A years-long access-to-information battle between journalists and Health Canada over data on the locations of large-scale medical cannabis growers has concluded with a Federal Court judge ruling that even city or town information could risk identifying patients and is therefore protected from disclosure.
The case, which was taken to court by the federal Information Commissioner on behalf of a Globe and Mail reporter and another journalist in 2020, addresses the tension between the public’s right to information and a patient’s right to privacy, and the necessity of striking a balance in an increasingly data-centric world.
One expert who reviewed the decision said that health information – including the postal codes of licensed medical cannabis growers – must be treated sensitively. But another said he fears the decision will be taken by the government as licence to abdicate its responsibility to provide full responses to access-to-information requests.
The court battle started with an access request filed by The Globe in August, 2017, seeking a list of addresses for individual people who were licensed to grow and possess industrial quantities of cannabis, meaning hundreds of plants at a time.
The request was made as part of an investigation into personal yet industrial-scale marijuana farms under the now-defunct medical marijuana regime of the time. The Globe found that these farms – licensed and shielded by health privacy laws – created a shadow market in which individual people, who were either patients or their designates, were able to collectively churn out as much marijuana as some commercial producers, with none of the scrutiny. As a result, The Globe found, they became prime targets for robberies and abuse by organized crime.
Health Canada denied The Globe’s request, arguing that providing even general location details for these operations, despite their industrial scale, could risk breaching medical marijuana patients’ private health information. Only province-level information was provided. A similar request around that same time by Toronto-based freelance journalist Patrick Cain was also denied.
That fall, The Globe and Mr. Cain both appealed the decisions to the Information Commissioner, who agreed that at least two or three digits of the postal codes of operations in more populous regions should be made available, and, in a rare move, ultimately decided to take Health Canada to court when the department still refused to release the information.
Canadian postal codes are made up of six characters, divided into groups of three. The first three make up what’s known as a “forward sortation area,” or FSA. In large cities, FSAs are usually neighbourhood-sized, while in less-populated areas they may encompass areas of thousands of square kilometres.
The Information Act dictates that, when a full record cannot be provided, any parts that can “reasonably” be severed and disclosed should be.
Health Canada’s argument for refusing disclosure was that even if some FSAs could be provided for areas large enough that no one patient could be identifiable, it would be too burdensome for it to conduct a full analysis of whether it would be possible for someone to combine the information with other data to identify patients.
In the Federal Court decision, which was released at the end of January, Justice William Pentney agreed with Health Canada. He found that the government agency was “not required to undertake a more detailed analysis of the risks associated with releasing more information pursuant to its obligation to sever and release as much information as is reasonable.”
In a digital world, the process of depersonalizing data has become a lot more complicated, said Teresa Scassa, a University of Ottawa law professor whose research focuses on privacy law and data governance, because so much other data exists online that could potentially be used to re-personalize it.
“Part of me reads this decision and says, yeah, I think that this is a vulnerable community, and the protection of privacy has to be paramount … so I think it’s the right decision,” Prof. Scassa said. “But another part of me looks at this and says: How are we going to come to terms with issues of transparency and accountability of government and access to information in a society where there are not only so many data, but so many tools to process that data in a way that re-identification risk is almost guaranteed?”
Ruling out the possibility of re-identification is the government’s responsibility. But whether it is able to do so boils down to resources.
“We’re already facing an access-to-information system that is just on its knees, because departments and agencies can’t handle the volume of requests. Everything is delayed, and the whole thing is just not functioning,” Prof. Scassa said.
Vincent Gogolek, a retired lawyer and former executive director of the BC Freedom of Information and Privacy Association, said FSA-related requests are increasingly common. Governments must invest in the resources to be able to do these individual assessments and release what they can, he added.
In some cases, governments have been warned that they need to make more of an effort when dealing with access requests. In 2021, for instance, B.C.’s Information and Privacy Commissioner ordered the provincial government to create record systems that didn’t previously exist.
“You don’t get to just sit back and say, ‘Well, gee, it’s really complicated, so we’re done.’ There’s an obligation to make reasonable efforts,” Mr. Gogolek said.
With a report from Tom Cardoso
Help The Globe and Mail investigate Canada’s broken freedom-of-information regimes. We’re looking to speak with people who use and interact with the system at all levels of government. You can get in touch with us at firstname.lastname@example.org