Let’s help our public health authorities by giving them data

This was not the title of the panel I sat on at the Public Service Information Community Connection virtual “confab” today, though it does show the view that I attempted to convey.

John Wunderlich moderated a good discussion that involved Frank Work, Ian Walsh and me. When I haven’t yet formed ideas on a subject, I prepare by creating written remarks, which are typically more lucid than what ends up coming out live! I’ve left you my prepared remarks below, and here are some of the good insights I gained from the discussion:

      • The need for transparency may warrant stand-alone legislation
      • The lack of voice in favour of government data use is not atypical
      • The enhancement of tracing efforts is a narrow public health use
      • The SCC’s privacy jurisprudence ought to foster public trust

All in all, I sustain the view recorded in the notes below: governments should get it done now by focusing on the enhancement of manual contact tracing. Build the perfect system later, but do something simple and privacy protective and learn from it. The privacy risks of centralizing data from contact tracing apps are manageable and should be managed.

Given that public health authorities already have the authority to collect personal data for reportable diseases, what are the reasonable limits that should be put on COVID-19 data collection and sharing by applications?

It’s not yet a given that we will adopt an approach that will give public health authorities access to application data even though (as your question notes) they are designated by law as the trusted entity for receiving sensitive information about reportable diseases – diagnostic information first and foremost, but also all the very sensitive data that public health authorities regularly collect through public health investigations and manual contact tracing.

What we have here is an opportunity to help those trusted entities better perform their responsibility for tracing the disease. That responsibility is widely recognized as critical but is also at risk of being performed poorly due to fluctuating and potentially heavy demand and resource constraints. Based on a ratio I heard on a Washington Post podcast the other day, Canada’s population of 37 million could use 11,000 contact tracers. From my perspective, the true promise of an app is to help a much smaller population of contact tracers trace and give direction faster.

The most important limit, then, is data minimization. Yes collect data centrally, but don’t collect location data if proximity data will support real efficiency gains in manual contact tracing. Set other purposes aside for the post-pandemic period. Collect data for a limited period of time – perhaps 30 days. Then layer on all your ordinary data security and privacy controls.

Assuming that COVID-19 applications require broad population participation, should or can provincial or federal authorities mandate (or even request) their installation by citizens?

It’s too early to say, though government would be challenged to make a case for mandating installation and use of an application because the data collection would likely be a “search” that must be a “reasonable” search so as not to infringe section 8 of the Charter.

To briefly explain the law, there are three distinct legal questions or issues.

First, there needs to be a “search,” which will likely be the case because the data we need to collect will attract a reasonable expectation of privacy.

Second, the search needs to be “reasonable.” If a search is reasonable, it’s lawful: end of analysis.

And, third, a search that is unreasonable can nonetheless be justified as a reasonable limit prescribed by law as can be demonstrably justified in a free and democratic society.

You can’t do the legal analysis until you have a design and until you understand the benefits and costs of the design. It’s quite possible that good thinking is being done, but publicly at least, we still seem to be swimming in ideas rather than building a case and advocating for a simple, least invasive design. We need to do that to cut through the scary talk about location tracking and secondary uses that has clearly found an audience and that may threaten adoption of the optimal policy.

What will be or should be the lasting change that we see coming out of COVID-19, technology and contact tracing?

What I’ve seen in my practice and what you may not realize is that employers are all in control of environments and are actually leading in identifying the risk of infection. Employers will often identify someone who is at risk of infection three, four or five or more days before a diagnosis is returned. They are taking very important action to control the spread of infection during that period without public health guidance. 

Then we have the potential launch of de-centralized “exposure notification” applications, where the direction to individuals will come from the app alone. To make an assessment of risk based on proximity data alone – without the contextual data collected and relied upon by manual contact tracers – is to make quite a limited assessment. It must be that app-driven notifications will be set to notify of exposure when the risk of infection is low, but such notifications will have a broad impact. That is, they will cause people to be pulled out of workplaces and trigger the use of scarce public health resources.

This activity by employers and (potentially) individuals is independent of activity by public health authorities – the entities who are authorized by law to do the job but who also may struggle to do it because of limited resources.

Coming out of this, I’d like us to have resolved this competition for resources and peoples’ attention and to have built a well-coordinated testing and tracing system that puts the public health authorities in control and with the resources and data they need.

“Employee’s” signature accessible to public – NLCA

On June 3rd, the Court of Appeal for Newfoundland and Labrador held that the signature of an “employee” who authorized a vacation leave payout to a senior administrator at a college campus in Qatar was accessible to the public even though the individual was hired by Qatar, and not the College.

The matter turned on the meaning of “employee” under Newfoundland’s now repealed and replaced FOI statute, which at the time exempted all personal information from the right of access subject to an exemption for “information… about a third party’s position, function or remuneration as an officer, employee or member of a public body.” The Court held that the term employee is broad enough to include some independent contractors. It explained:

The statutory context and the purpose of the Act, however, would appear to limit including independent contractors only to those who, by virtue of their contract, are required to perform services for the public body in a manner that involves them as a functional cog in the institutional structure of the organization. It is those persons whose personal information about position and functions which can be regarded as employees and still promote the purpose and object of the legislation. To restrict the definition further would be to shield information about certain aspects of the public body’s operations and functioning from potential public scrutiny. To expand the definition further would equally not promote the object and purpose of the Act because it would allow for disclosure of personal information that does not elucidate the institutional functioning of the public body which is to be held accountable.

The Court’s affirmation of the public’s right of access here is no surprise. For one, the record suggested that the College and Qatar were common employers. More fundamentally, the privacy interest in the signature that would justify the outcome sought by the College was simply too minimal to give its interpretation argument principled force. In Ontario, signatures made in one’s professional capacity are not even considered to be one’s personal information.

College of the North Atlantic v. Peter McBreairty and Information and Privacy Commissioner of Newfoundland and Labrador, 2020 NLCA 19.

CASL survives constitutional challenge, FCA gives some insight

Yesterday the Federal Court of Appeal held that Canada’s Anti-Spam Legislation is intra vires Parliament and Charter-compliant. In doing so it opined on the scope of numerous CASL provisions, most notably the so-called “business-to-business exclusion.”

CASL applies coast-to-coast-to-coast – passed under the federal trade and commerce power. It is known to be both strict and inelegantly drafted because it applies very broadly but carves out areas of activity piecemeal, through numerous exemptions and exclusions.

None of this caused the Court any problem. It rejected the appellant’s division of powers attack and its attack under sections 2(b), 11, 7 and 8 of the Charter. Ultimately the Court viewed CASL as addressing an important problem of national scope and focused enough to pass muster because its scope of application is tied to “commercial activity” (a concept with sufficient meaning) and because of its numerous exemptions and exclusions: “CASL thus establishes a complex legislative scheme that evinces a considerable degree of tailoring to meet its objectives.”

More practically, the Court affirmed a CRTC finding that e-mails sent by the appellant to market training courses to employees of organizations did not fit within the Act’s business-to-business exclusion, which removes commercial electronic messages from all regulation if they are sent by an organization, “to an employee, representative, consultant or franchisee of another organization if the organizations have a relationship and the message concerns the activities of the organization to which the message is sent.”

Regarding the relationship requirement, the Court agreed with the CRTC that it will not be satisfied by mere proof of a prior transaction with an employee of the organization to whom a message is sent. The Court used the term “partner organization” to characterize an organization that would qualify for exclusion. It also said that the requirement for exclusion is more demanding than the requirement for being in the type of business relationship that would only trigger deemed implied consent – i.e., an existing business relationship. The Court explained:

Finding an existing business relationship in the present case would permit the appellant to send CEMs to a person—an individual—who had paid the appellant for a course within the preceding two years. Finding a relationship for the purposes of the business-to-business exemption, on the other hand, would allow the appellant to send CEMs to not only the individual who took the course, or the individual who paid for the course, but to every other employee of the organization to which those individuals belong—and organizations can be very large indeed. The latter finding would expose a great many more people to the potentially harmful conduct that it is CASL’s raison d’être to regulate. This suggests, contrary to the appellant’s argument, that the evidentiary requirements for establishing a relationship for the purposes of the business-to-business exemption should in fact be more demanding than for an existing business relationship.

Although this will limit access to the exclusion, the Court did find that the phrase “concerns the activities” does not limit organizations to sending e-mails that concern only the core business operations of the recipient organization.

I’ve addressed only the Court’s most significant interpretive finding. Yesterday’s decision also addresses (a) the purpose of CASL, (b) the meaning of “commercial electronic message”, (c) the relevance of one’s job title to establishing deemed implied consent and (d) the prescribed requirements for an unsubscribe mechanism.

3510395 Canada Inc. v. Canada (Attorney General), 2020 FCA 103.

BC OIPC dismisses privacy complaint about conduct of tribunal litigation

On May 1st the British Columbia Office of the Information and Privacy Commissioner dismissed a complaint that alleged a law firm and its client violated BC PIPA by serving a seven-part application for non-party production on seven non-parties to a Human Rights Code proceeding (thereby disclosing more personal information than would have been disclosed in seven separate applications).

Most significantly, the OIPC held that the PIPA provision that states it does not “limit the information available by law to a party to a proceeding” does not limit the OIPC’s jurisdiction and, rather, “merely provides reassurance that PIPA does not restrict the availability of information to a party to a proceeding where that information is available by law.” The OIPC therefore needed to dismiss the complaint on other grounds – in this case based on finding of deemed implied consent and a finding that the disclosure was “required or authorized by law.”

The OIPC did come back to the “party to a proceeding” provision – section 3(4) – in dismissing the complainant’s proportionality argument. It said:

[77]        As I see it, the actions of parties in a court or tribunal proceeding – and whether those actions were necessary or appropriate in light of that forum’s governing law and procedures – is a matter best judged by that court or tribunal. I find support for this approach in s. 3(4) of PIPA. Section 3(4) states that PIPA does not limit the information available by law to a party to a proceeding. This provision ensures that PIPA does not interfere with, or override, statutory or common law processes or rules that make information available to a party to a proceeding.

[78]        Section 3(4) of PIPA requires that I interpret and apply PIPA in a way that does not limit the information available to PLG as a party to the legal proceedings before the Tribunal. In essence, the complainant is calling upon PIPA to censure, regulate and/or impose restrictions on what a party to a Tribunal proceeding can do to obtain information or evidence under the Tribunal’s Rules. I believe that a decision on my part prohibiting a party to a Tribunal proceeding from disclosing personal information in an application made pursuant to Rule 23(2) would, effectively, limit the information available by law to that party and run contrary to s. 3(4).

[79]        Thus, the issue of whether in this particular Tribunal proceeding the respondents complied with the Rules regarding applications for non-party disclosure is a matter that should be left to the Tribunal to decide. The Tribunal is an administrative tribunal empowered by statute to create the Rules that govern its proceedings and to enforce compliance with those Rules. Given it is the adjudicative forum where the complainant pursued her human rights complaint, it is best placed to understand the full context of what took place during its proceedings and to referee the parties’ behaviour.

This text is helpful, though the OIPC could have left litigants wider berth by reading section 3(4) as creating a form of privilege.

[Note that the HRTO did sanction the client (respondent) for serving its seven-part application by awarding the complainant $5,000 in costs.]

Mary-Helen Wright Law Corporation (Pacific Law Group) (Re), 2020 BCIPC 21 (CanLII).

PEICA finds no “search” in interviewing a hacker informant

The headline is sensational, but it aptly describes the issue that the Prince Edward Island Court of Appeal recently addressed in R v Molyneaux. The Court held that the police did not conduct a search (governed by section 8 of the Charter) by interviewing an informant about what she saw when she surreptitiously viewed the accused’s phone.

The police charged the accused with child pornography offences. There was a separate dispute about the seizure of images from the accused’s phone, but the Court of Appeal dealt with the informant’s statement alone. The informant attended the police station for an interview, and told the police that she had viewed numerous pornographic pictures of her child when browsing the accused’s phone. The defence argued that the police conducted a search into the phone by conducting this interview. It relied, in part, on cases that have precluded the police from obtaining private information from commercial actors – namely, R. v. Spencer, 2014 SCC 43 and R. v. Orlandis-Habsburgo, 2017 ONCA 649.

The Court rejected the defence argument, explaining:

Society’s conception of the proper relationship between the investigative branches of the state and the individual surely must allow the police to speak to a witness without prior judicial authorization.

I do not believe that the subject matter of the “search” was Molyneaux’s cell phone or the contents thereof. The police were seeking information that might reveal whether or not a crime occurred, and if so, whether or not they should pursue further investigation.  The subject of the search was K.’s memory of what she saw the morning of December 31, 2017.

The Court distinguished Spencer and Orlandis-Habsburgo as matters arising out of the commercial context, in which expectations differ.

R v Molyneaux, 2020 PECA 2 (CanLII).

FOI reconsideration order highlights important timing issue for Ontario institutions

On May 14th, the IPC/Ontario dismissed a request for reconsideration based on an asserted change of circumstances, a somewhat common happening given the lengthy period of time it now takes to process an FOI appeal.

The IPC had earlier affirmed a decision to deny access to certain information about the OPP’s use of cell site simulators on the basis that the information could reasonably be expected to “reveal investigative techniques and procedures currently in use in law enforcement.” After the IPC made this appeal decision, the requester learned that the OPP had switched to a new model of simulator, apparently after she made her request and before the IPC made its decision. The requester asked for reconsideration so she did not have to start again (by filing a new request and potentially re-arguing an appeal). The requester argued the Ministry’s exemption claim could not stand in light of the “new evidence.”

Assistant-Commissioner Liang declined the reconsideration request, but only on the basis that the newly proffered evidence would not have led her to make a different decision in any event. Assistant-Commissioner Liang noted that the Ministry had not deliberately withheld key evidence, which the IPC has treated as a basis for reconsideration. She did not comment on whether the Ministry ought to have brought forward the change in circumstances or whether its failure to do so might warrant reconsideration.

Appeal hearings are about the propriety of an access decision that is made at a point in time, though they can invite respondent institutions to make representations about prospective harms. It goes without saying that institutions should not misrepresent the state of affairs in existence at the time they file their materials with the IPC. And if they have made accurate representations and the circumstances later change, there should be no duty to bring those circumstances to the attention of the IPC and no consequence for failing to do so. This would be a very heavy and impractical burden to bear, and would do harm to the finality owed to respondents. Requesters can and should be made to file new requests that can be the subject of fresh consideration and new access decisions.

Ontario (Solicitor General) (Re), 2020 CanLII 34928 (ON IPC).

No privacy violation to tell complainants that complaint resolved by taking “action”

On February 10th, Arbitrator Oakley dismissed a grievance that alleged a university had violated a professor’s privacy by advising students that it had taken “action” to address their complaint.

Forty-three students complained about a failure to conduct sufficient evaluation by the eighth week of the term as well as inconsistent grading. The Dean investigated and issued a written warning, both actions immediately grieved by the professor and their faculty association. The Dean then sent the following communication to the complainants:

Dear Concerned Students,

Thank you for your patience.

The complaints were reviewed with [G] and the Mount Allison Faculty Association and the University took action to ensure the issues raised were addressed. This action is the subject of a grievance under the relevant collective agreement and is scheduled for arbitration in November. Collective agreements are contracts between an employer and a union governing the relationships between unionized employees and their employer. I cannot disclose any further information until the grievance is resolved by agreement or through arbitration. Please be assured that the issues you raised have been taken seriously by the University and we thank you for raising your concerns.

The professor and faculty association grieved again, relying on provincial privacy legislation, the intrusion tort and a provision of the collective agreement that prohibited the university from disclosing information in the official file.

Arbitrator Oakley dismissed the privacy grievance. He was very careful to root the decision in the facts, stressing that the university did not imply that it had disciplined the grievor.

It is entirely appropriate for Arbitrator Oakley to be so reserved, but it ought to be said that complainants of all kinds have a strong interest in knowing how their complaints are resolved and ought not to be deprived of the basic facts pertaining to resolution, in my own view even if that includes facts about discipline imposed. Privacy is not absolute and does not preclude the meeting of valid competing interests.

Mount Allison Faculty Association v Mount Allison University, 2020 CanLII 33895 (NB LA).

Court says privilege in letters left online waived

On May 5th the Court of Appeal for Newfoundland and Labrador affirmed a finding that a party had waived its solicitor-client privilege in two letters that had been published online.

The letters contained legal opinions to a defendant to an outstanding civil action. They were authored about five and nine years before the action was commenced, but apparently are “highly relevant” to the action. The plaintiffs downloaded the letters from the internet and produced them back to the defendant, which provoked the defendant’s privilege claim.

The defendant had learned the documents were circulating about six months prior to receiving the plaintiffs’ production when contacted by a CBC reporter and one of the plaintiffs (who also posted the letters on her Facebook). It decided not to attempt to take down the letters from the internet because of the expense and, in the Court’s words, because “the genie was out of the bottle and control over the documents would be virtually impossible to maintain.” Strangely, the defendant did not advise its defence counsel of the problem, so defence counsel only asserted privilege after receiving production (again, about six months later).

In these circumstances, the Court of Appeal held that privilege had been waived. Its key findings were as follows:

    • The defendant itself was aware of the publication of the letters well before the plaintiffs produced the letters in the litigation, but did not assert privilege against the plaintiffs. That defence counsel did not know that the letters were circulating until the plaintiffs produced them was irrelevant. Privilege belongs to the client, not its counsel.
    • Plaintiff counsel’s act of downloading the letters from the internet for use in the litigation ought not be presumed to be improper. Although the Court confirmed that opposing counsel are obliged not to take advantage of an inadvertent disclosure of privileged communications, in this case the letters were somewhat old and it appears that the existence of an inadvertent disclosure was simply not reasonably apparent.
    • It was not wrong for the application judge to consider the lack of evidence about safeguarding efforts in deciding the waiver issue against the defendant: “A privilege-holder ought to be able to provide some evidence of how the privileged documents were safe-guarded to protect the privilege for it is within its power to do so.”

This is a careful judgement that’s directed at the facts. In my reading of it, the Court leaves some (though perhaps limited) room to assert privilege against an opposing party in litigation even though documents make their way inadvertently to the internet and are left there because “the genie is out of the bottle.”

Federation of Newfoundland Indians Inc. v Benoit, 2020 NLCA 16 (CanLII).

Privacy claim against documentary makers dismissed

On April 23rd, the Ontario Superior Court of Justice dismissed two privacy claims brought against the makers of a documentary – one based on the misappropriation of personality tort and the other based on the intrusion upon seclusion tort.

Wiseau (and others) brought the claims against the makers of a movie called Room Full of Spoons – a documentary about Wiseau and his own infamous movie, The Room. The Room has become notorious as one of the worst movies ever made. Room Full of Spoons disclosed Wiseau’s birthdate, birth name and place of birth, facts available to the public but not widely known, in part because of Wiseau’s cultivation of mystery about his background.

Wiseau aggressively objected to the release of Room Full of Spoons, according to the Court, in part because he held a financial interest in a competing film. He obtained an injunction in 2017 that was held to have been improperly obtained, leaving Wiseau on the hook for $750,000 in damages.

In addition to making this damages order, Justice Schabas wrote a lengthy judgement that addresses fair dealing and related copyright issues, a passing off claim and various pre-trial and trial procedure issues. I’ll just address his disposition of the two privacy claims.

Justice Schabas dismissed the misappropriation of personality claim because Wiseau was a public figure who cultivated interest (and mystery) in his personality. The defendants’ use of Wiseau’s image to promote Room Full of Spoons (which was limited) was therefore not actionable. Justice Schabas followed Gould Estate, and held that use of Wiseau’s image served the purpose of contributing accurate information “to the public debate of political or social issues or of providing the free expression of creative talent” and was not primarily a means of “commercial exploitation.”

Justice Schabas dismissed the intrusion upon seclusion claim for reasons unrelated to the defendants’ right of expression, finding no “highly offensive” intrusion at all:

Wiseau has failed to make out the elements of the tort in this case.  No personal details of the kind referred to in Jones v. Tsige were disclosed by the defendants. Rather, what was disclosed was Wiseau’s birthplace, his birthdate, and the name he was given at birth and had as a child in Poland. This information was available from public sources, which is how the defendants obtained and confirmed it. Wiseau may be sensitive about this information because he has cultivated an aura of mystery around it, but disclosure of these facts is not, objectively speaking, something which can be described as “highly offensive.”

The idea that Wiseau’s privacy claim could not be sustained because his information was publicly available is significant, though consistent with traditional notions of privacy and confidentiality.

Wiseau Studio, LLC et al. v. Harper et al., 2020 ONSC 2504 (CanLII).

Cyber, secrecy and the public body

Here’s a copy of a presentation I gave yesterday at the High Technology Crime Investigation Association virtual conference. It addresses the cyber security pressures on public bodies that arise out of access-to-information legislation, with a segment on how public sector incident response differs from incident response in the private sector.