Private-sector entities regularly provide confidential information to government for a host of reasons – regulatory filings, responses to requests for proposals, contractual negotiations and others. But across Canada, government institutions have obligations to disclose records pursuant to freedom of information (FOI) legislation. When does a company need to be concerned about the security of its information? The risk of disclosure is something that should be kept in mind before information is provided to government.
OVERVIEW OF FOI LEGISLATION
The federal and all provincial governments in Canada have enacted FOI legislation. In Dagg v. Canada (Minister of Finance), the Supreme Court of Canada (SCC) confirmed that the purpose of this legislation is to facilitate democracy by ensuring that information required for meaningful participation by citizens is available and ensure that public office holders are accountable.
FOI legislation creates a general right of access to government "records" upon request – defined broadly to include information, however recorded, under the control of a government institution. There are numerous exemptions from disclosure, including for personal information, solicitor-client privilege, law enforcement and to protect third-party information. These exemptions are intended to be "narrow and specific" and have been narrowly interpreted. Requests for disclosure are made to the head of an institution or his/her designate, who considers any applicable exemptions and issues a decision regarding disclosure. In certain circumstances, decisions can be appealed or reviewed by the provincial or federal information commissioner and ultimately by the courts.
Certain statutes contain provisions that specifically override FOI legislation. Under the Ontario Securities Act, information and documents delivered pursuant to section 20(1), dealing with continuous disclosure reviews, are exempt from disclosure under the Ontario Freedom of Information and Protection of Privacy Act (FIPPA) if the Ontario Securities Commission determines that they should be maintained in confidence. Other overriding provisions are mandatory. Section 145 of the Ontario Mining Act preserves confidentiality over the financial assurance required as part of a closure plan. But these exemptions from FOI legislation are unusual. There are also certain statutory provisions that explicitly designate information as confidential, but do not override FOI legislation. Section 955 of the Canada Bank Act designates as confidential all information regarding the business or affairs of a bank holding company that is obtained by the Superintendent of Financial Institutions, as well as all information prepared from that information, but it is not one of the statutory provisions listed in the federal Access to Information Act (ATIA) as an overriding prohibition against disclosure. In such circumstances, the confidentiality designation is relevant to the third-party exemption discussed below, but the information is not categorically excluded from the scope of the FOI law.
APPLICATION OF FOI – WHAT IS A "GOVERNMENT INSTITUTION"?
The scope of this term is generally broad. All government departments and ministries have FOI obligations, and generally so do Crown commissions, boards and agencies. Most Crown corporations are included as well. Current examples of government institutions are Canada Post and the Canadian Broadcasting Corporation under the ATIA, and the Liquor Control Board of Ontario and the Ontario Mortgage Corporation under FIPPA. In Ontario, municipalities, hospitals and universities are also subject to FOI obligations.
FEDERAL THIRD-PARTY EXEMPTION
The ATIA contains an exemption protecting third-party information in the possession of a government institution from disclosure to requesters. The purpose of this exemption, and similar provincial exemptions, is to protect the "informational assets" of businesses or other organizations who provide information to government. The exemption under the ATIA is mandatory – if the records at issue fall under the exemption, the institution has no discretion to disclose them, although there is a narrow public interest override under the ATIA where public health, public safety or the protection of the environment are at issue.
In 2012, the SCC issued its first decision interpreting the third-party exemption under the ATIA: Merck Frosst Canada Ltd. v. Canada (Health). (See our February 2012 Blakes Bulletin for further details.) As a guiding principle in applying the ATIA, the SCC found that government institutions have equally important duties to disclose information that is accessible under the ATIA, and to refuse to disclose confidential information that is exempt. The government must take both duties equally seriously. The SCC held: "third party confidential commercial information must receive the protection which the Act intends for it."
For the third-party exemption under the ATIA (section 20(1)) to be met, one of four branches must be satisfied:
- The record contains trade secrets of a third party
- The record contains confidential financial, commercial, scientific or technical information that was supplied to the government institution by a third party
- The record contains information, the disclosure of which could reasonably be expected to result in material financial loss or gain to, or could reasonably be expected to prejudice the competitive position of, a third party, or
- The record contains information, the disclosure of which could reasonably be expected to interfere with contractual or other negotiations of a third party.
While the first two branches protect confidential third-party information provided to government, regardless of the risk of harm from disclosure, the second two branches are harm-based. With respect to the exemption in section 20(1)(c), in Merck, the SCC found that the third party must demonstrate "a reasonable expectation of probable harm." The SCC concluded that this test captures the principle that while a third party need not prove harm on a balance of probabilities, the third party must nonetheless do more than show that such harm is merely possible.Merck dealt with requests for documents related to a new drug submission and supplementary new drug submission. The SCC held that insofar as Health Canada had required that the loss or prejudice be "immediate" and "clear", it had applied an unduly onerous test of probability of harm. The SCC also accepted Merck's submission that disclosure of information not already in the public domain that could give competitors a head start in product development could, as a general proposition, be shown to give rise to a reasonable expectation of probable harm.
Merck was represented by Blakes at the Supreme Court of Canada, with a team led by Catherine Beagan Flood.
ONTARIO THIRD-PARTY EXEMPTION
In Ontario, the provincial third-party exemption is more difficult to meet. The third party must demonstrate both that its information was: 1) "supplied in confidence" to the institution; and 2) demonstrate the risk of prejudice from disclosure, whereas either is sufficient under the federal test. Case law in Ontario has interpreted the word "supplied" to generally exclude contractual terms between a third party and government, on the basis that these should be treated as "mutually generated". While there are exceptions, they tend to be narrowly interpreted.
WHAT CAN BE DONE TO PROTECT INFORMATION?
A key component of the third-party exemptions is that the information is confidential. A third party should be in a position to show that it had a reasonable expectation of confidentiality at the time the information was provided to government. As such, to the extent that information can be provided to government specifying it is confidential and that its disclosure will result in harm to the third party, this will be helpful in evidencing this expectation. This should be done even where there is a statutory provision that overrides or may override FOI legislation. However, explicit maintenance of confidentiality will not be sufficient if other statutory requirements cannot be met. More generally, with knowledge that the risk of disclosure exists, caution should be exercised in providing highly confidential third-party information to government.
In addition, other considerations when communicating with government include the potential applicability of lobbying legislation and the need to protect privileged information.