CBRM Gets Schooled by Privacy Commissioner

On 3 July 2015, over a year before I launched the Cape Breton Spectator, I made a Freedom of Information and Protection of Privacy (FOIPOP) application to the clerk of the Cape Breton Regional Municipality, Deborah Campbell — now Deborah Campbell-Ryan — requesting:

Any communications between Mayor Cecil Clarke or his communications staff or CAO Michael Merrit[t] and Barry Sheehy and/or Albert Barbusci and/or Harbor Port Development Partners between December 1, 2013 and June 29, 2015.

Sheehy and Barbusci are the principals of Harbor Port Development Partners (now Sydney Harbour Investment Partners), a company with its registered office in Montreal. HPDP was established on 26 May 2015.

Less than a month later, on 16 June 2015, CBRM Council approved an agreement giving HPDP what the Post described at the time as, “exclusive rights to market Sydney as a commercial gateway to North America.” How a company that didn’t exist before 26 May 2015 came to be signing an exclusivity agreement with the municipality in June was explained this way:

Barbusci and Sheehy have already been working with the CBRM for 16 months, investing $1.2 million of their own capital into port development.

The whole situation struck me as bizarre — what kind of municipality engages secret, volunteer port developers for 16 months? And what kind of port developers invest $1.2 million of their own money in a project before they have an actual contract?

I figured Barbusci and Sheehy had to have been communicating with Mayor Cecil Clarke and/or then CAO Michael Merritt and/or the mayor’s spokesperson Christina Lamey about their activities, and so I submitted my FOIPOP.

As I reported in an article I wrote for goCapeBreton in October 2015 and republished later in the Spectator, it took the CBRM 104 days to respond to my request:

Part of that time was needed to allow “third parties” whose “interests” might be “affected” by its release to determine what part of the requested information I was entitled to see. Those third parties were not, by any stretch of the imagination, over-sharers.

When the municipality finally did reply, it was to send me an “odd little collection of documents”: a handful of emails from Sheehy to Mayor Clarke in which Sheehy sends along articles (one he wrote with his brother about pilot-less planes, one he wrote himself about the decline of America), offers to assist the reconstruction of St. Mary’s Polish Church, provides his pro-port Cape Breton Post op-ed pieces before they appear in the paper, praises Clarke for a recent CBC interview and congratulates him on WestJet’s recently announced daily flights between Sydney and Halifax.

 

FOIPOP.10.14.2015

Considering that the period covered by my request included 16 months during which Sheehy and Barbusci were apparently spending over $1 million of their own money to promote our port, it seemed to me implausible that this was the sum total of communications between HPDP and the CBRM.

And so, I appealed the response to the Office of the Information and Privacy Commissioner (OIPC) for Nova Scotia.

Vindication

I was contacted by the OIPC and given the opportunity to explain why I wanted the information, and why I felt the CBRM had not been sufficiently forthcoming. On several occasions over the intervening five years I was asked if I wished to continue the appeal. Each time I said I did, but not without a pang of guilt — what if I were wasting the Privacy Commissioner’s limited resources on a wild goose chase?

Last week, though, I received a response from the Office of the Information and Privacy Commissioner and I have been vindicated. Commissioner Tricia Ralph (who replaced Catherine Tully in March 2020) wrote:

The applicant sought any communications between employees of the Cape Breton Regional Municipality (CBRM) and an organization granted the exclusive right to market the Port of Sydney for a 19-month period between 2013 and 2015. The CBRM provided the applicant with 28 pages of records with a small amount of personal information severed pursuant to s. 480(1) of the MGA (personal information). The CBRM withheld 862 pages [emphasis mine] in full claiming that it was authorized to withhold the records because they were about negotiations carried on for the CBRM (s. 477(1)(e)); release would result in the premature disclosure of a project (s. 477(1)(d)) and the information was received in confidence (s. 481).

I have to admit, I gasped when I read they had withheld 862 pages of information from me, a total beyond my wildest, most paranoid dreams. And compared to the 28 pages I was sent, the 862 pages the CBRM withheld sound way more interesting. Ralph characterized the categories of information as:

  • emails,
  • draft news releases and articles,
  • strategies for what should be included in news releases and articles,
  • preparation and circulation of presentation emails, and
  • business agreements

Ralph considered the two packages of information — the 28 pages I was sent and the mother lode I was denied — separately. On the subject of the 862 withheld pages, after noting that the Supreme Court of Canada has stated that access to information legislation creates “a presumption in favour of disclosure,” albeit with authorized exemptions, she wrote:

The CBRM is expected to do a line-by-line review of the entire record. Even at a glance, it is obvious that this did not occur. First, attachments to emails were missing. Second, information that obviously would not be subject to any exemption was withheld in full, such as the business contact information of CBRM employees and things like salutations and plans to meet that included no substantial information.

(Given they conducted no line-by-line review, I’d like to know what they were up to for the 104 days it took them to respond to my FOIPOP, but that seems destined to remain a mystery.)

Ralph said there were four issues under review and I’m going to go through them one at a time.

Issue #1

Did the CBRM meet its duty to assist the applicant by conducting an adequate search for records as required by s. 467(1)(a) of the MGA?

As Ralph notes, I did not raise the issue of whether the CBRM had conducted an adequate search in my appeal because I had no knowledge of the 862 pages of records withheld in full. The OIPC, however, got to review all 862 pages and discovered, in addition to information that should not have been subject to redaction, 41 missing documents as well as “multiple missing additional attachments.”

The OIPC requested copies of all the missing documents and while the CBRM let the office know “several times” that it was continuing to search for the materials, it “never committed to a date to complete this task and as of the date of this report had only provided a couple of the missing records.”

She concludes:

The CBRM was well outside of the statutory time frame to complete this fundamental requirement. The CBRM treated the statutory time frames as guidelines when they are in fact legal duties. It completely disregarded the statutory timeframes set out in the law. As such, I have no hesitation in finding that the CBRM failed to meet its duty to conduct an adequate search for the responsive records.

 

Issue #2

Was the CBRM authorized to refuse access to information under s. 477 of the MGA because disclosure of the information could reasonably be expected to harm the financial or economic interests of the municipality?

You can read the actual decision, but the CBRM basically argued that releasing the “sensitive” information I’d requested would be detrimental to the municipality’s financial and economic interests.

In response, Ralph cited the “leading case in Canada on the appropriate interpretation of the reasonable expectation of harm test” (a 2014 Supreme Court of Canada decision involving a request for disclosure from the Ministry of Community Safety and Correctional Services of “the number of offenders registered under its sex offender registry residing within the areas designated by the first three digits of Ontario’s postal codes”) which, she said, determined that access to information statutes “mark out a middle ground between that which is probable and that which is merely possible.” (In passing, I would say this would be a nice middle ground for the CBRM to adopt with regard to port development generally, but I digress…)

In this case, she said the CBRM “barely even set out what the alleged harm could be. There was one sentence that the release of the documents could put the prospects of the project in jeopardy.”

Even if I accept that releasing some records could put the project in jeopardy, the CBRM simply asserted that harm would occur. No explanations were provided as to how release of the documents could cause the asserted harm. The withheld records contain things like emails about logistics and circulations of draft press releases. I fail to see how the release of such records could cause the alleged harm of having the whole project not succeed.

Obviously, the Privacy Commissioner doesn’t subscribe to the Barry Sheehy school of information control. Sheehy, in that Post story cited above, actually warns citizens — people he characterizes in an email to Clarke as the “naysayers at Tim Hortons” — not to be negative about the terminal project:

“Money runs from trouble,” he says, meaning companies are wary to invest if there’s little public support for a project.

Ralph rules the subsections of s. 477 cited by the CBRM don’t apply, but then has a little fun at the municipality’s expense, pointing out that documents released in July 2015 could hardly constitute “premature disclosure” of a project one of the “third parties” (read: Sheehy) had been discussing on radio in March 2015. She also notes that emails about “meeting logistics” don’t constitute information “about [emphasis hers] negotiations.”

Issue #3

Was the CBRM required by s. 481 of the MGA to refuse access to the record or any part thereof because disclosure of the information could reasonably be expected to be harmful to the business interests of a third party?

Section 481 of the MGA relates to “confidential information.” To meet the test for its application, the asserting party (i.e. the CBRM) must establish that the disclosure of the requested information:

  1. Would reveal trade secrets of a third party or commercial, financial, labour relations, scientific or technical information of a third party;
  2. That was supplied implicitly or explicitly in confidence; and
  3. The disclosure of which could reasonably be expected to cause one or more of the harms enumerated in s.481(1)(c).

In fact, the asserting party must satisfy “all of the lettered subsections of s. 481.”

NS MGA Section 481(1)

Before considering whether the CBRM had done so, Ralph went pretty deep into the legal weeds determining what constitutes a “third party,” “proprietary information,” “trade secrets,” and what “supplied” and “in confidence” mean. Again, you can read the full decision, but there are a couple of points I’d like to highlight.

The CBRM told Ralph it had approached “two of the parties referenced in the record” who had “objected to disclosure of their communications.” But Ralph determines that none of the information in those communications was proprietary and therefore “notice to the various parties named was not required.” Meaning, the CBRM consulted people it didn’t need to consult and then withheld information based on their responses.

There being no third parties, Ralph said it was “the CBRM that has the burden to prove that the applicant has no right of access [to] the record.”

On the question of how disclosure of the information would “reveal trade secrets of a third party or commercial, financial, labour relations, scientific or technical information of a third party,” Ralph said the CBRM “provided no representations,” and so failed to discharge its burden.

Which means s. 481 does not apply, because you have to meet all the subsections and the CBRM didn’t meet the first one.

But Ralph said that in case she was “incorrect” on this point, she would consider the other two parts of the test, beginning with the question of whether the information was supplied implicitly or explicitly in confidence. The CBRM, she writes, provided:

…no evidence as to whether or not, at any stage in the process, the third parties supplied any information with the expectation that it would be kept confidential…it simply stated that all communications were confidential, securing a project of this size requires confidence in the various entities seeking to invest in this area and that in order to maintain confidence with various private sector players involved in this project, it needed to ensure that communications regarding the advancement of the container terminal remained confidential.

How often, over the past five years, have we heard that? But, as it turns out, you can’t just say this — you have to prove it — and the CBRM did not:

It would be a rare case where the burden to meet this aspect of the test was satisfied with no evidence and a bare assertion. Access to information legislation has long been in force in Canada. Private third parties should be well aware that their interactions with municipalities are fully accessible to the public subject to limited [emphasis in the original] exemptions as set out in the legislation. One cannot promise or contract out of the disclosure requirements of the MGA. Again, the CBRM did not meet its burden. For all these reasons, I find the information was not supplied “in confidence” within the meaning of s.481(1)(b).

Ralph, “for completeness sake,” then discussed whether releasing the information could reasonably be expected to harm the business interest of a third party:

The CBRM has simply said that disclosure of the records would cause harm and that it would jeopardize current negotiations and the potential for future negotiations and agreements with third parties, but it has not explained how [emphasis Ralph’s] this would occur. For example, why would release of an email discussing a draft press release cause the harm alleged?

Ralph ruled that s. 481 does not apply.

Issue #4

Was the CBRM required by s. 480(1) of the MGA to refuse access to the record or any part thereof because disclosure of the information would be an unreasonable invasion of a third party’s personal privacy?

This referred to the names, email addresses and phone numbers redacted from the 28 pages I actually received from the CBRM on the grounds that they constituted “personal information.”

Ralph says the CBRM submitted “no representations” justifying these redactions, so she applied the test established by the Nova Scotia Supreme Court in 2000 and determined that the information the CBRM had redacted was not personal — all the individuals are “communicating in their professional capacity” and the information discloses no personal details of the email senders or recipients.

 

Conclusions (the Commissioner’s)

I’m just going to copy these directly from the decision because I find they make for very satisfying reading:

Findings from OIPC review

Conclusions (mine)

The word that comes to mind is “contempt” — for me, for the Privacy Commissioner, for the law.

It’s not even that I think there’s a smoking gun in those 862 pages, I don’t, not really (although I think there will be a lot of funny stuff which is almost as good in my book). It’s just that I have a right to that information and the CBRM didn’t even pretend it was going to give it to me.

I’m also struck by the lack of understanding of the applicable law — this municipality doesn’t seem to have a basic grasp of access to information legislation.

I wasn’t actually charged for this FOIPOP, which I now suspect is because they didn’t put hours into a line-by-line review of the documents. (I also suspect it’s because I did it as a citizen, not as the editor/publisher of an online publication, and yes, I realize that’s also damning.) They just redacted some non-personal information from a handful of emails and shoved them in an envelope. My $5 application fee probably covered their costs.

The Information and Privacy Commissioner has no powers of enforcement, so what happens next is anybody’s guess. Best case scenario: we mark the beginning of a new and more transparent era in this municipality with council adopting a disclosure-by-default information policy and the bureaucrats adhering to it.

There’s reason to hope for this. Before our new mayor became our mayor, I asked her thoughts on the municipality’s broken access to information system and she told me:

…City Hall belongs to the residents of the CBRM and they have a right to know and access documentation and information in a reasonable amount of time. I would suggest to council to consider revisiting the policy around charging the public to access files and instead have an open data-type program, where the public can easily access and request information online. Of course, when there are files pertaining to contracts and HR some discretion is required under law, but otherwise, opening up data and information can only build the trust in our decision-making processes.

Worse-case scenario: the decision is left up to the municipal clerk and CAO and regional solicitor and they try to charge me an arm and a leg for access to information a) the Commissioner says I’m entitled to and b) they’ve already (mostly) gathered.

Worst-case scenario: the Commissioner’s recommendations are ignored and I get bupkis.

Don’t touch that dial, folks.