ORDER PO-4383

Appeal PA21-00031

Seneca College of Applied Arts and Technology

April 27, 2023

Summary: This order deals with an access request made under the Freedom of Information and Protection of Privacy Act  to Seneca College of Applied Arts and Technology  (the college) for access to records relating to a ridesharing service provided at the college. The college granted access to records responsive to the request, in part. The college denied access to records, either in whole or in part, under the mandatory exemptions in sections 17(1)(a) and (c) (third party information) and 21(1) (personal privacy), as well as the discretionary exemption in section 18(1)(d) (economic and other interests). During the mediation of the appeal, the reasonableness of the college’s search for records was added to the appeal. In this order, the adjudicator finds that some of the records contain personal information, which is exempt from disclosure. She also upholds the college’s search for records. She further finds that the exemptions in sections 17(1) and 18(1) do not apply, and orders the college to disclose this information to the appellant.

Statutes Considered: Freedom of Information and Protection of Privacy Act , R.S.O. 1990, c. F.31 , as amended, sections 2(1) (definition of “personal information”), 17(1)(a), 17(1)(c), 18(1)(d), 21(1) and 24.

OVERVIEW:

[1] This order disposes of the issues raised as a result of an appeal of an access decision made by Seneca College of Applied Arts and Technology  (the college). The requester’s multi-part access request, made under the Freedom of Information and  Protection of Privacy Act  (the Act ), was for an array of records referencing “Smart Commute,” “Rideshare” and “RideShark.”[1]

[2] After seeking clarification about the request and consulting with the requester, the college forwarded part of the request to the Ministry of Education (the ministry) for records that would be in its custody.

[3] Regarding records in the custody of the college, it located records responsive to the request and issued a decision to the requester, granting partial access to them. The college also withheld portions of the records, either in whole or in part, claiming the mandatory exemptions in sections 17(1)(a) and 17(1)(c) (third party information), and 21(1) (personal privacy) of the Act , as well as the discretionary exemption in section 18(1)(d) (economic and other interests). The college also advised the requester that no records exist for certain elements of the request, and provided him with a further detailed explanation.

[4] The requester, now the appellant, appealed the college’s decision to the Information and Privacy Commissioner of Ontario (the IPC).

[5] During the mediation of the appeal, the appellant stated that he believes further responsive records exist, and that seeks all of the information at issue. In response, the college agreed to provide the appellant with a more detailed explanation of the exemptions it applied and the reasons why no further records exist. At the conclusion of mediation, the issues on appeal were the exemptions claimed by the college and its search for records.

[6] The file then moved to the adjudication stage of the appeals process and I conducted an inquiry. I sought representations from the college, the appellant and two affected parties, RideShark and pointA (formerly Smart Commute). I received representations from all of the parties except RideShark.

[7] In its representations, the college advised that it was no longer claiming the application of section 18(1)(d) to records 16, 17 and 28.[2] As a result, this information is no longer at issue and is to be disclosed to the appellant.

[8] For the reasons that follow, I find that some of the records contain personal information, which is exempt from disclosure under section 21(1). I also uphold the college’s search for records, and further find that the exemptions in sections 17(1) and 18(1) do not apply. I therefore order the college to disclose this information to the appellant.

RECORDS:

[9] The following 31 records are at issue. The records were withheld in part, except records 15 and 51, which were withheld in full.

Records at Issue

Records at Issue

Record Number	Description of Record	Exemption(s) Claimed
1	Screen shot from user email	21(1)
3	Email re: RideShark configuration	17(1)(a) and (c), 18(1)(d)
9	Email question from student	21(1), 17(1)(a) and (c)
10	Email to RideShark	17(1)(a) and (c)
11	Email re: RideShark site	17(1)(a) and (c), 18(1)(d)
12	Email from RideShark	17(1)(a) and (c)
13	Email from test user	21(1)
15	Instructions on creating an Apple Developer Account	17(1)(a) and (c) – withheld in full
16	Email from RideShark with quote, purchase order and invoice	17(1)(a) and (c)
17	RideShark purchase order	17(1)(a) and (c)
18	Email re: external user	21(1), 17(1)(a) and (c)
19	Email from tester	21(1), 17(1)(a) and (c)
26	Email re: RideShark demo	17(1)(a) and (c)
30	Email re: Rideshark configuration	17(1)(a) and (c), 18(1)(d)
31	Email re: RideShark configuration	17(1)(a) and (c), 18(1)(d)
32	Email re: RideShark configuration	17(1)(a) and (c), 18(1)(d)
33	Email instructions on how to accept licencing agreement	17(1)(a)
35	Email re: Rideshare incentive programs	17(1)(a) and (c)
36	Email re: Rideshare incentive programs	17(1)(a) and (c), 18(1)(d)
37	Email re: Rideshare setup	17(1)(a) and (c)
38	Email re: Rideshare setup	17(1)(a) and (c)
39	Email re: staff vs. student matching	21(1), 17(1)(a) and (c)
40	Email instructions re: entering information in Rideshare fields	17(1)(a) and (c)
43	Contract between Seneca and RideShark	17(1)(a) and (c)
44	Email re: RideShark demo	17(1)(a) and (c)
47	Email from RideShark with quote, purchase order and invoice	17(1)(a) and (c)
51	Instructions from RideShark on branding	17(1)(a) and (c) – withheld in full
52	Draft Contract between Seneca and RideShark	17(1)(a) and (c)
60	Email between Smart Commute and Seneca	21(1)
61	Email between Smart Commute and Seneca	21(1)
78	Email with questions re: carpool matches	21(1)

ISSUES:

1. Do the records contain “personal information” as defined in section 2(1) and, if so, to whom does it relate?
2. Does the mandatory exemption at section 21(1) apply to the information at issue?
3. Does the mandatory exemption at section 17(1)(a) and/or (c) apply to the records?
4. Does the discretionary exemption at section 18(1)(d) apply to the records?
5. Did the college conduct a reasonable search for records?

DISCUSSION:

Issue A: Do the records contain “personal information” as defined in section 2(1) and, if so, to whom does it relate?

[10] The college submits that records 1, 9, 13, 18, 19, 39, 60, 61 and 78 contain personal information, and I find that most of this information qualifies as personal information with two exceptions. In order to determine which sections of the Act  may apply, it is necessary to decide whether these records contain “personal information” and, if so, to whom it relates. That term is defined in section 2(1) as follows:

“personal information” means recorded information about an identifiable individual, including in part,

(c) any identifying number, symbol or other particular assigned to the individual,

(d) the address, telephone number, fingerprints or blood type of the individual,

. . .

(h) the individual’s name if it appears with other personal information relating to the individual or where the disclosure of the name would reveal other personal information about the individual.

[11] To qualify as personal information, the information must be about the individual in a personal capacity. As a general rule, information associated with an individual in a professional, official or business capacity will not be considered to be “about” the individual.[3]

Representations

[12] As stated above, the college submits that certain withheld portions of records 1, 9, 13, 18, 19, 39, 60, 61 and 78 contain personal information. In particular, the college submits that the personal information consists of college students’ names and email addresses, login credentials, home addresses, and an external vendor’s home telephone number.

[13] The appellant submits that the records do not contain personal information because by agreeing to test the Rideshare/RideShark application on behalf of the college, the students “fell into the brackets” of either a consultant (if unpaid), an independent contractor, a college employee (if paid), or any combination thereof. As a result, the appellant argues, the information about these students is in their professional, not personal capacity and therefore does not qualify as their personal information.

Analysis and findings

[14] I have reviewed the portions of the records referred to above and I find that they consist of the personal information of identifiable individuals, with two exceptions. In particular, I find that the personal information in these records contains the names of college students who were testers of Rideshare/RideShark, with the following additional information:

• their personal email address and/or personal cell phone number and/or home address, qualifying as their personal information under paragraph (d) of the definition of “personal information” in section 2(1)  of the Act ,
• their user ID number and password for Rideshare/RideShark, qualifying as personal information under paragraph (c) of the definition, and
• their name where it appears with other personal information about them, qualifying as personal information under paragraph (h) of the definition.

[15] I also find that record 61 contains the personal phone number of a Smart Commute (now pointA) employee.

[16] The appellant’s position is that the student testers of Rideshare/RideShark are either employees, consultants or independent contractors of the college, yet other than his assertion that the students are of this status, he has not provided evidence to support this position. have considered but rejected the appellant’s position based on the evidence before me and my review of the records themselves.

[17] I further find that three portions of page 3 of record 18, and one portion of page 10 of record 19 do not qualify as personal information because they do not refer to identifiable individuals. The portions in record 18 refer to two businesses, while the portion in record 19 refers to unidentifiable individuals, using a generic term to refer to individuals. As I will discuss in more detail at Issue B, the college claimed the application of the mandatory exemption in section 21(1) to this information. Because the exemption in section 21(1) can only apply if the record at issue contains personal information, I reject the college’s claim that section 21(1) applies to these portions. In addition, the college has not claimed any other exemptions for this information. As a result, I will order the college to disclose these portions of records 18 and 19 to the appellant.

[18] I will now determine whether the personal information at issue is exempt from disclosure under the mandatory personal privacy exemption in section 21(1).

Issue B: Does the mandatory exemption at section 21(1) apply to the information at issue?

[19] I find that the personal information at issue is exempt from disclosure under section 21(1) because its disclosure would constitute an unjustified invasion of the personal privacy of several individuals.

[20] Where a requester seeks personal information of another individual,[4] section 21(1) prohibits an institution from releasing this information unless one of the exceptions in paragraphs (a) to (f) of section 21(1) applies. The section 21(1)(a) to (e) exceptions are relatively straightforward. The section 21(1)(f) exception, allowing disclosure if it would not be an unjustified invasion of personal privacy, is more complex, and requires a consideration of additional parts of section 21.

[21] Sections 21(2) and (3) help in determining whether disclosure would or would not be an unjustified invasion of privacy.

[22] If any of paragraphs (a) to (h) of section 21(3) apply, disclosure of the information is presumed to be an unjustified invasion of personal privacy under section 21. Once established, a presumed unjustified invasion of personal privacy under section 21(3) can only be overcome if section 21(4) or the “public interest override” at section 23 applies.[5]

[23] The college is claiming the application of the presumption in section 21(3)(d), which relates to employment or educational history.

[24] If no section 21(3) presumption applies, section 21(2) lists various factors that may be relevant in determining whether disclosure of personal information would constitute an unjustified invasion of personal privacy.[6] In order to find that disclosure does not constitute an unjustified invasion of personal privacy, one or more factors and/or circumstances favouring disclosure in section 21(2) must be present. In the absence of such a finding, the exception in section 21(1)(f) is not established and the mandatory section 21(1) exemption applies.[7]

[25] If any of paragraphs (a) to (d) of section 21(4) apply, disclosure is not an unjustified invasion of personal privacy and the information is not exempt under section 21.

Representations

[26] The college submits that the presumption in section 21(3)(d) applies to the personal information. The representations state that “personal information relates to educational history.” The college also relies on the factor in section 21(2)(h), submitting that much of the information was provided to it with an expectation of confidentiality, and that it is the college’s practice to sever personal information such as home addresses and personal phone numbers. The college also submits that none of the exceptions in section 21(4) apply to the personal information at issue.

[27] The appellant reiterates his position that the information in these records does not qualify as personal information and, therefore the presumption in section 21(3)(d) and the factor in section 21(2)(h) do not apply to it. In any event, the appellant submits, the information does not relate to educational history and therefore the presumption in section 21(3)(d) cannot apply. In addition, the appellant’s position is that because the records do not contain personal information, as the student testers were either college employees or hired as independent contractors or consultants by the college, section 21(4)(b) applies.[8]

Analysis and findings

[28] I find that the personal information at issue does not fit within any of the exceptions to the personal privacy exemption in paragraphs (a) to (e) of section 21(1), and that the only exception that could apply is section 21(1)(f), which states:

A head shall refuse to disclose personal information to any person other than the individual to whom the information relates except,

(f) if the disclosure does not constitute an unjustified invasion of personal privacy.

[29] For the reasons that follow, I find that the personal information at issue is exempt from disclosure under section 21(1) because its disclosure would constitute an unjustified invasion of the personal privacy of several individuals.

[30] As previously stated, if any of paragraphs (a) to (h) of section 21(3) apply, disclosure of the information is presumed to be an unjustified invasion of personal privacy under section 21. The college claims the presumption in section 21(3)(d), which states:

(3) A disclosure of personal information is presumed to constitute an unjustified invasion of personal privacy where the personal information,

(d) relates to employment or educational history;

[31] Past IPC orders regarding the application of the presumption against disclosure in section 21(3)(d) have determined that for information to qualify as “employment or educational history”, it must contain some significant part of the history of the person’s employment or education. What is or is not significant must be determined based on the facts of each case.[9]

[32] The personal information at issue reveals that several individuals were students attending the college and that one individual worked for Smart Commute. In reviewing this information, I find that there is no further information about their education and/or employment and, as a result, the records do not reveal a significant part of these individuals’ employment or education history. Therefore, I find that the presumption in section 21(3)(d) does not apply to this personal information.

[33] As I have found that none of the presumptions in section 21(3) apply, I will turn to the factors in section 21(2). In order to find that disclosure does not constitute an unjustified invasion of personal privacy, one or more factors and/or circumstances favouring disclosure in section 21(2) must be present. In the absence of such a finding, the exception in section 21(1)(f) is not established and the mandatory section 21(1) exemption applies.[10]

[34] The college is claiming the application of the factor in section 21(2)(h), which states:

(2) A head, in determining whether a disclosure of personal information constitutes an unjustified invasion of personal privacy, shall consider all the relevant circumstances, including whether,

(h) the personal information has been supplied by the individual to whom the information relates in confidence

[35] This factor, which weighs against disclosure, applies if both the individual supplying the information and the recipient had an expectation that the information would be treated confidentially, and that expectation is reasonable in the circumstances. Thus, section 21(2)(h) requires an objective assessment of the reasonableness of any confidentiality expectation.[11] I find that I do not have sufficient evidence before me to conclude that the information was supplied in confidence, nor is it evident on the face of the records. As a result, I find that the factor in section 21(2)(h) does not apply.

[36] However, as stated above, in order to find that disclosure does not constitute an unjustified invasion of personal privacy, one or more factors and/or circumstances favouring disclosure in section 21(2) must be present. Based on the parties’ representations and my review of the records, I find that none of the factors favouring disclosure are relevant to the personal information at issue.

[37] Turning to the limitations in section 21(4), if any of paragraphs (a) to (d) of section 21(4) apply, disclosure is not an unjustified invasion of personal privacy and the information is not exempt under section 21. I agree with the college and find that section 21(4) does not apply to the personal information at issue. The appellant argues that the information at issue is not personal information yet simultaneously argues that section 21(4)(b)[12] applies to the information. The appellant’s position is that the student testers were either college employees or independent contractors or consultants hired by the college to do the ridesharing testing. I have already found that the information at issue qualifies as personal information and that I have no evidence before me that the student testers were employees, independent contractors or consultants of the college. As a result, I find that section 21(4)(b) does not apply to any of the information relating to the college’s student testers. Regarding the personal phone number of the Smart Commute employee located in record 61, I find that section 21(4)(b) has no application to this personal information, because I have no evidence that there was a contract entered into between the college and this particular individual.

[38] Lastly, section 23 provides that the exemption in section 21(1) does not apply where a compelling public interest in the disclosure of the information clearly outweighs the purpose of the section 21(1) exemption. The appellant did not raise the public interest override in section 23 to the personal information at issue and I also find that it does not apply.

[39] As a result, for all of these reasons, I find that the personal information at issue is exempt from disclosure under section 21(1).

Issue C: Does the mandatory exemption at section 17(1)(a) and/or (c) apply to the records?

[40] The college is claiming the application of sections 17(1)(a) and 17(1)(c) to records 3, 9, 10-12, 15-19, 26, 30-33, 35-40, 43-44, 47 and 51-52.[13] The college submits that it reviewed these records and worked closely with RideShark to ensure that the “recommendations” for exemptions under section 17(1) were specific and limited. As previously stated, RideShark was provided with the opportunity to submit its own representations to the IPC, but did not do so.

[41] PointA’s representations do not address the possible application of the exemption in section 17(1)(a) and/or (c). pointA submits that it is a delivery agent for the former Smart Commute program on behalf of the City of Toronto and formerly for Metrolinx. It further submits that it does not get involved with procurement matters for program-wide services because that is the responsibility of the funding agencies and government parties. In that regard, point A goes on to state:

[42] Furthermore, Seneca College severed ties with pointA on [specified date] following a College decision to end the College’s participation in the Smart Commute program. Therefore, pointA was not involved with Seneca College’s decision to work with RideShark.

[43] I note that the information at issue relates to the business relationship between the college and RideShark and that none of the information at issue relates to pointA (formerly Smart Commute). The information consists of branding instructions and specifications, login information, troubleshooting, the name and email address of a specific RideShark employee, URL’s, discussions surrounding RideShark’s incentive program, instructions on how to create an Apple developer account and pricing/fee information. Most of the records are email chains and contain duplicate information.

[44] Sections 17(1)(a) and 17(1)(c) state:

A head shall refuse to disclose a record that reveals a trade secret or scientific, technical, commercial, financial or labour relations information, supplied in confidence implicitly or explicitly, where the disclosure could reasonably be expected to,

(a) prejudice significantly the competitive position or interfere significantly with the contractual or other negotiations of a person, group of persons, or organization;

(c) result in undue loss or gain to any person, group, committee or financial institution or agency; or

[45] Section 17(1) is designed to protect the confidential “informational assets” of businesses or other organizations that provide information to government institutions.[14] Although one of the central purposes of the Act  is to shed light on the operations of government, section 17(1) serves to limit disclosure of confidential information of third parties that could be exploited by a competitor in the marketplace.[15]

[46] For section 17(1) to apply, the institution and/or the third party must satisfy each part of the following three-part test:

1. the record must reveal information that is a trade secret or scientific, technical, commercial, financial or labour relations information; and
2. the information must have been supplied to the institution in confidence, either implicitly or explicitly; and
3. the prospect of disclosure of the record must give rise to a reasonable expectation that one of the harms specified in paragraph (a), (b), (c) and/or (d) of section 17(1) will occur.

Part 1: type of information

[47] The types of information relevant in this appeal have been described in past IPC orders as follows:

Commercial information is information that relates solely to the buying, selling or exchange of merchandise or services. This term can apply to both profit-making enterprises and non-profit organizations, and has equal application to both large and small enterprises.[16] The fact that a record might have monetary value or potential monetary value does not necessarily mean that the record itself contains commercial information.[17]

Technical information is information belonging to an organized field of knowledge in the applied sciences or mechanical arts. Examples of these fields include architecture, engineering or electronics. Technical information usually involves information prepared by a professional in the field, and describes the construction, operation or maintenance of a structure, process, equipment or thing.[18]

Financial information is information relating to money and its use or distribution. The record must contain or refer to specific data. Some examples include cost accounting methods, pricing practices, profit and loss data, overhead and operating costs.[19]

Representations

[48] The college submits that the records contain either a trade secret, technical information, commercial information, financial information or labour relations information, including the identity of a RideShark employee with unique expertise, a session ID and server name, contest options, branding information and instructions, lead design contact information, instructions on how to create an Apple developer account, unit prices, a pricing quote, purchase order and invoice, details for setting up a RideShark test account, domain selection instructions, functionality details, login credentials and launch timelines.

[49] The appellant does not address this part of the three-part test in his representations.

Analysis and findings

[50] On my review of the records, I find that, overall, they contain commercial information because they relate solely to the buying and selling of RideShark’s ridesharing services. I also find that some of the information in the records qualifies as technical information because it describes the operation of the technical aspects of the Rideshare program and that some of the information qualifies as financial information because it refers to specific dollar figures relating to pricing. Conversely, I find that the records do not contain “trade secrets” because the information in these records would generally be known in the ridesharing business, nor do they contain “labour relations” information because they do not relate to the collective relationship between an employer and employee.

[51] In sum, I find that the first part of the three-part test in section 17(1) is met. As a result, I will now go on to determine whether this information was supplied in confidence by RideShark to the college.

Part 2: supplied in confidence

[52] The requirement that the information was “supplied” to the institution reflects the purpose in section 17(1) of protecting the informational assets of third parties.[20]

[53] Information may qualify as “supplied” if it was directly supplied to an institution by a third party, or where its disclosure would reveal or permit the drawing of accurate inferences with respect to information supplied by a third party.[21]

[54] The contents of a contract involving an institution and a third party will not normally qualify as having been “supplied” for the purpose of section 17(1). The provisions of a contract, in general, have been treated as mutually generated, rather than “supplied” by the third party, even where the contract is preceded by little or no negotiation or where the final agreement reflects information that originated from a single party.[22]

[55] In order to satisfy the “in confidence” component of part two, the parties resisting disclosure must establish that the supplier of the information had a reasonable expectation of confidentiality, implicit or explicit, at the time the information was provided. This expectation must have an objective basis.[23]

[56] In determining whether an expectation of confidentiality is based on reasonable and objective grounds, all the circumstances of the case are considered, including whether the information was communicated to the institution on the basis that it was confidential and that it was to be kept confidential, treated consistently by the third party in a manner that indicates a concern for confidentiality, not otherwise disclosed or available from sources to which the public has access and prepared for a purpose that would not entail disclosure.[24]

Representations

[57] The college submits that the information was supplied in confidence to it by RideShark, and that its obligation to maintain the confidentiality of information supplied to it by RideShark is set out in the confidentiality clause of the master agreement between the college and RideShark.

[58] The appellant submits that the information was not supplied by RideShark to the college because it was subject to change, given that the college and RideShark communicated back and forth in regard to the changes requested by the college. In addition, the appellant submits that the information in the records was made available to the public through other sources when the application was marketed to the college’s students, when the college requested that another college test the application, and when the application was tested by students other than the college’s students. Further, the appellant argues that the information in the records was publicly disclosed the day the application was launched, including screenshots and the launch timeline. Lastly, the appellant submits that the information was not prepared for a purpose that would not include disclosure.

Analysis and findings

[59] For the reasons that follow, I find that record 43 was not supplied in confidence to the college by RideShark. Record 43 is the contract that was negotiated and entered into between the college and RideShark for the provision of RideShark’s ridesharing services. As has been held in previous IPC orders, the contents of a contract involving an institution and a third party will not normally qualify as having been “supplied” for the purpose of section 17(1). The provisions of a contract, in general, have been treated as mutually generated, rather than “supplied” by the third party. The exceptions to this general rule are the “inferred disclosure” and “immutability” exceptions. The inferred disclosure exception applies where disclosure of the information in a contract would permit someone to make accurate inferences about underlying non-negotiated confidential information supplied to the institution by a third party.[25] The “immutability” exception applies where the contract contains non-negotiable information supplied by the third party. Examples are financial statements, underlying fixed costs and product samples or designs.[26]

[60] Only a portion of record 43 was withheld from the appellant under section 17(1). This portion sets out a description of the type of support services to be provided by RideShark to the college. I find that this information was mutually generated by RideShark and the college, and does not fit within either of the exceptions to the general rule that the provisions of a contract are negotiated rather than supplied. This information, I find, does not represent or permit the accurate inferences about underlying non-negotiated information that was supplied by RideShark to the college. As a result, I find that this information was not supplied by RideShark to the college, and does not meet part two of the three-part test in section 17(1). As no other exemptions have been claimed with respect to record 43, I will order the college to disclose the withheld portion of it to the appellant.

[61] Turning to the remaining information for which the college claimed section 17(1), it argues that all of this information was “supplied in confidence” and that the college’s obligation to keep the information confidential is set out in the contract it entered into with RideShark. The confidentiality clause sets out that the software, service and customer platform, including the specific design, structure and logic of individual programs, the programs’ interactions and the programming techniques are confidential.

[62] I find that it is not necessary to decide whether the information at issue under section 17(1) was “supplied in confidence” by RideShark to the college, because it does not qualify for exemption under section 17(1), as it has not met part three of the three-part test in section 17(1), as explained below.

Part 3: harms

[63] Parties resisting disclosure must establish a risk of harm from disclosure of the record that is well beyond the merely possible or speculative, but need not prove that disclosure will in fact result in such harm.[27]

[64] Parties should provide detailed evidence to demonstrate the harm. How much and what kind of evidence is needed will depend on the type of issue and seriousness of the consequences.[28] The failure of a party resisting disclosure to provide detailed evidence will not necessarily defeat the claim for exemption where harm can be inferred from the records themselves and/or the surrounding circumstances. However, parties should not assume that the harms under section 17(1) are self-evident or can be proven simply by repeating the description of harms in the Act .[29]

[65] In applying section 17(1) to government contracts, the need for public accountability in the expenditure of public funds is an important reason behind the need for detailed evidence to support the harms outlined in section 17(1).[30]

Representations

[66] In its representations, the college states:

RideShark’s position is that access to the redacted information could prejudice RideShark’s competitive position and its disclosure has the potential to result in an undue loss of revenue.

. . .

Feedback from the third party [RideShark] included references to the small “ridesharing” industry, the heightened risk of head hunting of key employees, as well as the impact to their market share if RideShark’s competitive functionality options (i.e. modules), onboarding process and delivery model (i.e. branded domain) were to become known to its competitors.

[67] As previously stated, RideShark was provided with the opportunity to provide representations in this appeal, but did not do so.

[68] The appellant submits that disclosure of the records will not cause the harms contemplated in section 17(1). For example, he submits that RideShark’s incentive program is not unique to its ridesharing service and many other ridesharing companies share the same features in respect of incentive programs.

Analysis and findings

[69] I find that I have not been provided with sufficient evidence to conclude that the harms contemplated in sections 17(1)(a) and (c) have been established and, as a result, I find that the third part of the three-part test in section 17(1) has not been met.

[70] In order for sections 17(1)(a) and (c) to apply, the parties resisting disclosure must establish a risk of harm from disclosure of the information that is well beyond the merely possible or speculative, but need not prove that disclosure will in fact result in such harm.

[71] Parties should provide detailed evidence to demonstrate the harm, which in this case is that the disclosure of the information could reasonably be expected to prejudice significantly the competitive position or interfere significantly with the contractual or other negotiations of RideShark, or result in undue loss to RideShark or gain to any person, group, committee or financial institution other than RideShark.

[72] As stated above, the college submits that it reviewed these records and worked closely with RideShark to ensure that the “recommendations” for exemptions under section 17(1) were specific and limited. In this appeal, RideShark was provided with the opportunity to submit its own representations on the exemption in section 17(1) to the IPC, but did not do so.

[73] I find that the college’s arguments, based on its consultations with RideShark, that refer to the “ridesharing” industry, the heightened risk of head hunting of key employees, as well as the impact to RideShark’s market share if its competitive functionality options (i.e. modules), onboarding process and delivery model (i.e. branded domain) were to become known to its competitors, are merely possible or speculative arguments at best. I am not satisfied that the college has established a risk of harm from disclosure of the information at issue that is well beyond the merely possible or speculative.

[74] For example, the type of information withheld under section 17(1) consists of the following:

• URL’s and Login’s that were created during the testing of the RideShark program,
• Instructions on branding the RideShark program at the college, and on how to create an Apple developer account,
• The breakdown of RideShark’s cost to the college to provide its program,
• Discussions of incentive programs for potential users of the program, and
• The name and business address of a RideShark employee.

[75] I find that the evidence does not establish that it could reasonably be expected that the disclosure of this information would prejudice significantly the competitive position or interfere significantly with the contractual or other negotiations of RideShark, or result in undue loss to RideShark. The fact that the disclosure of this information might permit another ridesharing company to compete against RideShark does not mean that the disclosure would prejudice significantly RideShark’s competitive position.

[76] I further find that the harms contemplated in sections 17(1)(a) and (c) are not evident on the records, cannot be inferred from the records, or from the surrounding circumstances in this appeal.

[77] Consequently, I find that the third part of the three-part test has not been met and the information at issue is not exempt from disclosure under section 17(1). I will order the college to disclose the information for which no other exemptions have been claimed to the appellant.

Issue D: Does the discretionary exemption at section 18(1)(d) apply to the records?

[78] The college is claiming the application of section 18(1)(d) to the remaining information at issue which consists of portions of records 3, 11, 30, 31, 32 and 36. As set out above, these records are email chains. The withheld portions of these records consist of URL’s, technical questions and troubleshooting answers, links and two login credentials. Some of the information at issue is duplicated in these records.

[79] Section 18(1)(d) states:

A head may refuse to disclose a record that contains,

information where the disclosure could reasonably be expected to be injurious to the financial interests of the Government of Ontario or the ability of the Government of Ontario to manage the economy of Ontario;

[80] The purpose of section 18 is to protect certain economic interests of institutions. Generally, it is intended to exempt commercially valuable information of institutions to the same extent that similar information of non-governmental organizations is protected under the Act .[31]

[81] Section 18(1)(d) is intended to protect the broader economic interests of Ontarians.[32] For section 18(1)(d) to apply, the institution must provide detailed evidence about the potential for harm. It must demonstrate a risk of harm that is well beyond the merely possible or speculative although it need not prove that disclosure will in fact result in such harm. How much and what kind of evidence is needed will depend on the type of issue and seriousness of the consequences.[33]

[82] The failure to provide detailed evidence will not necessarily defeat the institution’s claim for exemption where harm can be inferred from the surrounding circumstances. However, parties should not assume that the harms under section 18 are self-evident or can be proven simply by repeating the description of harms in the Act .[34]

Representations

[83] The college submits that the information which it claims is exempt under section 18(1)(d) consists of confidential links and credentials for testing and set up, administrator logins, information on how to access the “Seneca Active Directory” and endpoint URL and metadata link for the active directory and an iOS application link.

[84] The college goes on to argue that it applied section 18(1)(d) to limited information in order to protect its economic interests, specifically the integrity of its technology assets and information that was reserved for contracted service providers such as assigned login credentials and protected hyperlinks.

[85] The appellant’s representations do not address section 18(1)(d).

Analysis and findings

[86] As stated above, in order for section 18(1)(d) to apply, the college must provide detailed evidence about the potential for harm that could reasonably be expected to occur should the records be disclosed. In section 18(1)(d) in particular, the harm must be injurious to the financial interests of the Government of Ontario or the ability of the Government of Ontario to manage the economy of Ontario. The college must demonstrate that this risk of harm is well beyond the merely possible or speculative although it need not prove that disclosure will in fact result in such harm.

[87] The college’s evidence is that the disclosure of the information at issue would cause harm to its own economic interests. Based on my review of this evidence, I find that the college has not established the evidence required in order for the exemption that it claimed – section 18(1)(d) – to apply. In particular, I find that the college has not established that the disclosure of the information at issue could reasonably be expected to cause a risk of harm to the financial interests of the Government of Ontario or to the government’s ability to manage Ontario’s economy that is well beyond the merely possible or speculative. I also find that the harm contemplated in section 18(1)(d) cannot be inferred from the surrounding circumstances, nor is it self-evident in the records.

[88] Consequently, I find that the exemption in section 18(1)(d) does not apply to the records. As no further exemptions have been claimed by the college with respect to these records, I will order the college to disclose them to the appellant.

[89] In sum, I find that the exemptions in section 17(1) and 18(1) to not apply and I will order the college to disclose this information to the appellant.

Issue E: Did the college conduct a reasonable search for records?

[90] Where a requester claims that additional records exist beyond those identified by the institution, the issue to be decided is whether the institution has conducted a reasonable search for records as required by section 24.[35] If I am satisfied that the search carried out was reasonable in the circumstances, I will uphold the institution’s decision. If I am not satisfied, I may order further searches.

[91] The Act  does not require the institution to prove with absolute certainty that further records do not exist. However, the institution must provide sufficient evidence to show that it has made a reasonable effort to identify and locate responsive records.[36] To be responsive, a record must be “reasonably related” to the request.[37]

[92] A reasonable search is one in which an experienced employee knowledgeable in the subject matter of the request, expends a reasonable effort to locate records which are reasonably related to the request.[38]

[93] Although a requester will rarely be in a position to indicate precisely which records the institution has not identified, the requester still must provide a reasonable basis for concluding that such records exist.[39]

Representations

[94] The college submits that it conducted a “comprehensive” search for records responsive to the access request involving several departments and experienced employees who are knowledgeable in the subject matter of the request. The college provided an affidavit sworn by its Privacy Officer whose responsibilities include responding to access requests under the Act .

[95] Following receipt of the access request, the Privacy Officer met with a staff member of the Academic Learning Services department, who advised that she had knowledge of and access to the department’s records relating to Smart Commute. The Privacy Officer also contacted the Manager of Campus Services, the Senior Procurement Specialist of Procurement, and the Director of Information Technology Services and requested that they identify any other college employees or departments that may have records related to the request.

[96] The Privacy Officer then sought and received clarification of the access request from the appellant’s then legal counsel,[40] and forwarded this information to the departments identified above, as well as the Senior Manager of Organizational Compliance and the Assistant to the Board of Governors. All of these departments conducted searches for records responsive to the request.

[97] The Privacy Officer subsequently received approximately 325 records from the various departments, with the exception of the Board of Governors, who had not located records responsive to the request.

[98] The Assistant to the Board of Governors advised the Privacy Officer that she had reviewed Board and Committee Academic Planning, Student Affairs, and Finance and Administration meeting minutes, as well as annual reports for any references to ride sharing/carpooling applications. The Assistant advised the Privacy Officer that the search terms “RideShark,” “Rideshare” and “Smart Commute” had been used in the searches.

[99] The appellant’s position is that the college did not conduct a reasonable search for records responsive to his access request. The appellant submits that separate affidavits should have been provided by each staff member who conducted searches for records. In addition, the appellant submits that the college’s decision letter leads him to believe that it narrowed the scope of his request to extent that it claimed no records exist in response to part of his request, which is “impossible.” The appellant states:

[100] The discrepancy in the way the sentence was laid out, as opposed to the original request, changes the demands’ interpretation which in turn can easily lead to the derailment of the original request to that of something completely different. It also falls under the bracket of having limited the scope of the requesters request without him being aware of it or providing him with an explanation for it.

Analysis and findings

[101] For the reasons that follow, I am satisfied and I find that the college conducted a reasonable search for records responsive to the appellant’s access request.

[102] The appellant’s position is that the college unilaterally narrowed the scope of his request. I disagree. I find that the college has provided sufficient evidence that upon receiving the appellant’s access request, it contacted the appellant’s former legal counsel to seek clarification of the request. In response, the appellant’s legal counsel provided the college with a clarified access request. I accept the college’s evidence that it then commenced the search for records in response to the clarified request.

[103] To locate records, I accept that the college conducted searches in its record holdings in the Academic Learning Services department, the Campus Services department, the Procurement department, the Information Technology department, the Organizational Compliance department and the Board of Governors. I also accept the college’s evidence that the searches were conducted by several experienced employees who are knowledgeable in the subject matter of the request.

[104] The Act  does not require the college to prove with absolute certainty that further records do not exist. However, the college must provide sufficient evidence to show that it has made a reasonable effort to identify and locate responsive records. In this case, I find that at least six employees knowledgeable in the subject matter of the request expended a reasonable effort to locate approximately 325 records that were responsive to the request. I also find that it was sufficient for the college to provide its evidence to the IPC by way of one affidavit sworn by the college’s Privacy Officer on its behalf, as opposed to the appellant’s position which is that each staff member who conducted searches should have sworn separate affidavits and provided them to the IPC.

[105] As a result, I find that the college has made a reasonable effort to identify and locate responsive records and I uphold its search for records as being reasonable.

ORDER:

1. I order the college to disclose the portions of records 18 and 19 that do not contain personal information to the appellant by June 2, 2023 but not before May 29, 2023. Enclosed with this order is a copy of these records to the college. I have highlighted the portions that are to be disclosed to the appellant.
2. I order the college to disclose the information it claimed to be exempt under sections 17(1) and 18(1) to the appellant by June 2, 2023 but not before May 29, 2023.
3. I reserve the right to require the college to provide the IPC with copies of the records it discloses to the appellant.
4. I uphold the college’s search for records responsive to the appellant’s access request.

Original signed by:		April 27, 2023
Cathy Hamilton
Adjudicator