People are abuzz about this April 9th order of the Information and Privacy Commissioner/Ontario in which Adjudicator Corban held that e-mails received by a solicitor employed by the City of Ottawa in his personal capacity were under the custody or control of the City and subject to public access.
The IPC rejected the City’s argument, which rested on a by-law that deemed personal e-mails to be transitory and subject to immediate disposal and the permission it had granted employees to use its computer systems for incidental personal use. The IPC said:
I accept that the City has no objection to the “incidental personal use of City assets such as computers” and the creation or receipt of personal e-mails by its employees. However, I am not persuaded that by allowing for personal usage and by addressing the disposal of such e-mails in its Records Retention By-law the City has given up its authority over personal e-mails stored on City servers…
In my view, the fact that the City has explicitly stated that employees are permitted to use the e-mail system for incidental personal use but that personal use of City computers may be monitored for unauthorized use by the City’s Information and Technology staff, supports a conclusion that the City does have the authority to regulate the treatment of those records even if it chooses not to do so.
This order is reminiscent of (though far less sexy than) the Bobbie Malmer case out of Kentucky. It is also consistent with the traditional view on control of information stored on corporate computer systems. Though the application of our commercial sector privacy legislation, PIPEDA, does not hinge on custody or control, the Federal Court recently found that personal e-mails were not subject to PIPEDA in Johnson v. Bell Canada.
I’ll be speaking about employer access to personal e-mails at a couple of upcoming seminars, including the OBA’s Hot Topics in Privacy Law. Access is a different issue than the control issue (an idea touched upon in this order), but is related and also bound up in developing expectations of privacy based on personal use. An extremely engaging issue right now!
[Addendum. Query whether this outcome is consistent with the purpose of freedom of information legislation? Should the concept of “control” be significantly narrower for the purposes of triggering a right of access than in other circumstances (e.g. for litigation or regulatory production requirements)?]