Access to Information Orders

Decision Information

Summary:



• Request made to the Ministry of Health and Long Term Care for three specific Privacy Impact Assessments (PIAs) for three separate systems being implemented.

• Section 12 (Cabinet records) – partly upheld.

• Section 19 (solicitor-client privilege) – partly upheld.

• Section 14(1)(i) (endanger a system or procedure) – partly upheld.

• Ministry's decision upheld, in part. Ministry ordered to disclose non-exempt information.

Decision Content

ORDER PO-2765

 

Appeal PA07-221

 

Ministry of Health and Long-Term Care


NATURE OF THE APPEAL:

 

The Ministry of Health and Long-Term Care (the Ministry) received a request under the Freedom of Information and Protection of Privacy Act (the Act) for access to the Privacy Impact Assessments (PIAs) for the Ontario Laboratory Information System (OLIS) (the Laboratories PIA), the ODB Drug Program Viewer (the Drug Programs Branch PIA) and the Integrated Public Health Information System (the Health Care Branch I & IT Cluster PIA), as well as other records relating to identified meetings and committees.

 

After the request was clarified with the requester, the Ministry granted partial access to certain records, and denied access to other records, including the PIAs.  With respect to the three PIAs, the Ministry took the position that the exemption in section 12(1)(a) (cabinet records) applied to the Laboratories Branch PIA; that the exemptions at sections 14(1)(i) (law enforcement) and 17(1) (third party information) applied to the Drug Programs Branch PIA; and that the exemptions at sections 12(1)(c) and 12(1)(e) (cabinet records) and section 14(1)(i) (law enforcement) applied to the Health Care Branch I & IT Cluster PIA.

The requester (now the appellant) appealed the Ministry’s decision, and also took the position that the public interest override at section 23 of the Act applied to the records.  As a result, section 23 of the Act was added as an issue in this appeal.

 

During mediation, issues regarding access to all of the records other than the PIAs were resolved. 

 

In addition, during mediation the Ministry issued a revised decision regarding the PIAs, in which it agreed to disclose portions of two of the PIAs, and also took the position that section 19 of the Act (solicitor-client privilege) applied to the PIAs.  Specifically, the Ministry’s decision was as follows:

 

  • Laboratories Branch PIA:  Access was granted to pages 1 to 11, 121 and 122 in full and page 123 in part.  The Ministry continues to deny access to the remainder of this record pursuant to section 12(1)(a) of the Act.  In addition, the Ministry is now raising the application of sections 19 and 14(1)(i) of the Act to this record.

 

  • Drug Programs Branch PIA:  Access was granted to pages 56 to 71.  The Ministry continues to deny access to the remainder of this record pursuant to sections 14(1)(i) and 17(1)(a)(b)(c) of the Act.  In addition, the Ministry is now raising the application of sections 12(1)(a) and 19 of the Act to this record.

 

  • Health Care Branch I & IT Cluster PIA:  The Ministry continues to deny access to this record in its entirety pursuant to sections 12(1)(c),(e), and 14(1)(i) of the Act.  In addition, the Ministry is now raising the application of section 19 of the Act to this record.

 

At the end of the mediation process, the appellant advised the mediator that he objected to the Ministry’s revised decision.  Specifically, the appellant objected to the Ministry raising a new exemption and extending the application of the other exemptions.  As a result, the issue of the Ministry’s late raising of discretionary exemptions was added as an issue in this appeal.

 

Mediation did not resolve the appeal, and it was transferred to the adjudication stage of the process.  At the onset of the adjudication process, the Ministry contacted this office to advise that it no longer relied on section 17 to deny the appellant access to the withheld portions of the Drug Programs Branch PIA.  The adjudicator previously assigned to this file reviewed the portions of the Drug Programs Branch PIA that the Ministry had initially identified as containing third party information, and he was satisfied that those portions of the record did not contain third party information, but rather described in very general terms the roles and responsibilities of outside service providers.  Accordingly, the previous adjudicator determined that section 17 of the Act was no longer an issue in this appeal.

 

A Notice of Inquiry, identifying the facts and issues in this appeal, was sent to the Ministry, initially.  The Ministry provided representations in response and, in its representations, the Ministry also submits that there exists a public interest in non-disclosure of the information at issue.  A Notice of Inquiry, along with a copy of the Ministry’s representations, was sent to the appellant who also provided representations in response.  A copy of the appellant’s representations was then sent to the Ministry and the Ministry was invited to provide representations in reply, which it did.

 

The file was subsequently transferred to me to complete the adjudication process.

 

RECORDS:

 

The records at issue in this appeal consist of the withheld portions of the following:

 

  • Laboratories Branch PIA (pages 12 to 120, 124 to 153 and a portion of page 123)
  • Drug Programs Branch PIA (pages 1 to 55 and 72 to 83)
  • Health Care Branch I & IT Cluster PIA (pages 1 to 181)

 

DISCUSSION:

 

Preliminary issue - late raising of discretionary exemptions

 

The parties in this appeal agree that the Ministry did not claim the application of section 19 to the records at issue until the mediation stage of this appeal, and after the 35-day period set out in section 11 of the Code of Procedure.  The Ministry provides representations in support of its position that I ought to consider the possible application of section 19 to the records, notwithstanding its failure to claim that exemption within the timeframe prescribed.  In the appellant’s representations, he states that he has serious objections and concerns about the late raising of this exemption; however, he then goes on to state:

 

However, in spite of my objections …, I ask the adjudicator to rule on the applicability of section 19 to this request.  I expect that, if successful on appeal, I will be making future requests for PIAs conducted by [the Ministry] and other Ministries.  It is likely that in future requests [the Ministry] will rely on section 19 to deny access to PIAs.  Clarity on the applicability of section 19 would ensure that this section is applied appropriately in the consideration of future requests.

 

In light of the appellant’s statement set out above, I will review the issue of whether or not the exemption in section 19 applies to the records at issue in this appeal.

 

With respect to the application of the section 14 discretionary exemption to additional portions of the records, the Ministry states that it had already raised the application of this exemption to portions of the records, and that applying it to additional portions would not prejudice the appellant.  The Ministry also references the fact that it had withdrawn the application of other exemptions for portions of the records, and had also “significantly narrowed” the scope and application of the section 12 claim.  The appellant does not address this issue in his representations.  In the circumstances, I will review the possible application of the section 14 claim to the additional portions of the records for which it is made, as I find that the appellant will not be prejudiced by the late raising of this section to additional portions of the records.

 

CABINET RECORDS

 

Although the Ministry initially took the position that the records at issue qualified for exemption under various subsections of section 12(1) of the Act, in its representations, the Ministry indicated that it was revising its decision and is now only claiming that certain portions of the records (namely the bolded paragraph at the bottom of page 25 of the Health Care Branch I & IT Cluster PIA, and the first two paragraphs under heading 1.1.1 on page 16 of the Laboratories Branch PIA) are exempt under the introductory wording of section 12(1) of the Act.

 

The introductory wording of section 12(1) of the Act reads:

 

A head shall refuse to disclose a record where the disclosure would reveal the substance of deliberations of the Executive Council or its committees, including, …

 

Previous decisions of this office have established that the use of the word “including” in the introductory language of section 12(1) means that any record which would reveal the substance of deliberations of Cabinet or its committees (not just the types of records enumerated in the various subparagraphs of 12(1)), qualifies for exemption under section 12(1) [See Orders P-22, P-331, P-894, P-1570].  It is also possible for a record that has never been placed before Cabinet or its committees to qualify for exemption under the introductory wording of section 12(1), if an institution can establish that disclosing the record would reveal the substance of deliberations of Cabinet or its committees, or that its release would permit the drawing of accurate inferences with respect to these deliberations [See Orders P-361, P-604, P-901, P-1678, PO-1725].

 

Representations

 

The Ministry’s representations on the application of this exemption state:

 

In PO-1917 the IPC held that a record is exempt under the opening words of section 12(1) where it is “obvious from the contents that the document formed the substance of Cabinet deliberations”, even where the record itself is not identified as a Cabinet record.  The Ministry submits that the contents of these records would, if disclosed, reveal the substance of a Cabinet committee’s deliberations in respect of the matter in the record and as such, these portions of the records are exempt under the introductory wording of section 12(1) of the Act.  The relevant portions of the records refer to specific items that Cabinet, or one of its committees, the Management Board of Cabinet, deliberated on and approved.

 

In his representations the appellant reviews his understanding of the process by which PIAs are approved.  He states:

 

I am aware that it is standard practice for [Ministries] to conduct a Privacy Impact Assessment for any major IT initiative involving the collection, use, disclosure, retention and destruction of personal information, and to make that PIA available to the Ministry of Government Services (MGS) when seeking cabinet or cabinet committee approval.  I note that the PIA Guidelines on the MGS website state in part:

 

A PIA will now normally be required as part of any Management Board of Cabinet (MBC) submission seeking approval to begin the detailed design phase or to request funding approval for product acquisition or system development work.

 

It is my understanding that PIAs are reviewed by Management Board analysts and the Access and Privacy Office to confirm that appropriate due diligence has been conducted prior to submission to a Cabinet Committee such as Management Board of Cabinet.  Often these are preliminary or conceptual PIAs created to support the project and budget approval process.

 

Most initiatives, and certainly those in question here, having gained approval from cabinet, will proceed with the development of the project and conduct more comprehensive PIAs (often called physical or design level PIAs).  These are vastly different and separate documents from those submitted to cabinet, containing more information and more comprehensive analyses.  These documents, or parts thereof, may be shared with officials in MGS such as the Access and Privacy Office during the course of development for expert comment and advice, but will rarely find their way to the cabinet or committee table.  The documents I seek fall into this category.

Having said that, the appellant agrees that if I were to determine section 12 applies to those portions of the records, those two portions of the records ought to be severed and the remainder of the records released.

 

Analysis/Findings

 

The Ministry has withheld the bolded paragraph at the bottom of page 25 of the Health Care Branch I & IT Cluster PIA and the first two paragraphs under heading 1.1.1 on page 16 of the Laboratories Branch PIA under section 12(1).  After reviewing these two portions of the records, and considering the Ministry’s representations, I am satisfied that these paragraphs contain information which, if disclosed, would reveal the substance of deliberations of the Executive Council or its committees.  The withheld portions refer to information which was put before cabinet, and, although the information itself may be fairly innocuous, I find that it is sufficiently detailed such that these paragraphs qualify for exemption under the introductory wording of section 12(1).  As a result, I am satisfied that the introductory wording of section 12(1) applies to the two severances identified by the Ministry.

 

SOLICITOR-CLIENT PRIVILEGE

 

Section 19 of the Act states as follows:

 

A head may refuse to disclose a record,

 

(a)      that is subject to solicitor-client privilege;

 

(b)      that was prepared by or for Crown counsel for use in giving legal advice or in contemplation of or for use in litigation; or

 

(c)          that was prepared by or for counsel employed or retained by an educational institution for use in giving legal advice or in contemplation of or for use in litigation.

 

Subsection (c) has no application in the circumstances of this appeal.

 

Section 19 contains two branches as described below.  The institution must establish that one or the other (or both) branches apply.

 

Branch 1:  common law privilege

 

Branch 1 of the section 19 exemption appears in section 19(a) and encompasses two heads of privilege, as derived from the common law:  (i) solicitor-client communication privilege; and (ii) litigation privilege.  In order for branch 1 of section 19 to apply, the institution must establish that one or the other, or both, of these heads of privilege apply to the records at issue.  [Order PO-2538-R; Blank v. Canada (Minister of Justice) (2006), 270 D.L.R. (4th) 257 (S.C.C.) (also reported at [2006] S.C.J. No. 39)].

Branch 2:  statutory privileges

 

Branch 2 of section 19 arises from sections 19(b) and (c).  Section 19(b) is a statutory exemption that is available in the context of Crown counsel giving legal advice or conducting litigation.  The statutory exemption and common law privileges, although not necessarily identical, exist for similar reasons.

 

The Ministry’s representations

 

The Ministry submits that the withheld portions of the three PIAs are exempt from disclosure based on section 19 of the Act.  The Ministry states:

 

The [three PIAs] are documents intended for internal consideration by the Ministry as part of its decision-making process.  Various counsel from the Ministry’s legal services branch are listed as significant contributors in these documents, and their legal opinions and legal advice are interspersed throughout.

 

As all three PIAs pertain to systems involving information sharing under complex legislative schemes (requiring analysis under the Ontario Drug Benefits Act, the Health Protection and Promotion Act, the Laboratory and Specimen Collection Centre Licensing Act, the Personal Health Information Protection Act, 2004 and the Freedom of Information and Protection of Privacy Act), legal opinions and advice are found interspersed throughout the records.  Examples of legal opinions and advice may be found, among numerous other places, in the Laboratories Branch PIA at the top of page 31, in the first paragraph on page 55, in the paragraph half-way down on page 81, in the Drug Programs Branch PIA at pages 16-17, under heading 4.2 on page 34, under heading 4.5 on page 37 and under heading 4.9 on page 43, and in the Health Care Branch I & IT Cluster PIA in the definitions at pages 15-16, in section 1.2.3 at page 25, in section 1.3.2 at page 27, in section 3.1.1.2 at page 74 and in section 3.5.1.5 at pages 109-110.

 

The Ministry submits that the Divisional Court’s decision in Ontario (Ministry of Finance) v. Ontario (Assistant Information and Privacy Commissioner) (1997), 102 O.A.C. 71 applies equally to these records.  In this decision, the Court held that legal opinions are exempt in their entirety; not just stated opinion portions.

 

Additionally, the Ministry submits that these PIAs are solicitor-client communications made in confidence.  Each page of both the Drug Programs Branch PIA and Health Care Branch I & IT Cluster PIA is labelled with a header that says, “CONFIDENTIAL”, while the footer on each page of the Laboratories Branch PIA describes it as being of high sensitivity.  The Laboratories Branch PIA also contains a note stating that it is not expected to be published for external use.  Each of the PIAs is treated as confidential by Ministry staff.

 

The Ministry also states that the privilege in these records has not been lost through waiver, and that although the three PIAs were shared with this office for consultation purposes, they were shared on a confidential basis.  The Ministry then states:

 

Specifically with respect to the Health Care Programs I & IT PIA, the only version that was shared with the IPC was an early version dated November 8, 2004.  The final version, to which the Ministry is claiming the section 19 exemption applies, is 11 versions later, contains numerous revisions and is dated June 16, 2005.

 

The Ministry also identifies that representatives of Canada Health Infoway (CHI), which provided investment funding for Ontario with respect to OLIS, were permitted to view the Laboratories PIA in order to identify and/or confirm that certain identified privacy concerns were addressed.  The Ministry states that this sharing was done on a confidential basis, and that CHI representatives were only permitted to view the PIA on the Ministry’s premises.  As a result, the Ministry submits that the viewing of the Laboratories PIA by CHI representatives did not constitute waiver of solicitor-client privilege in the PIA.  The Ministry then states:

 

The Laboratories Branch PIA, Drug Programs Branch PIA and Health Care Branch I & IT Cluster PIA are written communications of a confidential nature prepared in consultation with Ministry legal counsel for the purpose of providing legal advice.  As such, the Ministry submits that these records are subject to solicitor-client privilege and therefore exempt in their entirety under section 19 of the Act.

 

The appellant’s representations

 

The appellant provides lengthy representations addressing the issue of whether the solicitor-client privilege applies.  These representations focus on the purpose, authorship and audience of PIAs.

 

The appellant begins by noting that the litigation privilege has not been claimed by the Ministry.  He then refers to the description of the solicitor-client communication privilege set out in the Notice of Inquiry, which includes the following quotation from Descoteaux v. Mierzwinski (1982) 141 D.L.R. (3d) 590 (S.C.):

 

Solicitor-client communication privilege protects direct communications of a confidential nature between a solicitor and client, or their agents or employees, made for the purpose of obtaining or giving professional legal advice.

 

The appellant then states that he does not agree with the Ministry’s position that the three PIAs are primarily communications between the Ministry’s legal counsel and Ministry employees as their clients for the purpose of soliciting and providing legal advice.  Referring to the purpose of the PIAs, he states:

 

The Privacy Impact Assessment Guidelines published on [the MGS website] describe a privacy impact assessment as follows:

 

A privacy impact assessment (PIA) is a process that helps to determine whether new technologies, information systems, and proposed programs or policies meet basic privacy requirements.  It measures both technical compliance with privacy legislation - such as the Freedom of Information and Protection of Privacy Act (FIPPA) or the Municipal Freedom of Information and Protection of Privacy Act (MFIPPA) and the broader privacy implications of a given proposal.

 

The MGS Privacy Impact Assessment Guidelines further state that the goals of a PIA include:

 

-      providing senior executives and the government with the tools necessary to make fully-informed policy and system design and/or procurement decisions based on an understanding of privacy risk and of the options available for mitigating that risk;

-      ensuring accountability for privacy issues is clearly incorporated into the role of project managers and sponsors;

-      ensuring that there is a consistent format and structured process for analysing both technical and legal compliance with FIPPA and MFIPPA, relevant program statutes, Management Board of Cabinet (MBC) Directives, and internationally accepted, fair information practices;

-      ensuring that the protection of privacy is included in the core criteria for business or I & IT projects, and for subsidiary project activities, to reduce the potential for subsequent project termination or retrofitting systems for privacy compliance;

-      providing basic documentation on the flow of personal information for common use and review by policy and program design staff, systems analysts, and security analysts, and as the basis for:

-       consultations with [the IPC] and other stakeholder groups,

-       public announcements,

-       adequate notice and consent statements for clients, legislative amendments, contract specifications and penalties, partnership agreements, and monitoring and enforcement mechanisms,

-       post-implementation verification and periodic reviews and audits;

-      preventing the inadvertent development of personal information management systems that may be characterized or criticized as facilitating surveillance; and

-      identifying remedial steps necessary to improve privacy protection in pre-existing programs or systems.

 

The appellant also refers to the publication from this office entitled Privacy Impact Assessment Guidelines for the Ontario Personal Health Information Protection Act, and states that it describes the PIA on page 4 as follows:

 

A PIA is a formal risk management tool used to identify the actual or potential effects that a proposed or existing information system, technology or program may have on individuals’ privacy.  A PIA also identifies ways in which privacy risks can be mitigated.  A PIA is desirable to assess the following types of risks:

 

-      Risks arising from a new technology or the convergence of existing technologies such as an electronic medical record (EMR) system or electronic health record (EHR) system;

-      Risks arising from the use of a known privacy-intrusive technology in new circumstances, such as the installation of CCTV in patient examination rooms for teaching or educational purposes or the recording of telephone consultations with patients;

-      Risks arising from a new program or from changing information handling practices with significant privacy effects, such as a proposal to use personal health information collected for treatment purposes to develop a research database or a proposal to integrate an EMR or EHR with a patient scheduling system; and

-      Risks arising from legacy systems that may not support privacy and security best practices. Best practices include, but are not limited to, auditing access to personal health information, providing access to personal health information based on a user’s job requirements, and requiring individuals to sign into a system with a unique username and password before they can access any personal health information.

 

The appellant then states:

 

I respectfully submit that I have never seen any definition of a PIA or its purposes that suggests that the PIA was primarily “made for the purpose of obtaining or giving professional legal advice”.  While legal analyses dealing with such things as the applicability of legislation are always part of the PIA, it is only one piece of a multi-disciplinary assessment of privacy risk.  Much of the time, the analyses provided by lawyers on the PIA team constitute business advice and not legal advice subject to solicitor-client privilege.

 

I ask the adjudicator to review the stated purposes for each PIA subject to this appeal to determine whether or not they were created for the purpose of obtaining or giving professional legal advice.  I also ask the adjudicator to determine whether any advice provided by [Ministry] legal counsel in the PIAs constituted legal advice subject to privilege, or business advice.

 

With respect to the authorship of the PIAs, the appellant states:

 

The PIA is authored by a multi-disciplinary team representing a wide range of skills and expertise.  The MGS PIA Guidelines, Part 1, identify the following skill-sets as necessary for a PIA:

 

-     Policy Development skills: Relating to business-specific policy experience, broad strategic policy and planning skills, and stakeholder impact analysis and consultation skills.

-     Operational Program and Business Design skills: Relating to those associated with examination of proposals for the operational flow of the business, and analyse the feasibility, practicality, efficiency of the program and of public/private partnerships.

-     Technology and Systems expertise: Relating to the design, attributes and operations of mainframe and legacy systems, networking products, new Internet tools, system security, and front-end customer interface systems including, counter/staff terminal entry, unattended computer/kiosk, Automated voice response, attended voice/call centres, remote access, Internet tools, smart cards, card read/write devices at the customer interface level, financial or transaction settlement systems, and biometric tools.

-     Risk and Compliance Analysis skills: Relating to those associated with comprehensive financial and due diligence audits, and the emerging specialties related to audits of computer system vulnerabilities.

-     Procedural and Legal skills: Relating to program authority for Out-Sourcing, program or agent collection and use of personal information, jurisdiction of institutional oversight mechanisms, statutory, regulatory and contractual options, and potential statutory or code conflicts where multiple statutes or jurisdictions are involved.

-     Access to Information and Privacy expertise: Relating to the FIPPA/MFIPPA, privacy provisions in relevant program statutes, national and international privacy standards, privacy enhancing technologies, and current privacy developments.

 

I note that legal skills represent only one of a number of skills required to conduct the range of analyses included in a PIA.  At a minimum, the portions of the PIA that contain the analyses and contributions of policy analysts, program and business analysts, technical analysts, risk management analysts, and access to information and privacy analysts should not be subject to solicitor-client privilege.

 

The appellant then refers to an MGS Manual on access requests under the Act, which states as follows under the Solicitor-Client Privilege heading:

 

“Legal advice” includes a legal opinion about a legal issue and a recommended course of action based on legal considerations.  It does not include information which was provided about a matter having legal implications where no legal opinion was expressed or where no course of action based on legal considerations was recommended.  The fact that a lawyer reviewed a record does not of itself mean that the record falls within the exemption.

 

The appellant then states:

 

I respectfully submit that many, if not all of the contributions made by Ministry lawyers to these PIAs were “information which was provided about a matter having legal implications where no legal opinion was expressed or where no course of action based on legal considerations was recommended.”  I refer specifically to matters such as the definitions of terms, legal authority for the collection of personal information, roles and responsibilities, high-level discussion of agreements between various parties involved in the development, deployment and operation of the systems, and application of privacy legislation.  These are matters that could be determined by a competent non-legal privacy specialist, although many organizations rely on their legal advisors to provide this information.

 

The [Laboratories PIA], parts of which were released to me …, includes, on page 2, a list of reviewers, contributors and approvers.  I note that no Ministry lawyers or external legal counsel have been identified as a reviewer, contributor or approver on this page.

 

I ask the adjudicator to review the authorship of the PIAs in question to determine if they were either:

 

a.       Prepared by legal counsel for the purpose of giving privileged legal advice, and/or

b.       Prepared by Ministry officials for the purpose of seeking privileged legal advice.

 

Concerning the audience for the PIAs, the appellant again refers to the Privacy Impact Assessment Guidelines publication from this office, and references the following from page 5 of that document:

 

A PIA provides a credible source of information for health information custodians, privacy regulators, and the public [emphasis added]

 

The appellant also identifies that the MGS PIA Guidelines state that the goals of a PIA include:

 

-      providing senior executives and the government with the tools necessary to make fully-informed policy and system design and/or procurement decisions based on an understanding of privacy risk and of the options available for mitigating that risk;

-      providing basic documentation on the flow of personal information for common use and review by policy and program design staff, systems analysts, and security analysts [emphasis added]

 

The appellant then states:

 

I ask the adjudicator to review the intended audiences for these PIAs to determine if they were either:

 

a.       Received by legal counsel for the purpose of providing legal advice to Ministry officials, and/or

b.       Received by Ministry officials for the purpose of obtaining legal advice.

 

The appellant then refers to the portions of the records that the Ministry specifically identified as examples that contain information the Ministry claims is subject to solicitor-client privilege (as identified in their representations, above), and states:

 

I note that the portions indicated in [the Ministry’s representation] are examples only.  I submit that it is incumbent upon the Ministry to identify to the adjudicator all portions of the records that it believes are subject to solicitor-client privilege and to provide evidence to the adjudicator of such privilege.

 

I ask the adjudicator to examine those portions of the records claimed by [the Ministry] as being subject to solicitor-client privilege to determine:

 

a.       If there is evidence that the portion of the record was written by legal counsel, or quoted privileged advice written by legal counsel in another document,

b.       Whether the portion of the record contained legal advice or business advice,

c.       If the portion of the record was marked in any way to indicate that it was subject to solicitor-client privilege,

d.       Whether or not [the Ministry] waived privilege by including advice in a document created for purposes other than the communication of privileged legal advice between a solicitor and client.

 

The appellant also requests that, if portions of the records do contain solicitor-client privileged information, these portions be severed, and the remainder of the PIAs could then be disclosed. 

 

Finally, the appellant also notes that there is a distinction between the marking of the records as “confidential” or “high sensitivity”, as noted by the Ministry, and “privileged”.  He states:

 

Under … the Ontario Government’s Information Security and Privacy Classification Policy, the records would have been labelled “confidential” or “high sensitivity” even if they contained no legal advice.

 

Ministry’s reply representations

 

The Ministry provided representations in reply in which it reiterates its original submissions that the exemption at section 19 applies to all of the portions of the PIAs remaining at issue.  The Ministry states:

 

The exempted portions of the PIAs are direct communications of a confidential nature between a solicitor and client, made for the purpose of giving legal advice, or are reflective of such communications, and as such are subject to solicitor client privilege.

 

In response to the appellant’s submission … that no Ministry lawyers were listed as reviewers, contributors or approvers of the Laboratories Branch PIA, the Ministry submits that its legal counsel made significant contributions to the development of the PIA despite not being included on the list.  Specifically, the Laboratories Branch PIA reflects legal advice provided by Ministry counsel throughout the development of the OLIS system, and also reflects advice that was provided during legal counsel’s review of an earlier iteration of the Laboratories Branch PIA.

 

The Ministry’s legal counsel made significant contributions to the PIAs, examples of which are listed in the Ministry’s original submissions ….  The purpose of these contributions was to communicate legal opinions and advice to Ministry staff.

 

Analysis

 

I have carefully reviewed the records at issue and the representations of the parties in light of the wording of section 19 of the Act.

 

I do not agree with the Ministry’s position that, due to the nature of the information contained in the PIAs, and the direct and specific contributions legal counsel made to the PIAs, all of the remaining portions of the PIAs are exempt from disclosure because they are covered by the solicitor-client privilege exemption found in section 19 of the Act.

 

Although I accept that the PIAs, or portions of them, were drafted with the involvement of legal counsel, this in itself is not sufficient to establish that the solicitor-client privilege is met.  Previous orders have clearly stated that a record does not qualify for exemption under this section simply because it has been reviewed by a lawyer or because legal counsel has suggested that it should be revised in a particular manner (PO-1038), notwithstanding that particular suggestions to amend a document in a specific way might be privileged.   

 

Furthermore, in PO-2115, former Assistant Commissioner Mitchinson reviewed the Ministry of the Environment’s position that certain records were exempt under section 19 of the Act, and stated:

It is clear from the representations and the content of Record 2 that the Ministry’s Legal Services Branch was consulted in the context of preparing the record. However, it does not necessarily follow that the record qualifies for exemption under section 19 for that reason.  Merely having a lawyer review or comment on a document does not cloak that document with solicitor-client communication privilege.  Former Assistant Commissioner Irwin Glasberg addressed that issue in Order P-1038, where he stated:

 

In its representations, the Ministry points out that legal counsel created Record 4(A).  This matter is not in dispute.  The Ministry then submits that when legal counsel attached her memorandum to Records 4(B) and (C) (along with her proposed revisions), the nature of these documents was transformed such that they were effectively re-created by legal counsel.  I do not accept this argument.  While it is true that legal counsel suggested that several parts of Record 4(B) be revised, I do not believe that this fact alone can serve to transform a standard type of record produced by an operating area of the Ministry into a piece of legal advice.

 

I also share the view expressed by Commissioner Tom Wright in Order P-227 that a record does not qualify for exemption under section 19 simply because it has been reviewed by a lawyer. [emphasis added]

 

In my view, a similar approach is appropriate in considering the application of section 19 to the withheld portions of [the Record] in this appeal.

 

In support of its position, the Ministry relies on references in the record that a particular position was taken “in consultation with the Ministry’s Legal Services Branch”.  However, the Ministry does not identify what the specific legal advice was or whether it was accepted or rejected by the author, nor does it provide any supporting or separate documentation to confirm the nature of any legal advice requested or given.  In my view, the representations themselves are not sufficient to support the section 19 exemption claim for the final three of the four withheld paragraphs on page 6.

 

As far as the first withheld paragraph on page 6 is concerned, following the phrase “in consultation with the Ministry’s Legal Services Branch” the author of Record 2 proceeds to identify the specific advice given by that Branch for one aspect of the information covered in the memorandum.  In my view, this paragraph qualifies for exemption under section 19 for the same reasons as the withheld portions of page 2 of Record 1 outlined above.

 

I adopt the approach taken to this issue in these previous orders.  On my review of the records and the information provided by the Ministry, the mere fact that these records were reviewed by counsel and that counsel may have provided input and suggested changes to the records, does not bring them within the ambit of section 19 of the Act.  However, if information contained in the records would reveal solicitor-client privileged information, such as confidential advice provided by legal counsel, that information would qualify for exemption under section 19 of the Act.

 

In addition to its general representations on how the solicitor-client privilege extends to all of the remaining portions of the three records (which I do not accept), the Ministry has also provided specific representations on particular portions of the records, and identifies these as “examples” of the privileged information which they maintain is found throughout the records.  I have carefully reviewed the specific examples provided by the Ministry, and make the following findings on these examples.  Although I recognize that these are examples used by the Ministry, the findings also provide insight into how I apply the solicitor-client privilege to other information of this nature found in the records.

 

Laboratories Branch PIA

 

1) Information at the top of page 31

 

This information essentially restates a definition found in legislation, and then lists areas where this information may arise.  Although legal counsel may have been involved in the development of this portion of the record, the information is of a general nature and is part of the final product of this PIA, which was prepared with input from many parties.  On my review of this information and the circumstances of the preparation of this PIA, I am not satisfied that it contains solicitor-client privileged information, or that its disclosure would reveal such information.

 

2) Information in the first paragraph on page 55

 

This information identifies various statutory requirements and changes, and also identifies current practices.  Again, although legal counsel may have been involved in the development of this information, it is of a general nature and was prepared with input from many parties.  In the circumstances, I am not satisfied that it contains solicitor-client privileged information, or that its disclosure would reveal such information.

 

3) Information in the paragraph half-way down on page 81

 

This information identifies statutory requirements and refers to the wording in identified legislation.  Again, although legal counsel may have been involved in the development of this information, it is of a general nature concerning information found in legislation.  In the circumstances, I am not satisfied that it contains solicitor-client privileged information, or that its disclosure would reveal such information.

 

Drug Programs Branch PIA

 

1) Information on pages 16-17, under heading 4.2 on page 34, under heading 4.5 on page 37, and under heading 4.9 on page 43

 

The identified portions of these sections of this PIA contain very general information about the legislative history of certain statutes, and then define and restate certain legislative requirements.  Again, although legal counsel may have been involved in the development of this information, this information is of a general nature and consists of the final PIA, prepared with input from many parties.  On my review of this information and the circumstances of the preparation of this PIA, I am not satisfied that it contains solicitor-client privileged information, or that its disclosure would reveal such information.

 

Health Care Branch I & IT Cluster PIA 

 

1) The definitions at pages 15-16 and section 1.2.3 at page 25

 

The information found at pages 15-16 of this PIA simply defines terms for the purpose of the PIA.  Section 1.2.3 identifies the legislative context.  Although legal counsel may have been involved in the development of this information, this information is of a general nature and consists of the final PIA, prepared with input from many parties.  In the circumstances, I am not satisfied that it contains solicitor-client privileged information, or that its disclosure would reveal such information.

 

2) Section 1.3.2 at page 27

 

On my review of the bolded portion of this section of this PIA, I find that its disclosure would reveal solicitor-client privileged information.  This portion of the PIA specifically refers to information provided directly by the Legal Services Branch that relates to legal advice, and I am satisfied that it qualifies for exemption under section 19 of the Act.  

 

3) Section 3.1.1.2 at page 74 and section 3.5.1.5 at pages 109-110

 

The information found in these sections of this PIA simply reviews legislative requirements as set out in the legislation.  Again, although legal counsel may have been involved in the development of this information, this information is of a general nature and consists of the final PIA, prepared with input from many parties.  In the circumstances, I am not satisfied that it contains solicitor-client privileged information, or that its disclosure would reveal such information.

 

Additional portions of the records

 

Since the Ministry has claimed that the above portions of the records are only “examples” of solicitor-client protected information, I have reviewed the records in their entirety to determine whether any other portions contain or would reveal solicitor-client privileged information.  Based on this review, I find that two other small portions of the records specifically refer to information provided directly by the Legal Services Branch, and I am satisfied that those two portions of the records qualify for exemption under section 19 of the Act.   These two portions are:

 

-          a brief paragraph on pages 98-99 of the Health Care Branch I & IT Cluster PIA, and

-          one line on page 144 of the Health Care Branch I & IT Cluster PIA

 

With respect to the remaining portions of the records, I conclude that none of them contain information that qualifies as solicitor-client privileged under section 19 of the Act.

 

In arriving at this decision, one of the factors I considered is the nature of the records themselves.  The appellant has provided considerable information about the purpose, authorship and audience of the PIAs, and this information was shared with the Ministry.  In my view, the fact that the records were authored by various parties, with input from numerous disciplines and individuals (including legal counsel), and that the final product was a joint effort by these parties, supports my finding that the solicitor-client privilege does not automatically attach to these records. Furthermore, the purpose of these records is to assist staff in dealing with personal health information, and to identify concerns, procedures and requirements for how to deal with this information.  The nature of the information contained in the records further supports my finding that solicitor-client privilege does not attach to the records merely because they were reviewed by counsel.

 

I find additional support for this position in the decision of the Divisional Court in Ontario (Ministry of Community and Social Services) v. Ontario (Information and Privacy Commissioner), [2004] 70 O.R. (3d) 680.  Although that decision overturned Order PO-2034, the court took the opportunity to comment on another order of this office, Order PO-1928.  In PO-1928, a requester sought access to records showing interviewing techniques, procedures followed and training manuals used by Office of the Children’s Lawyer (OCL) lawyers to ascertain a child’s wishes in determining questions of custody and/or access.  The Ministry of the Attorney General denied access to the records on the basis that they qualified for exemption under section 19 of the Act.  Adjudicator Nipp addressed this issue as follows:

 

First, the evidence before me indicates that these documents, being generic training materials, were not treated in a confidential manner, but were widely distributed among most if not all OCL staff and agents.  While early drafts of these documents may have been treated confidentially (and in fact may have been privileged), once this record was finalized and widely distributed [among] OCL staff and agents, it cannot be said to constitute a confidential communication. 

 

Second, … to be subject to solicitor-client communication privilege, the communication in question must relate to a particular matter on which legal advice is being sought or provided.  This privilege is not intended to apply to general guidelines to staff or agents, or policies about how to carry out their duties, in the absence of a specific legal issue on which advice is being sought.  By contrast, had legal advice been sought and given on the specific legal issue of what the guidelines should contain, then confidential communications between legal counsel and an OCL client made for this purpose may well have attracted privilege.

 

The Divisional Court examined the facts of Order PO-1928, and noted that the subject matter of the documents in question in that order did not deal with a particular type of litigation and could not be considered to relate to a particular matter on which legal advice was sought.  The court stated that the records “concerned training material prepared by the staff of the Office of the Children’s Lawyer to be given to both lawyers and social workers with the help of clinicians, such as a psychologist or psychiatrist.  The records in question suggested a course of action for the trainees to follow when interviewing children.  They were indeed generic training materials on a non-legal subject.”

 

In my view the records at issue in this appeal are similar to the ones at issue in PO-1928.  The appellant identifies a number of the purposes for the preparation of the PIAs, which he states include:

 

-          providing senior staff with the tools necessary to make fully-informed policy and system design and/or procurement decisions based on an understanding of privacy risks,

-          ensuring accountability for privacy issues and ensuring consistency for analysing compliance with privacy legislation and other requirements,

-          ensuring that privacy protection is included in the core criteria for Ministry projects, and

-          providing documentation on the flow of personal information for common use and review by Ministry staff. 

 

Although earlier drafts of these documents, exchanged between legal counsel and the other individuals involved in drafting the PIAs, may well have attracted solicitor-client privilege, I find that the records at issue in this appeal were not drafted by counsel and, but for the small portions of the records which I found reveal legal advice, do not qualify for exemption under section 19.

 

Summary

 

In summary, I have found that the solicitor-client privilege exemption applies to three small portions of the Health Care Branch I & IT Cluster PIA, but that it does not apply to the remaining portions of the records at issue.   

 

ENDANGER SECURITY

 

Introduction

 

The Ministry claims that the records are exempt under section 14(1)(i), which reads:

 

A head may refuse to disclose a record where the disclosure could reasonably be expected to,

Endanger the security of a building or the security of a vehicle carrying items, or of a system or procedure established for the protection of items, for which protection is reasonably required;

 

To meet the test under section 14(1)(i), the Ministry must provide “detailed and convincing” evidence to establish a “reasonable expectation of harm”.  Evidence amounting to speculation of possible harm is not sufficient [Order PO-2037, upheld on judicial review in Ontario (Attorney General) v. Goodis (May 21, 2003), Toronto Doc. 570/02 (Ont. Div. Ct.), Ontario (Workers’ Compensation Board) v. Ontario (Assistant Information and Privacy Commissioner) (1998), 41 O.R. (3d) 464 (C.A.)].

 

It is not sufficient for an institution to take the position that the harms under section 14 are self-evident from the record or that a continuing law enforcement matter constitutes a per se fulfilment of the requirements of the exemption [Order PO-2040; Ontario (Attorney General) v. Fineberg].

 

Generally, the law enforcement exemption must be approached in a sensitive manner, recognizing the difficulty of predicting future events in a law enforcement context [Ontario (Attorney General) v. Fineberg (1994), 19 O.R. (3d) 197 (Div. Ct.)].

 

Representations

 

The Ministry submits that:

 

…the disclosure of the records could reasonably be expected to endanger the security of systems and procedures that have been established for the protection of personal health information that is collected, used, stored and disclosed in Ontario’s health information systems.  The Ministry also submits that protection for this personal health information is reasonably required, for the reasons set out below.

 

The Ministry submits that the disclosure of the records could reasonably be expected to endanger the security of systems and procedures established for the protection of personal health information.  The records contain very specific information describing mechanisms and procedures for the storage and transmission of personal health information. [See, for example, pages 63, 72 and Appendix “C” of the Laboratories Branch PIA; pages 19-27 of the Drug Programs Branch PIA; and pages 23-25, 37 and 149 of the Health Care Branch I & IT Cluster PIA.]

 

The records also contain extensive analyses of privacy risks relating to the systems described therein, and the procedures and security architecture features that were put in place to address these risks.  [See, for example, pages 31-42 of the Laboratories Branch PIA; pages 27-32 and 45-51 of the Drug Programs Branch PIA; and pages 100-101 and 120-125 of the Health Care Branch I & IT Cluster PIA]

 

The Ministry … submits that the disclosure of this information into the public domain would assist individuals with malicious intent in circumventing the procedures and technological safeguards described in the records, thereby endangering the security of the systems.

 

The Ministry … submits that relatively recent examples of privacy breaches involving unauthorized access to highly sensitive, and electronically stored personal information support the Ministry’s submission that the disclosure of the records could reasonably be expected to endanger the security of personal health information contained in the [systems covered by the three PIAs].  For example, the privacy breach at the Ottawa Hospital that is described in IPC Order HO-002 under the Personal Health Information Protection Act, 2004 (PHIPA) involved unauthorized access to a patient’s electronic health record by hospital employees.  Order HO-002 indicates that the hospital employees that committed the breach were motivated by personal concerns - i.e., by their personal relationship with the individual to which the inappropriately accessed information relates.  By contrast, recent breaches of information systems belonging to [an identified company which operates stores in Canada] involved the theft of over forty-five million pieces of information, including credit- and debit-card numbers and drivers licence numbers.  While this privacy breach involved the theft of massive amounts of financial information relating to a large number of people, the common element with the Ottawa Hospital breach is that the information was “hacked” from electronic data storage systems.

 

The Ministry respectfully submits that these breaches demonstrate that there are significant data security risks associated with the electronic transfer and storage of personal information, and that individuals with malicious intent may try to gain unauthorized access to such personal information for a variety of purposes and in a variety of ways, ranging from focused intrusions into the privacy of selected individuals (as in the Ottawa Hospital case) to generalized hacking expeditions for financial fraud and identity theft purposes ….

 

In Order MO-2011 (City of Ottawa), the IPC stated that [b]ecause it is impossible to anticipate the myriad ways in which individuals with criminal intent can cause certain types of emergencies and take advantage of others, it is necessary to be cautious about what information is disclosed in emergency planning processes.  As already noted, the Divisional Court has stated that, generally, the law enforcement exemption must be approached in a sensitive manner, recognizing the difficulty of predicting future events in a law enforcement context.

 

The Ministry … submits that similar caution is appropriate in the present appeal. The records contain detailed assessments of privacy risks in Ontario’s health information systems and outline the procedures and technological mechanisms that are in place to protect the sensitive information that is contained in these systems.  If the records were disclosed into the public domain, individuals who wished to gain unauthorized access to personal information and personal health information could use the information in the records to identify preparedness gaps in these systems, or to circumvent the mechanisms that are in place to address the privacy risks that are identified in the records.

 

The Ministry respectfully submits that the need to be cautious in releasing sensitive information about privacy risks in eHealth systems is reflected in the Personal Health Information Protection Act, 2004’s (PHIPA’s) rules regarding “health information network providers”, as set out in section 6(3) of Ontario Regulation 329/04 under PHIPA.  Section 6(3)(3) of the regulation requires health information network providers (which are persons that provide services to health information custodians for the purpose of enabling them to use electronic means to disclose personal health information to one another) to make “a general description of the safeguards implemented by the person in relation to the security and confidentiality of the information” available to the public (emphasis added).  The use of the word “general” recognizes the risks associated with making specific information about privacy safeguards publicly available.  In the Guide to the Ontario Personal Health Information Protection Act, Perun, Orr and Dimitriadis describe the scope of this requirement as follows:

 

The inclusion of the word “general” to qualify the nature of the descriptions is significant.  The provider need not include detailed information about the safeguards that have been put into place.  Indeed, the provider must withhold from the public information that would put the security of the personal health information at risk.

 

Finally, the Ministry notes that its submissions on the application of section 14 of the Act to the records have focused on the harms that could reasonably be expected to occur if the records were made available to individuals that could attempt to gain unauthorized access to personal health information.  While the Ministry is not suggesting that the appellant intends to use the records for such purposes, the effect of disclosing the records to the appellant is that they would become part of the public domain.  Numerous IPC Orders have established that, especially for the purpose of the harm-related components of section 14 of the Act, disclosure of a record is tantamount to “disclosure to the world” [see, for example, MO-1719, PO-2197, and P-169].

 

Based on the foregoing, the Ministry … submits that the records are exempt pursuant to section 14(1)(i) of the Act.

 

In response, the appellant states:

 

The [Ministry] has claimed an exemption under section 14(1)(i) … for each of the … PIAs, where the disclosure could reasonably be expected to

 

… endanger the security of a building or the security of a vehicle carrying items, or of a system or procedure established for the protection of items, for which protection is reasonably required.

 

Presumably this relates to the inclusion of information in the PIA that the Ministry believes could compromise the security of the systems discussed and the personal health information (PHI) they contain.

 

By and large, PIAs do not contain information that can compromise the security of the systems and PHI.  Unlike Threat and Risk Assessment (TRA) that provides significant detail on threat agents, existing and proposed safeguards and vulnerabilities, the PIA typically addresses the security question at a very high level and in a general manner.

 

The MGS Access and Privacy Office has published a comparison of the PIA and TRA processes.  The PIA process includes things such as PIA Purpose, Methodology, Legislation and Policies, Privacy Risks to be Analyzed, Policy Issues, Stakeholder Concerns, Data elements, legislation and standards compliance analysis, fair information practices, limiting use and disclosure, accuracy and retention, safeguards, other privacy risks and the privacy risk mitigation plan.  With the possible exception of the safeguards analysis and safeguard risks identified in the privacy risk mitigation plan, there is nothing in the Privacy Impact Assessment that could “endanger” the systems in question.

 

The appellant also refers to an interim decision letter written on August 27, 2001 by the Freedom of Information Coordinator for Management Board Secretariat (now MGS) regarding “a request for technical documentation and the PIA for the Government’s Smart Card Project (in which the Ministry had significant involvement).”  With respect to the issue of PIAs, the appellant notes that although portions of the PIA in that case were withheld pursuant to sections 12, 13 and 18, MGS did not rely on section 14 as a basis for withholding the record or any portion of it.

 

The appellant provides very detailed representations regarding “privacy best practices”, the release of information of similar sensitivity by this office (the IPC), and the obligations of Health Information Network Providers (HINPs) to release information of similar sensitivity to Health Information Custodians (HICs).

 

With respect to “privacy best practices”, the appellant states that release of PIAs to the public is regarded as a “best practice” with respect to openness and transparency in privacy management, and he provides examples of publicly available information.  He notes further that the identified organizations that make their PIAs public “do not appear to be concerned that making PIAs available to the public might compromise the security of the systems in question.”

 

Regarding the routine release of information to the public by this office “through its reviews and orders that expose significant privacy and security risks to personal health information,” the appellant refers to reviews conducted by this office which made public “a number of privacy and security risks and commented on deficiencies in documentation, policy, training, privacy impact assessment; threat and risk assessment, agreements with health information custodians and third party service providers, access and transfer, and disaster recovery and business continuity planning.”  The appellant also refers to orders of this office which identify and make public “numerous deficiencies in privacy and security practices that include privacy incident response and management, protection of PHI on portable devices such as laptops, destruction of records; and wireless surveillance systems.”  The appellant states that, in his experience, this information is “as explicit as anything that might be found in a PIA”.

 

Insofar as disclosure of privacy and security risks is regulated, the appellant refers to regulations through which the Ministry has directed certain Health Information Network Providers (HINPs) such as SSHA and the Ontario Telehealth Network to disclose the results of privacy and security analyses to Health Information Custodians.  The appellant refers to the regulations, and takes the position that these regulations require providing Health Information Custodians (HICs) with specific information on threats, vulnerabilities and risks to the security and integrity of personal health information that would normally be documented in a Threat and Risk Assessment and not a Privacy Impact Assessment.  He then states:

 

I submit that the routine release of such information to 26,000 HICs, and their employees and agents, where there is no positive obligation to maintain the confidentiality of this information, to control access to the information, or to protect the information in any way, is effectively the same as releasing it to the public.

 

The appellant then queries whether the PIAs at issue in the current appeal contain more sensitive details than those made public by other organizations.

 

Finally, addressing the specific portions of the records identified by the Ministry as examples of records, the disclosure of which would endanger the security of the named systems, the appellant states:

 

I note that the portions indicated in paragraphs 19 and 20 of the [Ministry’s] representations are examples only.  I submit that it is incumbent upon the Ministry to identify to the adjudicator all portions of the records whose release they believe will “endanger” the system and to provide evidence to the adjudicator of such endangerment.

 

I suspect that many of the portions of the records identified in paragraph 19 of the Ministry’s Representation are high-level descriptions of the system and the security safeguards that have been applied.  The release of information such as general descriptions of the systems and components, roles and responsibilities, high-level architectural diagrams and descriptions, business process diagrams and descriptions, data flow diagrams, descriptions of data elements and clusters and high level discussions of threats, vulnerabilities and safeguards would not compromise the security of the system.  Should there be portions of the record that contain highly specific security-related information, for example, a network diagram that includes IP addresses, I would agree that the identification of IP addresses could be used by hackers to compromise the security of a system and would further agree that the IP addresses be severed from the record and the rest of the record released.

 

The portions of the records identified in paragraph 20 of the Ministry’s representation describing privacy risks should not qualify for exemption under this clause, unless they contain technical or business process information that could be exploited by a malicious agent to compromise the security of the system.  Privacy risks that detail issues in accountability, identified purposes, consent, collection, use, disclosure, retention, accuracy, openness, individual access, and challenging compliance might cause embarrassment for the Ministry and distress to the public who may be concerned about such risks, but would not “endanger” these systems or the PHI they contain.

 

The appellant also argues that the examples of past privacy breaches cited by the Ministry are not relevant.  In this regard, he states:

 

…The [hospital] information was not hacked.  It was accessed by an employee of the Hospital who had access to the system, but did not have authorization to access the particular record of the complainant.  The Commissioner’s order exposed a number of serious deficiencies in the Hospital’s systems and processes and directed a number of remedial actions to address those deficiencies.

 

I submit that [the Ministry’s] examples … are irrelevant in this case.  The Ministry draws an unsubstantiated link between the release of the high-level information contained in PIAs and two security and privacy breaches that had nothing to do with the release of information in PIAs or any other form of legitimate public disclosure.  These examples do not provide “detailed and convincing” evidence to establish a “reasonable expectation of harm.”

 

In reply to the appellant’s arguments, the Ministry submits that:

 

…the appellant’s reference to the fact that Management Board Secretariat did not claim the section 14 or 19 exemptions in a previous FOI request for the PIA regarding the Government’s Smart Card Project, bears no relevance to this appeal.  [The Act] is record-specific and each request must be considered on the basis of the actual records at issue.  In this appeal, the records are [the three PIAs].  The Ministry claimed the section 14 and section 19 exemptions because the information contained in these particular records is subject to these two exemptions.

 

The Ministry … reiterates its original submission that section 14(1)(i) applies to all of the records remaining at issue in this appeal.  These records are PIAs that describe systems and procedures in place to protect the personal health information (“PHI”) of Ontarians.  The Ministry submits that disclosure of these records could reasonably be expected to endanger the security of the PHI that is collected, used, stored and disclosed in Ontario’s health information systems.

 

In response to the appellant’s submission that “the PIA typically addresses the security question at a very high level and in a general manner”, the Ministry submits that, as described in further detail below, the PIAs at issue in this appeal contain extensive analyses of privacy risks relating to the systems described therein, as well as the security features put in place to address those risks.

 

The Drug Programs Branch PIA was created subsequent to an earlier Conceptual Privacy Impact Assessment regarding the same project.  In the PIA currently at issue, the “privacy analysis moves into a detailed review of data flows, legislated compliance and privacy risks”.  This version expands on the earlier privacy assessment and includes:

 

-      A review and analysis of physical hardware and system design to ensure compliance with privacy design requirements

-      A final review of the initiative to ensure that any changes or new requirements have been addressed from a privacy perspective

-      A privacy and risk analysis of any new changes to the initiative relating to hardware and software design to ensure compliance with privacy legislation, relevant program statutes and broader conformity with general privacy principles; and

-      A plan that specifies the communications strategy that will be used to inform and assure the general public that personal information is being handled in strict accordance with legislative requirements.

 

The [Laboratories] Branch PIA contains three main parts; a Data Flow Analysis which shows the flow of personal information from collection to eventual disposal, a Privacy Analysis which reviews technical compliance with the relevant requirements and privacy design principles, and Conclusions and Recommendations which summarize the status quo and identify privacy and security gaps, risks to privacy and proposed directions.

 

The purpose of the Health Care Programs I & IT Branch PIA is to “provide project decision makers with a detailed document that outlines current compliance and areas where continued concentration is required”.

In its original submissions, the Ministry identified a number of specific examples of information that, if disclosed, could reasonably be expected to endanger the security of the information systems.  Over and above these specific examples, the Ministry submits that disclosure of any of the information contained in the PIAs could reasonably be expected to endanger the security of the [three systems] because it is not foreseeable exactly how someone would attempt to breach one of these systems, or why they would do so.

 

In response to … the appellant’s submissions [regarding the two examples of privacy breaches], the Ministry … submits that the Ottawa Hospital breach, a focused intrusion into the personal privacy of a known individual, and the [Companies] breach, an information seeking expedition for the purpose of financial fraud and identity theft, described in detail in the Ministry’s original submissions, highlight the difficulty in predicting how an individual with malicious intent may use the detailed information pertaining to the architecture of Ontario’s electronic information systems, including plans to address potential system vulnerabilities, to circumvent the mechanisms that are in place to protect the privacy of PHI housed on the electronic systems.

 

Finally, the Ministry submits that disclosure would have a chilling effect on what the Ministry would include in future PIAs.  The Ministry would be disinclined to include sensitive information in PIAs if the Ministry feared that the PIA would enter the public domain.  The Ministry submits that the chilling effect would extend to other ministries within the Government of Ontario and that such a result would put the security of Government projects at risk because it would result in senior officials and the Government being less informed about the privacy risks in the projects, which in turn would negatively impact the decision making process.  The Ministry submits that this is contrary to the public interest in the full disclosure and discussion required to address the privacy risks identified in PIAs.

 

Analysis and Findings

 

In order to meet the requirements of section 14(1)(i), I must determine whether,

 

1)      the records contain a system or procedure established for the protection of items for which protection is reasonably required, and

2)      disclosure would endanger the security of this system or procedure.

 

Part one – whether the record contains a system or procedure established for the protection of items for which protection is reasonably required

 

Based on the submissions of both parties, and my review of the records, I am satisfied that portions of the PIAs at issue include information which can be considered to comprise a procedure established for the protection of personal information held in systems operated by the Ministry.  The PIAs are lengthy documents identifying and assessing privacy specific issues arising in the implementation of the systems covered by each.  Although the PIAs all contain some information of a general nature about the privacy implications of each of the projects covered, they also contain some specific information about detailed processes or procedures established to protect the personal information contained in those systems.  Moreover, I find that the protection of personal information is “reasonably required” as contemplated by section 14(1)(i).  Accordingly, I conclude that the records include “systems and procedures established for the protection of items, for which protection is reasonably required”, as set out in section 14(1)(i).  Having found that the records meet the first part of the test set out above, I must now determine whether disclosure of the records (or portions thereof) would endanger the security of the systems and/or procedures.

 

Part two – whether disclosure would endanger the security of this system or procedure

 

Introduction

 

As identified above, to establish that the disclosure of the records would endanger the security of the system or procedure, the Ministry must provide “detailed and convincing” evidence to establish a “reasonable expectation of harm”.  Evidence amounting to speculation of possible harm is not sufficient, and it is not sufficient for the Ministry to take the position that the harms under section 14 are self-evident from the record.  However, in determining whether the records qualify for exemption, I must recognize the difficulty of predicting future events, and must approach the application of this exemption in a sensitive manner.

 

The Ministry has taken the position that the disclosure of relatively small portions of two of the records (which have been released) would not result in the harms set out in section 14(1)(i), but that the disclosure of the remainder of those two records, and the third record in full, would give rise to the harms contemplated by section 14(1)(i). 

 

As a preliminary matter, I note that the Ministry’s representations provide some very general arguments in support of its position that the security of the systems or procedures would be endangered, and then provide various “examples” of specific portions where, in its view, identified harms would result.  These “examples” are located on approximately 65 pages of the 380 pages remaining at issue in the three PIAs.  The Ministry’s approach to providing representations in this manner is not particularly helpful.  It refers to the “examples” and appears to assume that these “examples” can then be applied to the other 315 pages.  Generally speaking, representations of this nature do not represent the sort of “detailed and convincing” evidence required to establish the requisite harm under section 14(1)(i). 

 

In addition, many of these additional 315 pages contain information which I consider to be of a very general nature, dealing with “high-level” descriptions of the privacy impacts, the system and/or the security safeguards that have been applied.  I also note that portions of these PIAs may have been incorporated into more recent, public PIAs.  Furthermore, I note that the specific records at issue in this appeal are now a few years old, and deal with issues that have likely since been addressed.  In that regard, these PIAs can in some circumstances be considered “work in progress” documents, which consider issues and identify solutions or “fixes” as they arise or are implemented.

 

Having said that, and without representations on the specific information which may have since been disclosed or is no longer relevant, I must nonetheless determine whether the records, or any part of them, qualify for exemption based on the information before me.  In doing so, I have approached the application of this exemption in a sensitive manner, notwithstanding the lack of specificity in the Ministry’s representations with respect to most of the pages at issue.

 

As identified above, the Ministry has submitted that the disclosure of the records could reasonably be expected to endanger the security of systems and procedures established for the protection of personal health information.  The Ministry then identified two possible harms which might result from the disclosure of certain information, and identifies specific portions of the records which it states fit within these categories.  I will address each harm in turn.

 

First harm identified by the Ministry

 

The Ministry states that the records contain “very specific information describing mechanisms and procedures for the storage and transmission of personal health information.”  The Ministry then refers to the following specific portions of the records as examples of the type of information to which this harm applies:

 

-          pages 63, 72 and Appendix “C” of the Laboratories Branch PIA;

-          pages 19-27 of the Drug Programs Branch PIA; and

-          pages 23-25, 37 and 149 of the Health Care Branch I & IT Cluster PIA.

 

On my review, some portions of these sections contain sufficiently detailed information such that their disclosure could reasonably be expected to endanger the security of the system or procedure.  Specifically, I find that pages 19-24 of the Drug Programs Branch PIA contain step-by-step screen layouts of the computer screen images which appear, and the nature of the information to be entered to proceed to the next screen.  I am also satisfied that the disclosure of one paragraph on page 37, and the diagram on page 149 of the Health Care Branch I & IT Cluster PIA, though somewhat general in nature, could reasonably be expected to endanger the security of the system or procedure. In addition, Appendix C of the Laboratories Branch PIA contains fairly detailed information about the data, including field names, stored in various databases.  In my view, the disclosure of this information could reasonably be expected to result in the harms set out in section 14(1)(i). 

 

However, I am not satisfied that the other specific examples referred to qualify for exemption under section 14(1)(i).  These records consist of very general information about procedures or processes (pages 63 and 72 of the Laboratories Branch PIA, pages 24-27 - beginning at section 3.2 - of the Drug Programs Branch PIA, and pages 23-25 of the Health Care Branch I & IT Cluster PIA).  Although there is detail provided in the specific information categories to be stored, I am not satisfied that the disclosure of this information could reasonably be expected to result in the harms set out in section 14(1)(i).

The Ministry has claimed that the above portions of the records are only “examples” of information which would result in the first identified harm.  However, owing to the nature of the information in the remaining portions of the records, I have reviewed the records in their entirety to determine whether any other portions contain or would reveal information which qualifies for exemption.  Based on this review, I find that the disclosure of the following portions of the records could reasonably be expected to give rise to the first type of harm identified by the Ministry:

 

Drug Programs Branch PIA:

 

-          page 48 – one small paragraph describing a system feature

-          pages 52 and 53– eight short paragraphs detailing information about an identified system.

 

Laboratories Branch PIA:

 

-          page 32 – three sentences referencing the status of an identified update

-          Page 58 – diagram and description of system architecture

 

Health Care Branch I & IT Cluster PIA

 

-          page 12 – specific auditing information (including limitations)

-          pages 55, 56 and 57 – one paragraph on each of these pages referencing system information

-          pages 100 – half of 102 – specific auditing information

-          pages 120-125 – detailed user registration information

 

In reviewing the information in the records to determine whether its disclosure could reasonably be expected to result in the first type of harm identified by the Ministry, I adopted the same approach I took in Order PO-2391.  In that order, I dealt with a request for information concerning the computer operating system used by the Office of the Registrar General (the ORG).  In that Order, I noted that a broad range of information was administered by the ORG under the Vital Statistics Act, which requires a uniform system of registration for all vital events that occur in Ontario (including births, deaths, marriages, stillbirths, adoptions and changes-of-name).  Moreover, it was pointed out that many of the registration documents the ORG has in its custody contain the personal information of Ontarians.  In that case, it was argued that the release of any or all of the records requested could reasonably be expected to endanger the security of the ORG’s computer systems and/or its operational procedures which were in place to protect the personal information in the custody of the ORG.  I made the following findings regarding the type and nature of the information contained in the record and the application of section 14(1)(i) to it:

 

I have carefully reviewed the representations, as well as the records at issue in this appeal, which relate to the computer system used by the ORG and contain detailed, specific information about this system including login procedures, diagrams, screen reproductions and step-by-step instructions.

With respect to the information stored in the computer system, the Ministry identified that this information consists of a broad range of personal information of Ontarians administered by the ORG under the Vital Statistics Act, including specific information about individual births, deaths, marriages, stillbirths, adoptions and changes-of-name.  I am satisfied that the protection of this information is reasonably required, including protection from tampering or unauthorized modification.

 

Furthermore, I am satisfied that the records at issue relate to the security of a system as well as a procedure established for the protection of the information contained in the system.  The Ministry identifies that one of the reasons the computer system and the operational procedures were put in place by the Ministry was to protect the specific information in the system.  The affidavit provided by the Ministry also identifies the security arrangements in place for these records.

 

Finally, I am satisfied that disclosure of the records could reasonably be expected to endanger the security of the system or procedure established for the protection of the information.  The records contain detailed, specific information about this system and the operational procedures including sensitive login procedures, diagrams, screen reproductions and step-by-step instructions, as well as information about the security of the system itself.

 

With respect to the appellant’s contention that the records merely relate to general information about a computer system that is used by many companies worldwide, my review of the records has confirmed that they relate to the specific system used by the ORG for the information it is responsible for under the Vital Statistics Act, and is not the sort of generic information referred to by the appellant.

 

Accordingly, I am satisfied that the disclosure of the records could reasonably be expected to endanger the security of a system or procedure established for the protection of the information contained in the system, for which protection is reasonably required, and that section 14(1)(i) applies to the records. [my emphasis]

 

Second harm identified by the Ministry

 

The Ministry claims that the records contain extensive analyses of privacy risks relating to the systems described therein, and the procedures and security architecture features that were put in place to address these risks.  It refers to the following portions of the records as examples:

 

-          pages 31-42 of the Laboratories Branch PIA;

-          pages 27-32 and 45-51 of the Drug Programs Branch PIA; and

-          pages 100-101 and 120-125 of the Health Care Branch I & IT Cluster PIA.

 

On my review, I find that some portions of these records contain sufficiently detailed information such that their disclosure could reasonably be expected to endanger the security of the system or procedure.  Specifically, I find that pages 27-32 of the Drug Programs Branch PIA, and pages 100-101 and 120-125 of the Health Care Branch I & IT Cluster PIA contain detailed procedures and architecture features to address identified security risks.  I am satisfied that the disclosure of this information could reasonably be expected to endanger the security of the system or procedure, and result in the harms set out in section 14(1)(i).

 

However, I am not satisfied that the other specific examples referred to qualify for exemption under section 14(1)(i).  These records generally identify various privacy risks, including assessments of those risks and the methods put in place to ameliorate those risks.  Although some of the identified risks are specifically identified, I find that the identified methods of addressing these risks are general in nature and am not satisfied that the disclosure of this information would result in the harms set out in section 14(1)(i). 

 

Again, as the Ministry claimed that the above portions of the records are only “examples” of the kinds of information whose disclosure could reasonably be expected to result in the second identified harm, I have also reviewed the records in their entirety to determine whether any other portions contain or would reveal information which qualifies for exemption.  Based on this review, I find that the disclosure of the following portions of the records would result in the second of the identified harms:

 

Drug Programs Branch PIA:

 

-          Page 46 – one paragraph addressing a specific function

-          Appendix A – consisting of a sample report

 

Laboratories Branch PIA:

 

-          page 109 – 3 paragraphs identifying possible risks/timing issues

-          page 111 – 1 paragraph dealing with the status of an identified function

-          page 116 – 2 paragraphs addressing an identified risk

-          Pages 117-119 – a section dealing with identified risks

 

Health Care Branch I & IT Cluster PIA

 

-          page 38 – one paragraph dealing with a specific risk

-          page 50 – portion dealing with a possible risk

-          pages 110 - 111 – portion dealing with specific screen information

-          page 138 – one paragraph addressing a proposed change

-          page 139 – one portion of a paragraph dealing with a proposed change

-          pages 145-148 – specific auditing information

-          page 150 – identified security matters

-          page 151 - top of 153 – identified security matters

-          page 154 – one paragraph identifying a specific  risk

With respect to the remaining portions of the records, I conclude that none of them contain information that qualifies for exemption under section 14(1)(i) of the Act.

 

In reviewing the information in the records to determine whether its disclosure would result in the second type of harm identified by the Ministry, I find support for my approach to this issue in the decision of Adjudicator John Swaigen in Order MO-2011.  In that Order, Adjudicator Swaigen had to determine whether information contained in the City of Ottawa’s Vulnerability Analysis Report (VAR) qualified for exemption under section 8(1)(i) of the Municipal Freedom of Information and Protection of Privacy Act (similar to section 14(1)(i) of the Act).  Adjudicator Swaigen found that although some portions of the VAR did qualify for exemption, other portions did not.  He stated:

 

Because it is impossible to anticipate the myriad ways in which individuals with criminal intent can cause certain types of emergencies and take advantage of others, it is necessary to be cautious about what information is disclosed in the context of emergency planning processes.  As already noted, the Divisional Court has stated  that, generally, the law enforcement exemption must be approached in a sensitive manner, recognizing the difficulty of predicting future events in a law enforcement context [Ontario (Attorney General) v. Fineberg (1994), 19 O.R. (3d) 197 (Div. Ct.)].

 

Nevertheless, this does not relieve an institution claiming these exemptions from its onus to establish a reasonable basis for believing that endangerment will result from disclosure.  What must be protected to prevent the claimed section 8 harms is information that can be reasonably expected to either facilitate creation of the risks or hazards, facilitate the commission of crimes after an emergency has occurred, or impede the ability of law enforcement and other officials to respond to the emergency.

 

Not all the information that the City wishes to withhold falls within these categories.  For example, information about the methodology used to determine the kinds of hazard to which the City is vulnerable; the types of natural and human-made events that may occur; and many of the consequences of these events, is largely innocuous or would be obvious to anyone who reads a newspaper, listens to the news, or watches television programs and movies…. 

 

On the other hand, other information such as the ranking of hazards, specific facilities at risk, the specific manner in which a human-created event may be expected to happen, and weaknesses in the response capacity of public agencies, for example, could reasonably be expected to facilitate the harms …   However, in other cases, the City has provided no evidence that the particular harm could reasonably be expected to result from disclosure of this information.  For example, the hazard discussed in section 3.1 on pages 7 and 8 of the VARs is one that has been widely publicized, as have its potential consequences and the limitations in the capabilities of public authorities to deal with it.  No evidence is provided that disclosure of this information could in any way cause this hazard or impede its control.

 

Many of the City’s statements are generalizations which it applies to all the information in question without distinguishing between those parts of the information which, if disclosed, could reasonably be expected to result in harms and those parts that are innocuous and/or already available or well known to the public. 

 

Similarly, in the circumstances of this appeal I am not satisfied that the Ministry has provided sufficiently detailed evidence to establish that the harm in section 14(1)(i) would result from the disclosure of the remaining information at issue in this appeal.  Although portions of the PIAs do identify possible risks and generally identify how these risks are addressed, except for those portions of the PIAs which I have found qualify for exemption, I am not satisfied that the harms in section 14(1)(i) would result from the disclosure of the remaining portions of the records at issue.

 

Summary

 

As identified above, I have reviewed the records at issue and found that portions of the three PIAs qualify for exemption under section 14(1)(i).  These are:

 

Drug Programs Branch PIA: Pages 19-24, 27-32, 46 (one paragraph), 48 (one paragraph), eight paragraphs on pages 52 and 53, and Appendix A.

 

Laboratories Branch PIA: Page 32 (three sentences), page 58 (in part), page 109 (3 paragraphs), page 111 (one paragraph), page 116 (2 paragraphs), pages 117-119 (an identified section), and Appendix C.

 

Health Care Branch I & IT Cluster PIA: Pages 12 (one paragraph), 37 (one paragraph), 38 (one paragraph), 50 (one portion), 55 (one paragraph), 56 (one paragraph), 57 (one paragraph), 100 - 102, 110-111, 120-125, 138 (one paragraph), 139 (one portion), 145-148, 149 (a diagram), 150 (a portion), 151 - 153 (top) and 154 (one paragraph).

 

I have found that the remaining portions of the records do not qualify for exemption under section 14(1)(i) of the Act.

 

 

An exemption from disclosure of a record under sections 13, 15, 17, 18, 20, 21 and 21.1 does not apply where a compelling public interest in the disclosure of the record clearly outweighs the purpose of the exemption.

ORDER:

 

1.             I uphold the Ministry’s decision to deny access to the portions of the records for which section 12 is claimed - that is - the bolded paragraph at the bottom of page 25 of the Health Care Branch I & IT Cluster PIA, and the first two paragraphs under heading 1.1.1 on page 16 of the Laboratories Branch PIA.

 

2.             I uphold the Ministry’s decision to deny access to the solicitor-client privileged information found on pages 27, 98-99 and 144 of the Health Care Branch I & IT Cluster PIA.

 

3.             I uphold the Ministry’s decision to deny access to the portions of the records which I have found qualify for exemption under section 14(1)(i), namely:

 

Drug Programs Branch PIA: Pages 19-24, 27-32, 46 (one paragraph), 48 (one paragraph), eight paragraphs on pages 52 and 53, and Appendix A.

 

Laboratories Branch PIA: Page 32 (three sentences), page 58 (in part), page 109 (3 paragraphs), page 111 (one paragraph), page 116 (2 paragraphs), pages 117-119 (an identified section), and Appendix C.

 

Health Care Branch I & IT Cluster PIA: Pages 12 (one paragraph), 37 (one paragraph), 38 (one paragraph), 50 (one portion), 55 (one paragraph), 56 (one paragraph), 57 (one paragraph), 100 - 102, 110-111, 120-125, 138 (one paragraph), 139 (one portion), 145-148, 149 (a diagram), 150 (a portion), 151 - 153 (top) and 154 (one paragraph).

 

4.             I have provided the Ministry with highlighted copies of the records along with the copy of this order sent to the Ministry, highlighting the portions which I have found qualify for exemption under sections 12, 14 and 19.

 

5.             I order the Ministry to disclose the remaining portions of the records to the appellant by April 13, 2009.

 

6.             In order to verify compliance with the terms of this order, I reserve the right to require the Ministry to provide me with a copy of the records which are disclosed to the appellant pursuant to Provision 2.

 

 

 

Original signed by: Frank DeVries

March 13, 2009
