Month: January 2009

Information Roundup – 11 January 2009

This edition of the Information Roundup is brought you by Twitter.

No kidding! I’ve been on it for about a week and half now and it’s caused quite a switch in how I pick up information from the web.  Many thanks to the folks at Unfiltered Orange, who are the likely source of two out of the three topics that I think will interest you this week.  They relate to… personal e-mails on work computers, the management of social insurance numbers by employers and National Instrument 31-103 and security firm record-keeping.

Personal e-mails on work computers

Personal use of employer computer systems is a pet issue for me, and I was blown away to read about how “personal” e-mails on work computers are treated under European data collection laws in Data Collection: Nothing Personal. This article, by litigation support professional Bill Onwusah, describes how European companies have to mind their process of collecting e-mails for production in litigation so that employees’ personal e-mails are not collected for subsequent review. He says:

Particularly in mainland Europe, you cannot collect personal data and the mere act of doing so may contravene the local data protection legislation. The fact that it’s stored on a work PC is irrelevant. Users retain personal data as their own.

Wow!  Canadian law still allows employers full control over their e-mail systems provided they give employees notice that they should not expect any privacy in their personal use. Most of the jurisprudence is arbitral and therefore based on collectively bargained rights, but our employment privacy statutes do not necessarily change this basic rule. And recently, in Johnson v. Bell Canada, our Federal Court held that our federal-sector employment privacy statute, PIPEDA, does not even apply to “personal” employee e-mails.

My view is that managing personal information in the production process is a newly important issue for Canadian organizations to reckon with insofar they are willing custodians. Employee personal e-mails do not fit within this category and, given the costs and complexities of of managing production from “mixed” e-mail systems, an approach that relies on clear notification makes for fair and sensible  workplace policy.

Management of SINs by employers

This Proskauer Rose client alert talks about a recently in force New York regulation that deals with employers’ management of Social Security Numbers and other employee “personal identifying information” – including drivers license numbers.  

I don’t believe we have similar legislation regarding drivers licenses in any Canadian province, but our Social Insurance Numbers are regulated by section 237(2)(b) of the federal Income Tax Act.  This provision prohibits employers from using, communicating or “allowing to be communicated” a Social Insurance Number for purposes not related to tax administration without written consent.  Our clients often ask whether SINs (or a variant of them) can be used as identifiers and we generally advise them to stay away from such practices in light of the ITA.  

Proskauer also notes that New York’s General Business Law appears to allow employers to collect an SSN on an employment application form.  Since there is no purpose related to tax administration for doing so, this practice is rightly avoided in Canada. If a Canadian employer needs to ask for a SIN to conduct a background check, this should generally be done towards the end of the recruitment process subject to written consent.

National Instrument 31-103 and security firm record-keeping

I’m just starting my learning process on National Instrument 31-103, so will just link to this Wall Street Technology article on how this new piece of securities regulation will affect record-keeping and e-discovery at Canadian securities firms.

 

_dsc2809On a personal note, Seanna was off at Deerhurst this week for a five day sales conference. Being a single father was rewarding and not as hard as I thought it would be, but I’m still recovering from being a solo bedfellow to our hairless cat. “Buffalo” is a Cornish Rex and, if you know the breed, they are very lovable and very needy. He normally sleeps under the covers with his head on Seanna’s pillow. She’s fine with this and I’m happy to give them both a kiss when I leave early to work.  (He’ll actually protest if I ignore him!) Dear Buffalo, however, drives me nuts when Seanna goes away.  I finally got fed up on her last night of absence and locked myself in the walk-in closet with a sleeping bag.  Not to slight Seanna in any way, but I’m sure glad to have my side of the bed back!

See ya!

Dan

Come to “What every lawyer needs to know about privacy”

This is a pitch for the OBA Privacy Law section’s “What every lawyer needs to know about privacy” session.  It’s at the Metro Convention Centre on February 2nd from 1:15 pm to 4:30 pm.  Details here.

There’s a good line up, with a year-in-review talk along with sessions on the new telemarketing regulation and privacy and litigation (a favorite topic of mine).

I’ll be speaking with Professor Avner Levin on workplace privacy in a discussion moderated by Howard Simkevitz.  We’ve been planning the discussion for the last couple of days and have decided to spend a good deal of it on the workplace privacy issues related to Web 2.0.  Dr. Levin and other members of the Ryerson University Privacy and Cyber Crime Institute at the Ted Rogers School of Management have recently published a leading study on the perceptions of risk of young Canadians engaged in online socializing and how their behaviors meet with the use of online social networks by business for commercial and human resources purposes.  The study is entitled The Next Digital Divide:  Online Social Network Privacy and has attracted significant attention. We plan to hit on the major legal and policy issues relating to the workplace that flow from the study as well as touch on the key other “need to knows” about workplace privacy.

We’d love to see you there!

Dan

Case Report – IPC says university foundation is not part of university under FIPPA

Unlike many entities designated as “institutions” under FIPPA, universities have complex corporate structures and are often affiliated with related corporations. Though the definition of “institution” in FIPPA is fairly black and white – it rests primarily on express designation – the issue of FIPPA’s scope of application has been of some concern to Ontario universities since they came under the Act in 2006.

On December 1st of last year, the IPC issued an order on point and did see the analysis as being simple and based on corporate status. Adjudicator Smith concluded:

I find that the YUF is a separate corporation from the corporation that is the University. Therefore, I find that the YUF is not part of the University and that it is not subject to the provisions of the Act.

Though records held by a non-regulated corporation but “controlled” by a FIPPA-regulated institution are subject to the right of public access, this order does lend some clarity to an important issue for universities.

Order PO-2738, 2008 CanLII 68864 (ON I.P.C.).

Case Report – Arbitrator issues strong award in allowing employer to implement biometric timekeeping

On December 15th, Arbitrator Lorne Slotnick dismissed a grievance that challenged the implementation of a biometric timekeeping system.

The employer purchased a Kronos system and required employees to enrol. The system works by matching a person’s partial fingerprint against a 348 byte numeric representation or “template” of the fingerprint that is created in the enrolment process. The employer brought evidence that fingerprint templates were kept secure and could not readily be used to recreate a fingerprint image that could be used by law enforcement. The employer also admitted that it did not have a serious “buddy punching” problem but wanted the superior biometric system anyway.

Arbitrator Slotnick applied a balancing test and dismissed the grievance because the employer had proven a concrete benefit to the system and its invasiveness was minimal. He used the following strong langauge in doing so:

How great is the infringement on privacy of employees? In my view, the evidence reveals it to be extremely small, almost negligible. In fact, labelling this an “invasion” of privacy strikes me as linguistic excess. When employees enrol in the system, a scan of less than half of a fingertip is taken. Enrolment, the evidence indicates, takes less than a minute. There is no physical intrusion, no furnishing of any bodily substance, no exposure of any part of the body that is considered private. Employees do not provide a fingerprint, nor can the scan that is provided be reconstructed into a fingerprint.

Natrel asked me to contrast these facts with the kinds of personal information that is routinely gathered by this employer and others, such as employees’ home phone numbers, signatures, home addresses and social insurance numbers. The union argued this was an irrelevant consideration. I disagree. The type of information given as a matter of course by employees to their employers indicates clearly that a certain level of infringement of privacy is understood and accepted by all workplace parties – provided there is some legal or business justification and provided the information is protected and used only for the purpose for which it is given. No evidence is necessary for me to note that in addition to the information mentioned above, many employers request other sorts of information such as photographs of employees for use on identification cards or bank account numbers for direct deposit of pay. These are accepted intrusions, they are part of the modern workplace, and in my view are far more invasive and far more open to the possibility of misuse or abuse than a scan of part of a fingertip that is converted to a jumble of numbers and deleted right away.

Unionized employers have been cautious about implementing biometric timekeeping systems since Arbitrator Tims upheld two similar grievances in Dominion Colour and IKO Industries, the latter being upheld on judicial review. Though no one arbitrator is bound by another, the facts underlying most challenges to these systems are similar. This decision and two similarly permissive decisions of the Alberta OPIC from last year (see here) are therefore persuasive and tip the balance of authority in employers’ favour. In fact, Abitrator Slotnick noted that Dominion Colour and IKO Industries were not distinguishable on their facts, but that he preferred a different balancing of interests.

Agropur (Natrel) v. Milk and Bread Drivers, Dairy Employees, Caterers and Allied Employees (Teamsters Local Union No. 647), 2008 CanLII 66624 (ON L.A.).

Case Report – BCCA says non-occupant has standing to challenge search warrant

In a fact-driven award released on January 2nd, the British Columbia Court of Appeal held that an accused person who did not occupy premises discovered to be a grow operation had standing to challenge a search of the premises.

The accused lived elsewhere, but the Court inferred possession and control from evidence showing the accused was the owner, possessed keys and was seen there on a few occasions in the two weeks before the search. It held that the trial judge erred in denying standing merely because the accused was not an occupant and that based on possession and control and all the circumstances, the accused had a reasonable expectation of privacy that he was entitled to exercise.

R. v. Vi, 2008 BCCA 481 (CanLII).

Privacy Post 2008 Year in Review Published

I’m happy to announce that we’ve published the Information and Privacy Post “2008 Year in Review.” This years’ edition covers 100 cases from 2008 on the law of privacy and access to information, protection of confidential business information and the law of production. Co-editor Paul Broad and I also have done a forward to the annual that discusses the following five highlights:

  1. Ontario Court of Appeal says journalists can’t shield wrongdoers…appeal pending (on National Post)
  2. Three civil privacy claim cases out of Ontario… the dawning of a new era? (on Nitsopoulos, Warman and Colwell)
  3. SCC says privacy commissioner can’t adjudicate on privilege claims (on Blood Tribe, E.F.A. Merchant and Proplus)
  4. Alberta Court of Appeal decision lends some clarity to pleas for a spoliation remedy (on Black & Decker and Commonwealth Marketing Group)
  5. SCC says what’s disclosed in the discovery room stays in the discovery room (on Juman v. Doucette)

We hope you enjoy!

Dan

Information Roundup – 3 January 2009

I took a break from case law over the holiday, but did do some other reading and listening. Here are some bits you might find interesting on the recent FERPA “health and safety exemption” amendments, privacy as a concept and data and records administration.

FERPA amendments.  The Proskauer Rose Privacy Law Blog reports that the United States Department of Education has published finalized amendments to the Family Educational Rights and Privacy Act.  Notably, the Department received comments critical of its proposed “rational basis” standard for disclosure in health and safety emergencies.  (See Yasmin Nissim’s paper for a view that would suggest the amendment is a consequence of “moral panic.”) The DOE defends the new standard in the comments to the final regulations, but has reacted to the pro-privacy feedback by requiring institutions to record the “articulable and significant threat” to health and safety that forms the basis for a health and safety related disclosure.

Privacy as a concept.  If you’re inclined to academic writing, you may like an article by Karen Eltis of the University of Ottawa entitled, “Can the Reasonable Person Still Be ‘Highly Offended’? An Invitation to Consider the Civil Law Tradition’s Personality-Rights Based Approach to Tort Privacy.” As you might expect, it’s a critique of the reasonable expectation of privacy doctrine, which Professor Eltis describes as the prevailing tort standard in common law jurisdictions.  I’ve read similar critiques before, but wasn’t familiar with the strong dignity-based conception of privacy that prevails in civil law, a conception that Professor Eltis supports.  Check out Dan Solove’s Understanding Privacy if you’re interested in reading more about conceptualizing privacy.  

Data and records administration.  Lastly, this New York Times article on the archiving of Bush administration data is worth a check.  Would it surprise you that the administration is not immune from the problem of ballooning data stores?   The article does raise how open government legislation adds some significant complexity to the challenge of records management, an issue for the public sector as a whole and one touched on in the most recent This Week in Law. Also related: this video lecture of computer scientist Kai Li on “disk-based de-duplication storage.”  Super-technical and mostly over my head, but I did find the general description of how corporate data management works very enlightening. You may too.

img_0032We had a great holiday at home in TO. Unable to get away, we had a nice time kicking around with family. Hugo (20 months now) discovered snow.  I got all excited after a big storm and hauled him over to nearby Withrow Park with a new toboggan at 7:30 am. Not a sole around and it was about minus fifteen centigrade. I gave him serious snow job on our first run and he freaked. So we’re more into father-son shoveling now and, as the attached picture might suggest, he’ll live to toboggan another day. (Seanna and I got each other a new camera over the holiday. We’re having great fun with it and she’s encouraged me to post this picture. You may see more personal pictures over time, though I’m still feeling somewhat shy.)

I hope you’re as rested and charged up about this year as I am.  Best wishes.

Dan

I’m twittering

On the Rogers’ technology adoption curve it’d be fair to deem me either a “sleepy early adopter” or a “relatively early majoritarian.” So after reading a number of raves from inside and outside the legal blogging community about Twitter and its great successes in 2008, I figured it was about time to join in.

Yesterday I brought my long-dormant Twitter account to life and am now following basically anybody I know whose Twittering in the Canadian legal community as well as some of the more profound legal Twitterers from south of the border. Have I missed you? Please let me know.

My very early impression is that Twitter is both amazingly impersonal and amazingly intimate. Could there be a tool more ready-made to facilitate the merger of personal and professional lives?

So I’m enthused, and am looking forward to using Twitter together with this blog in the upcoming year. I plan on pushing more bite sized information and privacy content out through Twitter and saving a little more context for my regular “Information Roundup” feature. Twitter may also help me bring the content of this blog into focus by giving me a good vehicle for collaborating on all the other things I find interesting. I’ll need to ease my way into more personal tweets, but something tells me that won’t take long.

Please follow if you care!

Dan