Arbitrator orders $3,000 in privacy damages

18 Nov

On April 27th, Arbitrator Knopf ordered that $3,000 in damages be paid to a grievor for breach of privacy and harassment because:

  • the grievor’s personnel file contained an inexplicable notation that the grievor advised his supervisor that he injured his penis while cooking nude at home; and
  • the employer contacted the grievor’s doctor to confirm the doctor’s signature without justification and without consent.

Ms. Knopf said that these claims were “serious enough to warrant damages, but they were not profoundly damaging to [the grievor’s] reputation or harmful to his privacy, nor did they have a negative impact on his benefit claims, status in the workplace or reputation in general.”

York (Regional Municipality) v Canadian Union of Public Employees, Local 905, 2017 CanLII 56454 (ON LA).

Arbitrator issues principled decision on identification of grievors and other complainants

17 Nov

On September 5th, Arbitrator Abramsky dismissed a motion to anonymize the name of an individual who had grieved harassment, discrimination and a reprisal.

In making its request, the Union rested heavily on the fact the grievance would invite the disclosure of the grievor’s medical information – information about a learning disability and back problems. It also argued that no purpose would be served by publication of the grievor’s identity.

Ms. Abramsky held that the open court principle applied to the statutory tribunal for whom she was sitting (the GSB in Ontario) and that openness was therefore presumed absent a “compelling reason.” In doing so, she endorsed the following statement about the identification of individuals who file serious complaints:

This rationale – that litigants who make serious accusations should not do so “from behind a veil of anonymity, assured that they will not be identified if they are found not to be credible, their allegations are rejected” – has significant resonance.  It is very easy to make serious assertions and claims.  When doing so – and pursuing such a claim – litigants should not be able to hide behind anonymity, absent a compelling reason to allow it.  Confidence in the administration of justice – and the open court principle – requires it.

Ms. Abramsky also held that medical information can vary in sensitivity and that, in the circumstances, anonymization was not justified.

Ontario Public Service Employees Union (Cull) v Ontario (Health and Long-Term Care), 2017 CanLII 71798 (ON GSB).

Cyber insurance and incident response practice

17 Nov

Here’s a deck from a Monday panel presentation that I participated in with some colleagues from the sector.  It features a cyber incident scenario and some questions. See if you can answer them, and if you’d like to have a discussion, please comment or get in touch.

What’s a breach coach?

29 Sep

I hate the term “breach” – please call them “security incidents” – but the term “breach coach” is certainly ingrained. Posting today’s presentation on the role of the coach as I step out the door to an insurance sector event. The simple, self-serving and valid message: call a coach first.

Who’s the HIC?

28 Sep

Who is the “health information custodian” when an institution with an educational mandate provides health care? PHIPA gives institutions choice. Here’s a presentation I gave yesterday in which I argue that the institution (and not its employed practitioners) should assume the role of the HIC. Also includes some simple content on the new PHIPA breach notification amendment.

OPC gives guidance, argues for more enforcement power

24 Sep

It’s hard being the Office of the Privacy Commissioner of Canada. The OPC is responsible for making sure all is right in commercial sector and federal government sector privacy. It has a pretty small operating budget, yet issues in these sectors are meaty and novel – I dare say harder to deal with than the privacy issues raised in the health and provincial public sectors. More than anything, meeting the OPC mandate is particularly challenging because the mandate is to enforce a principled statute that affords a “right to privacy” that lacks a well-understood meaning.

It is in this context that the OPC issued its 2016-2017 Annual Report to Parliament. The report includes a 24 page “year in review” on PIPEDA that follows the OPC’s public consultation on informed consent and some polling work that shows 90% of Canadians are concerned about their privacy. The OPC concludes that the PIPEDA commercial sector regime is at a crossroads – making some suggestions about new directions, giving some practical guidance and arguing for more enforcement power.

This post is to highlight the most significant new directions and practical guidance and to provide a short comment on the argument for more enforcement power.

The most significant new directions and practical guidance:

  • The OPC will expect organizations to address four elements in obtaining informed consent – what personal information is being collected, who it is being shared with (including an enumeration of third parties), for what purposes is information collected, used or shared (including an explanation of purposes that are not integral to the service) and what is the risk of harm to the individual, if any.
  • The OPC will draft and consult on new guidance that will explicitly describe those instances of collection, use or disclosure of personal information which we believe would be considered inappropriate from the reasonable person standpoint under subsection 5(3) of PIPEDA (no-go zones).
  • The OPC says that “in all but exceptional cases, consent for the collection, use and disclosure of personal information of children under the age of 13, must be obtained from their parents or guardians” and “As for youth aged 13 to 18, their consent can only be considered meaningful if organizations have taken into account their level of maturity in developing their consent processes and adapted them accordingly.”
  • The OPC will encourage industry to develop codes of practice and fund research for the purpose of developing codes of practice to address more particular, sector-specific challenges – presumably a mechanism by which organizations will be able to seek safe harbour.
  • The OPC will make greater use of its power to initiate investigations “where [it sees] specific issues or chronic problems that are not being adequately addressed.”

Then, there’s the OPC’s argument for more enforcement powers. Specifically, the OPC wants Parliament to drop the “reasonable grounds” restriction from its audit power so it can engage in truly proactive audits, it wants the power to levy fines and it wants PIPEDA to feature a private right of action – all of which would invite a departure from the ombudsman model the OPC has operated under since PIPEDA came into force in 2004.

I personally dislike the ombudsman model of enforcement because it doesn’t come with the procedural safeguards associated with more formal enforcement models and can therefore give the ombudsman a frightening degree of “soft” power. This said, the prospect of big fines and lawsuits based on substantive rules that are poorly defined and understood is even more frightening to those in the business of privacy compliance and defence. This is the irony of the OPC report: at the same time the OPC admits that the substance of the PIPEDA is, at the very least, “challenged” it asks to enforce it with a new hammer. Now going through an admittedly bad experience with CASL – legislation that the OPC would argue is much more “ineffective” than PIPEDA (see p. 34) – we can readily foresee the wasted compliance costs that the proposed change to PIPEDA could invite. Even if business is indeed responsible for the great concern about privacy that the OPC’s polling effort reveals, this is nonetheless a valid position for business to take going forward.

Court sends matter back to arbitrator to consider redaction request

22 Sep

On September 13th, the Federal Court of Appeal held that the Public Service Labour Relations and Employment Board was not functus officio and ought to have entertained an employer’s request to redact witness names.

The employer claimed it made an unopposed request to obscure the identities of several non-union witnesses during the Board’s hearing. When the Board issued a decision that included full names, the employer wrote the Board and asked for a correction. The Board disagreed that the employer had made a request during the hearing and held it was functus officio. The employer brought an application for judicial review, compounding the problem by filing an un-redacted copy of the decision on the Court’s public record.

The Court accepted affidavit evidence from the employer and held that it had, in fact, made an unopposed request during the hearing. Alternatively, the Court held that the Board had the power to amend its decision based on section 43 of the Public Service Labour Relations Act. The Court also ordered that its record be treated as confidential and that the applicant file new materials with witness names replaced by initials, stating, “So doing provides little, if any, derogation to the open courts principle as [the witnesses’] identities are not germane to the decisions.”

This is an unfortunate example of (a) rising sensitivities regarding the inclusion of personal information in judicial and administrative decisions and (b) the need to be careful about it. This affair (which shall continue) could have been avoided if the parties had asked the Board to make a formal order during the course of the hearing. The employer also ought to have brought a motion for a sealing order at the outset of its judicial review application, before filing un-redacted materials (a point that the Court made in its decision).

Hat tip to Ian Mackenzie.

Canada (Attorney General) v Philps, 2017 FCA 178 (CanLII).