Today, the Office of the Information and Privacy Commissioner for British Columbia held that the District of Saanich breached the British Columbia Freedom of Information and Protection of Privacy Act by installing endpoint monitoring software on employee workstations.
The District’s plan was not well conceived – apparently arising out of a plan to shore up IT security because the District’s new mayor was “experienced in the area of IT.”
The District installed a product called Spector 360 – a product billed as a “comprehensive user activity monitoring solution.” This is software that enables the collection of detailed data from “endpoints” on a network. It is not intrusion detection software or software that helps analyze events across a network (which the OPIC noted is in use at other British Columbia municipalities).
The District enabled the software on 13 workstations of “high profile users” to capture a full range of endpoint data, including screenshots captured at 30 second intervals and data about all keystrokes made. The purported purpose of this implementation was to support incident response, a purpose the OIPC suggested could only support an inadequate, reactive IT security strategy.
The OIPC held that the District collected personal information without the authorization it required under FIPPA and failed to notify employees as required by FIPPA. I’ll save on the details because the OIPC’s application of FIPPA is fairly routine. I will note that the OIPC’s position is balanced and seems to adequately respect institutions’ need to access system information for IT security purposes. It acknowledges, for example, that some limited data collection from endpoints is justifiable to support incident response. Not surprisingly, the OIPC does not endorse taking screen shots or collecting keystroke data.
Investigation Report F15-01, 2015 BCIPC No. 15.
Here’s a presentation my partner Ian Dick and I gave today to an audience of in-house counsel. It’s about the why’s and how’s of breach response planning. The wonderful Karen Gordon of Squeaky Wheel Communications also presented on communicating a data breach, and her slides are attached.
On January 5th, Arbitrator Norman of Saskatchewan held that an employer breached its collective agreement by periodically deploying drug detection dogs to screen people entering its mine.
Arbitrator Norman held that the process intruded on a reasonable expectation of privacy based on evidence that the dogs would likely identify off-duty drug use. Though Arbitrator Norman characterized the search invited by a dog sniff as minimally intrusive (and less intrusive than the sampling of bodily substances), he nonetheless held that the employer’s safety-related process was unreasonable. He drew heavily from the Supreme Court of Canada’s Irving Pulp and Paper decision, stating:
The prior threshold stage in the justificatory argument limiting rights under the Charter sets the bar very high; calling for proof of a pressing and substantial objective demonstrably justifiable in a free and democratic society, for the challenged measure. Under ‘Charter values’ analysis, I take the threshold bar to have been set by Irving as “… evidence of enhanced safety risks, such as evidence of a general problem with substance abuse in the workplace.”
While many might agree with the outcome, this reasoning is questionable. The resolution of privacy issues call for a highly contextual balancing of interests. Irving speaks to a particular balance that relates to universal random drug and alcohol testing, a process Arbitrator Norman reasons is relatively intrusive; Irving establishes no “bar” to meet in implementing other safety measures in the workplace whether or not they are related to drug and alcohol use. Moreover, the reference above to the Oakes test is flawed; under a Charter analysis (if such analysis is necessary), the question of whether a search is an “unreasonable search” is distinct from the question of justification under section 1 and Oakes.
USW, Local 7552 and Agrium Vanscoy Potash Operations (5 January 2015, Norman).
Yesterday the Information & Privacy Commissioner/Ontario issued a paper called “Detecting and Deterring Unauthorized Access to Personal Health Information.” The paper adjusts and augments the detailed guidance on hospital data security the IPC provided in December when it issued HO-013.
In issuing HO-013 the IPC articulated numerous requirements in near checklist form. The IPC adds new requirements in Detecting and Deterring. Hospitals that are currently using HO-013 to conduct a gap analysis should now refer to Detecting and Deterring.
One exception to the augmentation is the IPC’s handing of “search controls” – controls that rest on limiting the search functionality of patient record systems. The IPC has backed off noticeably from HO-013 in Detecting and Deterring, which states:
With respect to search controls, it is important to note that open-ended search functionality may facilitate unauthorized access to personal health information in electronic information systems. For example, in the privacy breach involving the use and disclosure of personal health information for the purpose of selling or marketing RESPs, agents of the hospital were able to obtain lists of women who had recently given birth by performing open-ended searches of a patient index. To prevent this, custodians should ensure that the amount of personal health information that is displayed as a result of a search query is limited, while still enabling agents to carry out their employment, contractual or other duties. Open-ended searches for individuals should be prohibited by the search functionality and search capabilities of electronic information systems containing personal health information. Ideally, electronic information systems should be configured to ensure that search criteria return only one record of personal health information. If that is not feasible, then electronic information systems should be configured so that no more than five records of personal health information are displayed as a result of a search query.
The withdrawal makes sense. Search controls can put patient safety at risk, yet even rigid search controls are a questionable deterrent to intentional unauthorized access. Are bad actors really more likely to engage in unauthorized access because information is easy to find?
Hospitals should beware of the distinction between prescriptions that are recommendatory and prescriptions the IPC has the power to enforce. This is most important in considering the heavily-augmented breach response section of Deterring and Detecting. The IPC, for example, returns to an accountability-related idea it has pressed since making order HO-010 in 2010 by suggesting that hospitals should provide affected individuals with the name of “the agent that caused the privacy breach” in a breach notification letter. The IPC has the power to enforce breach response requirements that are derived from section 12 of PHIPA. A number of the prescriptions it makes on breach response (not necessarily the one I have identified above) have a tenuous connection to section 12 and can reasonably be viewed as recommendatory.
On August 7th, British Columbia labour arbitrator Julie Nichols issued a decision that addressed the discharge of an employee who refused to consent to an independent medical examination.
The decision is notable for two reasons.
First, the facts are common. The employee went off and provided medical evidence from a family physician that indicated he needed to change jobs on account of an “acute stress/anxiety reaction.” After receiving three communications from the family physician that were not helpful, the employer sought an IME based on a discretion set out in the collective agreement. Arbitrator Nichols held the employer acted reasonably in the circumstances because it had grounds to question whether the employee had “medicalized” a workplace issue.
Second, the award deals with the scope of information available to an IME provider. Arbitrator Nichols held that non-medical parties (employers, unions, employees) are not in a good position to determine the information needed to conduct an IME and that a reasonable IME process contemplates the collection of some extraneous information by the IME provider. The form at issue permitted the IME physician “to review copies of all medical and/or employment records related to my condition that will assist” and limited this permission by date range. Arbitrator Nichols held the form was reasonable.
Metro Vancouver v Greater Vancouver Regional District Employees’ Union, 2014 CanLII 74955 (BC LA).
The IPC/Ontario issued an order on December 17th in which it noted an inconsistency in its treatment of OHIP billing information as personal information. It said:
As the parties have noted, a number of IPC orders have considered the issue of whether OHIP billings reveal personal information of doctors. In these orders, this office has concluded that OHIP billings that can be connected with specific doctors are their personal information. For example, in Order P-1502, the Commissioner found that payment to a physician for services rendered in connection with the prescription of home oxygen services was a “financial transaction” within the meaning of section 2(1)(b) of the Act, and therefore qualified as personal information. I followed this above approach in Order PO-3200.
Interestingly, the above approach can be contrasted with the treatment of other professionals whose billing information has been ordered disclosed under the Act. In Order PO-3207, I found that information about legal fees paid to a lawyer by a hospital was not exempt from disclosure under the personal privacy exemption, as it was not personal information. In Orders MO-2363 and MO-2927, among others, this office found that the details of fee arrangements between government institutions and professional consultants did not qualify as the personal information of the consultants.
Though making this note, it was unnecessary for the IPC to resolve the inconsistency or depart from its prior decisions to make the order. The information at issue related to payments made to group practice. The IPC held that, in the circumstances, the information did not reveal anything about an individual physician.
Ministry of Health and Long-Term Care (Re), 2014 CanLII 77316 (ON IPC).