How to manage a data security incident – Ten tips from a breach practitioner

25 Sep

Here’s a slide deck (including speaking notes) for a presentation I did today at LegalTech Toronto.

I aimed for something practical on the art of breach response by speaking to these ten tips:

  1. Initiate response ASAP
  2. Don’t rest on assumptions
  3. Keep the ball moving
  4. Don’t rush
  5. Obtain objective input
  6. Obtain technical input
  7. Take a broad view of notification
  8. Put yourself in their shoes
  9. Demonstrate commitment to doing better
  10. Apologize


Arbitrator says privacy concern did not justify altering records, wiping phone

22 Sep

On July 2nd, Arbitrator Peltz affirmed the discharge of a university support staff employee who altered billing records for his employer-owned cell phone and later wiped the phone after being directed to retrieve it so it could be examined.

The grievor worked in the university’s technology transfer office in a position of trust. After the university confronted him about excessive personal use of his phone, the grievor deleted parts of phone records that showed his calling history. These records were stored on a university shared drive and were therefore accessible to other employees in the grievor’s department. The grievor said he did this because he was concerned about the disclosure of his call history.

The university discovered the alterations. It called the grievor to an investigation meeting in which it heard the grievor’s position and advised the grievor that he would be placed on paid leave pending an examination of his cell phone and computer records. The grievor went to his office to retrieve his phone. When he did not return, his supervisor investigated and found the grievor wiping his phone. The grievor continued over his supervisor’s direction to stop, responding “I’m just deleting my personal information.”

Arbitrator Peltz found the grievor’s alteration of records to be culpable. He commented:

It is one thing to say that digital privacy is now highly valued in Canadian society. It is something else to claim a unilateral self help remedy without even consulting the employer whose records are being altered.

Arbitrator Peltz also held that the grievor was insubordinate because he intentionally frustrated the university’s plan to conduct a reasonable search. He said that the university had a reasonable concern about “all the grievor’s communications” and that due diligence required a “complete review, excepting personal matters.” Some effort to minimize the impact of the search may have been required according to Arbitrator Peltz, but the grievor should have stated his privacy concern rather than taking matters into his own hands by wiping his phone.

University of Manitoba v Association of Employees Supporting Educational Services, 2015 CanLII 49535 (MB LA).

Arbitrator says association has no right of access to harassment investigation reports

21 Sep

On July 15th, Arbitrator Sheehan held that a police association did not have a right of access to a harassment investigation report.

Arbitrator Sheehan held that the employer denied access for “reasonable cause” – the need to encourage witness candour – and therefore acted consistently with its collective agreement. He also dealt with the broader premise for the association’s case and, in doing so, questioned a finding in which the OLRB held that a union’s representational role justified a similar right of access. He said:

I have some difficulty with extrapolating the reasoning in those cases, as support for a much broader proposition that a union will necessarily be entitled to otherwise private/confidential information associated with a particular operational decision of an employer; simply on the basis that the information in question will be of assistance to the union to fulfill its duty of fair representation obligations. Or more particularly, that the union is entitled to such information on the basis it would be helpful to the union in assessing whether it would be appropriate, in the circumstances, to file a grievance.

There are numerous scenarios where the employer has information in its possession that may be quite helpful to the union, in terms of assessing whether there has been a violation of the collective agreement; and therefore, a basis to file a grievance. For example, in a job promotion dispute, the employer typically has information which may involve the confidential evaluations or interview/test results of the candidates. Such information would, obviously, be useful for the union to review in terms of whether in fact a grievance should be filed on behalf of a senior employee not awarded the position. In that sense, the union has an “interest” in the disclosure of the information. The duty of fair representation obligations resting on the union, however, does not transform that “interest” in obtaining the information into a “right” of disclosure, which would obligate the employer to comply with a request to disclose; solely to assist the union, in their assessment of whether there is a basis to file a grievance.

The disclosure of employer documentation arising out of a disciplinary investigation may likewise be of particular assistance to the union in terms of evaluating whether in fact there is a basis to assert a violation of the collective agreement.  Again, as has been previously discussed, if the request for the information should arise in the context of the adjudication of a grievance challenging the issued discipline, there would be a presumptive right (subject to a valid claim of privilege) for the union to obtain production of such arguably relevant documentation. It is, however, an entirely different proposition to suggest, that the employer prior to the filing of a grievance, is obligated to forward that information to the union; on the basis the information may be of assistance to the union, in its assessment of whether there is a basis for filing a grievance.

For similar reasoning see Arbitrator Lanyon’s decision in Mount Arrowsmith Teachers’ Association.

Halton Regional Police Services Board v Halton Regional Police Association, 2015 CanLII 47877 (ON LA).

Arbitrator awards damages for substance abuse counsellor’s indiscretions

21 Sep

On June 15th, Arbitrator Michel Picher awarded damages to three employees for the indiscretions of a substance abuse counsellor retained by an employer to provide treatment as part of its substance abuse program. Arbitrator Picher:

  • awarded $5,000 to an employee because the counsellor disclosed his cancer diagnosis to the employer without justification and because the counsellor had counselling sessions with the employee in various public places (including Tim Hortons and Home Depot);
  • awarded $2,500 to an employee because the counsellor answered a telephone call and engaged in a discussion about “sensitive matters” while sitting with another employee (also a client); and
  • awarded $1,500 to the employee who overheard the telephone call because it “would undermine [his] expectation of privacy and confidentiality in communications with [the counsellor].”

The employer argued it hired a reputable provider and was unaware of the serious allegations made against the counsellor until after the union filed a grievance. Arbitrator Picher’s response reflects the approach taken in finding employers liable for workplace harassment (see Robichaud). He said, “The employer cannot disavow or escape responsibility for the actions of its chosen agent and must bear liability for any violation, in the course of his duties, of the rights of the employees in the bargaining unit for which he was responsible.”

Halifax Employers Assn. and ILA269 (2014-L-39), Re, 2015 CarswellOnt 10497.

Arbitrator awards $1,750 per employee for work camp sniffer dog search

20 Sep

Those interested in privacy damages decisions should note this March 21, 2014 arbitration decision that just came to my attention. In it, an arbitrator awarded $1,750 to each employee affected by an employer’s admittedly wrongful sniffer search of a remote work camp. He also awarded $2,250 to an employee who was affected by a false positive and who testified to the strain the event caused him. Here is the core of the reasoning:

The effect of the Employer’s violation of privacy rights on employee health, welfare, social, business or financial positions in the present case may be viewed as negligible, particularly given that, by the end of the day in question, every employee knew they were not in any trouble as a result of the search. There were, however, no doubt some lasting effects given that the trust relationship between the Employer and employees was violated, and the Employer did not make acknowledgment of any wrongdoing for a period of over two years subsequent to the violation. Unlike the situation considered by Arbitrator Sims, there was no timely admission of error or apology aimed at rectifying the mistrustful environment caused by the Employer’s improper search.

In the present case the Employer did nothing up until Counsel’s opening statement at these arbitration proceedings that would have served to calm “the employees’ anxieties over the Employer’s attitude towards their right to privacy”, and employees were for a very lengthy period of time left with the impression that Manager Billingsley conveyed at the demonstration to the effect that the Employer was not only unapologetic, but that it had every right to enter and search residences without notification or the presence of its occupants. Further Manager Annibal’s evidence at these proceedings did not include an unequivocal admission that employee privacy was violated, and he left it open as to whether such was the case when he stated he was “sorry if he violated anyone’s privacy.” Despite the opening statement made at these proceedings by Counsel for the Employer over two years after the unlawful incident occurred, little of sincere substance was conveyed to quell the distress and annoyance suffered by the employees as a result of the improper search.

Another factor in the present case that bears on the matter of appropriate remedy is the previous settlement in 2005 between parties on the precise topic of Employer searches without reasonable cause. As a result of this settlement it would be reasonable to conclude the Employer was attuned to the matter of employee privacy rights and unreasonable searches. The Union and its members had a right to rely on the substance of this settlement agreement as protection against further searches without reasonable cause.

I accept the circumstances of the present case warrant an award of damages in the amount of $1,750 to each employee covered by the grievance except Mr. Moretti, who is entitled to $2,250. For clarity, employees are entitled to the damages whether or not they were scheduled to be at Kemano during the week the search occurred. The circumstances do not warrant the cease and desist order sought by the Union.

Note the emphasis on the lack of an early, genuine apology.

Rio Tinto Alcan and Unifor, Local 2301 (Kemano), Re, 2014 CarswellBC 4251.


Arbitrator says outsourcing e-mail system to the cloud lawful

5 Sep

On August 25th, Arbitrator Outhouse held that Dalhousie University did not violate the Personal Information International Disclosure Protection Act by providing e-mail and other IT services via a cloud-based platform. The decision is about compliance with the Nova Scotia statute, though Arbitrator Outhouse does make comment on the interests and risks involved in an outsourcing of this kind.

IPC says a physician acting as assessor is not a health information custodian

5 Sep

On August 25th the IPC/Ontario held that a physician retained to complete a Custody and Access Assessment Report was not acting as a health information custodian, thereby giving helpful guidance on an issue that has been subject to great confusion.

The IPC explained:

The definition of “health care practitioner” in section 3(1) is premised on the fact that the health care practitioner must be providing health care. Further, “health care” as defined in section 2 of PHIPA must be for a “health-related purpose.” In my view, on the facts of this particular case, the service provided by Dr. Morris was not provided for a health-related purpose, but rather for the purpose of assisting the parents, and possibly the courts, to develop a parenting plan which would function in the best interests of the child. Therefore, and for the further reasons set out below, I find that Dr. Morris was not providing health care when he provided a service in this capacity. Consequently, I find that Dr. Morris was not a “health information custodian” as defined in section 3(1) for the purpose of preparing the Custody and Access Assessment Report. As set out below, this interpretation of PHIPA is consistent with the decision of this office in complaint number HC-050014-1, with the policy behind subsection 20(2) of PHIPA, with the decision of the Federal Court of Appeal in Wyndowe v. Rousseau, and with public guidance provided by the Ministry of Health and Long-Term Care in relation to the definition of “health care.”

The IPC also dealt with the Divisional Court decision that has contributed to the confusion – Hooper v College of Nurses of Ontario. The IPC said:

The Divisional Court held that pursuant to section 76 of the Health Professions Procedural Code, being Schedule 2 to the Regulated Health Professions Act, 1991, the investigator appointed by the College of Nurses of Ontario had the jurisdiction to request and use the records from the Sunnybrook and Women’s College Health Sciences Centre.  The Divisional Court further held that the Sunnybrook and Women’s College Health Sciences Centre had the jurisdiction to disclose these records to the College of Nurses of Ontario.  The Divisional Court stated that the Occupational Health and Safety Department was providing health care and therefore the information contained in the records at issue was personal health information as defined in section 4 of PHIPA. This decision does not discuss how this interpretation of “health care” would more broadly affect the collection, use, and disclosure of personal health information on the basis of assumed implied consent pursuant to section 20(2) of PHIPA.

On my review of this decision, it was not necessary for the Divisional Court to decide whether or not the Occupational Health and Safety Department was providing health care and therefore that the information contained in the records was personal health information.  If they were not records of personal health information, the disclosure would not be subject to PHIPA.  Alternatively, if they were records of personal health information, the disclosure would be permitted, as the Divisional Court noted, pursuant to sections 9(2)(e) and 43(1)(b) of PHIPA.  As a result, the statement by the Divisional Court that the Occupational Health and Safety Department was providing health care and that the information in the records was personal health information is obiter dicta as it was unnecessary to the decision in the case.

The decision in Hooper is difficult to reconcile with that in Wyndowe, where the Federal Court of Appeal confirmed that physicians performing an independent medical examination are not “health information custodians” for the purpose of PHIPA.  I note that in the Hooper case, the Divisional Court did not have this office’s interpretation of section 20(2) of PHIPA or the findings in HC-050014-1 before it.  In all these circumstances, I am satisfied that the decision in Hooper, as it relates to what constitutes health care and personal health information, is not binding on me.

This is very helpful, in particular to employers, who often face an argument that the health care practitioners they retain as assessors and consultants are subject to the “custodial” duties in PHIPA. The only section of PHIPA that typically binds employers and their assessors/consultants is section 49.

Morris (Re), 2015 CanLII 54751 (ON IPC).
