BCCA addresses public right of access to “a record of a question”

21 Apr

On April 13th, the Court of Appeal for British Columbia held that a rubric for an undergraduate admissions test administered by UBC was excluded from British Columbia’s public sector access and privacy act as a “record of a question.” It interpreted this phrase purposely, as encompassing “anything that is inregral to the question such that disclosure would defeat the purpose of the question for future use.”

University of British Columbia v. Lister, 2018 BCCA 139 (CanLII).

Advertisements

Financial institution compliance presentation – privacy, data security and anti-spam

31 Mar

I’ve been doing a survey presentation in the Osgoode PDP program on financial institution compliance for the last five years now. Here’s this year’s deck.

What’s new? The V-Tech security measures report by the Office of the Privacy Commissioner of Canada, the Canadian Securities Administrators Staff Notice 33-321 (and some much more meaty guidance by the CSA) and the reduction of the Compufinder fine under CASL. See below for more.

 

The right to be forgotten comes to Canada

28 Jan

On Friday, the Office of the Privacy Commissioner of Canada issued a new position on the protection of online reputation. In doing so the OPC recognized a right to have personal information de-indexed from search engine results if it is inaccurate, incomplete or out-of-date. Although the position is in draft, is nonetheless of critical significance to Canadians’ use of the internet – creating a broader variant of the so-called European “right to be forgotten.”

The OPC says the right arises out of two longstanding parts of the Personal Information Protection and Electronic Documents Act – Principle 4.6 and section 5(3).

Principle 4.6 is the accuracy principle. It reads as follows:

4.6 Principle 6 — Accuracy

Personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.

4.6.1

The extent to which personal information shall be accurate, complete, and up-to-date will depend upon the use of the information, taking into account the interests of the individual. Information shall be sufficiently accurate, complete, and up-to-date to minimize the possibility that inappropriate information may be used to make a decision about the individual.

4.6.2

An organization shall not routinely update personal information, unless such a process is necessary to fulfil the purposes for which the information was collected.

4.6.3

Personal information that is used on an ongoing basis, including information that is disclosed to third parties, should generally be accurate and up-to-date, unless limits to the requirement for accuracy are clearly set out.

Principle 4.6 dovetails in part with Principle 4.9, which requires organizations to “amend” personal information if it is demonstrably “inaccurate or incomplete.” (Principle 4.9 does not mention currency.)

The OPC’s reasoning is simple. Search engines use and disclose personal information to “provide people with access to relevant information from the most reliable sources available.” This purpose is not served by presenting search results that are not accurate, complete or up-to-date. Though accuracy, completeness and currency are they key concepts, the OPC says that search engines should interpret and apply them in light of the how materially the impugned content affects individuals’ interests and the countervailing (public) interest in continued accessibility.

Section 5(3) of PIPEDA restricts organizations to handling personal information for purposes that a “reasonable person would consider are appropriate under the circumstances.” The OPC says that section 5(3) could also be the basis of a valid de-indexing request, giving the following two examples:

  • Where content is unlawful, or unlawfully published (e.g. where it contravenes a publication ban, is defamatory, or violates copyright; etc.)
  • Where the accessibility of the information may cause significant harm to the individual, and there is either no public interest associated with the display of the search result, or the harm, considering its magnitude and likelihood of occurrence, outweighs any public interest

This newly-recognized right invites de-indexing requests to search engines as the primary means of obtaining relief from online reputational harm, though the OPC has also recognized a right to take down content. The right to take down content is a more limited right, in part because the OPC only has jurisdiction over those who publish personal information “in the course of commercial activity.”

The significance of the new position cannot be understated; there are many Canadians who feel plagued by internet posts that are unflattering if not disparaging. Search engines will not embrace this development – leaving a possibility of an enforcement dispute (and Federal Court input) and vigorous lobbying for a legislative amendment. It may take some time, but watch for a Charter challenge.

You can read the draft report here.

BCCA – No privacy claim against lawyer

13 Jan

On January 9th, the Court of Appeal for British Columbia affirmed the dismissal of a claim against a lawyer that was based in part on his service of application materials and in part on his conveyance of information about the plaintiff in a casual conversation with another lawyer.

The application that became the subject of the claim was made in an earlier family law proceeding. It was for production of financial documentation from the plaintiff relating to seven companies in which he had an interest.

The defendant represented the plaintiff’s wife. He served the companies with application materials (a notice plus affidavit) without redaction and in an unsealed envelope. Apparently his process server left the materials with two unrelated companies in an attempt to affect service. The plaintiff also argued that the defendant should have crafted his application materials to protect the plaintiff’s privacy – serving notices “containing only information relevant to the particular relief that might concern each company.”

The Court held that the impugned action was deemed not to be an invasion of privacy based on section 2(3)(b) of the British Columbia Privacy Act, which states that the publication of a matter is not a violation of privacy if “the publication was privileged in accordance with the rules of law relating to defamation.” The defendant, the Court explained, was acting in the course of his duty to his client, and occasion protected by absolute privilege.

The “casual conversation claim” arose from a discussion the defendant had with another lawyer during a break in discovery in another case. The defendant said he represented a woman whose former husband had sold a business in Alberta for $15 million and that the couple had three young children. Another person who was present came to believe the defendant was speaking about the plaintiff.

The Court affirmed the trial judge’s finding that the plaintiff failed to prove the information disclosed was private and subject to a reasonable expectation of privacy. More significantly, it affirmed an obiter finding that that the defendant’s disclosure was not wilful.

Duncan v Lessing, 2018 BCCA 9 (CanLII).

 

Surreptitious recording of IME warrants a re-do

3 Jan

On December 28th, Justice Sweeny ordered a plaintiff to submit to another medical examination because he surreptitiously recorded a prior examination, commenting:

The surreptitious recording of the examination was improper. The effect of this recording is the doctor would now, most likely, be subject to cross-examination on issues as to what exactly happened in the course of the examination. The evidence of the plaintiff is also relevant. Mr. Cruz may be examined or cross-examined on the transcript. If the doctor was aware of the recording, he may have conducted his examination a different way. He may have been clearer in the language used. He may have been more specific is instructions given to the plaintiff. Much of the communication that goes on is nonverbal. The doctor was denied an opportunity to ensure that his words and conduct were being accurately recorded.

Cruz and Cruz v. Saccucci, 2017 ONSC 7737.

BC arbitrator endorses non-consensual sharing of personal information with union

24 Dec

On March 8th of this year, arbitrator Kinzie held that an employer did not breach the British Columbia PIPA by disclosing amounts earned by bargaining unit members to their certified bargaining agent. He made the following principled statement about when the exception to the PIPA consent rule would be engaged by disclosures by an employer to bargaining agent:

As the party to the collective agreement with the Employer, which agreement governs the terms and conditions of employment of the Employer’s employees, the Union, in my view, is an equal partner with the Employer to those employment relationships.  They have the same legitimate interest in the management of those relationships.  Therefore, I am of the view that the disclosure of employee personal information by the Employer to the Union regarding employees in the Union’s bargaining unit that is relevant to a matter concerning the interpretation and/or the application of the collective agreement would not violate Section 19 of the Personal Information Protection Act if their consent was not obtained because such disclosure, in my view, would be “reasonable” for the purposes of “managing” an employment relationship governed by the terms of that agreement.

Notably, the employer had called the BC OIPC for advice and was apparently told “definitely NOT [to] turn that info over to anybody.”

Comox Valley Distribution Ltd. v United Steelworkers, Local 1-1937, 2017 CanLII 72391 (BC LA).

Div Ct. quashes IPC decision for failure to identify PI under consideration

22 Dec

On December 18th, the Divisional Court quashed an IPC/Ontario order that affirmed a municipal institution’s decision to apply the public interest override in disclosing an internal investigation report. The Court held that the IPC erred by not identifying the personal information under consideration in its reasons:

[67]           The Commissioner is essentially asking this court to undertake the detailed analysis of the information in the Report described above, decide what portions of the Report fall within the s. 14 personal information exemption, and then assess the reasonableness of the Commissioner’s application of the s. 16 test based on that conclusion.  That is not the role of this court.  That complex analysis goes beyond supplementing the reasons.   It amounts to asking this court to review the reasonableness of the Commissioner’s decision based on our own assessment of what was exempted under s. 14 rather than based on what the Commissioner decided was exempted.

[68]           Given the acknowledged need to disclose only that portion of the exempted information that meets the s. 16 “clearly outweighs” balancing test, each piece of personal information that is exempted under s. 14 must form part of the analysis that the section requires.  In this case, we do not know what the Commissioner was weighing as against the public interest.  This is not a matter of considering what reasons could be offered in support of the decision; it is a matter of not knowing what his decision was on that complex issue, which is prerequisite to the application of s. 16.  This is especially important in regard to the application of s.16 because the public interest override, which is rarely used, can have a major impact on individuals whose personal information would normally be protected by a statutory exemption.

Barker v. Ontario (Information and Privacy Commissioner), 2017 ONSC 7564 (CanLII).