The case involves a 2019 incident that exposed the health data of millions in Canada
In a recent ruling, the Ontario Superior Court of Justice affirmed the Ontario and British Columbia Information and Privacy Commissioners' authority to oversee and act on breaches involving personal health information.
The dispute in LifeLabs LP v. Information and Privacy Commr. (Ontario), 2024 ONSC 2194 stemmed from a cyberattack in 2019 which resulted in the unauthorized access to the personal health data of millions of Canadians. This breach, predominantly affecting Ontario and British Columbia residents, led to a comprehensive joint investigation by both provinces' Information and Privacy Commissioners.
The core of LifeLabs' application for judicial review before the Superior Court challenged the Information and Privacy Commissioners’ decision regarding the breach of solicitor-client and litigation privilege claims and sought to prevent the publication of the investigation report detailing findings from the joint investigation into the breaches.
During the proceedings, LifeLabs argued that the ON IPC and BC IPC had jointly erred by denying privilege claims and mishandling the application of the law concerning these privileges. However, the court found that the commissioners had correctly applied the law of privilege to the information at hand, thoroughly addressing and dismissing the claims of privilege raised by LifeLabs.
The judicial review also questioned the joint investigation's procedural fairness, suggesting that the coordination between the ON IPC and BC IPC could compromise its independence. Nevertheless, the court upheld the decision, recognizing that joint investigations are a standard procedure under the relevant provincial legislation and that LifeLabs had been adequately involved.
The Superior Court’s ruling emphasized that the privilege decisions by ON IPC and BC IPC were made based on substantial evidence and within the legal frameworks of privilege law. The court highlighted that the disclosed facts were independently known outside the disputed documents and were essential to fulfilling the legislative mandate of the privacy commissioners.
The court also dismissed LifeLabs' request to quash the privilege decision and the order preventing the publication of the investigation report. The court concluded that the privacy commissioners had acted within their rights and obligations under the Personal Health Information Protection Act (PHIPA) to investigate and report on the breach, ensuring public transparency and accountability.
