Protecting the integrity of Ontario’s FOI System

This year, the issue of individuals submitting multiple appeals or complaints to our tribunal led to important developments in our processes, including the adoption of a File Processing Limitation Policy. A 2024 Ontario Divisional Court ruling dismissed an application for judicial review brought by an appellant who challenged the IPC’s decision to limit the number of files they could actively pursue at one time. The court found that the IPC’s file processing limits amount to administrative directions that allow the IPC to control its own process and manage its limited resources effectively. 

LifeLabs

In June 2020, the IPC and the Office of the Information and Privacy Commissioner for British Columbia (OIPC) completed a joint investigation into the 2019 cyberattack on LifeLabs’ computer systems. The IPC and OIPC found that LifeLabs did not comply with its obligations under Ontario’s PHIPA and British Columbia’s Personal Information Protection Act, including through its failure to take reasonable steps to safeguard the personal information and personal health information of millions of Canadians. The IPC and OIPC made several orders to address these failures. LifeLabs complied with the orders but challenged a procedural decision made by the IPC and OIPC that found the information contained in their joint investigation report was neither privileged nor confidential and could be published. 

In April 2024, the Ontario Divisional Court heard and dismissed LifeLabs’ challenge. The Divisional Court upheld the IPC and OIPC’s procedural decision finding, among other things, that health information custodians cannot defeat their responsibilities under PHIPA by placing facts about privacy breaches in privileged documents. The Divisional Court also found that the IPC and OIPC had authority to conduct a joint investigation and to issue joint decisions related to their joint investigation. The Ontario Court of Appeal’s dismissal of LifeLabs’ motion for leave to appeal in November 2024 concluded this lengthy legal process, allowing the IPC and OIPC to finally publish their joint investigation report.

Liquor Control Board of Ontario PO-4302

The Ontario Court of Appeal unanimously upheld an IPC decision ordering the release of statistical records related to thefts from LCBO stores. The court restored the IPC’s decision which it found it to be reasonable in all respects.

This outcome followed a legal challenge by the Liquor Control Board of Ontario (the LCBO) of an IPC decision finding statistical records of thefts from individual LCBO stores in Toronto and statistics for all stores province-wide were not exempt from disclosure under sections 14(1)(e) and 20 (endanger physical safety), 14(1)(I) (endanger security), 14(1)(l) (facilitate unlawful act), and 18(1)(c) and (d) (prejudice economic interests) of FIPPA. A majority of the Ontario Divisional Court overturned the IPC decision, holding the IPC was unreasonable for applying the wrong standard of proof, misapprehending the LCBO’s evidence, and giving inadequate reasons. The dissenting judge found the IPC applied the correct standard of proof, made reasonable findings based on the evidence, and gave adequate reasons in light of the IPC’s statutory duty not to reveal the LCBO’s confidential submissions in its decision. The Ontario Court of Appeal granted the IPC leave to appeal from the majority judgment. 

PO-4383 and PO-4404-R

The applicant sought judicial review of two IPC decisions concerning the adequacy of a records search conducted by Seneca College in response to a request for records related to a ridesharing service provided at the college. The applicant argued that the IPC adjudicator erred in accepting a single affidavit from the college’s Privacy Officer rather than requiring affidavits from all staff involved in the search.

The Ontario Divisional Court upheld the IPC’s decision that found the Privacy Officer's detailed affidavit provided sufficient evidence to demonstrate that the college conducted a reasonable search. The court also rejected claims of procedural unfairness, affirming that the IPC has discretion under its Code of Procedure to manage its inquiry processes. This decision reinforces the IPC’s established approach to assessing institutional compliance with FOI obligations and affirms the need for flexibility in its inquiry procedures.

Canadian Home Healthcare Inc. PO-4413 and PO-4443-R

The applicant sought judicial review of IPC decisions regarding an FOI request for records related to a hospital contract. The applicant challenged the IPC’s handling of procedural issues and its application of section 17(1) of FIPPA, which exempts certain third-party information from disclosure.

The Ontario Divisional Court dismissed the judicial review application, affirming the IPC’s processes and reasoning. On procedural fairness, the court found that the IPC did not have an obligation to inform the applicant of other possible arguments that the applicant could make. In any event, the IPC had advised the applicant that it could raise additional exemptions under FIPPA, and the applicant did not do so. The court declined the applicant's request to overturn established precedents on section 17(1), emphasizing that doing so would undermine transparency in government contracting, contrary to FIPPA’s legislative intent. 

MO-4447 and MO 4461-R

The applicant sought judicial review of two IPC decisions concerning access to records held by the integrity commissioner of the Toronto District School Board. The applicant argued that the IPC adjudicator erred in concluding that the board did not have custody or control over records held by its integrity commissioner. 

The Ontario Divisional Court upheld the IPC’s decisions, finding that the IPC’s “detailed and thoughtful consideration of the evidence, the submissions, and the law” was reasonable. The IPC found the integrity commissioner’s independence and impartiality, important values in the context of carrying out their functions, would be eroded if the board had the ability to assert control over their records. The court also rejected the applicant’s argument that it was procedurally unfair for the IPC to decline to join two of his access to information appeals, affirming that the IPC has considerable latitude to determine the course and conduct of its own proceedings.

CYFSA Decision 19/Halton Children’s Aid Society

The Halton Children’s Aid Society (CAS) seeks judicial review and appeal of CYFSA Decision 19, where the IPC found that the CAS had a duty to notify individuals of a ransomware attack. In that decision, the adjudicator determined that encryption of the CAS servers by a cyber-attacker amounted to an unauthorized use and loss of personal information under the CYFSA and ordered the CAS to provide indirect public notice. This obligation arose as part of the explicit duty to notify under the CYFSA which, unlike other privacy statutory regimes, is not subject to any minimum risk threshold.

The CAS argued that the decision was incorrect, asserting that the ransomware attack did not involve the cyber-attacker viewing, handling, copying, or exfiltrating personal information. The CAS also maintained that the encryption only affected the containers housing the information, that the data was never permanently lost, and that accessible copies remained available. heard the CAS' judicial review on May 1, 2025, and reserved its decision.

PHIPA Decision 253/Hospital for Sick Children

The Hospital for Sick Children (SickKids) seeks a judicial review of PHIPA Decision 253, where the IPC found that the hospital had a duty to notify individuals of a ransomware attack. The adjudicator determined that encryption of the hospital servers by a cyber-attacker amounted to an unauthorized use and loss of personal health information under PHIPA, but did not issue an order requiring additional notification as it would serve no useful purpose. Like the CYFSA, the duty to notify individuals of a breach under PHIPA is not subject to any minimum risk threshold.

SickKids argued that the decision was unreasonable, asserting that the ransomware attack did not involve the cyber-attacker viewing, handling, copying, or exfiltrating personal health information. The hospital also asserted that the encryption only affected the containers housing the information, that the data was never permanently lost, and that accessible copies remained available. Additionally, SickKids claims the decision improperly conflates the definitions of use and loss. The Ontario Divisional Court heard Sick Kids’ judicial review on May 1, 2025, and reserved its decision.