BCCA denies access to total costs spent on a litigation matter

On August 21st, the Court of Appeal for British Columbia held that a requester had not rebutted the presumption of privilege that applied to the total amount spent by government in an ongoing legal dispute. 

The Court first held that the presumptive privilege for total legal costs recognized by the Supreme Court of Canada in Maranda v Richer applies in the civil context. Then, in finding the requester had not rebutted the privilege, the Court engaged in detailed discussion about how the timing of the request and the surrounding context will weigh in the analysis.

The Court’s analysis is as complex as it is lengthy. Ultimately, the outcome rested most heavily on (a) the timing of the request (early into trial), (b) the identity of the requester (who was a party) and (c) the degree of information about the matter available to the public (which was high). The Court felt these factors supported the making of strong enough inferences about confidential solicitor-client communications that sustaining privilege was warranted.

More generally, the decision stresses the presumption of privilege and associated onus of proof. Despite Maranda, it is easy to think that total legal fees spent on a matter are accessible subject to the privilege holder’s burden of justification. Precisely the opposite is true.

British Columbia (Attorney General) v. Canadian Constitution Foundation, 2020 BCCA 238 (CanLII).

IPC wades into shadow IT mess, may never again

The Information and Privacy Commissioner/Ontario issued a decision about a security incident on July 9th in which it made clear, after participating in a health information custodian’s efforts to recover lost data, that this burden falls on custodians alone.

The incident involved a clinician at an unnamed rehabilitation clinic and her estranged spouse, who reported to the clinic that he possessed 164 unique files containing the personal health information of 46 clinic clients on two computers that belonged to the clinician. The clinician explained the existence of the files as a by-product of secure access and inadvertent, though the files appear to have been purposely moved from temporary storage to a Google drive at some point, possibly by the spouse.

The spouse was not particularly cooperative. This led the IPC, whom the clinic had notified, to engage with the spouse together with the clinic over a several-month period. The IPC took the (questionable) position that the spouse was in breach of duties under section 49(1) of PHIPA.

In the course of these dealings the spouse reported he had also received e-mails with attached assessment reports from the clinician for printing purposes. The clinician said she had thought she had adequately de-identified the reports, though one included a full patient name and others (as the IPC held) contained ample data to render patients identifiable.

All of the detritus was eventually deleted to the satisfaction of the clinic and IPC. The clinic reconfigured its means of providing secure remote access to address the risk of local storage and beefed up its administrative policies and training. There is no mention of implementing a data loss prevention solution.

The IPC decision is notable for two points.

First, the IPC made clear that custodians should not rely on the IPC to help with data recovery (which can be very expensive):

It is clear that interactions between the Clinic and the Spouse had been very challenging, chiefly due to the Spouse’s changing positions throughout this investigation. However, the obligations on a health information custodian to contain the breach remain, even in the face of challenging circumstances.  The Privacy Breach Guidelines are clear that there is an obligation on the health information custodian to retrieve any copies of personal health information that have been disclosed and ensure that no copies of personal health information have been made or retained by anyone who was not authorized to receive the information.  Nothing in the legislation or these guidelines transfers this obligation to the IPC.

Second, the clinic was less skeptical of the clinician than it might otherwise have been, and did not issue discipline. The IPC accepted this, and re-stated its deferential position on employee discipline as follows:

With respect to the Clinic’s decision, I am satisfied that it was reasonable in the circumstances. This office has stated that its role is not to judge the severity or appropriateness of sanctions taken by a custodian against its agents (see PHIPA Decision 74). However, the IPC can take into account a custodian’s disciplinary response as part of its assessment of whether the custodian has taken reasonable steps to protect personal health information against unauthorized access.

A Rehabilitation Clinic (Re), 2020 CanLII 45770 (ON IPC).

Arbitration board dismisses spoliation motion

On May 6th, the Ontario Grievance Settlement Board dismissed a union motion for the ultimate spoliation remedy – granting of a grievance based on an abuse of process.

The Union made its motion in a seemingly hard-fought discipline and discharge case. The Union’s pursuit of electronically stored information “to review the life cycle of certain documents that were exhibits in order to test the integrity and reliability of the documents” began after the employer had put its case in through 40 days of witness testimony. The ESI motion itself took 13 days, and at some point the employer agreed to conduct a forensic examination of certain data. Unfortunately, just before it was about to pull the data, three computers were wiped as part of a routine hardware renewal process. Oops.

Based on two more hearing days the Board held the destruction of the data was inadvertent and not even negligent. Arbitrator Petryshen said:

It is not surprising that the Employer or FIT did not arrange for the imaging of the three bailiff computers prior to September of 2017 because no one considered that there was a risk of losing that data.  Although management at the OTO unit and FIT knew that government computers were replaced every four years, it was reasonable for OTO management to expect that they would be notified when the computers in OTO unit were about to be refreshed. 

Although this is quite forgiving, Arbitrator Petryshen’s finding that “the granting of grievances due to a loss of potentially relevant documents is an extraordinary remedy” is quite consistent with the prevailing law. In 2006, the Court of Appeal for Ontario quashed an arbitration award that allowed a grievance based on an employer’s inadvertent destruction of relevant evidence, and the Court of Appeal for Alberta’s leading decision in Black & Decker says that even negligent destruction of relevant evidence will not amount to an abuse of process.

Ontario Public Service Employees Union (Pacheco) v Ontario (Solicitor General), 2020 CanLII 38999 (ON GSB).

Let’s help our public health authorities by giving them data

This was not the title of the panel I sat on at the Public Service Information Community Connection virtual “confab” today, though it does show the view that I attempted to convey.

John Wunderlich moderated a good discussion that involved Frank Work, Ian Walsh and me. When I haven’t yet formed ideas on a subject, I prepare by creating written remarks, which are typically more lucid than what ends up coming out live! I’ve left you my prepared remarks below, and here are some of the good insights I gained from the discussion:

      • The need for transparency may warrant stand-alone legislation
      • The lack of voice in favour of government data use is not atypical
      • The enhancement of tracing efforts is a narrow public health use
      • The SCC’s privacy jurisprudence ought to foster public trust

All in all, I sustain the view recorded in the notes below: governments should get it done now by focusing on the enhancement of manual contact tracing. Build the perfect system later, but do something simple and privacy protective and learn from it. The privacy risks of centralizing data from contact tracing apps are manageable and should be managed.

Given that public health authorities already have the authority to collect personal data for reportable diseases, what are the reasonable limits that should be put on COVID-19 data collection and sharing by applications?

It’s not yet a given that we will adopt an approach that will give public health authorities access to application data even though (as your question notes) they are designated by law as the trusted entity for receiving sensitive information about reportable diseases – diagnostic information first and foremost, but also all the very sensitive data that public health authorities regularly collect through public health investigations and manual contact tracing.

What we have here is an opportunity to help those trusted entities better perform their responsibility for tracing the disease. That responsibility is widely recognized as critical but is also at risk of being performed poorly due to fluctuating and potentially heavy demand and resource constraints. Based on a ratio I heard on a Washington Post podcast the other day, Canada’s population of 37 million could use 11,000 contact tracers. From my perspective, the true promise of an app is to help a much smaller population of contact tracers trace and give direction faster.

The most important limit, then, is data minimization. Yes, collect data centrally, but don’t collect location data if proximity data will support real efficiency gains in manual contact tracing. Set other purposes aside for the post-pandemic period. Collect data for a limited period of time – perhaps 30 days. Then layer on all your ordinary data security and privacy controls.

Assuming that COVID-19 applications require broad population participation, should or can provincial or federal authorities mandate (or even request) their installation by citizens?

It’s too early to say, though government would be challenged to make a case for mandating installation and use of an application because the data collection would likely be a “search” that must be a “reasonable” search so as not to infringe section 8 of the Charter.

To briefly explain the law, there are three distinct legal questions or issues.

First, there needs to be a “search,” which will likely be the case because the data we need to collect will attract a reasonable expectation of privacy.

Second, the search needs to be “reasonable.” If a search is reasonable, it’s lawful: end of analysis.

And, third, a search that is unreasonable can nonetheless be justified as a reasonable limit prescribed by law as can be demonstrably justified in a free and democratic society.

You can’t do the legal analysis until you have a design and until you understand the benefits and costs of the design. It’s quite possible that good thinking is being done, but publicly at least, we still seem to be swimming in ideas rather than building a case and advocating for a simple, least invasive design. We need to do that to cut through the scary talk about location tracking and secondary uses that has clearly found an audience and that may threaten adoption of the optimal policy.

What will be or should be the lasting change that we see coming out of COVID-19, technology and contact tracing?

What I’ve seen in my practice and what you may not realize is that employers are all in control of environments and are actually leading in identifying the risk of infection. Employers will often identify someone who is at risk of infection three, four or five or more days before a diagnosis is returned. They are taking very important action to control the spread of infection during that period without public health guidance. 

Then we have the potential launch of de-centralized “exposure notification” applications, where the direction to individuals will come from the app alone. To make an assessment of risk based on proximity data alone – without the contextual data collected and relied upon by manual contact tracers – is to make quite a limited assessment. It must be that app-driven notifications will be set to notify of exposure when the risk of infection is low, but such notifications will have a broad impact. That is, they will cause people to be pulled out of workplaces and trigger the use of scarce public health resources.

This activity by employers and (potentially) individuals is independent of activity by public health authorities – the entities who are authorized by law to do the job but who also may struggle to do it because of limited resources.

Coming out of this, I’d like us to have resolved this competition for resources and people’s attention and to have built a well-coordinated testing and tracing system that puts the public health authorities in control and with the resources and data they need.

“Employee’s” signature accessible to public – NLCA

On June 3rd, the Court of Appeal for Newfoundland and Labrador held that the signature of an “employee” who authorized a vacation leave payout to a senior administrator at a college campus in Qatar was accessible to the public even though the individual was hired by Qatar, and not the College.

The matter turned on the meaning of “employee” under Newfoundland’s now repealed and replaced FOI statute, which at the time exempted all personal information from the right of access subject to an exemption for “information… about a third party’s position, function or remuneration as an officer, employee or member of a public body.” The Court held that the term employee is broad enough to include some independent contractors. It explained:

The statutory context and the purpose of the Act, however, would appear to limit including independent contractors only to those who, by virtue of their contract, are required to perform services for the public body in a manner that involves them as a functional cog in the institutional structure of the organization. It is those persons whose personal information about position and functions which can be regarded as employees and still promote the purpose and object of the legislation. To restrict the definition further would be to shield information about certain aspects of the public body’s operations and functioning from potential public scrutiny. To expand the definition further would equally not promote the object and purpose of the Act because it would allow for disclosure of personal information that does not elucidate the institutional functioning of the public body which is to be held accountable.

The Court’s affirmation of the public’s right of access here is no surprise. For one, the record suggested that the College and Qatar were common employers. More fundamentally, the privacy interest in the signature that would justify the outcome sought by the College was simply too minimal to give its interpretation argument principled force. In Ontario, signatures made in one’s professional capacity are not even considered to be one’s personal information.

College of the North Atlantic v. Peter McBreairty and Information and Privacy Commissioner of Newfoundland and Labrador, 2020 NLCA 19.

CASL survives constitutional challenge, FCA gives some insight

Yesterday the Federal Court of Appeal held that Canada’s Anti-Spam Legislation is intra vires Parliament and Charter-compliant. In doing so it opined on the scope of numerous CASL provisions, most notably the so-called “business-to-business exclusion.”

CASL applies coast-to-coast-to-coast – passed under the federal trade and commerce power. It is known to be both strict and inelegantly drafted because it applies very broadly but carves out areas of activity piecemeal, through numerous exemptions and exclusions.

None of this caused the Court any problem. It rejected the appellant’s division of powers attack and its attack under sections 2(b), 11, 7 and 8 of the Charter. Ultimately the Court viewed CASL as addressing an important problem of national scope and focused enough to pass muster because its scope of application is tied to “commercial activity” (a concept with sufficient meaning) and because of its numerous exemptions and exclusions: “CASL thus establishes a complex legislative scheme that evinces a considerable degree of tailoring to meet its objectives.”

More practically, the Court affirmed a CRTC finding that e-mails sent by the appellant to market training courses to employees of organizations did not fit within the Act’s business-to-business exclusion, which removes commercial electronic messages from all regulation if they are sent by an organization, “to an employee, representative, consultant or franchisee of another organization if the organizations have a relationship and the message concerns the activities of the organization to which the message is sent.”

Regarding the relationship requirement, the Court agreed with the CRTC that it will not be satisfied by mere proof of a prior transaction with an employee of the organization to whom a message is sent. The Court used the term “partner organization” to characterize an organization that would qualify for exclusion. It also said that the requirement for exclusion is more demanding than the requirement for being in the type of business relationship that would only trigger deemed implied consent – i.e., an existing business relationship. The Court explained:

Finding an existing business relationship in the present case would permit the appellant to send CEMs to a person—an individual—who had paid the appellant for a course within the preceding two years. Finding a relationship for the purposes of the business-to-business exemption, on the other hand, would allow the appellant to send CEMs to not only the individual who took the course, or the individual who paid for the course, but to every other employee of the organization to which those individuals belong—and organizations can be very large indeed. The latter finding would expose a great many more people to the potentially harmful conduct that it is CASL’s raison d’être to regulate. This suggests, contrary to the appellant’s argument, that the evidentiary requirements for establishing a relationship for the purposes of the business-to-business exemption should in fact be more demanding than for an existing business relationship.

Although this will limit access to the exclusion, the Court did find that the phrase “concerns the activities” does not limit organizations to sending e-mails that concern only the core business operations of the recipient organization.

I’ve addressed only the Court’s most significant interpretive finding. Yesterday’s decision also addresses (a) the purpose of CASL, (b) the meaning of “commercial electronic message”, (c) the relevance of one’s job title to establishing deemed implied consent and (d) the prescribed requirements for an unsubscribe mechanism.

3510395 Canada Inc. v. Canada (Attorney General), 2020 FCA 103.

BC OIPC dismisses privacy complaint about conduct of tribunal litigation

On May 1st the British Columbia Office of the Information and Privacy Commissioner dismissed a complaint that alleged a law firm and its client violated BC PIPA by serving a seven-part application for non-party production on seven non-parties to a Human Rights Code proceeding (thereby disclosing more personal information than would have been disclosed in seven separate applications).

Most significantly, the OIPC held that the PIPA provision that states it does not “limit the information available by law to a party to a proceeding” does not limit the OIPC’s jurisdiction and, rather, “merely provides reassurance that PIPA does not restrict the availability of information to a party to a proceeding where that information is available by law.” The OIPC therefore needed to dismiss the complaint on other grounds – in this case based on a finding of deemed implied consent and a finding that the disclosure was “required or authorized by law.”

The OIPC did come back to the “party to a proceeding” provision – section 3(4) – in dismissing the complainant’s proportionality argument. It said:

[77]        As I see it, the actions of parties in a court or tribunal proceeding – and whether those actions were necessary or appropriate in light of that forum’s governing law and procedures – is a matter best judged by that court or tribunal. I find support for this approach in s. 3(4) of PIPA. Section 3(4) states that PIPA does not limit the information available by law to a party to a proceeding. This provision ensures that PIPA does not interfere with, or override, statutory or common law processes or rules that make information available to a party to a proceeding.

[78]        Section 3(4) of PIPA requires that I interpret and apply PIPA in a way that does not limit the information available to PLG as a party to the legal proceedings before the Tribunal. In essence, the complainant is calling upon PIPA to censure, regulate and/or impose restrictions on what a party to a Tribunal proceeding can do to obtain information or evidence under the Tribunal’s Rules. I believe that a decision on my part prohibiting a party to a Tribunal proceeding from disclosing personal information in an application made pursuant to Rule 23(2) would, effectively, limit the information available by law to that party and run contrary to s. 3(4).

[79]        Thus, the issue of whether in this particular Tribunal proceeding the respondents complied with the Rules regarding applications for non-party disclosure is a matter that should be left to the Tribunal to decide. The Tribunal is an administrative tribunal empowered by statute to create the Rules that govern its proceedings and to enforce compliance with those Rules. Given it is the adjudicative forum where the complainant pursued her human rights complaint, it is best placed to understand the full context of what took place during its proceedings and to referee the parties’ behaviour.

This text is helpful, though the OIPC could have left litigants wider berth by reading section 3(4) as creating a form of privilege.

[Note that the HRTO did sanction the client (respondent) for serving its seven-part application by awarding the complainant $5,000 in costs.]

Mary-Helen Wright Law Corporation (Pacific Law Group) (Re), 2020 BCIPC 21 (CanLII).

PEICA finds no “search” in interviewing a hacker informant

The headline is sensational, but it aptly describes the issue that the Prince Edward Island Court of Appeal recently addressed in R v Molyneaux. The Court held that the police did not conduct a search (governed by section 8 of the Charter) by interviewing an informant about what she saw when she surreptitiously viewed the accused’s phone.

The police charged the accused with child pornography offences. There was a separate dispute about the seizure of images from the accused’s phone, but the Court of Appeal dealt with the informant’s statement alone. The informant attended the police station for an interview, and told the police that she had viewed numerous pornographic pictures of her child when browsing the accused’s phone. The defence argued that the police conducted a search into the phone by conducting this interview. It relied, in part, on cases that have precluded the police from obtaining private information from commercial actors – namely, R. v. Spencer, 2014 SCC 43 and R. v. Orlandis-Habsburgo, 2017 ONCA 649.

The Court rejected the defence argument, explaining:

Society’s conception of the proper relationship between the investigative branches of the state and the individual surely must allow the police to speak to a witness without prior judicial authorization.

I do not believe that the subject matter of the “search” was Molyneaux’s cell phone or the contents thereof. The police were seeking information that might reveal whether or not a crime occurred, and if so, whether or not they should pursue further investigation.  The subject of the search was K.’s memory of what she saw the morning of December 31, 2017.

The Court distinguished Spencer and Orlandis-Habsburgo as matters arising out of the commercial context, in which expectations differ.

R v Molyneaux, 2020 PECA 2 (CanLII).

FOI reconsideration order highlights important timing issue for Ontario institutions

On May 14th, the IPC/Ontario dismissed a request for reconsideration based on an asserted change of circumstances, a somewhat common happening given the lengthy period of time it now takes to process an FOI appeal.

The IPC had earlier affirmed a decision to deny access to certain information about the OPP’s use of cell site simulators on the basis that the information could reasonably be expected to “reveal investigative techniques and procedures currently in use in law enforcement.” After the IPC made this appeal decision, the requester learned that the OPP had switched to a new model of simulator, apparently after she made her request and before the IPC made its decision. The requester asked for reconsideration so she did not have to start again (by filing a new request and potentially re-arguing an appeal). The requester argued the Ministry’s exemption claim could not stand in light of the “new evidence.”

Assistant-Commissioner Liang declined the reconsideration request, but only on the basis that the newly proffered evidence would not have led her to make a different decision in any event. Assistant-Commissioner Liang noted that the Ministry had not deliberately withheld key evidence, which the IPC has treated as a basis for reconsideration. She did not comment on whether the Ministry ought to have brought forward the change in circumstances or whether its failure to do so might warrant reconsideration.

Appeal hearings are about the propriety of an access decision that is made at a point in time, though they can invite respondent institutions to make representations about prospective harms. It goes without saying that institutions should not misrepresent the state of affairs in existence at the time they file their materials with the IPC. And if they have made accurate representations and the circumstances later change, there should be no duty to bring those circumstances to the attention of the IPC and no consequence for failing to do so. This would be a very heavy and impractical burden to bear, and would do harm to the finality owed to respondents. Requesters can and should be made to file new requests that can be the subject of fresh consideration and new access decisions.

Ontario (Solicitor General) (Re), 2020 CanLII 34928 (ON IPC).

No privacy violation to tell complainants that complaint resolved by taking “action”

On February 10th, Arbitrator Oakley dismissed a grievance that alleged a university had violated a professor’s privacy by advising students that it had taken “action” to address their complaint.

Forty-three students complained about a failure to conduct sufficient evaluation by the eighth week of the term as well as inconsistent grading. The Dean investigated and issued a written warning, both actions immediately grieved by the professor and their faculty association. The Dean then sent the following communication to the complainants:

Dear Concerned Students,

Thank you for your patience.

The complaints were reviewed with [G] and the Mount Allison Faculty Association and the University took action to ensure the issues raised were addressed. This action is the subject of a grievance under the relevant collective agreement and is scheduled for arbitration in November. Collective agreements are contracts between an employer and a union governing the relationships between unionized employees and their employer. I cannot disclose any further information until the grievance is resolved by agreement or through arbitration. Please be assured that the issues you raised have been taken seriously by the University and we thank you for raising your concerns.

The professor and faculty association grieved again, relying on provincial privacy legislation, the intrusion tort and a provision of the collective agreement that prohibited the university from disclosing information in the official file.

Arbitrator Oakley dismissed the privacy grievance. He was very careful to root the decision in the facts, stressing that the university did not imply that it had disciplined the grievor.

It is entirely appropriate for Arbitrator Oakley to be so reserved, but it ought to be said that complainants of all kinds have a strong interest in knowing how their complaints are resolved and ought not to be deprived of the basic facts pertaining to resolution, in my own view even if that includes facts about discipline imposed. Privacy is not absolute and does not preclude the meeting of valid competing interests.

Mount Allison Faculty Association v Mount Allison University, 2020 CanLII 33895 (NB LA).