ORDER PO-3670

Appeal PA15-138

Ontario Lottery and Gaming Corporation

November 30, 2016

Summary: The appellant sought access to a proposal submitted by a third party to the Ontario Lottery and Gaming Corporation (OLG) and the resulting contract between OLG and the third party for technology services for a bingo gaming system. OLG granted the appellant partial access to the proposal and contract, relying on the mandatory exemption in section 17(1) (third party information) and the discretionary exemptions in sections 14(1)(i) (security) and 18(1) (economic and other interests) to withhold portions of the records. The appellant appealed OLG’s access decision and narrowed the scope of the appeal to include only specific pages of the two records. OLG withdrew its claim of section 18(1). OLG’s decision is partially upheld. The information withheld under section 14(1)(i) is found to be exempt from disclosure, but the information withheld under section 17(1) is ordered disclosed.

Statutes Considered: Freedom of Information and Protection of Privacy Act , R.S.O. 1990, c. F.31 , as amended, sections 14(1)(i) and 17(1)(c).

Orders and Investigation Reports Considered: PO-2391 and MO-3058-F.

Cases Considered: Accenture Inc. v Ontario (IPC) 2016 ONSC 1616 (CanLII); Miller Transit Limited v Information and Privacy Commissioner of Ontario et al., 2013 ONSC 7139 (CanLII); Ontario (Community Safety and Correctional Services) v Ontario (Information and Privacy Commissioner), 2014 SCC 31 (CanLII).

OVERVIEW:

[1]  The Ontario Lottery and Gaming Corporation (OLG) received a request under the Fre edom of Information and Protection of Privacy Act  (the Act ) for access to various records related to an agreement between OLG and a third party for the design, management and operation of technology services for charitable bingo and gaming operations. The appellant subsequently narrowed the scope of the request to include only the proposal submitted by the third party to OLG and the resulting agreement entered into between OLG and the third party. OLG then notified the third party of the request in accordance with section 28 of the Act and sought its position on disclosure of the responsive records. The third party objected to the disclosure of portions of the responsive records.

[2]  OLG then issued a decision granting the appellant partial access to the records. OLG relied on the discretionary exemptions in sections 14(1)(i) (security) and 18(1) (economic and other interests) and the mandatory exemption in section 17(1) (third party information) to deny access to portions of the records. The appellant was not satisfied with OLG’s decision and appealed it to the Office of the Information and Privacy Commissioner (the IPC). In his appeal letter, the appellant argued that OLG applied the exemptions too broadly, heavily redacting the records and disclosing little information about the pricing models, fee estimates, budgets, service level commitments, or detailed services it is to receive under the agreement.

[3]  During the mediation stage of the appeal, the appellant asserted that there is a public interest in disclosure of the information at issue in the records because of the significant monetary value of the agreement entered into between OLG and the third party. As a result, the possible application of the public interest override in section 23  of the Act  was added as an issue in the appeal. A mediated resolution of the appeal was not possible and it was moved to the adjudication stage of the appeal process for a written inquiry under the Act .

[4]  During my inquiry, I sought and received representations from OLG, the third party and the appellant, and shared these in accordance with section 7 of the IPC’s Code of Procedure and Practice Direction Number 7.

[5]  In its representations, OLG addressed only the application of section 14(1)(i). It withdrew its reliance on section 18(1) and it provided no representations on section 17(1). Since OLG withdrew its reliance on section 18(1), this exemption is no longer at issue in this appeal. The third party provided representations and advised that it also relies on submissions that it provided to the OLG when it was first notified of the appellant’s request. The third party initially took the position that its representations were confidential and should not be shared with the appellant. However, it subsequently agreed to share its representations with the appellant. Finally, the appellant provided representations in which he further narrowed the scope of his appeal, specifying the pages to which he seeks access. As a result, I will only address the withheld information sought by the appellant as specified in the records section below, and the representations from the parties that address this specific information.

[6]  In this order, I find that the withheld information is not exempt under section 17(1)(c), but that the information OLG withheld in pages 135, 137, 139 and 141 is exempt under section 14(1) (i) of the Act .

RECORDS:

[7]  The records at issue in this appeal are the following pages of the “Proposal to OLG for the Implementation of Bingo Gaming & Administration System and Rapid Draw Bingo” (the Proposal) that appears at pages 1 to 53 of the records, and of the “Master Vendor Services Agreement” (the MVSA) that appears at pages 54 to 181 of the records:

• pages 7-11, 86-92, 111-123, 135-141 and 143-145 that have been withheld in full; and
• pages 22, 61 and 62, that have been withheld in part.

ISSUES:

1. Does the discretionary exemption at section 14(1)(i) apply to information withheld by OLG in pages 135, 137, 139 and 141 of the records?
2. Did OLG properly exercise its discretion under section 14(1)(i)?
3. Does the mandatory exemption at section 17(1) apply to remaining information at issue in pages 7-11, 22, 61, 62, 86-92, 111-123, 135-141, 143-145?

DISCUSSION:

A. Does the discretionary exemption at section 14(1)(i) apply to information withheld by OLG in pages 135, 137, 139 and 141 of the records?

[8]  Section 14(1)(i) states:

(1) A head may refuse to disclose a record where the disclosure could reasonably be expected to,

(i)  endanger the security of a building or the security of a vehicle carrying items, or of a system or procedure established for the protection of items, for which protection is reasonably required[.]

[9]  Although section 14(1)(i) is found in a section of the Act  dealing specifically with law enforcement matters, IPC orders have repeatedly held that it is not restricted to law enforcement situations and can cover any building, vehicle or system which requires protection. ^[1]

[10]  To successfully claim this discretionary exemption, OLG must provide detailed and convincing evidence about the potential for harm. It must demonstrate a risk of harm that is well beyond the merely possible or speculative although it need not prove that disclosure will in fact result in such harm. How much and what kind of evidence is needed will depend on the type of issue and seriousness of the consequences. ^[2]

OLG’s representations

[11]  In its representations, OLG explains that it claims section 14(1)(i) to protect against the disclosure of information that could reasonably be expected to endanger the security of its administrative system for charitable gaming. OLG states that its narrow claim of section 14(1)(i) encompasses the precise physical locations at which its confidential data reside.

[12]  OLG submits that the records at issue establish that its system is a secure system created to protect data. OLG states that page 107 of the records gives a brief and general description of the technical architecture for user authentication and authorization and the encryption of data, while page 90 sets out a number of services that support data security. OLG submits that the architecture and these services, together, make up a “system” for securing OLG’s data.

[13]  OLG asserts that data protection is reasonably required for a number of reasons, and it provides an affidavit sworn by its Vice President Information Technology Strategy & Architecture in support of its position. Among other things, the affidavit states that OLG’s administrative system for charitable gaming contains data about all the play transactions and point of sale transactions made at each of its bingo sites; and that OLG relies on this data for its business purposes, including for the purpose of calculating its liabilities to the bingo sites and to its vendor, and for producing financial reports. The affidavit also states that OLG treats the withheld information as confidential because the withheld information would be useful to a person seeking to gain unauthorized access or to otherwise compromise its administrative system for charitable gaming; specifically, keeping the physical location of OLG’s data secret is a means of supporting physical information security – protection from real world threats such as unauthorized physical access and sabotage.

[14]  OLG submits that restricting information about the location of data is an accepted data security practice where disclosure would facilitate physical access and sabotage. It notes that:

1. Government of Ontario IT Standard 25.18 establishes the following requirement for data centre facilities that require enhanced safeguards: “no signage should identify the ownership or role of the facility.” [3]
2. ISO/IEC 27002:2013 (Information Technology – Security Techniques – Code of practice for information security controls) recommends the following to organizations implementing physical security: “where applicable, buildings should be unobtrusive and give minimum indication of their purpose with no obvious signs, outside or inside the building, identifying the presence of information processing activities.” [4]

[15]  OLG submits that the standard of “endangerment” is met in this appeal because there is a real possibility of endangerment even if the endangerment is not probable. [5] It submits that the endangerment standard is met when there is a real possibility of endangerment to the “security” (system) itself and not to the thing being secured, and that the exemption and its endangerment standard should be approached in a sensitive manner recognizing the difficulty of predicting future events in a law enforcement context. [6]

[16]  OLG then cites four IPC orders that it submits have upheld the application of the exemption to similar information as follows:

• Order MO-2011, which found that information at risk, such as “the ranking of hazards, specific facilities at risk, the specific manner in which a human-created event may be expected to happen, and weaknesses in the response capacity of public agencies, for example, could reasonably be expected to facilitate the harms contemplated by section 8(1)(i).” [7]
• Order PO-2685 which adopted the statement from Order MO-2011 above and found similar information exempt.
• Order PO-2391 which endorsed the protection of “detailed, specific information about this system and the operational procedures including sensitive login procedures, diagrams, screen reproductions and step-by-step instructions, as well as information about the security of the system itself.”
• Order PO-2765 which withheld the same kind of information as that withheld in Order PO-2391.

[17]  OLG submits that these four orders demonstrate that the section 14(1)(i) exemption protects against the potential for compromise to its security system. It argues that if information is detailed enough to be useful to a bad actor, it is exempt from the right of public access.

The third party’s representations

[18]  In its representations, the third party states that disclosure of the information at issue would reveal the components and requirements of the secure bingo gaming system, resulting in the system being less secure.

The appellant’s representations

[19]  The appellant does not address this issue in his representations. He makes the general assertion that the exemptions claimed in this appeal have been improperly applied to the records.

Analysis and finding

[20]  Having considered the representations of the parties and having reviewed pages 135, 137, 139 and 141, I agree with OLG that disclosure of the information it has withheld under section 14(1)(i) could reasonably be expected to endanger the security of its administrative system for charitable gaming established for the protection of the information in that system. I accept that OLG’s administrative system for charitable gaming, which is the subject of the records at issue, is a system established for the protection of OLG’s business data. I also accept that this protection is reasonably required to secure business data on all the play and point of sale transactions at OLG bingo sites, data on OLG’s liabilities to bingo sites and its vendor, and data for its financial reports. As noted by OLG, a number of IPC orders have found information subject to similar security risks to be exempt, including Order PO-2391 whose approach I follow in this order. The fact that the protected data is comprised of sensitive personal, financial and/or commercial information relating to OLG’s customers, its partners and its own business interests, raises heightened security concerns in the context of this appeal and the possible application of section 14(1)(i). I appreciate that the risk of unauthorized access to OLG’s data is a real concern that would have serious and far-reaching consequences.

[21]  In these circumstances, I am satisfied by OLG’s submissions that the security of OLG’s gaming system could reasonably be expected to be endangered if the withheld information were disclosed. I find that the information withheld by OLG in pages 135, 137, 139 and 141 of the records is exempt under section 14(1)(i), subject to my review of OLG’s exercise of discretion below.

B. Did OLG properly exercise its discretion under section 14(1)(i)?

[22]  The section 14(1)(i) exemption is discretionary, and permits OLG to disclose information, despite the fact that it could withhold it. OLG must exercise its discretion. On appeal, I may determine whether OLG failed to do so. I may also find that the OLG erred in exercising its discretion where, for example,

• it does so in bad faith or for an improper purpose
• it takes into account irrelevant considerations
• it fails to take into account relevant considerations.

[23]  In either case I may send the matter back to OLG for an exercise of discretion based on proper considerations. [8] However, I may not substitute my own discretion for that of OLG. [9]

[24]  Relevant considerations may include those listed below. However, not all those listed will necessarily be relevant, and additional unlisted considerations may be relevant: [10]

• the purposes of the Act , including the principles that
• information should be available to the public
• individuals should have a right of access to their own personal information
• exemptions from the right of access should be limited and specific
• the privacy of individuals should be protected
• the wording of the exemption and the interests it seeks to protect
• whether the requester has a sympathetic or compelling need to receive the information
• whether the requester is an individual or an organization
• the relationship between the requester and any affected persons
• whether disclosure will increase public confidence in the operation of the institution
• the nature of the information and the extent to which it is significant and/or sensitive to the institution, the requester or any affected person
• the age of the information
• the historic practice of the institution with respect to similar information.

The parties’ representations

[25]  OLG states that it considered a number of relevant factors in exercising its discretion to apply section 14(1)(i): the nature and significance of the withheld information, whether it had already made the withheld information available to the public; normative data security practices in handling information of the same kind; the degree and nature of the risk facing it if the withheld information were to be disclosed; the benefit to the public in giving access to the withheld information; and the degree to which the public interest was satisfied by the disclosure of other information in the records at issue.

[26]   The appellant submits that OLG improperly applied the exemptions and that it is in the public interest to disclose the withheld information.

Analysis and finding

[27]  I am satisfied that OLG considered relevant factors in exercising its discretion and did so in good faith and for a proper purpose. While the appellant’s representations allege that OLG improperly applied the exemptions and that much of the withheld information is in the public interest, they do not contain any argument or information to support these bald assertions. I have upheld OLG’s application of section 14(1)(i) to pages 135, 137, 139 and 141, and I also uphold OLG’s exercise of discretion as appropriate.

C. Does the mandatory exemption at section 17(1) apply to the remaining information at issue in pages 7-11, 22, 61, 62, 86-92, 111-123, 135-141, 143-145?

[28]  Section 17(1) states, in part:

A head shall refuse to disclose a record that reveals a trade secret or scientific, technical, commercial, financial or labour relations information, supplied in confidence implicitly or explicitly, where the disclosure could reasonably be expected to,

(a)  prejudice significantly the competitive position or interfere significantly with the contractual or other negotiations of a person, group of persons, or organization;

. . .

(c)  result in undue loss or gain to any person, group, committee or financial institution or agency; or

[29]  In the Notice of Inquiry that I sent to the parties, I provided information on the purpose of section 17(1) and the way that the IPC and the courts have interpreted and applied this exemption. I have reproduced this information in paragraphs 30, 31 and 33 to 37 of this order.

[30]  Section 17(1) is designed to protect the confidential “informational assets” of businesses or other organizations that provide information to government institutions. [11] Although one of the central purposes of the Act  is to shed light on the operations of government, section 17(1) serves to limit disclosure of confidential information of third parties that could be exploited by a competitor in the marketplace. [12]

[31]  For section 17(1) to apply, the institution and/or the third party must satisfy each part of the following three-part test:

1. the record must reveal information that is a trade secret or scientific, technical, commercial, financial or labour relations information; and
2. the information must have been supplied to the institution in confidence, either implicitly or explicitly; and
3. the prospect of disclosure of the record must give rise to a reasonable expectation that one of the harms specified in paragraph (a), (b), (c) and/or (d) of section 17(1) will occur.

Part 1: type of information

[32]  The third party submits, and I accept, that the records at issue reveal commercial information. Since the early 1990s, the IPC has consistently found that commercial information is information that relates solely to the buying, selling or exchange of merchandise or services. [13] Both the Proposal and the MVSA relate to the sale and purchase of services in satisfaction of the first part of the test.

Part 2: supplied in confidence

Supplied

[33]  The requirement that the information was “supplied” to the institution reflects the purpose in section 17(1) of protecting the informational assets of third parties. [14] Information may qualify as “supplied” if it was directly supplied to an institution by a third party, or where its disclosure would reveal or permit the drawing of accurate inferences with respect to information supplied by a third party. [15]

[34]  The contents of a contract involving an institution and a third party will not normally qualify as having been “supplied” for the purpose of section 17(1). The provisions of a contract, in general, have been treated as mutually generated, rather than “supplied” by the third party, even where the contract is preceded by little or no negotiation or where the final agreement reflects information that originated from a single party. [16]

[35]  There are two exceptions to this general rule which are described as the “inferred disclosure” and “immutability” exceptions. The “inferred disclosure” exception applies where disclosure of the information in a contract would permit accurate inferences to be made with respect to underlying non-negotiated confidential information supplied by the third party to the institution. ^[17] The immutability exception arises where the contract contains information supplied by the third party, but the information is not susceptible to negotiation. Examples are financial statements, underlying fixed costs and product samples or designs. ^[18]

In confidence

[36]  In order to satisfy the “in confidence” component of part two, the parties resisting disclosure must establish that the supplier of the information had a reasonable expectation of confidentiality, implicit or explicit, at the time the information was provided. This expectation must have an objective basis. [19]

[37]  In determining whether an expectation of confidentiality is based on reasonable and objective grounds, all the circumstances of the case are considered, including whether the information was:

• communicated to the institution on the basis that it was confidential and that it was to be kept confidential
• treated consistently by the third party in a manner that indicates a concern for confidentiality
• not otherwise disclosed or available from sources to which the public has access
• prepared for a purpose that would not entail disclosure. [20]

The third party’s representations

[38]  In its representations, the third party explains it is a business that develops systems services for clients, including payments systems, lottery systems and identification systems; each system is secure and tailored to the specific needs of each client. Its lottery systems group supplies secure online electronic lottery systems in a number of countries as well as a charitable gaming system to OLG and bingo halls across Ontario. The third party asserts that its business is built around the digital security of the systems it builds and its business model is premised on it not making public the systems and processes it uses to protect its government clients. The third party states that it was the only vendor to submit a proposal in response to OLG’s request for proposals (RFP) [21] for this system.

[39]  The third party acknowledges that its Proposal contains no explicit confidentiality claim. Notwithstanding a lack of an explicit confidentiality section, it submits that the information it provided to OLG in the Proposal was implicitly confidential and should be protected from further disclosure under the section 17 exemption because: the product OLG was seeking in the RFP was a security product which is heavily regulated; OLG was seeking a supplier with a proven financial track record in the supply of sensitive products; the personal and corporate security expectations required of the proposed vendors in the RFP (i.e. mandatory certification from the Alcohol and Gaming Commission of Ontario); and OLG’s subsequent agreement to a comprehensive confidentiality section in the MVSA which covers substantially similar information.

[40]  The third party notes that the MVSA contains a comprehensive mutual confidentiality clause at section 8 that was included because it is providing a solution that is highly secure and leverages its proprietary know-how and processes. It submits that it is reasonable (when considering the IPC’s practice direction on the inquiry procedure at the adjudication stage) to conclude that there is an explicit agreement of confidentiality between it and OLG, and that all information exchanged under the MVSA was exchanged in confidence, subject only to the narrow exceptions set out in the Act . On the basis of clause 8 of the MVSA, the third party submits that it provided all information to the OLG in confidence in satisfaction of the threshold.

Analysis and findings

[41]  Although the third party has provided lengthy submissions on the section 17 exemption, it does not address the “supplied” requirement of part two of the test beyond making a general assertion that it “provided all information” to OLG “in confidence” relying on clause 8 of its MVSA. It does not explain how and why the withheld information in the MVSA can be considered to have been “supplied” by it to OLG. The third party focusses its representations instead on the “in confidence” requirement of the section 17(1) test.

[42]  The IPC has repeatedly found that the contents of a contract between an institution and a third party will not qualify as having been “supplied” for the purpose of section 17(1) because contracts are presumed to be mutually generated, while proposals submitted by third parties to institutions are presumed to be “supplied.” [22] The IPC has applied this general rule even in situations where the contracts are preceded by little or no negotiation. The Divisional Court has repeatedly upheld the IPC’s general rule that contracts are mutually generated. [23] While there are two exemptions to this general rule – the “inferred disclosure” and “immutability” exceptions – the third party does not argue that these exceptions apply in this appeal.

[43]  From my review of the records, I see no reason to depart from the general rule in this appeal. The records themselves do not establish that the withheld information in the MVSA would permit accurate inferences to be made about underlying non-negotiated confidential information supplied by the third party, nor do they contain information supplied by the third party that is not susceptible to negotiation – for example, underlying fixed costs – such that one of the two exceptions to the general rule applies. I note that the third party submits that pages 143, 144 and 145 set out its fee rates, which it asserts are its confidential financial information. However, the third party also acknowledges in its representations that it negotiated the rates with OLG; this acknowledgement confirms that the fee rates and structures set out in pages 143 to 145 were not “supplied” by the third party within the meaning of the second part of the section 17(1) test.

[44]  I conclude that the general rule applies in this appeal. I find that the withheld information in pages 61, 62, 86-92, 111-123, 135-141 and 143-145 of the MVSA was not “supplied” by the third party and therefore, the second part of the test is not met for this information. As a result, the section 17(1) exemption cannot apply to this withheld information in the MVSA which I will order disclosed as no other exemptions have been claimed for it.

[45]  Applying the general rule to the withheld information in the Proposal, I am satisfied that the third party supplied it in its entirety to OLG as required for the second part of the test. Turning to the “in confidence” requirement, I am satisfied that the third party supplied its Proposal to OLG with a reasonable expectation of confidentiality based on objective grounds. I accept the third party’s statement that it submitted its Proposal to OLG on the basis that the Proposal was confidential and was to be kept confidential. There is no evidence before me to contradict the third party’s submission, nor is there any suggestion that the Proposal was disclosed or made publicly available by either the third party or OLG. The third party also prepared its Proposal in order to respond to OLG’s request for services, and not for a purpose that would entail disclosure. Looking specifically at pages 7-11 and 22 of the Proposal, which are the only pages that remain at issue, I note they set out the third party’s game design and development setting out the mechanics, features and experiences of the game, as well as the key steps for delivery of the third party’s services. The nature of the information in pages 7-11 and 22 supports a conclusion that the third party had an implicit expectation of confidentiality when it supplied this information to OLG. Considering all of these circumstances, the absence of a confidentiality provision in the Proposal is not determinative and does not negate the third party’s implicit expectation of confidentiality. I find that pages 7-11 and 22 of the Proposal were supplied in confidence to OLG by the third party in satisfaction of part two of the test.

Part 3: harms

[46]  As the party resisting disclosure, the third party must provide detailed and convincing evidence about the potential for harm. It must demonstrate a risk of harm that is well beyond the merely possible or speculative although it need not prove that disclosure will in fact result in such harm. How much and what kind of evidence is needed will depend on the type of issue and seriousness of the consequences. ^[24]

[47]  The failure of a party resisting disclosure to provide detailed and convincing evidence will not necessarily defeat the claim for exemption where harm can be inferred from the surrounding circumstances. However, parties should not assume that the harms under section 17(1) are self-evident or can be proven simply by repeating the description of harms in the Act . [25]

[48]  In applying section 17(1) to government contracts, the need for public accountability in the expenditure of public funds is an important reason behind the need for “detailed and convincing” evidence to support the harms outlined in section 17(1). [26]

The third party’s representations

[49]  The third party submits that disclosure of the information in pages 7-11 of the Proposal would result in undue loss to it and undue gain to others in its industry as contemplated by section 17(1) (c) of the Act . It states that the information contained in these pages about its proposed game design and development strategy is commercially sensitive information that is the result of over 20 years of experience in the lottery sector. It asserts that disclosure of this information would result in a gain to its competitors as they would not have to expend the same research and development costs to obtain a competitive program rollout strategy and product.

[50]  The third party similarly submits that disclosure of the information on page 22 of the records would similarly result in undue loss and gain under section 17(1)(c). The third party explains that the information on this page describing how it will be accountable to OLG as it develops the project is commercially sensitive and based on experience it has gained over the past 10 years. It argues that disclosure of this information would allow its competitors to more easily replicate the solution that it has developed to meet OLG’s requirements, resulting in undue gain to its competitors who would not have to expend the same research and development costs to obtain a competitive product.

Analysis and finding

[51]  As noted above, the third party must demonstrate a risk of harm that is well beyond the merely possible or speculative in order for me to find that section 17(1)(c) applies. Having considered the third party’s representations and reviewed pages 7-11 and 22 with these representations in mind, I am not convinced that the third party’s arguments demonstrate a risk of undue loss or gain that is beyond the merely possible or speculative. To the contrary, the circumstances of this appeal lead me to conclude that the third party’s risk of harm arguments are speculative at best, addressing a harm that is too remote to be considered even merely possible. First, the information in pages 7-11 and 22 is not as detailed or commercially sensitive as the third party claims it is. These pages of the records do not contain the type of information that would allow a competitor to replicate the secure system services provided by the third party or its strategy for doing so. There are no details about the technical architecture of the services being provided, [27] no full descriptions of the structure, system and procedures, and no specifications on the project software, products and applications. Therefore, disclosure of these pages could not reasonably be expected to give the third party’s competititors the undue gain of a competitive product and program rollout strategy.

[52]  Second, the third party’s concerns about competitors and undue gain or loss are overstated. The third party was the only company to submit a proposal to OLG in response to OLG’s RFP, meaning that it had no competition on its Proposal. In addition to having no competitors at the time it submitted its Proposal, the third party has the benefit of being in a multi-year MVSA with OLG with a number of years remaining. So for the next few years, the third party remains competitor-less in respect of the MVSA with negligible risk of suffering undue loss on the MVSA, despite any disclosure I may order. Looking to future opportunities, the third party’s arguments similarly do not demonstrate a risk beyond the merely possible or speculative because as noted above, the disclosure of these pages would not result in an undue gain to competitiors. Also, as the sole bidder in OLG’s RFP and the provider of its secure system, the third party is in a position of negotiating privilege and power with respect to any further RFPs with OLG for the same services. The third party has not provided a reasonable basis to believe otherwise.

[53]  I find that the third party has not established that the risk of harm from disclosure is well beyond or considerably above a mere possibility, and that pages 7-11 and 22 do not qualify for exemption under section 17(1)(c). As no other exemption has been claimed for these pages of the records, I will order them disclosed.

ORDER:

1. I uphold OLG’s claim of section 14(1)(i) to the withheld information in pages 135, 137, 139 and 141 of the records, and its exercise of discretion.
2. I do not uphold OLG’s claim that the remaining withheld information is exempt under section 17(1)(c) and I order OLG to disclose pages 7-11, 22, 61, 62, 86-92, 111-123, 135-141 and 143-145 to the appellant, withholding only the information noted in order provision 1 above. I order OLG to disclose the records by January 9, 2017, but not before January 3, 2017, and to provide me with a copy of its disclosure letter.

Original Signed by:		November 30, 2016
Stella Ball
Adjudicator