Another Roundup brought to you mostly by Twitter, which remains a wonderful distraction. I’ve also found a few new blogs, including one by Winnipeg privacy lawyer Brian Bowman. I look forward to following Brian’s writings and meeting him in person when we both speak at a Toronto privacy conference this May (details to come).
Here are some recent developments in the domain that you may find noteworthy. They are about monitoring and auditing employee computer use, government e-mail management and consent rules in privacy statutes.
Monitoring and auditing employee computer use
On June 8th I’ll be speaking at the OBA’s Hot Issues in Privacy Law seminar and have promised a paper on monitoring and auditing employee computer use. My yet-to-be proven thesis is that we Canadians are moving from a period in which a blunt employer-friendly rule prevailed – one relying on systems owner rights – to a period in which Courts and labour arbitrators will impose a balancing rule. There’s early indication in Canadian case law that supports this thesis – the Daniel Potter case on privilege waiver and the University of British Columbia spyware case, for example. There’s not much recent Canadian case law though, so I’m planning on reviewing American case law, including the much-discussed Quon v. Arch Wireless case.
Quon made the news a few weeks back, when on January 27th the United States Court of Appeals for the Ninth Circuit denied a petition for rehearing en banc. The Court thereby endorsed its previous finding that a California police department violated an officer’s Fourth Amendment rights by auditing his text messages to determine why he and others were consistently exceeding monthly character limits.
While I make no comment on American law, I do think the facts in Quon illustrate why having a standard computer use policy is not necessarily enough to immunize employers from employee challenges now that most permit or condone some degree of personal use. This shift is likely to pressure Canadian courts and labour arbitrators to go behind broad “no expectation of privacy” statements in policy, leaving employers who tolerate personal use with a choice: (a) fight against an expectation of privacy by clearly and consistently communicating the details of a routine monitoring and periodic audit program through multiple means or (b) reckon with an expectation of privacy and implement controls to ensure that all searches are likely to withstand a reasonableness challenge.
Thank you to the Proskauer Rose privacy law group for their excellent coverage of Quon. For more on this topic, law student and blawgger Omar Ha-Redeye posted a related piece at Slaw just today and I wrote a paper in 2007 on the basics of employee surveillance law. These are rough ideas to be developed; more to come.
Government e-mail management
Employers are not the only ones who face challenges associated with e-mail management and communication systems that are used for mixed purposes. The Executive Office of the (United States) President’s challenges are detailed nicely by Joan Indiana Rigdon in an article published in this month’s DC Bar magazine. She outlines how legitimate attempts at segregating personal and political e-mails from official e-mails have led to widespread abuse of presidential record keeping legislation. Very interesting, and hints at the challenge of enforcing single purpose communication systems in organizations.
Consent rules in privacy statutes
And finally, knowledge management consultant Peter West sent me a link to this January 2009 paper by the Center for Democracy & Technology. (Thank you!) It contains the Center’s policy position on personal health information protection. Notably, the Center has changed its position on the role of informed consent, reasoning that an over-reliance on consent can harm privacy protection. It explains:
The ability of individuals to exercise control over their personal health information is one important element of privacy protection, and a comprehensive privacy and security framework should set out circumstances where patient consent or authorization must be obtained. However, consent is not a panacea. As appealing as it may seem in concept, in practice over-reliance on consent puts the burden for data privacy on consumers and provides very weak protection for personal health information in a digital environment.
In isolation, without other legal limits, mandating consent is more likely to lead to overbroad information-sharing than to the protection of patient privacy. Over-reliance on consent can confer disproportionate bargaining power on providers and others seeking approval for disclosure. This is especially true if patients are offered all-or-nothing disclosure options in circumstances in which they are unlikely to withhold consent, or even to understand the choices they are making. In particular, when patients are seeking care or applying for insurance, they often authorize disclosures without a full appreciation of the scope of their consent and with an inadequate understanding of how their privacy is being protected.
This rings true.
One of the challenges with our commercial privacy legislation, PIPEDA, is that it features a very absolute (though contextual) consent rule. Organizations faced with PIPEDA compliance can get distracted by the consent rule and equate achieving compliance with obtaining consent. I have been coaching against this misunderstanding recently by using a concept I call the “three pillars of privacy protection” – informed consent, reasonable and proportional use and reasonable safeguards. If I had to explain what informational privacy legislation does in 10 seconds or less I’d describe the three pillars. I see this idea reflected in the Center’s paper, and am happy for it.
On a personal note, I just got back from a very short surf trip to Halifax. As a Torontonian, I’m allowed to say that it’s the best city in Canada – hands down. Here are a couple of pics from the first of two good but cold surf sessions, both of my good buddy Alex. Getting in the water has made me feel human again!