Save the Date – Top of Mind webinar – privacy commissioners from across Canada – January 31 noon Eastern. Register here.

Blog

Solicitor-Client Privilege, Recent Court Decision

December 4, 2024 - Ron Kruzeniski, Information and Privacy Commissioner

In the spring of 2024, the Ontario Superior Court of Justice issued a decision regarding the Information and Privacy Commissioner of Ontario’s approach to solicitor-client privilege and litigation privilege in a case regarding a breach at LifeLabs. LifeLabs applied for leave to appeal to the Ontario Court of Appeal, which was denied on November 22, 2024.

Saskatchewan had issued an Investigation Report on this breach – see Investigation Report 398-2019, 399-2019, 417-2019, 005-2020, 019-2020, 021-2020.

LifeLabs sought to judicially review the joint decision of the IPC and the Office of the Information & Privacy Commissioner for British Columbia (BC OIPC) that found the information (facts) contained in their joint investigation report were not subject to solicitor-client or litigation privilege (the Privilege Decision).  During the joint investigation into the 2019 cyberattack of LifeLabs computer systems, LifeLabs provided some documents to the Commissioners, but claimed and did not waive privilege with respect to the documents and the information they contained.  LifeLabs was given the opportunity to make representations to the Commissioners on whether certain information was protected by privilege and should not be included in the investigation report.  LifeLabs made representations that continued to claim privilege over certain documents and information.  The IPC and BC OIPC found that LifeLabs had not met its onus of demonstrating that any of the information that was ultimately included in the investigation report was privileged.

The Divisional Court unanimously dismissed LifeLabs’ application for judicial review of the Privilege Decision.  The Court rejected LifeLabs’ arguments that the IPC incorrectly applied the law of solicitor-client and litigation privilege and further rejected the challenge to the IPC’s joint investigation and deliberation of LifeLabs’ claims of privilege with the BC OIPC.  Among other things, the Court upheld the Privilege Decision’s findings that most of the facts in the investigation report had an independent existence outside of the documents provided by LifeLabs.  Notably, a number of facts over which LifeLabs claimed privilege were also found in the Saskatchewan Information and Privacy Commissioner’s publicly released report on the LifeLabs cyberattack.

The Court applied the correctness standard to its review of the Privilege Decision’s identification of the legal test related to the law of privilege and the application of the law to the facts and found that the IPC and BC OIPC were correct.  The Divisional Court’s reasons speak very positively about the Privilege Decision, stating:

The decision is logical, clear and persuasive. It considered all the arguments raised by LifeLabs and gave comprehensive reasons for rejecting the claims of privilege.

Among other things, the Court agreed with the IPC that LifeLabs cannot protect facts relating to statutory compliance simply by claiming privilege:

Health information custodians, such as LifeLabs, cannot defeat these responsibilities [to investigate, contain, and remediate privacy breaches] by placing facts about privacy breaches inside privileged documents. Although the claims of privilege here were rejected, even if they had been accepted, this would not have defeated the ON IPC’s duty to inquire into the facts about the data breach within the control and knowledge of LifeLabs. This result flows not only from the ON IPC’s statutory mandate, but also from how litigation privilege and solicitor client privilege function.

The Court went further and found that the IPC and BC OIPC’s joint investigation and deliberation had statutory authority and did not give rise to apparent bias or a lack of independence.

The most significant statements in the decision and I believe the same approach should be taken in Saskatchewan, are:

[80] Similarly, solicitor-client privilege does not extend to protect facts that are required to be produced pursuant to statutory duty. The ON IPC correctly articulated the law when it stated at para. 49:

Even if the communication is privileged, the facts referred to or reflected to in those communications are not privileged if they exist outside the documents and are relevant and otherwise subject to disclosure. Some facts have a life outside the communication between lawyer and client but have also been communicated within the solicitor-client relationship. Facts that have an independent existence outside of solicitor-client privileged communications are not privileged. When deciding if such facts are privileged, one must keep one eye on the need to protect the freedom and trust between solicitor and client and another eye on the potential use of privilege to insulate otherwise discoverable evidence. While privilege is jealously guarded it must be interpreted to protect only what it is intended to protect and nothing more.

[81] That is, simply depositing a document or providing counsel with a copy of a document does not “cloak” the original document with privilege…

[82] The same reasoning applies to the type of facts at issue here, whether those be lines of code used by the cyber-attackers and copy-pasted into an IT third-party report, information obtained from an employee by counsel about the measures taken to protect software vulnerabilities or an internal data analysis undertaken by LifeLabs to determine the extent of the data breach.

               …

[86] During the discussion of the underlying facts in the reports, the ON IPC found, as discussed above, that litigation privilege is not intended to shield relevant facts from disclosure that do not constitute a lawyer’s work product. The Privilege Decision found that the underlying facts in the third-party cybersecurity firm’s report “would address the key questions of the cause of the breach, the scope of the breach, how the scope was determined, and what was done by [the cybersecurity firm] to contain and then remediate the breach. LifeLabs has not provided us with any evidence or arguments to demonstrate that disclosure of these facts would reveal or undermine the legal strategy of LifeLabs’ defence” (emphasis added).

I would encourage public bodies and their lawyers to read the case and when dealing with my office be prepared to provide factual information about the breach regardless of who requested those reports.

 

Categories: BlogTags: , , , ,

Back to Blog