Imagine a rule that says you cannot speed unless you make your own policy that you can. Would you make such a policy for yourself? I suspect you would. Last fall, five Western University students encountered a real-life version of this scenario. The law prohibits Ontario universities from collecting personal information from their students. Yet in August, Western made a policy requiring students to provide proof of COVID-19 vaccine shots and boosters or face suspension. It sounds like an easy court case, but the Ontario Superior Court dismissed the students’ challenge. Western had created a policy to collect the information, the Court said, effectively giving universities a free pass to collect whatever personal information they like.
Privacy rights in Canada are patchwork and not robust. But in most provinces public institutions, at least, are prohibited from collecting personal information unless they cannot carry out their activities without it. Under the Ontario Freedom of Information and Protection of Privacy Act (FIPPA), universities may not collect personal information unless it is “necessary to the proper administration of a lawfully authorized activity.” They need student addresses and emails, for example, to send notices and schedules.
But this exception does not include vaccine status, said the students’ lawyers (of whom I was one). In 2022-23, Western was the only university in Ontario to demand it. All other universities ran their programs without it. Western, the students argued, was able to do the same. Collecting vaccine status was not strictly necessary for the university to function, and therefore did not fit within the exception.
Western can make whatever policies it likes, responded its lawyers. As a self-governing institution, making policies is one of its “activities.” Since it made a policy to collect proof of vaccination, collecting proof of vaccination was its “activity.” The activity of collecting proof of vaccination cannot be administered without collecting proof of vaccination. That information is “necessary to the activity,” they said, and therefore not prohibited.
If that makes your head hurt, it’s not because it’s clever. Universities are indeed self-governing institutions. They have broad powers to govern their spaces. But they are also public institutions subject to the laws of the land. They negotiate their own contracts, but they cannot breach the Employment Standards Act. They set their own financial policies, but they must obey the Income Tax Act. FIPPA is privacy protection law that limits their authority to collect information.
But not according to the Superior Court. In September, the Court accepted Western’s argument and dismissed the students’ challenge. The university’s policy to collect personal information was itself an “activity” under the statute, the judge concluded. The policy “is a ‘lawfully authorized activity’ … The activity is the Policy.” By creating a policy to collect information, Western had exempted itself from the prohibition. The law may as well have read, “No institution shall collect personal information unless the institution creates a policy to collect the information.”
In 2013, the Supreme Court of Canada said privacy plays a fundamental role in the preservation of a free and democratic society. The ability of individuals to control their personal information “is intimately connected to their individual autonomy, dignity and privacy. These are fundamental values that lie at the heart of a democracy.” Legislation that protects personal information, the Court suggested, should be regarded as “quasi-constitutional.” Almost a decade later, the Ontario Court hearing the Western case rendered FIPPA’s privacy protection toothless.
Once upon a time, courts insisted that public bodies required specific statutory authority to act. “I know of no duty of the Court which it is more important to observe, and no powers of the Court which it is more important to enforce, than its power of keeping public bodies within their rights,” wrote Lord Lindley in an 1899 U.K. case, “The moment public bodies exceed their rights they do so to the injury and oppression of private individuals.”
Today courts are more likely to defer to public institutions to act in whatever way they deem to be in the public good. If the Western ruling is correct, any university could create policies that require students to submit information about sexually transmitted infections, drug use, DNA, mental health, sexual orientation, criminal records and more. The Court’s decision has defeated the purpose of the legislation.
In the end, the students prevailed. In November, before an appeal could be heard (but after an unknown number of students took vaccines and boosters against their better judgment), Western withdrew the policy with little explanation. But its unchecked power to dictate terms over student privacy remains. Don’t like laws that prohibit collecting information from your students? Make a policy that allows you to do it anyway.
The original version of this post was published by The Financial Post, and has been reprinted with permission.