Privacy Commissioner finds that Canadians have a right to have information de-listed from online search engine results in limited circumstances.

Joint investigation of TikTok Pte. Ltd.

How systemic delays, a backlog of overdue requests, and process errors led to UBC having the lowest rate of compliance.

NEW Checklist for Healthcare Organizations Considering the use of an AI Scribe

Privacy Commissioner of Canada to investigate cybersecurity breach at WestJet

PowerSchool commits to strengthened breach measures following engagement with the Privacy Commissioner of Canada

Sask. information and privacy commissioner brings a focus on cyber security, AI

Guardrails for Police Use of Investigative Genetic Genealogy in Ontario

Access to Information Act, Protection of Privacy Act implemented in Alberta

Commissioner Dufresne launches exploratory consultation on children’s privacy code

AI’s Double-Edged Sword: Balancing Innovation and Privacy of Information

AI’s Double-Edged Sword: Balancing Innovation and Privacy of Information

Canada enacted the first federal privacy protection in 1977 as part of Part IV of the Canadian Human Rights Act. The right to privacy was further supported in the enactment of the Canadian Charter of Rights and Freedoms in 1982 and when the federal Privacy Act and Access to Information Act were proclaimed in 1983. The first forms of Artificial Intelligence (AI) have been around for many decades; however, AI as we know it now, only began to emerge more recently. With further developments continuing in AI, it is natural that people’s concerns about how their privacy will be affected has had to evolve as well. As technology continues to advance, so do the risks of improperly collecting, using and disclosing individuals’ personal information and/or personal health information (pi/phi).

What is AI?

Bill C-27 (not passed) – Subsection 39(2) defines AI as a “technological system that, autonomously or partly autonomously, processes data related to human activities through the use of a genetic algorithm, a neural network, machine learning or another technique in order to generate content or make decisions, recommendations or predictions.”

The Department of National Defence and Canadian Armed Forces (DND/CAF) recognizes there is no single accepted definition of AI, however, defines AI as “the capability of a computer to do things that are normally associated with human cognition, such as reasoning, learning, and self-improvement.”

AI and Privacy

As AI continues to transform industries and workflows worldwide, with some formal investigations underway, we are learning more about AI and its potential negative impacts on privacy. For instance, AI software may “scrape” pi/phi from websites without the requisite authority. The Privacy Commissioner of Canada (PCC) launched a joint investigation with three provincial Commissioners on OpenAI, which runs ChatGPT, to determine if their practices comply with Canadian privacy laws.

New Legislation

The Artificial Intelligence and Data Act (AIDA) as part of Bill C-27 is dead because parliament has prorogued. Bill C-27 or AIDA itself will have to be reintroduced into the House of Commons. If Bill C-27 were to pass, AIDA would be one of the first national frameworks specific to the creation and use of Artificial Intelligence in Canada.

The PCC notes that, while privacy laws require modernization, the current laws apply regarding the misuse of pi/phi in the AI space. The PCC also notes that if an organization or public body is considering adopting AI tools in their work, to complete a Privacy Impact Assessment (PIA) to determine if privacy rights are complied with in implementing new tools.

Even without specific legislation here in Saskatchewan governing AI, if a public body or trustee bound by FOIP, LA FOIP or HIPA uses AI in a way that creates a privacy breach, we could review or investigate the matter. More information as to who we have oversight on can be found in the Acts or on my office’s blog posts: “When We Cannot Help You | IPC” and “Why some reviews and investigations cannot pass go (updated) | IPC.”

Moving Forward

The risks of the misuse of AI and corresponding privacy implications have been raised by the PCC and several provincial privacy commissioners in Canada, including the Saskatchewan Information and Privacy Commissioner.

As a result, the Federal, Provincial and Territorial Information and Privacy Commissioners proposed 9 principles for the “development, provision, and use of generative AI systems” listed in the Principles for responsible, trustworthy and privacy-protective generative AI technologies document.

  1. Legal authority and consent: ensure consent for collection, use or disclosure and is as specific as possible.
  2. Appropriate purposes: collection, use and disclosure of pi/phi should only be for appropriate purposes.
  3. Necessity and proportionality: use of data to achieve intended purposes.
  4. Openness: open and transparent on the collection, use and disclosure of personal information and the potential privacy risks
  5. Accountability: establish accountability for compliance with privacy legislation.
  6. Individual access: individuals have the right to access their personal information collected during use of an AI software.
  7. Limiting collection, use, and disclosure: limit to only what is needed to fulfill the explicitly specified, appropriate identified purpose.
  8. Accuracy: ensure personal information is as accurate, complete, and up to date as necessary for the purposes it is used.
  9. Develop safeguards: to protect personal information and mitigate potential privacy risks.

Recommendations:

  • Avoid using confidential data in AI software, including pi/phi.
  • Implement data masking techniques such as replacing names or redaction to reduce privacy risk.
  • Balance transparency of use with confidentiality with data and ensure controlled disclosure of information.
  • Review and update policies to re-evaluate AI data privacy policies as AI standards are updated.
  • Educate staff on the importance of data protection.
  • Monitor and audit AI systems for potential vulnerabilities.
  • Complete a PIA: My office has published a PIA Guidance Document which can support organizations in determining if AI has an impact on privacy.

AI can be a helpful tool to help automate the work that organizations and individuals do, but it does not come without risks. Anyone who plans to use AI tools in their work should review the recommendations from my office, and when in doubt, contact us.

Further Resources

The Artificial Intelligence and Data Act: Video

The Artificial Intelligence and Data Act (AIDA) – Companion document

References

A Regulatory Framework for AI: Recommendations for PIPEDA Reform – Office of the Privacy Commissioner of Canada

Principles for responsible, trustworthy and privacy-protective generative AI technologies – Office of the Privacy Commissioner of Canada

Government Bill (House of Commons) C-27 (44-1) – First Reading – Digital Charter Implementation Act, 2022 – Parliament of Canada

Exploring privacy issues in the age of AI | IBM

Legislative Summary of Bill C-27: An Act to enact the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act and to make consequential and related amendments to other Acts

Statement on Generative AI – Office of the Privacy Commissioner of Canada

Protecting privacy in a digital age – Office of the Privacy Commissioner of Canada

A regulatory roadmap to AI and privacy | IAPP

 

Was this page helpful?

Canada’s Information Commissioners and Ombuds issue joint resolution calling for enhanced transparency in government operations

Gatineau, Québec – December 10, 2024 – In a joint resolution, Canada’s Information Commissioners and Ombuds from federal, provincial, and territorial jurisdictions are pressing their respective governments to prioritize transparency in the design and implementation of new systems, administrative processes, procedures, and governance models. This resolution reflects the need for a new standard in government operations and a collective commitment to fostering a culture of transparency and accountability across all levels of government in Canada.

Canada’s Information and Privacy regulators believe that by adhering to 8 key principles, public bodies and institutions can enhance public trust and ensure that government actions and decisions are properly documented and communicated in a spirit of transparency and to counter misinformation and disinformation.

This resolution underscores the importance of access to information for the effective functioning of Canadian society and its democracy. It calls on Canada’s governments to show leadership by making the modernization of legislative and governance regimes around freedom of information and protection of privacy a priority.

Quote from the Information Commissioner of Canada:

“Transparency is the cornerstone of a healthy democracy. By embedding transparency into the very fabric of our public institutions, we not only build trust between Canadians and their governments but also empower citizens to actively participate in the decision-making processes that shape our society. This resolution is a significant step towards ensuring that our public bodies operate with the openness and accountability that Canadians rightfully expect,” said Caroline Maynard, Information Commissioner of Canada.

Related document:
Transparency by default – Information Regulators Call for a New Standard in Government Service

Media Contact:

Julie Ursu, Manager of Communication
Telephone: 306-798-2260
Email: jursu@oipc.sk.ca

Was this page helpful?

Independent Schools Treated Like School Boards

Currently in our education system, we have 27 school boards. They are defined as local authorities under The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP). Under LA FOIP, they are obligated to provide records to parents and citizens. Of course, there are exemptions which they can claim to justify withholding certain records. They are also obligated to protect personal information of students, parents and teachers. There are rules around collecting, using and disclosing personal information.

We now also have 64 independent schools, which are licenced by the Ministry of Education. Many of these independent schools receive government funds: some as much as 80% of what a school board would receive for a student. These independent schools are not local authorities under LA FOIP. They do not have the same obligation as a school board. I believe students, parents and teachers in independent schools are entitled to the same protection as those involved with regulated school boards. Thus, I have written the Minister of Education requesting that he consider making independent schools, local authorities under LA FOIP. This would put independent schools on the same legal framework as school boards. You can see my letter to the Minister here.

 

Was this page helpful?

Solicitor-Client Privilege, Recent Court Decision

In the spring of 2024, the Ontario Superior Court of Justice issued a decision regarding the Information and Privacy Commissioner of Ontario’s approach to solicitor-client privilege and litigation privilege in a case regarding a breach at LifeLabs. LifeLabs applied for leave to appeal to the Ontario Court of Appeal, which was denied on November 22, 2024.

Saskatchewan had issued an Investigation Report on this breach – see Investigation Report 398-2019, 399-2019, 417-2019, 005-2020, 019-2020, 021-2020.

LifeLabs sought to judicially review the joint decision of the IPC and the Office of the Information & Privacy Commissioner for British Columbia (BC OIPC) that found the information (facts) contained in their joint investigation report were not subject to solicitor-client or litigation privilege (the Privilege Decision).  During the joint investigation into the 2019 cyberattack of LifeLabs computer systems, LifeLabs provided some documents to the Commissioners, but claimed and did not waive privilege with respect to the documents and the information they contained.  LifeLabs was given the opportunity to make representations to the Commissioners on whether certain information was protected by privilege and should not be included in the investigation report.  LifeLabs made representations that continued to claim privilege over certain documents and information.  The IPC and BC OIPC found that LifeLabs had not met its onus of demonstrating that any of the information that was ultimately included in the investigation report was privileged.

The Divisional Court unanimously dismissed LifeLabs’ application for judicial review of the Privilege Decision.  The Court rejected LifeLabs’ arguments that the IPC incorrectly applied the law of solicitor-client and litigation privilege and further rejected the challenge to the IPC’s joint investigation and deliberation of LifeLabs’ claims of privilege with the BC OIPC.  Among other things, the Court upheld the Privilege Decision’s findings that most of the facts in the investigation report had an independent existence outside of the documents provided by LifeLabs.  Notably, a number of facts over which LifeLabs claimed privilege were also found in the Saskatchewan Information and Privacy Commissioner’s publicly released report on the LifeLabs cyberattack.

The Court applied the correctness standard to its review of the Privilege Decision’s identification of the legal test related to the law of privilege and the application of the law to the facts and found that the IPC and BC OIPC were correct.  The Divisional Court’s reasons speak very positively about the Privilege Decision, stating:

The decision is logical, clear and persuasive. It considered all the arguments raised by LifeLabs and gave comprehensive reasons for rejecting the claims of privilege.

Among other things, the Court agreed with the IPC that LifeLabs cannot protect facts relating to statutory compliance simply by claiming privilege:

Health information custodians, such as LifeLabs, cannot defeat these responsibilities [to investigate, contain, and remediate privacy breaches] by placing facts about privacy breaches inside privileged documents. Although the claims of privilege here were rejected, even if they had been accepted, this would not have defeated the ON IPC’s duty to inquire into the facts about the data breach within the control and knowledge of LifeLabs. This result flows not only from the ON IPC’s statutory mandate, but also from how litigation privilege and solicitor client privilege function.

The Court went further and found that the IPC and BC OIPC’s joint investigation and deliberation had statutory authority and did not give rise to apparent bias or a lack of independence.

The most significant statements in the decision and I believe the same approach should be taken in Saskatchewan, are:

[80] Similarly, solicitor-client privilege does not extend to protect facts that are required to be produced pursuant to statutory duty. The ON IPC correctly articulated the law when it stated at para. 49:

Even if the communication is privileged, the facts referred to or reflected to in those communications are not privileged if they exist outside the documents and are relevant and otherwise subject to disclosure. Some facts have a life outside the communication between lawyer and client but have also been communicated within the solicitor-client relationship. Facts that have an independent existence outside of solicitor-client privileged communications are not privileged. When deciding if such facts are privileged, one must keep one eye on the need to protect the freedom and trust between solicitor and client and another eye on the potential use of privilege to insulate otherwise discoverable evidence. While privilege is jealously guarded it must be interpreted to protect only what it is intended to protect and nothing more.

[81] That is, simply depositing a document or providing counsel with a copy of a document does not “cloak” the original document with privilege…

[82] The same reasoning applies to the type of facts at issue here, whether those be lines of code used by the cyber-attackers and copy-pasted into an IT third-party report, information obtained from an employee by counsel about the measures taken to protect software vulnerabilities or an internal data analysis undertaken by LifeLabs to determine the extent of the data breach.

               …

[86] During the discussion of the underlying facts in the reports, the ON IPC found, as discussed above, that litigation privilege is not intended to shield relevant facts from disclosure that do not constitute a lawyer’s work product. The Privilege Decision found that the underlying facts in the third-party cybersecurity firm’s report “would address the key questions of the cause of the breach, the scope of the breach, how the scope was determined, and what was done by [the cybersecurity firm] to contain and then remediate the breach. LifeLabs has not provided us with any evidence or arguments to demonstrate that disclosure of these facts would reveal or undermine the legal strategy of LifeLabs’ defence” (emphasis added).

I would encourage public bodies and their lawyers to read the case and when dealing with my office be prepared to provide factual information about the breach regardless of who requested those reports.

 

Was this page helpful?

Federal, provincial, and territorial privacy regulators address responsible information sharing in situations involving intimate partner violence

Toronto, Ontario, November 27, 2024 (TBC) Privacy authorities across Canada have issued a joint resolution to guide the responsible disclosure of personal information in situations involving intimate partner violence (IPV). Finalized at their October annual meeting, hosted by the Information and Privacy Commissioner of Ontario, the resolution aims to empower organizations and their staff to make informed decisions about privacy, confidentiality, and public safety.

IPV is a pervasive problem in Canada, primarily harming women and gender-diverse individuals. In 2023, there were 123,319 victims (aged 12 years and older) of intimate partner violence reported to police. While alarming, this statistic very likely underrepresents the true number of IPV incidents nationwide, as many cases go unreported.

Professionals working in the justice, health care, and social services sectors play an important role in reducing or eliminating IPV harm. Private-sector actors can also help identify and take necessary and reasonable steps to prevent potential IPV-related harm to clients and employees. A critical component of IPV prevention and mitigation includes the timely and responsible disclosure of personal information. Effective information sharing could mean the difference between life and death.

In recent years, Canadians have seen a number of public inquiries and inquests involving IPV, which highlighted misconceptions about Canada’s privacy laws. Organizations and their staff reported feeling conflicted about how to respond to an IPV situation due to concerns around their obligations of confidentiality and the risk of infringing privacy rights.

Canada’s privacy regulators collectively affirm that Canada’s privacy laws generally permit the disclosure of personal information if there is a risk of serious harm to health or safety. The resolution calls for a collective effort from governments and organizations to develop privacy-compliant governance frameworks for responsible information-sharing in cases involving risk of serious harm to life, health, or safety when certain conditions are met.

The resolution urges governments to work with their respective privacy regulator or ombuds to ensure organizations develop clear privacy policies around permissible disclosures, conduct public education campaigns, develop culturally sensitive and trauma-informed tools to support organizations serving at-risk communities, and proactively disclose IPV-related data, statistics, and trends to help inform and improve policymaking on this issue.

The resolution also calls on public institutions and private sector organizations to establish corporate policies on permissible disclosures, require staff training, adopt culturally-sensitive and trauma-informed approaches particularly among marginalized, racialized, or vulnerable groups and consider the unique experiences of Indigenous communities, be transparent up front about potential disclosures and document them when they occur, ensure privacy and security safeguards are in place, and respect data minimization principles.

For their part, Canada’s privacy regulators commit to working collectively to clarify permissible disclosures under their respective privacy laws by engaging with governments and other key interested parties to educate professionals, affected individuals, and the public on when and how personal information can be disclosed in IPV situations. Together, they aim to provide ongoing policy guidance and support for the responsible disclosure of personal information to help prevent situations of IPV.

 

Learn more:

 

Media contact:

Julie Ursu, Manager of Communication
Telephone: 306-798-2260
Email: jursu@oipc.sk.ca

Was this page helpful?

Severing Email Records (updated)

My office released a blog in June of 2017 regarding the obligation under section 8 of The Freedom of Information and Protection of Privacy Act (FOIP) and The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP) and section 38(2) of The Health Information Protection Act (HIPA) to release as much information in a record as can be reasonably severed without disclosing the exempt information.

The advice provided in that blog continues to apply today – public bodies and trustees cannot apply an exemption to an entire page or record just because some or most of the information in the record is exempt. To comply with FOIP, LA FOIP and HIPA, public bodies and trustees need to conduct a line-by-line review of each page and only withhold information that is subject to an exemption. This basic rule applies regardless of the exemption that may be found to apply – mandatory or discretionary – and includes records where portions may be subject to solicitor-client privilege.

For email records, this means that a public body or trustee needs to consider if the ‘header’, ‘footer’ and ‘opening and closing statements’ of the email are exempt.

Definitions of these terms can be found in my office’s Review Report 051-2024. In that review, I stated that:

  • ‘Header’ refers to the to, from, cc, bcc, date and subject line of the email.
  • ‘Footer’ refers to the signature block (name, contact details and title of the sender) and confidentiality statement.
  • The ‘opening and closing statements’ are greetings such as ‘Dear’, ‘Yours truly’, and “I hope you are having a good day” that people often include in emails.

If a public body or trustee claims that any of the above information is exempt, it will be required to demonstrate that the exemption applies if an applicant requests a review by my office.

For examples of recent reports where the Commissioner recommended release of this type of information in email records, see Review Reports 026-2019, 188-2022 and 024-2024.

For examples of cases where the public body proactively released this type of information to an applicant, see Review Reports 099-2024, which involved the City of Regina, and 051-2024, which involved the Saskatchewan Health Authority.

For more information about the obligation to sever and the application of exemptions, please see IPC Guide to FOIP, Chapter 3 and Chapter 4, and the IPC Guide to LA FOIP, Chapter 3 and Chapter 4. Our Modern Age Severing Webinar may also be of interest. It provides guidance on how to sever information from responsive records easily and electronically.

Was this page helpful?

Canadian privacy regulators pass resolution to address privacy-related harms resulting from deceptive design patterns

TORONTO, ON, November 13, 2024 – Privacy regulators from across Canada have issued a joint resolution calling for action on the growing use of deceptive design patterns (DDPs) that undermine privacy rights. Passed at their October annual meeting, hosted by the Information and Privacy Commissioner of Ontario, the resolution outlines key measures for organizations to adopt privacy-first design practices.

Deceptive design patterns, often referred to as dark patterns, manipulate or coerce users into making decisions that may not be in their best interests, particularly children. These patterns are frequently used on websites and mobile apps, and their prevalence is a growing concern for regulators, especially as more of Canadians’ daily activities move online.

In 2024, the Global Privacy Enforcement Network (GPEN) launched a sweep of websites and apps, examining the prevalence of privacy-related DDPs. Some Canadian privacy regulators joined this international effort, which examined over 1,000 websites and apps across multiple sectors, including retail, social media, news, entertainment, health, fitness, and those aimed at children.

The findings were troubling: 99 percent of Canadian digital platforms examined in the sweep included at least one deceptive design pattern, with especially high levels of DDPs on platforms designed for children.

In response to the widespread use of and potential harm from privacy-related DDPs, Canada’s privacy commissioners and ombuds are calling on organizations in the public and private sectors to prioritize users’ privacy and support their informed and autonomous choices by avoiding deceptive design practices. The resolution urges organizations to:

  • build privacy and the best interests of young people into the design framework using privacy-by-design principles
  • limit the collection of personal information to only what is necessary for a specific purpose
  • use clear, accessible language that complies with privacy laws, enhances transparency and builds trust
  • regularly review and improve design elements of websites and apps to reduce exposure to deceptive design patterns and support informed privacy choices
  • choose design elements that adhere to privacy principles and do not generate negative habits or behaviors in users

The privacy commissioners and ombuds commit to collaborating with governments and other interested parties to modernize design standards, reduce the presence of DDPs, and champion privacy-friendly design patterns that respect user autonomy.

Learn more:

For more information:

Julie Ursu, Manager of Communication
Telephone: 306-798-2260
Email: jursu@oipc.sk.ca

Was this page helpful?

Federal, provincial, territorial information and privacy commissioners and ombuds wrap up successful annual meeting

TORONTO, ON (October 10, 2024) – Today, federal, provincial, and territorial (FPT) information and privacy commissioners and ombuds concluded two days of productive discussions on privacy and access to information issues across Canada. The annual event, hosted this year by the Information and Privacy Commissioner of Ontario, was a significant opportunity to address key issues, enhance collaboration among jurisdictions, and reaffirm a shared commitment to protecting the access and privacy rights of all Canadians.

AI modernization and freedom of information
Participants discussed novel ways artificial intelligence (AI) can modernize government services, including freedom of information (FOI) processes, while ensuring the use of these emerging technologies is in alignment with privacy and ethical standards and principles.

Representatives from the Ministry of the Environment, Conservation and Parks shared valuable insights on some of the ministry’s recent initiatives to improve government services related to access to information.

The evolution of cabinet confidence under constitutional and administrative law
A distinguished panel featuring Paul Daly, Chair in Administrative Law and Governance at the University of Ottawa, Yan Campagnolo, Vice-Dean of the French Common Law Program at the University of Ottawa, and Vincent Kazmierski, Associate Professor at Carleton University, discussed cabinet confidence in Canada in light of recent constitutional and administrative law developments.    

Privacy implications around the use of neurotechnology
Dr. Jennifer Chandler, Professor of Law at the University of Ottawa, delivered a presentation on the implications of neurotechnology for privacy and data protection. Her presentation addressed the ethical and legal challenges posed by advancements in neurotechnology and its application in various sectors, along with future policy options for governing this emerging technology.

First Nations concepts of privacy
Dr. Jonathan Dewar, Chief Executive Officer of the First Nations Information Governance Centre, delivered a compelling presentation on First Nations concepts of privacy and data sovereignty. The perspective he shared enriched discussions and broadened the commissioners’ understanding of collective rights and data sovereignty from First Nations viewpoints, opening the door to further potential collaboration with First Nations groups to advance reconciliation.

Youth privacy
A panel of teens and young adults from the IPC’s Youth Advisory Council engaged directly with FPT commissioners and ombuds to explore the need to protect the rights of Canada’s children and youth in the digital age. Moderated by Jane Bailey, Professor at the University of Ottawa, the panel provided firsthand insights into the challenges faced by youth in a digitally networked environment, emphasizing the importance of policies and educational programs to empower young people with the knowledge and tools to fully and safely participate in the digital world.

Legislative updates
The commissioners and ombuds discussed recent developments and anticipated changes to access and privacy laws across Canada, resulting in a comprehensive overview of the evolving legal landscape. This comparative exercise provided an insightful understanding of general trends and opportunities for legislative modernization.

“FPT discussions over the past two days confirm that our shared commitment to upholding the privacy and access rights of Canadians is stronger and more united than ever,” said Patricia Kosseim, Ontario’s Information and Privacy Commissioner. “My office was pleased to host this year’s FPT meeting, where we tackled some of the most pressing challenges of our times. By fostering collaboration and sharing insights, we are better equipped to ensure that the privacy and access rights of all Canadians are protected in an increasingly digital world. Together, we are more effective and impactful than any one of us can possibly be alone.”

Media Contact:
Julie Ursu, Manager of Communication
Telephone: 306-798-2260
Email: jursu@oipc.sk.ca

Was this page helpful?

Contracting with Governments (updated)

Government, whether municipal or provincial, charge taxes and spend those taxes on services we need. By government I mean at all levels and includes school boards, universities, colleges and health regions. All of them enter into contracts with service providers. I generally believe that if you contract with an entity which uses tax dollars, your contract and dealings with the entity should be public. I am surprised when I find a public body (at any level) not willing to share a contract or a service provider not wanting their contract with a government entity to not have it disclosed.

In many instances, third parties did not want details of their contract (hourly rates or prices) to be disclosed. See Review Reports 195-2015, 196-2015 and 229-2015. In another report a city did not want a contract released. See Review Report 084-2015. A Ministry severed two winning bid figures although they were publicly available. See Review Report 125-2014. In another case, even after holding a public meeting where an agreement, a contract, with a third party was discussed, the Village withheld them from release. See Review Report 122-2014.

This issue has been litigated in the Court of King’s Bench. In the case Canadian Bank Note Limited v. SGI, the judge held that the head properly withheld unit prices pursuant to subsections 19(1)(b) and (c)(i) and (ii) of FOIP. As a result of this case, the IPC has concluded that the contract should be released but not necessarily the unit pricing. See Review Reports 323-2021, Review Report 123-2020 and Review Report 078-2020. For an example where the public body did not show any prejudice, and it was recommended that unit prices be released see Review Report 048-2024. One can also refer to the Guide to FOIP, Ch. 4, p. 206.

In conclusion, third parties should expect that their contracts with governments will be released but if they can show that they can comply with section 19 of FOIP (section 18 of LA FOIP) they may be successful in not releasing the unit price.

I thought I would do this blog to clarify the situation. When a government entity requests tenders or proposals, the submissions by third parties will generally be kept confidential. Once the successful bidder gets the contract, the contract with all attached schedules, will generally be accessible (viewable) by the public. This is consistent with the provisions of The Cities Act (s. 91) and The Municipalities Act (s. 117). The Freedom of Information and Protection of Privacy Act (FOIP) requires Government Institutions (Ministries, Crown Corporations, Boards and Agencies) to release contracts. FOIP does have a number of exceptions to the general rule such as those found in sections 19 and 29(1).

The Local Authority Freedom of Information and Protection of Privacy Act imposes a similar requirement to provide documents (contracts) unless a specific exemption can be claimed and supported. If a contract does not fit into one of those exceptions, then the contract and its attachments are to be released to anyone who asks. It can be a resident, the media or a competitor. The contract gets released.

I often hear the argument that releasing the contract will affect the competitive situation. Just the opposite is true, if all parties know what the successful contractor proposed, next time other parties are free to propose a cost lower than the previous contract. This is good for competition and for taxpayers.

Also I have heard the argument that the contract contains trade secrets. Contractors should try to avoid putting trade secrets in the contracts because the public are entitled to see the contracts showing the work to be done, the obligations of the contractors, the cost and the responsibilities of the public body.

I have some suggestions for public bodies. One is in the tender or RFP documents, put in a clause saying the final contract and schedules are public documents and in the contract itself, put in a clause that says these contracts and all schedules may be released if requested to the public at any time.

These steps may go part of the way to making it clear to all that contracts with public bodies may be released to the public.

Was this page helpful?

Protecting Your Personal Information in the Digital Age

Whether adding to your shopping cart from your laptop in a café, doom-scrolling social media on the bus ride home from the office, or engaging in work remotely, our online presences make us more vulnerable to invasions of our privacy. So, how can we protect ourselves from risks to our personal information in an era where everything is online?

Stay up to date.

Start with something so simple, you can literally do it in your sleep. The conscious decision to maintain current updates on your devices requires minimal effort but has significant impact. By ensuring your software and apps are up to date, you ensure critical security measures are in place.

Back it up.

Also, while you are sleeping, why not back up your data? With a few keystrokes or screen swipes, you can configure your most beloved fur-baby photos (or your critical work files) to automatically save in a cloud-based storage system or external hard drive and mitigate heart-wrenching (and potentially professionally precarious) digital losses.

Beware of virtual snares.

Phishing scams are everywhere these days, with cybercriminals posing as anything from your utility company to your bank. Take a course on how to recognize phishing scams so that you can easily spot a digital intruder. For more information about phishing, read our blog post A Near Attack or view our Security and Phishing Presentation.

Be wise about your Wi-Fi.

Most free public Wi-Fi networks have minimal security measures in place. This means others using the same network could easily access your activity. Delay any secure online purchases, especially, until you are on a secure, password protected network.

Create passwords that are hard to crack.

Speaking of passwords, make sure yours (yes, plural – as in more than one) is not easily deciphered by a cybercriminal. Employ a combination of lower and uppercase letters, numbers and symbols. Some even swear by splicing together three random words to stump would-be hackers.

Do the two-step.

Two-step verification is valuable in safeguarding your accounts. Two-step verification (also known as multi-factor authentication) refers to a process whereby the program you are accessing authenticates that the access request is truly from you. For example, after entering your username and password into your e-mail program on your work computer, an authentication server sends a distinct code to a secondary device, such as your cell phone. You then are prompted in your e-mail to enter the distinct code sent by that authentication server, thereby confirming your identity, and granting you access. This process ensures that, even if a password is compromised, a digital intruder cannot access an account without approval. Without authorization at that second step, a compromised password alone is useless.

While there are many ways to ensure that your private information stays truly private, starting with these six tips will launch you in a positive direction for feeling empowered about your privacy in this increasingly online world.

For more information, please see the links to our support materials below:

5 ways to protect your privacy

Influencing Sources

Government of Canada – Get Cyber Safe

 

Was this page helpful?

Google Translate Disclaimer

Translations on the IPC Website are performed by Google Translate. Please note that not all text may be translated accurately or be translated at all. The IPC is not responsible for incorrect or inaccurate translations. The IPC will not be held responsible for any damage or issues that may result from using Google Translate.

For more information, read our full disclaimer.