On July 14th, the Supreme Court of British Columbia dismissed a privacy breach claim against a public body as being within the exclusive jurisdiction of the Office of the Information and Privacy Commissioner for British Columbia.
The plaintiff sued the ICBC and others for wrongs arising out of the collection and use of his personal information. He framed his action in a number of valid legal bases including breach of contract and breach of confidence. The claim referred to duties under the British Columbia Freedom of Information and Protection of Privacy Act; the plaintiff said these references were simply recitations of “material facts.”
The Court found that significant parts of the claim (in their essence) addressed subject matter governed exclusively by FIPPA and its complaint resolution process. It said:
In summary, I conclude that FIPA is an exhaustive legislative scheme for the investigation and adjudication (subject to judicial review) of complaints related to the collection, use and disclosure of personal information in this province. Investigations of complaints about how a public body such as ICBC has collected, used or disclosed personal information are prescribed in FIPA. I am unable to find a role for the civil courts in these matters (except for judicial review).
This issue has been litigated in Ontario. For a case in which the Ontario Superior Court of Justice struck a claim based solely on a breach of MFIPPA, see Sampogna v Smithies. For a more recent case in which the Ontario Superior Court of Justice allowed a privacy breach claim to proceed against an health information custodian and others despite an argument that the Ontario Personal Health Information Protection Act covered the field, see Hopkins v Kay. Hopkins has been appealed to the Court of Appeal for Ontario.
Cook v The Insurance Corporation of British Columbia, 2014 BCSC 1289.
The Court of Appeal of Alberta issued a decision on July 16th that dealt with a significant FOI standing issue among other issues relevant to FOI practitioners.
The Court quashed the Alberta OIPC’s appeal of a lower court decision to quash an order by which the OIPC compelled the Minister of the Environment to disclose a remediation agreement it entered into with Imperial Oil. It also, in obiter, affirmed the lower court’s decision.
The Court quashed the appeal based on a finding that the OIPC had no standing. Alberta case law establishes that a statutory tribunal whose own decision has been quashed on judicial review cannot appeal from that order unless its own jurisdiction is in question. The Court applied this to the OIPC despite the OIPC’s arguments about the unique role of an FOI adjudicator.
In addressing whether the remediation agreement was accessible to the public, the Court held that the agreement was subject to settlement privilege and that the OIPC had erred in finding that settlement privilege does not apply to final agreements. The application of settlement privilege to final agreements gives potentially wide protection to agreements between public institutions and outside parties and is now supported by the the Supreme Court of Canada based on its June 2013 decision in Sable Offshore Energy Inc. v Ameron International Corp.
The Court also interpreted a requirement common to third-party harms exemptions in Canadian FOI statutes that demands information “of the third-party” to qualify. It said:
The exception does not necessarily require ownership in the strict sense; the private party supplying the information would not have to prove that it had a patent or copyright on the information. If the private entity took scientific, financial, or commercial information that was in the public realm, and then applied that information to its specific business, property, and affairs, the resulting data would still be “of the third party”. In other words, it is the information as applied to the business of the third party that would be “of the third party”, not the background scientific or economic principles underlining that information.
The Court held that the OIPC erred in finding that expert reports prepared for Imperial Oil and appended to the agreements did not contain information “of Imperial Oil” because the reports “were developed at the request of the Public Body or in consultation with it.”
Imperial Oil Limited v Alberta (Information and Privacy Commissioner), 2014 ABCA 231 (CanLII).
There are a some notable points in a June 6th decision of the Public Service Labour Relations Board that upholds the discharge of a federal public servant for forwarding e-mails to his personal e-mail account.
The employer had discharged the employee for sending home restricted-access documents about internal job competitions, including documents related to a competition in which he had participated and documents containing the personal information of 108 other employees. The Board held that the grievor, who was an HR assistant, had engaged in a serious breach of trust and caused the employer embarrassment: “Progressive discipline does not apply to this case since very serious misconduct occurred.”
Although the Board dismissed the grievance with this strong and favorable employer endorsement, it did express a “concern” about the manner in which the employer conducted its forensic investigation into the grievor’s system usage. It said:
The grievor also raised concerns about the lack of concern that the employer showed for his privacy, specifically that it gave no specific instructions to Mr. Roussel about protecting the grievor’s privacy when Mr. Roussel conducted his investigation. I am also concerned about it. Furthermore, in the absence of such instructions, Mr. Roussel included in his report personal information about the grievor that had nothing to do with the purpose of the investigation, which was to inquire into the grievor conducting personal business using the employer’s network. I did not report on it since it was irrelevant to deciding the four grievances in front of me. However, this lack of respect for the grievor’s privacy does not reduce the seriousness of his misconduct. At this point, I can recommend only that in the future, the employer take employees’ privacy under consideration when conducting that type of investigation.
It’s not clear from the decision how exactly the employer erred given the Board’s limited description. In any event, employers should create and administer a protocol that governs non-routine access to system information and non-routine system monitoring – e.g., access for the purpose of conducting audits and investigations.
Gravelle v Deputy Head (Department of Justice), 2014 PSLRB 61 (CanLII).
Last Friday’s Supreme Court of Canada’s decision in R v Spencer renders it unlawful for a telecommunications service provider (or any other commercial actor) to voluntarily identify an anonymous internet user to help the police investigate crime.
Spencer is about the means by which police have investigated the trading of child pornography on the internet – i.e., by identifying objectionable online activity that is associated with an IP address and by asking the service provider who assigned the IP address for “subscriber information” that identifies the holder of the account to which the IP address was assigned. This legality of this means of investigation – enabled by service provider cooperation – has been heavily litigated; in 2012, the Court of Appeal for Ontario held that the police do not breach section 8 of the Charter by obtaining the identity of an anonymous internet user without judicial authorization because such a user has no reasonable expectation of privacy.
The Supreme Court of Canada has now unanimously reached the opposite conclusion. The Court stayed true to the case law that establishes that the protection afforded by section 8 of the Charter should not be debased by framing the activity that the proponent seeks to protect as criminal and therefore unworthy of protection. Although the police may have an entirely legitimate interest in pursuing criminal activity that we all can observe on the open internet, the issue according to the Court was (more neutrally) whether “people generally” have a right to use the internet anonymously.
The Court said “yes” and, in doing so, offered some principled support for online anonymity. It also said that the service provider’s contractual terms and the provision of the Personal Information Protection and Electronic Documents Act that allows for voluntary disclosures to law enforcement were both too ambiguous to weigh against a reasonable expectation of privacy finding.
The Court then held that police requests for subscriber information are not reasonable because they are not “authorized by law.” Notably, the Court did not consider whether the search was authorized by the common law nor did it consider the interplay between section 8 of the Charter and the common law constraint on police action, which a majority of Court said is less constraining than section 8 in R v Kang-Brown (see para 56). To the contrary, the Court’s decision in Spencer appears to be heavily driven by the proposition that the police only have the power to ask questions “relating to matters that are not subject to a reasonable expectation of privacy.”
Spencer is a very significant decision on the reasonable expectation of privacy concept, internet anonymity and police powers. More practically, here are two points of significance:
- The Court’s treatment of the provision in PIPEDA that allows for voluntary disclosures to law enforcement – section 7(3)(c.1)(ii) – significantly increases the risk associated with voluntarily disclosing personal information to law enforcement. Organizations subject to PIPEDA will breach the Act if they disclose information that is subject to a reasonable expectation of privacy.
- There’s nothing in Spencer that stops the government from amending PIPEDA or passing legislation to authorize the exact means of investigation that the Court has found to be unlawful. In essence, the Court has deferred a question about whether the means of investigation – if authorized by law – would be “reasonable.”
R v Spencer, 2014 SCC 43 (CanLII).
Yesterday the Supreme Court of Canada held that the “advice and recommendations” exemption in Ontario’s freedom of information legislation exempts both suggested courses of action and evaluative analysis from the right of public access.
The advice and recommendations exemption provides public servants with a zone of privacy in which to make good decisions that are free from the pressures of partisan politics. Justice John Evans of the Federal Court of Appeal has described the purpose the exemption as follows:
It would be an intolerable burden to force ministers and their advisors to disclose to public scrutiny the internal evolution of the policies ultimately adopted. Disclosure of such material would often reveal that the policy-making process included false starts, blind alleys, wrong turns, changes of mind, the solicitation and rejection of advice, and the re-evaluation of priorities and the re-weighing of the relative importance of the relevant factors as a problem is studied more closely. In the hands of journalists or political opponents this is combustible material liable to fuel a fire that could quickly destroy governmental credibility and effectiveness.
The Supreme Court of Canada held that the IPC/Ontario’s interpretation of the advice and recommendations exemption as shielding only the recording of a “suggested course of action that will ultimately be accepted or rejected by the person being advised” was unreasonable. It said that the IPC’s interpretation gave insufficient meaning to the word “advice,” which has a broader meaning than the word “recommendation.” It also said the IPC’s interpretation unduly limited the protective purpose of the exemption.
The Supreme Court of Canada’s ruling applies equally to government ministries and other Ontario FOI institutions. It means that recordings of decision-supportive “evaluative analysis” made by public servants, employees, consultants and others will generally be exempt from the right of public access. This may include, for example, lists of alternatives with comments about advantages and disadvantages or simply lists of alternatives. It may also include, according to the Court, drafts of the same kind of recordings.
John Doe v Ontario (Finance), 2014 SCC 36 (CanLII).
On April 2nd, the Ontario Superior Court of Justice dismissed an application for the disclosure of detailed employee payroll information from an employer to its partner in a joint venture.
The partner was partially responsible for the employer’s wage bill and relied on its right to inspect records under the joint venture agreement. The employer argued that, despite the agreement, it could not disclose employee personal information without violating PIPEDA. As an alternative, the employer offered to have an audit conducted and share the results. The partner felt this was insufficient.
Justice Perell held that he had no power to make an order that would relieve the parties from the PIPEDA consent requirement, stating “s. 7(3)(c) of PIPEDA does not provide a free-standing jurisdiction to grant exemptions.” He dismissed the application without prejudice to the filing of a new application based on the “activation” of another PIPEDA exemption.
Mountain Province Diamonds Inc v De Beers Canada Inc, 2014 ONSC 2026 (CanLII).