Employer access to personal e-mail case demonstrates need for internal controls on IT searches

11 May

Employers who are regulated by privacy legislation need to reckon with privacy commissioner oversight in conducting searches of their work systems for evidence of misconduct. This is the clear lesson from the recent and much-discussed Calgary Police Service order of the Alberta OIPC that dealt with the service’s unauthorized access to an employee’s personal e-mail account.

The facts are simple. The service embarked on an internal sexual misconduct investigation that included a review of an employee’s work e-mail account. It conducted a search for the word “password” as a matter of protocol because the sending and receiving of passwords through e-mail is indicative of a number of common IT security problems. The service found a message to an outsider containing the employee’s password to her personal e-mail account, a communication the service said “seemed odd.” Given the employee had also sent “snippets” of confidential service records to others internally, the service accessed the personal account on a theory that the employee was leaking confidential information through the personal e-mail account. It happened to find evidence of work-related sexual misconduct and used it to discipline the employee. The employee later complained to the OIPC under Alberta’s public sector privacy legislation.

The OIPC was not impressed with the service’s professed basis for using the password to access the employee’s personal account, particularly given the investigator had no mandate to determine whether the employee had committed a breach of confidence. It upheld the employee’s complaint.

The result is no surprise. Taking a step in an investigation as intrusive as gaining unauthorized access to a personal e-mail account based significantly on the discovery of a communication that “seemed odd” is problematic. The record shows that the service was clearly on a fishing expedition, and despite the OIPC’s finding, its approach still signals respect for management’s right to investigate. The OIPC says, for example, “It might be policy for IT to check for data leakage whenever a Public Body employee is being investigated for inappropriate email or computer use, but this cannot extend, without cause, to an employee’s personal email account.”

The simple lesson from the case for employers who are subject to employment privacy regulation – far from all employers – is to develop and implement controls to structure the process of searching work systems for evidence of misconduct. Who authorizes a search? What’s the scope? What routine searches should be conducted? What should the investigator do if he or she finds evidence of wrongdoing that is out of scope? Who is responsible for securing evidence and how? Organizations should have clear answers to these questions before embarking on an IT search.

Order F2012-07 (April 30, 2012).

ABCA divided on application of Charter to university disciplinary proceedings

10 May

Yesterday the Alberta Court of Appeal rendered a significant decision about whether a university is obligated to consider students’ Charter rights in disciplinary proceedings.

This case involved University of Calgary students found guilty of non-academic misconduct in disciplinary proceedings for posting criticisms of a course and its instructor on Facebook. The Court unanimously upheld that part of a judicial review decision which found that the students should not have been found guilty of non-academic misconduct. However, the Court was sharply divided on whether the Charter would apply to this case. Paperny J.A. found that the Charter applied to the disciplinary proceedings undertaken by the University and that a review committee had failed to take into account the students’ freedom of expression right as protected by the Charter. She rejected the University’s argument that “the application of the Charter in these circumstances undermines the University’s academic freedom or institutional autonomy,” finding that academic freedom and freedom of expression are not competing values. McDonald J.A. found that while it may be time to reconsider whether or not universities are subject to the Charter, the judicial review court erred in undertaking such an analysis in this particular case. O’Ferrall J.A. found that the issue here was not whether the university was a “Charter-free zone,” but whether the university’s disciplinary body ought to have considered whether its discipline violated the students’ right to their freedoms of expression and association, freedoms which long pre-dated the Charter.

More to come on this decision in a while.

Pridgen v. University of Calgary, 2012 ABCA 139

ABCA modifies spoliation remedy, preserves sanction

9 May

On March 7th, the Alberta Court of Queen’s Bench found a departed employee in contempt for counseling a contact to destroy evidence for the purpose of interfering with the administration of justice. The Court ordered the employee:

  • to produce any and all computers and electronic media in his possession, power or control, for a forensic review to be conducted by a computer expert retained by the plaintiffs;
  • to pay for the review and post $30,000 in security for costs; and
  • to pay the costs of the contempt motion on a full indemnity basis.

Yesterday the Court of Appeal for Alberta varied the order because it was not well-proportioned. It explained:

As a remedy for the contempt, the chambers judge ordered that the individual appellant pay the cost of the application on a full indemnity basis. While acknowledging that “in the present case no information has been lost”, he nevertheless ordered a full computer forensic investigation. The chambers judge speculated that “it is unclear what else may have been deleted”. The contempt application was based entirely on the efforts to delete the HSE Manual. No allegation was made of the destruction of any other document, nor is there any evidence of any other destruction. Embarking on an expensive fishing expedition at this stage of the litigation is unwarranted. Should the discovery process produce evidence of other problems, further applications for relief can be brought.

Despite allowing the appeal in part, the Court ordered the appellant to pay the full costs of the appeal “to ensure an effective sanction.”

Fuller Western Rubber Linings Ltd. v Spence Corrosion Services Ltd., 2012 ABCA 137 (CanLII).

Sale of business to proceed under the cover of a PIPEDA exemption order

5 May

On April 26th the Ontario Superior Court of Justice issued an order under section 7(3)(c) of the Personal Information Protection and Electronic Documents Act to allow two credit unions to merge without gaining the express consent of members. It’s not clear that such an order is actually authorized by PIPEDA (and the applicants don’t appear to have given notice to members), but Justice Lauwers listed a number of Ontario commercial list matters in which such permissive orders have been made. He echoed comments made by Justice Farley in “urging that a route be provided that will permit the disclosure of the necessary personal information in such circumstances as these to avoid wasting the court’s time and the parties’ funds.” Bill C-12 received first reading way back last September and will add a “business transaction” exemption to PIPEDA. Its time is obviously overdue!

In the Matter of an Application Under Rules 14.05(3)(d), 2012 ONSC 2530 (CanLII).

Alberta CA uses cyber-picketing case to raise fundamental doubts about scope of privacy regulation

2 May

The Alberta Court of Appeal dropped a bomb on April 30th by raising extremely broad questions about the constitutionality of Alberta’s commercial sector privacy statute in disposing of a dispute about the right of a union to take images of people who cross a picket line.

Last September the Alberta Court of Queen’s Bench held that the Alberta Personal Information Protection Act violated the right of expression guaranteed by section 2(b) of the Charter because it was disproportionate in restricting unions from engaging in “union journalism” relating to labour disputes and picket lines. The Court’s focus was relatively narrow though, and its Charter-based order focused on the breadth of a scope provision meant to protect journalistic activity and an exclusion for publicly available information.

The Court of Appeal first re-framed the expressive interest at stake as related to labour relations and not journalism. It then held that the statute interfered with this interest in a manner that could not be justified in a free and democratic society.

The Court’s proportionality analysis is remarkable in its breadth. It weighs the purpose of Alberta PIPA – protecting reasonable expectations of privacy, protecting expectations that one can control one’s own image and personal information and limiting the misuse of personal information – against the right of free expression in general. The Court says:

There is, however, a problem relating to proportionality. The constitutional problems with the Act arise because of its breadth. It does not appear to have been drafted in a manner that is adequately sensitive to protected Charter rights. There are a number of aspects to the over-breadth of the Act:

-It covers all personal information of any kind, and provides no functional definition of that term. (The definition of “personal information” as “information about an identifiable individual” is essentially circular.) The Commissioner has not to date narrowed the definition in his interpretation of the Act in order to make it compliant with Charter values.

-The Act contains no general exception for information that is personal, but not at all private. For example, the comparative statutes in some provinces exempt activity that occurs in some public places.

-The definition of “publicly available information” is artificially narrow.

-There is no general exemption for information collected and used for free expression.

-There is no exemption allowing organizations to reasonably use personal information that is reasonably required in the legitimate operation of their businesses.

This appeal clearly demonstrates the impact that the Act can have on protected rights. The legitimate right of the union to express itself and communicate about the strike and its economic objectives have been directly impacted by the Adjudicator’s order. The appellant has not demonstrated why this heavy handed approach to privacy is necessary, given the impact it has on expressive rights.

Regarding remedy, the Court issued a declaration that the restrictive order at issue was unconstitutional and invited the Alberta legislature to “decide what amendments are required to the Act in order to bring it in line with the Charter.”

Look for a leave to appeal application in which the Alberta Commissioner is joined by her counterparts from other provinces at the leave to appeal stage.

United Food and Commercial Workers, Local 401 v Alberta (Attorney General), 2012 ABCA 130 (CanLII).

Alberta court issues important e-FOI decisions – faculty e-mails not in custody or control

28 Apr

The Alberta Court of Queen’s Bench issued a pair of judgements about access to faculty e-mails on April 23rd, ultimately deciding that the Alberta OIPC erred in finding that faculty member e-mails relating to participation on a Social Sciences and Humanities Research Council of Canada committee were in the custody or control of the University of Alberta.

Here are the four points of significance.

First, the Court held that the standard of review for custody or control decisions is reasonableness based on the strong presumption established by the Supreme Court of Canada last December in Alberta (Information and Privacy Commissioner) v. Alberta Teachers’ Association. This is a change, albeit a predictable one in light of Alberta Teachers’ Association. Despite the outcome in this case, custody or control decisions will generally be harder to challenge on judicial review than in the past.

Second, the Court held that the Association of Academic Staff of the University of Alberta did not have a right to notice and standing in the OIPC’s hearing as an affected party or as a matter of fairness. It held that the AASUA interest in the precedential effect of the OIPC’s finding did not give it an interest in the request under appeal sufficient to justify a right to notice and standing.

Third, the Court held that the OIPC erred in finding that the records at issue were under the university’s custody or control.

In part, the Court’s reasoning highlights the growing importance of assessing the purpose of access to information legislation in deciding custody or control issues. It held the OIPC erred by failing to recognize that the faculty member’s e-mails related to a grant funding process in which the university had no role. They therefore shed no light on the university’s own operation in furtherance of the statutory aims. Rather, the records at issue shed much more light on another public institution’s operations, something the Court said the OIPC also ought to have considered.

The Court’s reasoning also suggests that standard technical processes used in the management of business e-mail systems will not govern whether e-mails are in the custody or control of a public institution. It held that the OIPC erred by inferring too much from the routine backup of e-mails and the right to monitor. The Court said, “It was unreasonable to focus on the general computer use policy, rather than considering the particular records in question.”

Finally, the Court declined to address a bold argument by the AASUA that all records produced by faculty members in the course of participating in external committee work and in the context of their internal research and other academic work are not subject to a university’s custody or control. The Court said, “Academic freedom may be one relevant factor in considering whether a university has custody or control of records, but until the Commissioner considers that question in a hearing that raises the issue at first instance, this Court need not address it here.”

University of Alberta v. Alberta (Information and Privacy Commissioner), 2012 ABQB 247 (CanLII) (standard of review, custody or control).

Association of Academic Staff of the University of Alberta v University of Alberta, 2012 ABQB 248 (CanLII) (notice and standing).

FCA affirms order to provide home contact information to bargaining agent

22 Apr

On March 16th the Federal Court of Appeal affirmed a Public Service Labour Relations Board order that requires the Canada Revenue Agency to provide the Professional Institute of the Public Service of Canada (a trade union) with the home address and telephone numbers of its bargaining unit members on a quarterly basis.

The order under review was re-issued by the Board after being quashed in 2010 because the Board had simply blessed the parties’ consent order without considering the privacy interests of affected parties. In re-issuing the order (with some newly-imposed security features), the Board held that the disclosure did not breach the federal Privacy Act because CRA’s purpose for obtaining home contact information (contacting employees about the terms and conditions of their employment) was consistent with the use for which PIPSC would use it (discharging its statutory duties as bargaining agent by contacting employees about employment-related matters). The applicant sought review before the Federal Court of Appeal.

The Court of Appeal’s disposition is unremarkable, and turns mainly on the standard of review and other technical matters.

Bernard v. Canada (Attorney General), 2012 FCA 92.
