I had fun speaking at the OBA Institute privacy session today. I did a hot topics presentation on (1) the blurring boundary between work and private life, (2) access to stored communications on corporate systems, (3) PIPEDA application to employment in the provinces and (4) the remedial approach to dealing with employees who breach privacy rules.
Case references here:
- Cape Breton-Victoria Regional School Board v. Canadian Union of Public Employees, Local 5050, 2011 NSCA 9.
- State Farm v. Privacy Commissioner of Canada, FC 736.
- HO-010 (IPC Ontario).
HO-010 is quite the case for Ontario health information custodians. It’s controversial because of the following paragraph on dealing with employees who breach privacy rules:
For other staff members of the hospital involved, knowing that all of the details of the disciplinary action imposed will be publicly disclosed, should serve as a strong deterrent. This is especially true if those details also become known to other employees, either through the actions of the aggrieved individual, the custodian, or both. Employees must understand that, given the seriousness of these types of breaches, their own privacy concerns will take a back seat to the legitimate needs of the victims involved to have a full accounting of the actions taken by the health information custodian. Our primary concern must lie with the aggrieved party, whose privacy was completely disregarded.
This statement suggests (very mildly) that employers should publish information about the outcome of the disciplinary process as a means of remedying a data breach that is caused by intentional employee misconduct. As I comment in the slides below, this suggestion should be approached with great caution.
Thanks to the program chairs and the other speakers. I enjoyed the afternoon!