitted
together, permit a comprehensive
understanding of the information being
protected
o The “assiduous inquirer” or “informed
reader” has a strong ability to look up
information and piece together the full picture
o Note - in the Maher Arar decision (2007 FC
766) the Federal Court made clear that there
must be a factual basis for asserting that
innocuous information will lead to harm
Mosaic effect
Internet publication and search
20
22. o The Merck test - The institution resisting public
disclosure “must show that the risk of harm is
considerably above a mere possibility,
although not having to establish on the
balance of probabilities that the harm will in
fact occur.”
o How will regulators account for the plain
existence of adversaries and the potential for
“threat shifting” – “the response of adversaries
to perceived safeguards and/or
countermeasures (i.e., security controls), in
which adversaries change some characteristic
of their intent/targeting in order to avoid and/or
overcome those
safeguards/countermeasures.” (NIST)
The harms test and the risk of threat shifting
The impact of the cyber threat
22
23. o Ontario PO-3670 - location of its data centre
can be kept secret, consistent with Ontario
government IT standard and ISO/IEC
27002:2013
o BC F17-23 - Drive names and paths of LAN
storage systems and a reference to a secure
system URL, based on security architect
data about standard practice
o BC F18-13 - manual relating to a
stadium roof SCADA system.
Access denied
The impact of the cyber threat
23
24. o BC F-15-72 - User IDs disclosed over
Ministry arguments that such disclosure
would give hackers “valuable information to
assist in breaching layers of security of
government systems to access extremely
sensitive corrections information.”
o F2013-13 - Alberta OIPC rejected an
argument that obtaining a list of cellphone
numbers would allow an individual to
infiltrate a system or harm its safety and
security
• What about RROSH and e-mail addresses?
Access granted
The impact of the cyber threat
24
25. o There’s a legitimate need to share and obtain threat
information - any information related to a threat that
might help an organization protect itself against a
threat or detect the activities of an actor. Major
types of threat information include indicators, TTPs,
security alerts, threat intelligence reports, and tool
configurations
o Sharing between FOI institutions creates many
presumptively accessible copies
• Threat shifting potential is real
o So should institutions still share?
• Yes – benefit to all > cost
• Information becomes stale quickly, reducing risks
• If you have a 3P to distribute masked copies, do it
Threat information sharing and threat exchanges
The impact of the cyber threat
25
27. o Traditionally, institutions sent search memos to
internal custodians, who would engage in
“field filtering”
o Has been affirmed despite allegations that
custodians cannot be trusted – see MO-2634
o Pressure to move to an “e-FOI” approach –
retrieve, de-duplicate and conduct a
coordinated search of an electronic repository
o Simply more efficient for dealing with large
sets of data, but it’s leading to costs that are
significant
Traditional FOI versus e-FOI
Data, data and more data
27
28. o FOI is a user pay system, though the tariffs
leave much of the cost unfunded
o In Ontario, there’s an outsourcing option that
can be used to recover 100% of the costs
• The costs, including computer costs, that the
institution incurs in locating, retrieving,
processing and copying the record if those
costs are specified in an invoice that the
institution has received
o E.g. MO-2154 - $12,500 fees affirmed for
request that included deleted e-mails
How are costs handled?
Data, data and more data
28
Welcome everyone
I’m Dan Michaluk
Happy to present on the current state of FOI
As part of the Osgoode Certificate in Privacy & Cybersecurity
…
FOI has been a key part of my own practice for a long time now – 20 years
Grown into cyber security and cyber incident response, heavily in the last five or so years
Time when lawyers are trying to find true legal substance in providing cyber services (to distinguish them from many, many consultants in the space)
Understanding the law of information is part of that
And that’s really what FOI law has been to me, a chance to learn and apply the law of information
Easily called this the law of information
-bla bla bla
-but do visit allaboutinformation.ca
Whether you are a lawyer or a nonlegal professional, everything we do in this space is premised on the law of information
-It’s not as transitory as computer law, internet law or AI law
-It addresses the more foundational questions
-What does privacy mean?
-What information has a “quality of confidence” such that it deserves legal protection?
-What communications warrant the application of a legal privilege?
I think if you have a good sense of how to answer these questions you’ll be better at your job
And FOI drives that law
Think of some of the key cases about privacy – Dagg for example, is a case about an ATIP request
The same goes for confidentiality and legal privilege
So there’s a lot to joining the club of FOI nerds to which I belong
Maybe more practically… if you’re a cyber responder in the public sector you need to know it
As you’ll see… FOI puts a lot of transparency pressure on public sector institutions
You need to be able to manage that when you’re responding to a public sector incident
-statutes provincial and federal – underscored by Charter
-personal information is exempt… head has discretion to disclose it if head believes public interest clearly outweighs the resulting invasion of privacy (but very protective)
-versus provincial unjustified invasion standard – personal information is not necessarily exempt… built in balance to the exemption
-START WITH FOI – DOESN’T APPLY TO RECORDS UNLESS THEY ARE IN CUSTODY OR CONTROL
-control without custody
-outsourcing and accountability is a big topic in data security and privacy
-organization object is to foster strong control without custody
-standard terms
-put them in a DPA – data protection addendum
-recent cases in Ontario PS – Halton DSB and TDSB
-bare possession is not necessarily custody
-prime minister’s agenda not in control of RCMP or Privy Council Office
-though they had them in their possession
-see the leading test here
-get this finding with personal e-mails on government e-mail servers
-ordinarily not subject to the presumptive right of access
-based on facts but pretty broad
…
-that’s a 400,000 e-discovery bill by the way
-but you learn a lot about how your network is being used
-truly personal then disregard
-at most give employees mass warning
-personal business – individual warning
-personal use that you’ve invited, then include that in your notification set
-send me back this form
-here’s a form to send to our insurance company for enrollment
EXEMPTION ISSUE – IF THE DISCLOSURE COULD REASONABLY BE EXPECTED TO CAUSE ECONOMIC HARM, PROTECTED
-How much risk does there need to be before it warrants putting up a barrier to the transparency guaranteed by statute?
-risk assessment which is part of the data security domain
1) identify your threat scenario – a competitor will use this information to under bid us
2) assess the probability of it happening – low, medium, high
-look for evidence that underscores the probability – do that by inference (connect the dots)
-we have four key competitors
-all of our products are identical
-it’s happened to us before
-you get a bit of a break when the threat scenario is about a malicious actor
-drive to the evidence that helps you understand the probability of the bad action
-one other respect of cyber security this relates to is data classification
-green/public, amber medium security, protect, top secret
-if you work with this model enough you will see data classifications pop out at you
-some information just doesn’t have a quality of confidence
-factual and not evaluative
-facts are obvious rather than non obvious
-and the facts are general in nature
Privilege is so important to understand
FOI – EXEMPT – IF PRIVILEGED IT IS EXEMPT
-class based
-solicitor and client privilege, litigation privilege, settlement privilege – look at the parameters and see if they are met
-case by case – balance all the factors
-Slavutych – terminated for tenure feedback received in confidence
-communications and documents and not facts… hard to understand but very important, especially when you are trying to avoid a waiver
-simply because you can refer to facts without waiving privilege
ANOTHER
-this allegation is bogus
-we had our expert counsel look into it
-it is bogus because of x and y
FOI – more amenable to protection if it is PI
-under some statutes it is protected pure and simple, under others you have to engage in a second layer of balancing
Definition and key case law
Ontario Medical Association v Ontario (Information and Privacy Commissioner), 2018 ONCA 673
Canada (Information Commissioner) v Canada (Transportation Accident Investigation and Safety Board) 2006 FCA 157
Gordon v Canada (Minister of Health) + Ontario Case called Pascoe
Tie in to cyber
-lose 200 GB
-teams of 35 reviewers ploughing through trying to identify all PI
-my own preference is to ho source
-students do it on a small scale… applying this law
Also
-can I send that spreadsheet in plain text e-mail if I delete the first and last name columns
-please…
-answer is probably no….
-that’s just a variation of pseudonymization – remove enough identifiers to sufficiently protect a data set
-in Ontario and most of the provinces the test is unjustified invasion
-can have an invasion of privacy, and the public interest in government transparency prevails over it
-literally justifies the invasion
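The spreadsheet question above ("probably no") and the "sufficient linkage" test on the personal information slide come down to the same check: once the name columns are gone, can the remaining columns be matched against some outside source to single a person out? As an added example (not from the presentation), here is a Python re-identification check on a constructed pseudonymized table. It measures k-anonymity over an assumed set of quasi-identifiers, lists the rows that are unique, shows which columns would have to be suppressed to reach k = 2, and flags classes where the sensitive value is the same for everyone (so the attribute leaks even without identifying anyone). All rows, column names and values are invented.

```python
from collections import Counter

# Constructed sample: a "pseudonymized" spreadsheet with the first- and last-name
# columns already dropped. Every value is invented for illustration.
ROWS = [
    {"postal_fsa": "M5V", "birth_year": 1984, "sex": "F", "dept": "Finance", "salary_band": "C"},
    {"postal_fsa": "M5V", "birth_year": 1984, "sex": "F", "dept": "IT",      "salary_band": "B"},
    {"postal_fsa": "L4C", "birth_year": 1991, "sex": "M", "dept": "Finance", "salary_band": "A"},
    {"postal_fsa": "L4C", "birth_year": 1991, "sex": "M", "dept": "Finance", "salary_band": "A"},
    {"postal_fsa": "K1A", "birth_year": 1975, "sex": "M", "dept": "Legal",   "salary_band": "D"},
    {"postal_fsa": "K1A", "birth_year": 1975, "sex": "M", "dept": "Legal",   "salary_band": "E"},
]

# Columns an "assiduous inquirer" could match against an outside source such as a
# staff directory or a voters list. Which columns count is an assumption here.
QUASI_IDENTIFIERS = ("postal_fsa", "birth_year", "sex", "dept")
SENSITIVE = "salary_band"


def equivalence_classes(rows, cols):
    """Group rows by their quasi-identifier values; each group is one equivalence class."""
    classes = {}
    for r in rows:
        classes.setdefault(tuple(r[c] for c in cols), []).append(r)
    return classes


def k_anonymity(rows, cols):
    """k = size of the smallest equivalence class. k == 1 means at least one row is
    unique on these columns and can be linked back to a person by anyone holding
    the outside source."""
    return min(len(g) for g in equivalence_classes(rows, cols).values())


def unique_rows(rows, cols):
    """Quasi-identifier values that single out exactly one row."""
    return [key for key, g in equivalence_classes(rows, cols).items() if len(g) == 1]


def homogeneous_classes(rows, cols, sensitive):
    """Classes where every member shares the sensitive value: even with k >= 2 the
    attribute is disclosed for everyone in the class (no diversity)."""
    return [key for key, g in equivalence_classes(rows, cols).items()
            if len({r[sensitive] for r in g}) == 1]


def columns_to_suppress(rows, cols, k_required):
    """Greedy: repeatedly drop the column whose removal raises k the most, until the
    table is k_required-anonymous. Returns the columns dropped (empty if none needed)."""
    remaining = list(cols)
    dropped = []
    while remaining and k_anonymity(rows, remaining) < k_required:
        best = max(remaining,
                   key=lambda c: k_anonymity(rows, [x for x in remaining if x != c]))
        remaining.remove(best)
        dropped.append(best)
    return dropped


if __name__ == "__main__":
    print("k with all quasi-identifiers:", k_anonymity(ROWS, QUASI_IDENTIFIERS))
    print("unique rows:", unique_rows(ROWS, QUASI_IDENTIFIERS))
    to_drop = columns_to_suppress(ROWS, QUASI_IDENTIFIERS, 2)
    print("columns to suppress for k=2:", to_drop)
    kept = [c for c in QUASI_IDENTIFIERS if c not in to_drop]
    print("homogeneous classes after suppression:", homogeneous_classes(ROWS, kept, SENSITIVE))
```

With the name columns gone the table still has k = 1: two people are unique on postal code, birth year, sex and department. Dropping the department column gets to k = 2, yet the two L4C staff share the same salary band, so that attribute is disclosed for both of them anyway. That is the practical reason the answer to the spreadsheet question is "probably no": removing direct identifiers is not the same as making a data set safe to send in the clear.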
Tie into cyber and data security is rather fundamental
-what is and is not reasonable to disclose
-how sensitive is something
-what’s a good
-incredibly contextual
-incredibly hard to protect
-because the law is very clear that privacy is not absolute
-lots of my practice is trying to be a good judge of that
-the problem with privacy protection is that it’s causing information not to flow
-think of network security and the need for early detection
-need solid behavioral monitoring
-but the rules are unclear
-it’s rare to give an unqualified opinion but often we can enable if we have a strong grasp of how a judge or a commissioner will strike the balance
FOI
-disclose what you can
-withhold what you must
-and if you must withhold so much that the disclosure is meaningless
-just hold back the whole doc
Rather directly a data security/confidentiality problem
-what can you reveal without revealing the secret indirectly
-a good task for a lawyer
-about text and inferences
-if you can apply this test it’s likely you’ll be better at speaking data security
A little more applied
And a little higher level
Where we are and where we are going
Identify the issues to study
Called openness under pressure
It’s about how FOI is responding to modern challenges
-ease by which information is disseminated
-the cyber threat
Each of these factors weighs against the disclosure of government information pursuant to the FOI regime
Let’s look a little more closely at the two factors
Ease by which information is disseminated, increase the impact and harm from the disclosure of information
-so much so that we have privacy law developing to put brakes on the flow of information
-with the RTBF, new online harassment tort, the Sherman estate case
-legal developments that counteract the free flow we are seeing
-puts pressure on the FOI system too – weighs against transparency
-true adversaries who will use benign information against organizations
-hackers are doing open source intelligence gathering to perpetrate hacks
-almost any information held within an organization can be used for social engineering purposes
-we’re experiencing VPN problems
-not confidential business information
-used by hackers who compromised Twitter’s account management system in 2020
-Now I’m not suggesting hackers will file FOI requests
-but any FOI requester is free to publish a response on the internet… so how should we adjust?
Let’s examine this some more by reference to some fundamental principles
The first one being the principle of practical obscurity
…
Information is practically obscure if it has been published but is nonetheless not widely distributed or known
Practical obscurity is protective in this way
…
To date it has been mainly used to preserve privacy despite limited publication
….
-did a case in which we argued that point successfully
-lottery winner > $50,000… media release (security reasons)
-but they were not available on the internet
-argued that they needed to remain practically secure
…
-rap sheets… convictions a matter of public records but access denied under FOI statute in any event
…
This was 2009
We just won’t likely have that fact scenario available to us going forward
The internet is like an archive of everything…
Here’s another related principle
…
-denied access to requester’s own information … likely harm to others
In my view, there is sufficient evidence before me to conclude that the appellant’s motives for seeking access to this information are not benevolent and that he has demonstrated a history of intimidating behaviour.
….
-sounds so sensible but it is radical….
-another person could conceivably access the same information and treat it freely
….
-not only is the information at issue likely to be disseminated
-it may be more readily decoded to cause harm….
The affiant X (for the RCMP) explains that “the more limited the dissemination of some of the information, the more likely an informed reader can determine the targets, sources and methods of operation of the agency”
Traditionally we look at the “informed reader” or the “assiduous inquirer” [what now in light of the internet]