Executive Summary: Key Legal and Evidentiary Issues

• Classification of COVID-19 vaccine Adverse Events Following Immunization (AEFI) forms as “personal health information” under The Health Information Protection Act (HIPA), displacing access rights under The Freedom of Information and Protection of Privacy Act (FOIPPA).
• Tension between the public’s right of access to government-held records and the competing obligation to protect patient privacy, including when records contain intertwined health and biographical data.
• Limits of de-identification and severance, including whether detailed medical and contextual data from AEFI forms can be anonymised without creating an unacceptable risk of re-identification.
• Scope of any statutory duty on a health trustee to assist an applicant by de-identifying records or creating new records or columns to provide more granular, statistical-type information.
• Application of narrow statutory exceptions for disclosure of personal health information (research, health or safety concerns) and whether a private requester can invoke them to access others’ health data.
• Assessment of whether additional demographic and clinical data sought from the spreadsheet and AEFI forms could be reasonably severed without enabling the identification of individual patients.

Factual background

The case arises from an information-access dispute over data about adverse effects following COVID-19 vaccination in Saskatchewan. The Saskatchewan Health Authority (SHA), together with Indigenous Services Canada and the Northern Inter-Tribal Health Authority, collected reports of adverse events from individuals who received COVID-19 vaccines. These reports were recorded by health care practitioners on standardized “Adverse Events Following Immunization” (AEFI) forms. The Ministry of Health then took information from these AEFI forms and entered it into a spreadsheet used to track and monitor adverse reactions to the COVID-19 vaccines. The spreadsheet contained 18 columns, including a unique identifier and health region; patient initials, gender and age; the type of health care provider; the date and lot number of the vaccine; a series of “yes/no” fields describing whether the event was reportable, serious, unusual or expected; timing and duration of the adverse reaction; descriptions of the reaction and treatment; the patient’s outcome; recommendations by a medical health officer; and other contextual notes relating to the vaccination. The AEFI forms themselves contained a broader and more detailed set of information than the spreadsheet. In addition to a unique episode number and region identifier, they captured the patient’s name, date of birth, age, gender, health card number, address and phone number, the source of the information, the jurisdiction where the immunization occurred, and the immunization date. They also documented whether the patient was pregnant or breastfeeding at the time of immunization, the patient’s prior medical history (including medications, herbal supplements, existing medical conditions, acute illnesses or injuries, allergies, and prior positive COVID-19 test results), as well as any previous adverse reactions to COVID-19 vaccines, their impact, outcome, and level of care and treatment received.

The initial access request and Commissioner review

The applicant, Randolph Dean Schiller, originally requested disclosure of the entire Ministry spreadsheet containing the adverse event data. The Ministry disclosed some columns, but refused to disclose others—initially withholding columns 1–4 and 6–18. Mr. Schiller then applied to the Office of the Information and Privacy Commissioner for a review of the Ministry’s decision. The Commissioner recommended that the Ministry continue to withhold columns 2–4, but disclose the remaining columns. Following that report, the Ministry ultimately agreed to release the information in columns 8–18, while redacting columns 1–4 and removing gender identifiers from the disclosed data. Mr. Schiller’s appeal to the court was brought under section 57(1) of FOIPPA, challenging the Ministry’s refusal to disclose withheld material from the spreadsheet.

Expansion of the appeal to cover AEFI forms

During the access dispute, Mr. Schiller learned, through affidavit evidence from Ministry official Morag Granger, that the spreadsheet data were derived from the underlying AEFI forms. On discovering that those forms existed, he sought their disclosure for a two-year period from December 2021 to December 2023. In an earlier interim ruling in 2025, the Court allowed his appeal to be amended or interpreted broadly so that his challenge encompassed not only the spreadsheet but also his new request for the AEFI forms themselves. Thus, by the time of the 2026 merits decision, the court was dealing with both: the residual dispute over redacted spreadsheet columns and the broader request for the underlying AEFI forms.

Statutory framework: HIPA and FOIPPA

The decision turns on the interaction between two Saskatchewan statutes: The Health Information Protection Act (HIPA) and The Freedom of Information and Protection of Privacy Act (FOIPPA). HIPA governs “personal health information” and is designed primarily to protect the confidentiality of individuals’ health records. It allows people to access their own health information but does not create a general public right to access others’ health records. Personal health information is broadly defined in section 2(m) of HIPA to include information about an individual’s physical or mental health, health services provided to them, information derived from testing or examination, information collected in the course of providing health services, and certain registration details. HIPA also defines “de-identified personal health information” in section 2(d) as personal health information from which identifying information has been removed, and stipulates at section 3(2) that the Act does not apply to statistical or de-identified personal health information that cannot reasonably be expected, alone or combined with other information, to identify individuals. Section 4 of HIPA is critical: it provides that FOIPPA does not apply to personal health information in the custody or control of a HIPA trustee (such as a provincial health authority or the Ministry acting in that role). Consequently, if records qualify as personal health information under HIPA, access is governed exclusively by HIPA, not FOIPPA. FOIPPA, in contrast, is a general access-to-information statute. Section 5 establishes a broad right of access to records under the control of a government institution, subject to exemptions. Section 5.1 requires institutions to respond openly, accurately and completely, and to provide explanations of terms, codes or abbreviations on request. Section 8 imposes a duty to sever: where a record contains information to which access is refused, the institution must disclose as much as can reasonably be severed without revealing exempt information. FOIPPA’s definition of “personal information” in section 24(1.1) expressly excludes personal health information as defined in HIPA, reinforcing the idea that personal health information falls under HIPA alone. Against that legislative backdrop, the court emphasized the differing policy aims of the two regimes: HIPA focuses on protecting patient privacy and regulating trustees’ use and disclosure of health information, while FOIPPA is oriented toward maximizing public access to governmental records other than personal health information.

Characterization of the AEFI forms as personal health information

The first major issue was whether the AEFI forms were personal health information under HIPA. The court found that each AEFI form was unique to an individual patient, completed in the process of or incidental to the provision of health services, and filled with medical and identifying data. They detailed the patient’s health status, immunization history, pregnancy or breastfeeding status, existing conditions, medications, prior illnesses or injuries, allergies, COVID-19 testing history, and previous adverse reactions and their treatment. Because the adverse events were recorded as part of medical care and vaccine surveillance, the information clearly fell within the statutory definition of personal health information. The court distinguished between the spreadsheet, which contained selected information extracted from the forms, and the forms themselves, which contained much more detailed and sensitive personal health and identifying information. It concluded that the elements of the AEFI forms that were not already captured and disclosed via the spreadsheet were personal health information under section 2(m) of HIPA. Once the AEFI forms were characterized as personal health information in the hands of a HIPA trustee, FOIPPA’s access provisions could not be used to compel disclosure of those forms.

Access rights and exemptions under HIPA

Because Mr. Schiller was seeking the personal health information of other people, he could not rely on HIPA’s provisions granting individuals access to their own records. Instead, he had to show that his request fit within one of HIPA’s limited disclosure exceptions that would permit the trustee to provide him with others’ health information. He argued that the information, once de-identified, would effectively be raw data or statistical information and thus outside the scope of HIPA. He also referred generally to disclosure for research purposes. The court rejected these arguments. On the research point, section 29 of HIPA permits use or disclosure of personal health information for research only where the project has been approved by a research ethics committee designated by the Minister and other statutory criteria are satisfied. Mr. Schiller produced no evidence of any such ethics approval or that he met the conditions for the research exception. On that basis, the court held that section 29 could not justify disclosure. Mr. Schiller also pointed to section 27(4) of HIPA, which allows a trustee to disclose personal health information without consent where, for example, the trustee believes on reasonable grounds that disclosure will avoid or minimize a danger to the health or safety of any person, or where disclosure is needed to monitor, prevent or reveal abusive or dangerous use of publicly funded health services. The court found that this provision is permissive—granting the trustee discretion to disclose in certain circumstances—but does not give an individual a right to demand disclosure of other persons’ health information. There was no basis to require the Ministry to exercise that discretionary power in Mr. Schiller’s favour. The applicant also alleged that the Ministry had breached a duty to assist under section 35 of HIPA, but the court held that this duty applies only when someone seeks access to their own personal health information. Because Mr. Schiller sought information about third parties, section 35 could not assist him.

De-identification, statistical information and risk of re-identification

A significant part of Mr. Schiller’s case was that the Ministry should be ordered to de-identify the AEFI forms and then disclose them, on the theory that once de-identified they would either cease to be personal health information under section 3(2) of HIPA or would be reduced to statistical information. The court accepted that HIPA contemplates de-identification and that trustees should, where practicable, use or disclose de-identified personal health information if it will serve the purpose (section 23(4)). However, it found no statutory duty on the Ministry to undertake de-identification specifically to meet this access request. Affidavit evidence from Ministry officials included the Ontario Information and Privacy Commissioner’s De-Identification Guidelines for Structured Data, which highlighted the complexity and risk inherent in de-identifying detailed health datasets. The court noted that de-identification involves removing or modifying direct and indirect identifiers so that individuals cannot reasonably be identified, even when the data are combined with other available information, and that the risk of re-identification can never be reduced to zero. In this case, the AEFI forms contained highly granular medical and contextual data, including combinations of demographic information, clinical histories, outcomes and contextual notes. The court concluded that de-identification would be particularly difficult and that, even if attempted, the risk of individuals being identified or re-identified from the modified data remained significant, especially when cross-referenced with information already disclosed or information known in local communities. In light of HIPA’s protective purpose and the statutory scheme, the court held that the Ministry was not required to de-identify the AEFI forms for Mr. Schiller’s benefit and that, in any event, the privacy risks were too great to justify such an order.

Severance and duty to assist under FOIPPA

Mr. Schiller also attempted to rely on FOIPPA’s severance provision, arguing that any personal health information in the records could be redacted while non-health “personal information” (such as age, gender, ethnicity and certain other demographics) and broader statistical data could be disclosed. With respect to the AEFI forms themselves, the court held that once they were characterized as personal health information in the custody of a trustee, FOIPPA’s access and severance provisions simply did not apply because of section 4 of HIPA and the exclusion of personal health information from FOIPPA’s definition of personal information. From HIPA’s perspective, there is a duty to consider severance only where an individual seeks access to his or her own personal health record (section 38). That provision did not apply because Mr. Schiller was not asking for his own records. There was therefore no legal obligation on the Ministry to attempt severance of others’ personal health information for him. Turning to the spreadsheet, which was being treated under FOIPPA, Mr. Schiller argued that the Ministry should be required to disclose remaining redacted columns (including age, gender, ethnicity and aspects of prior health history) or to insert new columns containing additional aggregate or coded information derived from the AEFI forms. The court accepted that FOIPPA does impose a duty to assist (section 5.1) and a duty to sever (section 8) in respect of records covered by the Act. However, it drew a line between severing existing records and being compelled to create new ones. Under FOIPPA, a government institution must make reasonable efforts to locate and disclose existing records and explain codes or terms, but it is not required to create new records or reconfigure data solely in response to an access application unless some other statute or legal obligation requires such records to exist.

Risk of identification from additional spreadsheet data

On the question of whether any further disclosure from the spreadsheet was required, the court focused on the risk of identifying individual patients when biographical and clinical data were combined. Mr. Schiller had already received many columns of clinical and contextual information about the adverse events, including location codes and descriptive information about reactions and outcomes. He sought additional demographic detail such as age, gender, ethnicity and prior health concerns, contending that these could be treated as non-health personal information and disclosed under FOIPPA. The court relied again on de-identification principles outlined in the Ontario Guidelines, which recommend removing indirect identifiers (such as gender, age ranges, event dates, and specific diagnoses or procedures) when de-identifying health datasets. The Ministry argued, and the court accepted, that adding more demographic and clinical columns, even without direct identifiers like names or health card numbers, would significantly increase the risk that individual patients could be singled out, especially when combined with existing disclosed information and with knowledge within particular geographic or community settings. Given that Mr. Schiller already had location codes and detailed descriptions of adverse events, the court found that providing additional demographic fields would raise the risk of patient identification to an unacceptable level. It held that the non-health “personal information” Mr. Schiller sought from the spreadsheet could not reasonably be severed and disclosed without compromising privacy.

No obligation to create new records or columns

Mr. Schiller urged the court to compel the Ministry to create a new record by adding columns to the existing spreadsheet to capture further data points (for example, gender, race, age, prior health concerns, pregnancy or lactation status) in a form he believed would be suitably anonymised or statistical. He submitted that this would be a straightforward technical exercise. The court declined to make such an order. It held that FOIPPA’s duty to assist does not extend to creating new records in response to an access application where no such record currently exists, save where some separate statutory or legal requirement obliges a government body to create that record. While Alberta’s former FOIPPA statute had contained an express duty to create records in certain circumstances, the Court noted that this provision was not part of Saskatchewan’s legislation and, in any event, had been repealed in Alberta and replaced with a new regime that did not maintain that duty. In the absence of a similar provision in Saskatchewan, the Ministry had no obligation to manufacture a new data product simply to accommodate the applicant’s preferred format or level of detail.

Outcome and disposition

Ultimately, the court held that the AEFI forms were personal health information within the meaning of HIPA and that Mr. Schiller could not bring himself within any of the Act’s limited exceptions that might permit disclosure of others’ health information. Because HIPA displaced FOIPPA in relation to those records, he had no general right of access to them. With respect to the spreadsheet and any non-health personal information embedded in or derivable from it, the court found that further severance and disclosure were not reasonably possible without creating an unacceptable risk that patients could be identified when the data were combined with information already released or otherwise available. It also confirmed that the Ministry had no statutory duty to de-identify the records for him or to create new records or additional columns to satisfy his request. On that basis, the court dismissed his appeal. The successful party was the Government of Saskatchewan (Ministry of Health), and the decision does not specify any monetary award, costs, or damages in favour of the Ministry; the total amount ordered in its favour cannot be determined from the judgment.