BCCA – Open courts principle does not provide for “automatic and immediate” access to court records

On December 9th, the Court of Appeal for British Columbia rejected a media challenge that alleged that the Court’s access policy violates section 2(b) of the Canadian Charter of Rights and Freedoms because it precludes wholly unfettered inspection of court records. The Court held that the Charter guarantees no such right, which would be inconsistent with a court’s responsibility for supervising the handling of its records.

The policy that the applicants challenged requires those seeking access to court records in criminal appeals to fill out of a form. Based on the content of completed forms, the Registrar may refer the request to the Chief Justice, who may seek input from the parties. In practice, if parties who are consulted don’t agree that the Court should provide access, those seeking access must file a formal application for access.

The media brought its application after the Court denied administrative access to records (filed in an application for bail pending appeal) that involved the investigation of a police officer for sexual misconduct. The media argued that the policy reverses the burden of justification provided for by Dagenais/Mentuck.

Chief Justice Bauman disagreed, stating:

Unfettered public access to court records is not the promise of the open court principle. That access is subject to supervision by the court, in recognition of the need to protect social values of superordinate importance. Judges have the discretion to order restrictions on access, exercised within the boundaries set by the principles of the Charter:

There is also nothing unlawful, Chief Justice Bauman held, in requiring requesters to confront a matter of administration (which was not associated with any proven material delay) in order to relieve the parties to a proceeding from preemptively seeking a sealing order.

R. v. Moazami, 2020 BCCA 350 (CanLII).

Tinker-ing with Machine Learning: The Legality and Consequences of Online Surveillance of Students

I’ve had a long time interest in threat assessment and its application by educational institutions in managing the risk of catastrophic physical violence, though it has been a good ten years since the major advances in Canadian institutional policy. Here is a pointer to a journal article about an apparent new United States trend – automated monitoring of online and social media posts for threat assessment purposes.

Author Amy B. Cyphert starts with an illustrative scenario that’s worth quoting in full:

In 2011, a seventeen–year–old named Mishka,1 angry that his friends had recently been jumped in a fight, penned a Facebook post full of violence, including saying that his high school was “asking for a [expletive] shooting, or something.” Friends saw the post and alerted school officials, who contacted the police. By the time psychologist Dr. John Van Dreal, who ran the Safety and Risk Management Program for Mishka’s Oregon public school system, arrived, Mishka was in handcuffs.4 Mishka and his classmates were lucky: their school system employed a risk management program, and Dr. Van Dreal was able to help talk with Mishka about what caused him to write the post. Realizing that Mishka had no intention of harming anyone, Dr. Van Dreal helped Mishka avoid being charged with a criminal offense. Dr. Van Dreal also arranged for him to attend a smaller school, where he found mentors, graduated on time, and is today a twenty–five–year–old working for a security firm.

Had Mishka’s story happened today, just eight short years later, it might have looked very different. First, instead of his friends noticing his troubled Facebook post and alerting his school, it might have been flagged by a machine learning algorithm developed by a software company that Mishka’s school paid
tens of thousands of dollars to per year. Although Mishka’s post was clearly alarming and made obvious mention of possible violence, a post flagged by the algorithm might be seemingly innocuous and yet still contain terms or features that the algorithm had determined are statistically correlated with a higher likelihood of violence. An alert would be sent to school officials, though the algorithm would not necessarily explain what features about the post triggered it. Dr. Van Dreal and the risk management program? They might have been cut in order to pay for the third-party monitoring conducted by the software company. A school official would be left to decide whether Mishka’s post warranted some form of school discipline, or even a referral to the authorities.

Cyphert raises good questions about the problem of bias associated with algorithmic identification and about the impact of monitoring and identification on student expression, privacy and equality rights.

My views are quite simple.

I set aside algorithmic bias as a fundamental concern because the baseline (traditional threat assessment) is not devoid of its own problems of bias; technology could, at least in theory, lead to more fair and accurate assessments.

I also put my main concern on the matter of efficacy. Nobody disputes that schools and higher education institutions should passively receive threat reports from community members. My questions. Has the accepted form of surveillance failed? What is the risk passive surveillance will fail? How will it fail? To what degree? Does that risk call for a more aggressive, active monitoring solution? Is there an active monitoring solution that is likely to be effective, accounting concerns about bias?

If active internet monitoring cannot be shown to be reasonably necessary, however serious the problem of catastrophic physical violence, I question whether it can be either legally justifiable or required in order to meet the standard of care. Canadian schools and institutions who adopt new threat surveillance technology because it may be of benefit, without asking the critical questions above may invite a new standard of care with tenuous underpinnings.

Cyphert, Amy B. (2020) “Tinker-ing with Machine Learning: The Legality and Consequences of Online Surveillance of Students,” Nevada Law Journal: Vol. 20 : Iss. 2 , Article 4.
Available at: https://scholars.law.unlv.edu/nlj/vol20/iss2/4

The Five Whys, the discomfort of root cause analysis and the discipline of incident response

Here is a non-law post to pass on some ideas about root cause analysis, The Five Whys, and incident response.

This is inspired by having finished reading The Lean Startup by Eric Ries. It’s a good book end-to-end, but Ries’ chapter on adaptive organizations and The Five Whys was most interesting to me – inspiring even!

The Five Whys is a well-known analytical tool that supports root cause analysis. Taichii Ohno, the father of the Toyota Production System, described it as “the basis of Toyota’s scientific approach.” By asking why a problem has occurred five times – therefore probing five causes deep – Ohno says, “the nature of the problem as well as its solution becomes clear.” Pushing to deeper causes of a failure is plainly important; if only the surface causes of a failure are addressed, the failure is near certain to recur.

Reis, in a book geared to startups, explains how to use The Five Whys as an “automatic speed regulator” in businesses that face failures in driving rapidly to market. The outcome of The Five Whys process, according to Ries, is to make a “proportional” investment in corrections at each five layers of the causal analysis – proportional in relation to to the significance of the problem.

Of course, root cause analysis is part of security incident response. The National Institute of Standards and Technology suggests that taking steps to prevent recurrences is both part of eradication and recovery and the post-incident phase. My own experience is that root cause analysis in incident response is often done poorly – with remedial measures almost always targeted at surface level causes. What I did not understand until reading Ries, is that conducting the kind of good root cause analysis associated with The Five Whys is HARD.

Ries explains that conducting root cause analysis without a strong culture of mutual trust can devolve into The Five Blames. He gives some good tips on how to implement The Five Whys despite this challenge: establishing norms around accepting the first mistake, starting with less than the full analytical process and using a “master” from the executive ranks to sponsor root cause analysis.

From my perspective, I’ll now expect a little less insight out of clients who are in the heat of crises. It may be okay to go a couple levels deep while an incident is still live and while some process owners are not even apprised of the incident – just deep enough to find some meaningful resolutions to communicate to regulators and other stakeholders. It may be okay to tell these stakeholders “we will [also] look into our processes and make appropriate improvements to prevent a recurrence” – text frequently proposed by clients for notification letters and reports.

What clients should do, however is commit to conducting good root cause analysis as part of the post-incident phase:

*Write The Five Whys into your incident response policy.

*Stipulate that a meeting will be held.

*Stipulate that everyone with a share of the problem will be invited.

*Commit to making a proportional investment to address each identified cause.

Ries would lead us to believe that this will be both unenjoyable yet invaluable – good reason to use your incident response policy to help it become part of your organization’s discipline.

Federal Court of Appeal – litigation database privileged, no production based on balancing

On October 20th, the Federal Court of Appeal set aside an order that required the federal Crown to disclose the field names it had used in its litigation database along with the rules used to populate the fields. It held the order infringed the Crown’s litigation privilege.

The case management judge made the order in a residential schools abuse class action. The Crown had produced approximately 50,000 documents, with many more to come. The plaintiffs sought the fields and rules (and not the data in the fields) to facilitate their review. The case management judge, though acknowledging litigation privilege, judged the fields and rules as less revealing than the data in the fields and ordered production in the name of efficient procedure.

The Court of Appeal held that the case management judge erred because they “subordinated the Crown’s substantive right to litigation privilege to procedural rules and practice principles.” It also held, “a party attempting to defeat litigation privilege must identify an exception to litigation privilege and not simply urge the Court to engage in a balancing exercise on a case-by-case basis.”

Canada v. Tk’emlúps te Secwépemc First Nation, 2020 FCA 179 (CanLII).

Sask QB addresses willfulness requirement in a privacy claim

You might be surprised how often lawyers get sued for invading others’ privacy. On October 5th, the Saskatchewan Court of Queen’s Bench struck such a claim on the basis it disclosed no reasonable cause of action.

The defendant lawyer delivered a divorce petition and related documents to another law firm that had represented the plaintiff in the past, but the law firm was not authorized to receive the documents, and the applicable procedural rules called for personal service. The plaintiff pleaded a failure – i.e. that “the defendants failed to do their due diligence in ensuring McKercher LLP represented the plaintiff on the divorce matter.” The plaintiff said this failure caused a privacy violation given the documents contained information about the plaintiff’s income, property and the grounds for divorce.

Notwithstanding the disclosure of this information, the Court held that the the information disclosed by the plaintiff “was not the plaintiff’s to protect.” This is best viewed a finding based on context. The court punctuated the finding nicely by stating:

The point is this. Service of his wife’s petition on counsel who, as the plaintiff states, is a member of a firm with whom he has a solicitor-client relationship cannot reasonably be perceived to be a violation of his privacy.

The Court also held that the disclosure was not “willful,” as required by the Saskatchewan Privacy Act. Justice Klatt reviewed the law and said:

It is fair to say that there is no firm agreement across the country as to what “willfully” entails in the context of privacy legislation (see, for example, Agnew-Americano v Equifax Canada Co., 2019 ONSC 7110). However, I agree with Halvorson J.’s comments in Peters-Brown that “willfully” requires something more than the intentional commission of an act that has the result of violating privacy. In my view, it is more than recklessness, inadvertence or accident.

This narrow view is an authoritative statement on the law of Saskatchewan, though as noted, the requirement varies across Canada. In Ontario, privacy claims can be based on alleged recklessness (a concept with boundaries in the civil context that are still up for debate).

Kumar v Korpan, 2020 SKQB 256 (CanLII).

Cyber defence basics – Maritime Connections

I was pleased to do a cyber defence basics presentation to privacy professionals attending the Public Service Information Community Connection “Maritime Connections” event yesterday. The presentation (below) is based off of recent publications by the New York Department of Financial Services and the Information Commissioner’s Office (UK) as as the (significant) Coveware Q3 ransomware report.

As I said to the attendees, I am not a technical expert and no substitute for one, but those of us outside of IT and IT security who work in this space (along with the predominantly non-technical management teams we serve) must engage with the key technical concepts underpinning IT security if we are to succeed at cyber defence.

I’ll do an updated version next week at Saskatchewan Connections next week. Join us!

The role of legal counsel in ransomware response – cyber divergence on display

Two publications released earlier this month illustrate different views on how to structure ransomware response, and in particular on how to structure the involvement of legal counsel.

On Wednesday of last week, the Ontario Ministry of Government Services issued a bulletin entitled “What is Ransomware and How to Prevent Ransomware Attacks” to the broader public sector. It features a preparation and response playbook that will be much appreciated by the hospitals, universities, colleges, school boards and municipalities targeted by the MGS.

The playbook treats ransomware response as primarily a technical problem – i.e., a problem about restoration of IT services. Legal counsel is mentioned in a statement about incident preparation, but is assigned no role in the heart of the response process. Indeed, the MGS suggests that the Information and Privacy Commissioner/Ontario is the source of advice, even “early on” in an incident:

If you are unable to rule out whether or not PII was compromised (which will likely be the case early on in an incident), contact the Privacy Commissioner of Ontario (416) 326-3333.

Contrast this with what Coveware says in its very significant Q3 ransomware trends report that it released on November 4th. Coveware – arguably the best source of ransomware data – explains that data exfiltration threats now feature in 50% of ransomware incidents and that ransom payments are a poor (and becoming poorer) method of preventing threat actors from leaking what they take. Coveware says:

Accordingly, we strongly advise all victims of data exfiltration to take the hard, but responsible steps. Those include getting the advice of competent privacy attorneys, performing an investigation into what data was taken, and performing the necessary notifications that result from that investigation and counsel.  Paying a threat actor does not discharge any of the above, and given the outcomes that we have recently seen, paying a threat actor not to leak stolen data provides almost no benefit to the victim. There may be other reasons to consider, such as brand damage or longer term liability, and all considerations should be made before a strategy is set.

The Coveware view, shared by Canadian cyber-insurers, is that ransomware is primarily a legal and reputational problem, with significant downside legal risks for institutions who do not engage early with legal counsel.

I favor this latter view, and will say quite clearly that it is bad practice to call a privacy regulator about a potentially significant privacy problem before calling a privacy lawyer. A regulator is not an advisor in this context.

This is not a position I take out of self-interest, nor do I believe that lawyers should always be engaged to coordinate incident response. As I’ve argued, the routine use of lawyers as incident coordinators can create problems in claiming privilege when lawyer engagement truly is for the “dominant purpose of existing or anticipated litigation.” My point is that ransomware attacks, especially how they are trending, leave institutions in a legal minefield. Institutions – though they may not know it – have a deep need to involve trusted counsel from the very start.

Developmental service agency not a health information custodian

On October 29th, the Information and Privacy Commissioner/Ontario held that an organization operating as service agency under the Services and Supports to Promote the Social Inclusion of Persons with Developmental Disabilities Act is not a health information custodian under the Personal Health Information Protection Act.

The issue of the organization’s status came up in an appeal of its access decision. The organization acted as if subject to PHIPA, but the adjudicator raised its status as a preliminary issue, and ultimately held that PHIPA did not govern the request because the organization was not providing a service for community health “whose primary purpose is the provision of ‘health care’.”

Although the organization both handles medical information in providing its services and contributes to the enhancement of individual health, the IPC held that its primary role is the coordination of service and not the provision of health care. It explained:

[34]      In my view, what is common to each of the six services offered by SCS is SCS’ role as a coordinator for, or link to, a wide range of services offered by third parties to individuals with developmental disabilities and/or autism. It is a role of coordination between these individuals (or their family members) and third-party services, which may include assessing each individual’s needs and/or preferences, and matching them to various types of programs in the community. The effect of the individuals’ participation in those third-party programs may well be that it enhances their health, but that does not transform SCS’ role into one that can be described as having a primary purpose of providing health care. In my view, it would be too broad a reading of “health care” to find that SCS’ primary purpose is the provision of health care.

[35]      It is true that SCS serves members of the community who have health challenges. The complainant states that these individuals “have other health issues including mental and neurological diagnoses, speech-language impairments and complex health needs often requiring 24 hours supervision.” However, the fact SCS’ client base has health challenges does not mean that SCS’ primary purpose is the delivery of health care. With respect to the status of third party entities to whom SCS refers for services, I am not satisfied that their status is relevant to the question of whether SCS itself is a HIC. Assuming, without deciding, that at least some of those third party entities are HICs under PHIPA, that does not mean that SCS itself, as a coordinating agency, is a HIC.

This is a good reminder that organizations do not become health information custodians merely by handling medical information or by employing regulated health professionals. They must engage in the provision of “health care,” which the IPC has defined narrowly in this decision and others.

Service Coordination Support (Re), 2020 CanLII 85021 (ON IPC).

Three (literal) highlights from the IPC Ontario submission

If Ontario follows through with its commitment to enact privacy legislation, the IPC/Ontario will break from her current constraints to become a privacy regulator with global relevance. We ought to listen carefully to what she is saying about reform and build a strong sense as to how she is inclined.

On October 16th, Commissioner Kosseim filed her submission to the province. It is detailed, thoughtful and strikingly moderate. It has no talk of the concept of “fundamental human rights” that has drawn the attention of the federal commissioner. Rather, the Commissioner says that balancing privacy rights with legitimate business needs is a “virtue.”

Read the submission yourself, but here are the three parts of it that I highlighted in my own read.

First, the Commissioner says we need to reframe the role of consent and develop more principled exceptions, but consent should still be at the top of the hierarchy of the bases for processing:

Some might propose that the solution lies in a GDPR-like architecture by adopting multiple grounds for lawful processing of data, whereby consent is only one such ground on the same and equal footing as other alternative bases. However, we believe that non-governmental organizations should first be required to consider whether they can obtain meaningful consent and stand ready – if asked – to demonstrate why they cannot or should not do so before turning to permissible exceptions for processing. This approach would be more in keeping with Ontario values that promote individual autonomy and respect consumer choice. Whenever it is reasonable, appropriate, and practicable for people to decide for themselves, they should be given the opportunity to do so.

Second, the Commissioner is clearly interested in AI and its implications and clearly sees value in fostering data-driven innovation, though does not propose any solutions, calling the handling of data-driven innovation “the most challenging piece to get right in any new private sector privacy law.” Here’s my highlight on this issue:

While Purpose Specification, Consent, and Collection Limitation continue to be relevant principles, a more modern private sector privacy law would need to reconsider the weight ascribed to them relative to other principles in certain circumstances. For example, in an era of artificial intelligence and advanced data analytics, organizations must rely on enormous volumes of data, which runs directly counter to collection limitation. Data are obtained, observed, inferred, and/or created from many sources other than the individual, rendering individual consent less practicable than it once was. The very object of these advanced data processes is to discover the unknown, identify patterns and derive insights that cannot be anticipated, let alone described at the outset, making highly detailed purpose specification virtually impossible.

Finally, nobody should underestimate the significance of the potential for Ontario employers to become regulated in respect of their employees. On this issue, the Commissioner’s position is clear:

Individuals should have the ability to perform their jobs with the confidence that their employer will keep them safe, while also respecting their privacy rights. Accordingly, we recommend that any private sector privacy law in Ontario should apply to all employee personal information to fill this glaring gap in privacy protection.

IPC Comments on the Ontario Government’s Discussion Paper, IPC/Ontario, 16 October 2020.

Understanding the Employment-Related Records Exclusion

Here is a copy of the presentation I delivered yesterday at the at the PISCC’s 2020 Ontario Connections Conference. As I told the audience, I’m a confessed FOI nerd. The exclusion is such a unique, important and misunderstood part of our Ontario FOI law that it was good to dive deep on it while in good company.

ALSO, BLG is launching a new webinar series for the provincial public sector called “nuts and bolts.” The first webinar will run in late November, please sign up here, or if you can’t attend in November and want me to put you on our mailing list please DM me.