Court won’t redact or take down its decision

15 Sep

On September 7th, the Court of Appeal for British Columbia dismissed an application to have part of its reasons redacted or to have the reasons withdrawn from the Court’s website. 

The applicant believed that part of the reasons – released in 2004 – were harmful to his reputation, a problem he said was facilitated by internet search. The Court dismissed the application because redaction would offend the principle of finality. It held that redaction alone would effectively amount to an amendment of the Court’s (substantive) conclusions. (This is a non-obvious point of principle of some significance.) The Court also relied on the open courts principle, which it affirmed. 

MacGougan v. Barraclough, 2017 BCCA 321 (CanLII).

NIST’s recommended password policy evolves

12 Aug

As imperfect a means of authentication as they are, “memorized secrets” like passwords, pass phrases and PINs are common, and indeed are the primary means of authentication for most computer systems. In June, the National Institute of Standards and Technology issued a new publication on digital identity management that, in part, recommends changes to password policy that has become standard in many organizations – policy requiring passwords with special characters.

Here is what the NIST says:

Memorized secrets SHALL be at least 8 characters in length if chosen by the subscriber. Memorized secrets chosen randomly by the CSP or verifier SHALL be at least 6 characters in length and may be entirely numeric. If the CSP or verifier disallows a chosen memorized secret based on its appearance on a blacklist of compromised values, the subscriber SHALL be required to choose a different memorized secret. No other complexity requirements for memorized secrets SHOULD be imposed.

The NIST believes that the complexity derived from special characters is of limited benefit to security, yet creates (well known) usability problems and promotes “counterproductive” user behaviour – writing passwords down or storing them electronically in plain text. It’s better, according to the NIST, to allow for long passwords (that may incorporate spaces) and use other protective measures such as password blacklists, secure hashed password storage and limits to the number of failed authentication attempts.

The NIST publication includes other related guidance, including a recommendation against routine password resetting.

NIST Special Publication 800-63B – Digital Identity Guidelines (June 2017)
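
The rules described in this post, sketched as a small verifier. This is an added example, not code from NIST or from the original post; the sample blacklist, the failure limit of 5, the PBKDF2 work factor and the case-insensitive blacklist match are assumptions made for illustration.

```python
import hashlib, hmac, os

# Constructed sample blacklist; a real one would hold known-compromised passwords.
BLACKLIST = {"password", "12345678", "qwertyuiop", "letmein123"}
MIN_USER_CHOSEN = 8      # subscriber-chosen secrets: at least 8 characters
MIN_RANDOM = 6           # secrets chosen randomly by the CSP or verifier: at least 6
MAX_FAILURES = 5         # assumed limit; the post gives no number
PBKDF2_ROUNDS = 200_000  # assumed work factor for the salted hash

def check_secret(secret, chosen_by_user=True):
    """Return the reasons a secret is rejected; an empty list means accepted."""
    problems = []
    minimum = MIN_USER_CHOSEN if chosen_by_user else MIN_RANDOM
    if len(secret) < minimum:
        problems.append(f"shorter than {minimum} characters")
    # Case-insensitive blacklist match is an assumption of this sketch.
    if chosen_by_user and secret.casefold() in BLACKLIST:
        problems.append("on the blacklist of compromised values")
    # Deliberately no rules about digits, symbols or mixed case; spaces are allowed.
    return problems

def hash_secret(secret, salt=None):
    """Store only a salted, iterated hash, never the plain text."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest

class Verifier:
    """Checks a login against the stored hash and limits consecutive failures."""
    def __init__(self):
        self.accounts, self.failures = {}, {}

    def enroll(self, user, secret):
        problems = check_secret(secret)
        if not problems:
            self.accounts[user] = hash_secret(secret)
        return problems

    def login(self, user, attempt):
        if self.failures.get(user, 0) >= MAX_FAILURES:
            return "locked"
        if user not in self.accounts:
            return "denied"
        salt, stored = self.accounts[user]
        ok = hmac.compare_digest(hash_secret(attempt, salt)[1], stored)
        self.failures[user] = 0 if ok else self.failures.get(user, 0) + 1
        return "ok" if ok else "denied"
```

A long all-lowercase passphrase with spaces is accepted, while a short password full of special characters is rejected on length alone.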

Consent form decision imposes strict transparency requirement for handling employee medical information

9 Aug

Disputes about employer medical information consent forms are now common. It’s not hard to pick apart a form, and employers tend to suffer “cuts and bruises.” In one such case an arbitrator has recently held that an employer must identify “anyone with whom the information would be shared” in a consent form. The arbitrator also held that an employer must subsequently (and seemingly proactively) give notice of who is handling information:

I agree with the employer that it is not practical to obtain a new consent every time a manager or HR Specialist who is absent is temporarily replaced. However, the employer must advise the employee of the employer’s need and intention to share health information with a replacement and identify that individual by name and title. This would enable the employee to revoke the consent if he/she does not wish the health information to be shared with the individual replacing the manager or HR Specialist. If and when it becomes necessary to share health information with HR or legal services in order to seek advice, or to obtain approval from senior management with delegated authority, the employee should be informed of the title or office only of the person with whom information will be shared. The employee’s consent would not be required for the employer to be able to do so.

While there’s no debating an employee’s right of control, the degree of transparency required here is very high and operationally challenging in the least. “Person-based consents” (as opposed to “purpose-based consents”) can also restrict important flows of information in subtle yet problematic ways.

The best argument against person-based consents is one that refers to the public policy that is reflected in the Personal Health Information and Protection Act (which does not govern employers acting as employers except via section 49). Even in the health care context – where the standard should be higher, not lower than in the employment context given the limited range of information processed by employers – consent is deemed to exist for a certain purpose and information can flow to any health care provider for that purpose. This is subject to a “lock box” that gives patients the ability to shield their information from specific individuals, but the lock box essentially functions as an opt out. (For the nuances of how PHIPA’s “circle of care” concept works, see here.) Transparency is satisfied by the publication of a “written public statement” (a policy really) that “provides a general description of the custodian’s information practices.” There’s no reason to require more of employers.

OPSEU and Ontario (Treasury Board Secretariat), Re, 2017 CarswellOnt 11994.

All About Information Turns Ten!

2 Aug

Ten years ago on a Saturday morning in early August something inspired me to upload a post on employee surveillance to a WordPress site. I can’t remember what I called the site at that time, but the title was lame and had my name in it. Ten years and 973 posts later, “All About Information” still exists. It has facilitated a good deal of my learning and has fostered connections with some valued colleagues who work outside of my own firm, Hicks Morley. As for its merits, at the very least All About Information is now a sizable catalog of notable Canadian cases that are… well… about information. Thank you to those who have made guest posts and comments and those who have kindly corrected my numerous typos. And thank you especially to you, the reader.

Dan Michaluk

“Steep hill” to climb for defamation plaintiffs when suing on matters of public interest

29 Jul

On July 25th, the Ontario Superior Court of Justice dismissed an action under a new provision of the Ontario Courts of Justice Act intended to dissuade persons from bringing “strategic lawsuits against public participation” – so-called “SLAPP” suits.

The plaintiff is a company that operates a gravel pit. It sued a Stouffville teacher who made two postings to Facebook about a municipal approval that allowed an expansion of the company’s operation. The defendant made the posts without reading the engineering report the plaintiff had filed with the municipality or taking any other significant steps to inform herself of the issue. She said the defendant would profit significantly from the approval, the municipality would not, and the defendant “would potentially poison our children.” When the plaintiff demanded an apology, the defendant apologized. The plaintiff sued anyway.

The plaintiff agreed that the defendant’s expression related to a matter of public interest – leaving the plaintiff to establish that its proceeding had “substantial merit,” that the defendant had “no valid defence” and that it had suffered (or was likely to suffer) “sufficiently serious harm” in order to survive dismissal under the CJA’s anti-SLAPP provision. The Court held that none of these criteria were met, dismissed the action and awarded $7,500 in damages to the plaintiff (in part reflecting how the plaintiff conducted its proceeding and in part reflecting the defendant’s failure to adduce medical evidence in support of her damages claim).

The judgement means that the burden on a party seeking civil redress for statements made about a matter of public interest is high. In this case, for example, it did not matter that the plaintiff took few steps to inform herself of the issue or used the “unfortunate” word “poison”; informed or not, the Court said the plaintiff had a right to enter the public forum and use emphatic language in doing so without the risk of being sued. Justice Lederer explained:

I am inclined to the view that the legislature did more than just “tilt the balance somewhat”. Rather the legislature created a steep hill for the plaintiff to climb before an action like this one is to be permitted to proceed. The legislation directs that we place substantial value on the freedom of expression over defamation in the public sphere. To put it simply, those who act in the public realm need to realize that not everybody will accept what they wish to do or agree with what they say and may make statements that go beyond what may seem, to the recipient, to be appropriate.

United Soils Management Ltd. v. Mohammed, 2017 ONSC 4450.

IPC decides on request for threat assessment records

22 Jul

On June 30th, the Information and Privacy Commissioner/Ontario issued an interim order regarding a request for records of a school board’s threat assessment process – a request made by the student who was the subject of the assessment. 

The IPC held that input given by student witnesses was exempt because its disclosure would constitute an unjustified invasion of privacy and that opinions expressed by members of the board’s threat assessment team were exempt because their disclosure could reasonably be expected to threaten the members’ safety. This decision rests on the facts before the IPC in this case, though it sets out a roadmap for shielding the most sensitive information in a threat assessment file.

The IPC decided to give notice to staff members before deciding whether information related to them (other than opinions) should be released. The matter continues. 

Toronto Catholic District School Board (Re), 2017 CanLII 45048 (ON IPC). 

No relief for victims of harassment – Ont CA

22 Jul

I’ve written here about the difficult position an employer/organization is placed in when its employees are harassed by “outsiders.” On July 20th the Court of Appeal for Ontario illustrated the difficulty by affirming a decision that denied relief from such harassment that a municipality (and its mayor) sought on behalf of the mayor, councillors and staff. The decision suggests that an employer’s duty to provide a safe and harassment-free environment provides no basis for a civil remedy.

Rainy River (Town) v. Olsen, 2017 ONCA 605.