Export Development Canada (Re), 2022 OIC 41
OIC file number: 5819-02244
Institution file number: A-2019-00080
The complainant alleged that Export Development Canada (EDC) had improperly withheld information under subsections 18.1(1) (confidential financial, commercial, scientific or technical information of EDC) and 24(1) (disclosure restricted by another law) of the Access to Information Act in response to an access request for a summary of all financial assistance provided by EDC to Canadian companies in Honduras over $50,000, from 2009 to 2019.
EDC could not show that it met all the requirements for these exemptions. In particular, EDC did not demonstrate how the information at issue, which is shared with and retained by EDC’s customers, belonged to EDC as required in subsection 18.1.. As for subsection 24(1) of the Act, EDC invoked section 24.3 (Privileged Information) of the Export Development Act but failed to demonstrate how the information was “obtained” by, rather than “created” by EDC.
The Information Commissioner ordered that EDC disclose the policy types (acronyms), policy numbers, and maximum liability amounts that had been withheld under paragraph 18.1(1) and subsection 24(1).
EDC gave notice that it would partially implement the order, disclosing the policy types (acronyms) but not the policy numbers and maximum liability amounts. To this effect, EDC indicated that it did not agree with the Information Commissioner of Canada’s interpretation of section 24.3 of the Export Development Act and indicated that it would be seeking a review by the Federal Court.
The complaint is well founded.
 The complainant alleged that Export Development Canada (EDC) had improperly withheld information under subsections 18.1(1) (confidential financial, commercial, scientific or technical information of EDC) and 24(1)(disclosure restricted by another law) of the Access to Information Act in response to an access request for a summary of all financial assistance provided by EDC to Canadian companies in Honduras over $50,000, from 2009 to 2019.
 When an institution withholds information under an exemption, it bears the burden of showing that refusing to grant access is justified.
 During its investigation, the Office of the Information Commissioner (OIC) sought EDC’s representations on the exemptions claimed. EDC provided detailed representations. However, I am not satisfied that EDC has met its burden of demonstrating that the majority of the information at issue warrants being withheld under either paragraph 18.1(1) or subsection 24(1).
Paragraph 18.1(1): confidential financial, commercial, scientific or technical information of Export Development Canada
 Subsection 18.1(1) allows institutions to refuse to release trade secrets or confidential financial, commercial, scientific or technical information belonging to the Canada Post Corporation, Export Development Canada, the Public Sector Pension Investment Board and VIA Rail Canada Inc.
 To claim this exemption with regard to financial, commercial, scientific or technical information, institutions must show the following:
- The information is financial, commercial, scientific or technical.
- The information belongs to one of the four above-named institutions.
- That institution has consistently treated the information as confidential.
 When these requirements are met, institutions must then reasonably exercise their discretion to decide whether to release the information.
 However, subsection 18.1(2) specifically prohibits institutions from using subsection 18.1(1) to refuse to release information that relates to the following:
- the general administration of the four above-named institutions, including information related to travel, lodging and hospitality expenses (as per section 3.1); or
- any activity carried out by the Canada Post Corporation that is fully funded out of parliamentary appropriations—that is, the Consolidated Revenue Fund.
Does the information meet the requirements of the exemption?
 The record at issue consists of a chart setting out the policy types (by acronym), policy numbers, company names and maximum liability amounts per policy, associated with EDC insurance policies of $50,000 (plus) in Honduras between 2009-2019. As understood, EDC relies on subsection 18.1(1) to refuse to disclose all information within this chart, with the exception of the column headings.
 Having considered the applicability of this exemption, I accept that the information at issue is financial and / or commercial information, thereby meeting the first requirement of subsection 18.1(1). EDC, however, did not establish that the further requirements (that the information “belongs to” EDC, and has consistently been treated by the EDC as confidential) are met.
 The meaning of the words “belongs to” in subsection 18.1(1) have yet to be interpreted by the courts. Legislative sources, however, suggest that at the time of subsection 18.1(1)’s enactment, these words were understood to mean that the institution must have total control / sole ownership.
 This interpretation is in keeping with guidance offered by the Treasury Board Secretariat (TBS). Within its Access to Information Manual, TBS instructs that the words “belongs to”, within the context of subsection 18.1(1), mean that the information is an institution’s “proprietary information”, citing as examples information that is patentable or that an institution may want to license.
 This interpretation is also consistent with interpretations of similar exemptions in other freedom of information statutes. For instance, paragraph 18(1)(a) of Ontario’s Freedom of Information and Protection of Privacy Act -- which exempts information that, in part, “belongs to” the government of Ontario -- is interpreted as requiring:
“…some proprietary interest in [the information] either in a traditional intellectual property sense - such as copyright, trade mark, patent or industrial design - or in the sense that the law would recognize a substantial interest in protecting the information from misappropriation by another party.” (Order PO-1763,  OIPC No 42 at paragraph 34).
 In the present instance, policy types, policy numbers, company names and maximum liability amounts is all information shared with and retained by EDC’s customers. On its face, then, this information is equally controlled and / or owned by the customers. In turn, it is not apparent how this information is proprietary to EDC.
 During the investigation, EDC maintained that information may “belong to” more than one party. Alternatively, it claimed that information being in the possession or control of another party does not mean that the information “belongs to” that party.
 With regard to policy numbers, EDC explained that it assigns and issues the numbers to its customers and that its customers have no right or ability to change or alter their policy number. It also maintained that this information is used by EDC as part of its internal financial management system.
 Regarding maximum liability figures, EDC explained that while customers have access to their own insurance information, only EDC has the totality of these figures. Therefore, because maximum liability amounts when added together would reveal information exclusively belonging to EDC, individual maximum liability amounts must also “belong to” EDC.
 In making these representations, however, EDC did not point to any authorities in support of its position that exclusive control / ownership is unnecessary for information to “belong to” EDC. Given EDC’s onus of establishing that the requirements of subsection 18.1(1) are met and interpretive aides supporting a conclusion that the words “belongs to” denotes exclusive control / ownership, I am unable to accept that exclusive control / ownership is unnecessary without being directed towards authority or interpretive aides supporting EDC’s interpretation.
 I am also not satisfied that the information at issue “belongs to” EDC on the grounds that it is “used” as part of EDC’s internal financial management system. EDC failed to establish that “use of” information is synonymous with information that “belongs to” EDC.
 As for EDC’s argument that individual maximum liability amounts “belong to” EDC because this information’s disclosure would facilitate the calculation of aggregate amounts that are exclusively controlled / owned by EDC, I note that there are no apparent restrictions on EDC-supported companies’ sharing or disclosure of this information. The fact that EDC might more readily be able to aggregate these figures is insufficient, in my view, to establish that individual maximum liability amounts is information that “belongs to” EDC.
 The third requirement needed to establish the applicability of subsection 18.1(1) is the requirement that the information be consistently treated as confidential by EDC. Paragraph 20(1)(b) of the Act contains similar language and therefore, provides guidance in the interpretation of this criterion. A mere assertion that the information has been kept confidential, without direct and convincing evidence, is not sufficient.
 EDC maintained that policy numbers and maximum liability amounts have been kept confidential in keeping with Section E of its Disclosure Policy. This Section specifies that the following information is confidential and will not be disclosed by EDC “without the required consents”:
E) Financial, business or proprietary information which might prove to affect EDC’s activities in capital or financial markets or to which such markets may be sensitive or which might prove to affect EDC’s competitive position, including details of liquidity investments, estimates of future borrowings, or redemptions of borrowings, expected rates of interest or rates of return and financial ratios.
 In considering EDC’s representations, I note that although EDC’s Disclosure Policy restricts EDC’s use and dissemination of certain of information, the policy numbers and maximum liability amounts have been disclosed to the respective customers. Furthermore, EDC has provided no evidence of any restrictions on the customers’ ability to, in turn, disseminate this information (including, for instance, confidentiality agreements in place). In the absence of any direct and convincing evidence, I am unable to conclude that the information has consistently been treated as confidential by EDC.
 I also note that the information at issue is limited to financial assistance above $50,000 in Honduras during a specified timeframe. It is therefore not apparent how aggregating the individual maximum liability amounts listed would actually reflect EDC’s exposure at any point in time or reveal information somehow proprietary to EDC. In turn, it is not clear how this information’s disclosure might reasonably be expected to affect EDC’s activities in capital or financial markets and / or its competitive position so as to squarely fall within Section E of EDC’s own Disclosure Policy, as alleged.
 In light of the above, I am not convinced that the information at issue warrants exemption under subsection 18.1(1).
 Given my above findings, there is no need to examine whether EDC reasonably exercised its discretion to decide whether to release information under this exemption.
Subsection 24(1): disclosure restricted by another law
 Subsection 24(1) requires institutions to refuse to release information the disclosure of which is restricted by a provision set out in Schedule II of the Access to Information Act.
Does the information meet the requirements of the exemption?
 In its representations, EDC maintained that all of the information at issue is exempted under subsection 24(1) and, by extension, subsection 24.3(1) of the Export Development Act (EDA). Subsection 24.3(1) reads as follows:
24.3 (1) Subject to subsection (2), all information obtained by the Corporation in relation to its customers is privileged and a director, officer, employee or agent of, or adviser or consultant to, the Corporation must not knowingly communicate, disclose or make available the information, or permit it to be communicated, disclosed or made available.
(2) Privileged information may be communicated, disclosed or made available
(a) for the purpose of the administration or enforcement of this Act and legal proceedings related to it;
(b) for the purpose of prosecuting an offence under this Act or any other Act of Parliament;
(c) to the Minister of National Revenue solely for the purpose of administering or enforcing the Income Tax Act or the Excise Tax Act; or
(d) with the written consent of the person to whom the information relates.
 In support of its position, EDC stated that subsection 24.3(1) of the EDA is intended to place it on equal footing with private banking institutions, codifying the common law duty of banker’s confidentiality. Therefore, all information obtained by EDC through the keeping of EDC’s customer accounts is protected under this provision. By way of example, EDC explained that whether a particular agreement contains standard EDC clauses or negotiated information is irrelevant to the application of subsection 24.3(1) of the EDA as it is ultimately information obtained by EDC through the keeping of its customers’ accounts.
 Having carefully considered EDC’s representations, I am not satisfied that all of the information at issue (specifically policy types, policy numbers and maximum liability amounts) is information “obtained by” EDC in relation to its customers. In turn, I cannot agree that this information falls within the scope of the restriction of subsection 24.3(1) of the EDA.
 Subsection 24.3(1) of the EDA prevents the disclosure of information obtained by EDC relating to its customers. This is distinct from capturing all information created by EDC in relation to those customers. Had Parliament intended for the scope of the restriction to include all information created by EDC in relation to its customers, it could have included such language in the provision. In this regard, I note that subsection 24.3(1) was enacted at the same time as sections 16.1 to 16.4 of the Act, as part of the 2006 Accountability Act. Sections 16.1 to 16.4 use the words “obtained and created”. The omission of the word “created” in subsection 24.3, in contrast to sections 16.1 to 16.4 must be interpreted as having meaning.
 On its face, policy types, policy numbers and maximum liability amounts is not information obtained by EDC in relation to its customers. Instead, this is information created by EDC. With regard to the latter, while recognizing that maximum liability amounts may be based in part on information obtained by EDC, the amounts ultimately reflect EDC decisions based on internal analysis of the information before it and there is no indication that these amounts reflect or reveal any information directly obtained by EDC.
 In contrast, I agree that the names of EDC customers, within the specific context of the responsive records, reflect information directly obtained by EDC in relation to customers. I am therefore satisfied that the disclosure of this limited information is restricted by subsection 24.3(1) of the EDA and, in turn, falls within the scope of subsection 24(1) of the Act.
 The complaint is well founded.
Under subsection 36.1(1) of the Act, I order the President of EDC to:
- Disclose the policy types (acronyms), policy numbers, and maximum liability amounts, currently withheld under paragraph 18.1(1) and / or subsection 24(1).
Institutions must abide by the terms of subsection 37(4) when disclosing any records in response to my order.
On June 22, 2022, I issued my initial report to the President of EDC setting out my order.
On July 20, 2022, the President of EDC gave me notice that she would be partially implementing my order. The President of EDC advised that EDC will disclose the policy types (acronyms) but would not disclose the policy numbers and maximum liability amounts. Specifically, the President of EDC indicated that she did not agree with my interpretation of the Export Development Act, RSC 1985, c E-20 (the “EDC Act”), and in particular s. 24.3 (1) of the EDC Act. As such, EDC has indicated that it intends to seek a review of my order by the Federal Court.
When a complaint falls within the scope of paragraph 30(1)(a), (b), (c), (d), (d.1) or (e) of the Act, the complainant and institution have the right to apply to the Federal Court for a review. They must apply for this review within 35 business days after the date of this report and serve a copy of the application for review to the relevant parties, as per section 43.
Related litigation proceeding before the Federal Court: Export Development Canada v. The Information Commissioner of Canada, T-1793-22. The steps taken in this proceeding are available using the following link: Federal Court - Court Files (fct-cf.gc.ca)