No civil claim for misappropriated contact information says Ont SCJ

3 Nov

On October 25th the Ontario Superior Court of Justice dismissed certification motions in two actions that claimed damages for the misappropriation of contact information from a hospital information system. The information was taken and used to sell RESPs to the families of newborns.

Most significantly, the Court held there was no viable cause of action for intrusion upon seclusion because the information that was misappropriated did not support a breach that was serious enough to meet the standard established by the Court of Appeal for Ontario in Jones v Tsige. Justice Perell explained:

[151]      I generally agree with the Defendants’ arguments. It is plain and obvious in the case at bar that there is no tenable cause of action for intrusion on seclusion because there was no significant invasion of personal privacy and a reasonable person would not find the disclosure of contact information without the disclosure of medical, financial, or sensitive information, offensive or a cause for distress humiliation and anguish. The contact information that was the objective of the intrusion in the immediate case was not private, there was not a significant invasion of privacy, and the invasion of privacy was not highly offensive to an objective person.

[152]      In other words, in the immediate case, it is not the case that the disclosure of just contact information intrudes on the class members’ significant private affairs and concerns, and in the immediate case, it is not the case that the disclosure of contact information would be highly offensive to a reasonable person and cause her distress, humiliation, and anguish.

[153]      Generally speaking, there is no privacy in information in the public domain, and there is no reasonable expectation in contact information, which is in the public domain, being a private matter. Contact information is publicly available and is routinely and readily disclosed to strangers to confirm one’s identification, age, or address. People readily disclose their address and phone number to bank and store clerks, when booking train or plane tickets or when ordering a taxi or food delivery. Many people use their health cards for identification purposes. Save during the first trimester, the state of pregnancy, and the birth of child is rarely a purely private matter. The news of an anticipated birth and of a birth is typically shared and celebrated with family, friends, and colleagues and is often publicized. The case at bar is illustrative. All the proposed representative plaintiffs were not shy about sharing the news of the newborns.

Much will be said about this judgement. Here are some thoughts.

First. There’s an ambiguity. Justice Perell says there’s no reasonable expectation of privacy in the circumstances and the invasion is not “highly offensive.” How can there be an invasion if there’s no reasonable expectation of privacy? Reading the analysis as a whole, Justice Perell seems to be saying that there is an expectation of privacy (and a privacy breach), but not one that meets the “highly offensive” standard set in Jones v Tsige. This is a first.

Second. Justice Perell doesn’t use the “reasonable expectation of privacy” concept to delineate whether or not there has been an intrusion. I wish he did. For clarity’s sake, I’d like to see a merging of the REP doctrine developed in the Charter jurisprudence with the tort analysis. We’re talking about the same thing.

Third. Justice Perell was able to view the incident through a technical lens, analyzing each data element on its own and not in the broader context. Compare how he viewed the matter to how the Toronto Star editors viewed it in this article. The difference is amazing.

Fourth. I don’t read paragraph 153 as an endorsement of the so-called “third-party doctrine.” Rather, it’s a very broad finding about the publicity of contact information. Contact information is too public in its quality to attract the protection of the common law, says Justice Perell. Compare this view to that of the Alberta OIPC, which has found that the loss of e-mail addresses alone (to a hacker, mind you) gives rise to a “real risk of significant harm.” Justice Perell’s finding (consistent with Jones v Tsige) suggests that the privacy statutes offer greater protection than the common law.

Fifth, I can’t help but think we’ll be litigating about what is and isn’t a breach of privacy for an eternity.

Broutzas v. Rouge Valley Health System, 2018 ONSC 6315 (CanLII).

FCA articulates standard for a counsel’s eyes only order

26 Oct

On October 22nd, the Federal Court of Appeal affirmed a counsel’s eyes only order, confirming that such orders are available in Federal Court (despite the impact on the solicitor-client relationship) when there is a “real and substantial risk that is grounded in the evidence.” It based its affirmation on the following analysis of the facts:

The judge noted that Mr. O’Hara was the sole employee of the appellant and the driving mind behind its product development and business decisions. The judge had a well-founded concern that it would be difficult, if not altogether artificial, to expect Mr. O’Hara to completely divorce his mind from that information. Given the small and highly competitive market in which the parties both operate, this would have obvious and significant consequences for the respondents.

Arkipelago Architecture Inc. v. Enghouse Systems Limited, 2018 FCA 192 (CanLII).

GSB finds PHIPA doesn’t govern occupational health information

20 Oct

Neither public nor private sector employees in Ontario have statutory privacy rights. This has been lamented by the IPC itself.

Ontario unions, however, often rely on the Ontario privacy statutes – FIPPA and PHIPA – to forward privacy grievances. This reliance is unnecessary given arbitrators recognize implicit privacy rights, and has caused the jurisprudence to become incredibly muddled. The worst case is the Divisional Court’s Hooper decision, a (non-labour) case that the IPC has effectively said is wrongly decided. I agree. Hooper needs to be challenged and decisively overruled.

In the interim, we’ll have litigation like that in a recent case decided by the GSB. It’s hard to distinguish Hooper, but Arbitrator Dissanayake distinguished Hooper as follows:

It is apparent, therefore, that in each of those cases, the employer was found to be providing some form of health care to its employees. For that purpose it was held that “health care” is not limited to making a diagnosis. It was broader. There is no evidence that the employer in the instant matter provides any health care to its employees even in the broader sense. It does collect some types of health information related to employees, but the purpose is not in any way related to provision of health care. The purpose is to deal with workplace implications of employees’ health issues on the rights and obligations under the collective agreement and legislation.

I suppose the practical lesson for employers is to be very clear about the purpose of the occupational health function, saying things like this:

  • This white coat you are dealing with is a specialist that is part of our human resources team.
  • This is about assessing you to meet our human resources needs, not helping you get better.
  • Sure we’ll keep your information secure and treat it as confidential, but we’ll also use it for all our occupational health purposes, providing our employees and agents with access in accordance with the “need to know” principle.
  • Please understand. Your personal physician is your source of health care.

Tell your employees. Tell your occupational health staff. Say it loud. Say it proud.

Ontario Public Service Employees Union (Union) v Ontario (Treasury Board Secretariat), 2018 CanLII 55851 (ON GSB).

Arbitrator upholds driving safety system with in-cab cameras

20 Oct

On May 24th, Arbitrator Saunders of British Columbia affirmed an employer’s implementation of a driving safety system that featured an in-cab camera that recorded continuously, with access to the feed limited to certain defined “triggering events” and reasonable cause scenarios.

There’s a good discussion of “sensitivity” and whether Irving Pulp and Paper requires employers to prove a “demonstrated safety problem” to justify any exercise of management rights that touches upon a reasonable expectation of privacy. Arbitrator Saunders said it does not:

I read the Court’s endorsement of Arbitrator Picher’s award in Nanticoke, to reflect an underlying concern about the extreme privacy intrusion occasioned by random drug and alcohol testing. On that basis, it was concluded that an intrusion amounting to “a loss of liberty and personal autonomy” can only be justified by negotiated provisions or by a compelling countervailing interest, such as a demonstrated problem that cannot be adequately addressed by less invasive means. A corresponding level of intrusion is not present on the facts of the present case.

Accordingly, I do not find that Irving posits a dangerous workplace and a demonstrated safety problem as prerequisites in all cases safety is invoked to justify privacy intrusions, much less the intrusion imposed by overt video surveillance. Rather, the existence of safety infractions or the risk of accidents, remain to be factored in the proportionality assessment—the more serious the intrusion, the more compelling the justification required.

Arbitrator Saunders then affirmed the employer’s implementation based, in part, on a finding that the employer’s utilization of employee images was “confined to intermittent safety-related events and is only viewed to advance legitimate incident-based objectives.”

Lafarge Canada Inc. v Teamsters, Local Union No. 213, 2018 CanLII 69607 (BC LA).

Transparency, open courts and administrative tribunals: implications of Toronto Star v AG Ontario

19 Oct

Here’s some commentary I submitted in support of my panel appearance on Wednesday at the above-named OBA conference.

It appears there are not too many fans of the Toronto Star decision among administrative tribunal practitioners, though the tribunals themselves seem to be more ambivalent. I’m among those who don’t like the policy implications of Toronto Star. For insight please read my commentary.

On Wednesday I spoke about the practical impact of practicing under truly presumptive, court-like openness in which no adjudicative decision (with due process rights) stands between a requester and a client’s filings. In short, it will invite the application of a new analysis prior to making any filing. What in here is confidential? Can I compromise – making my client’s case without it? At what cost? Is it better to seek a confidentiality order of some sort? At what cost? Does the media require notice of my motion? At what cost? Did I mention cost?

I encouraged tribunal staff in attendance to think about how critical a concern privacy has become and how individuals expect and are owed, at a minimum, due process. In my view requiring applications for access (made on notice) is a model for access that’s more consistent with the object of administrative justice – specialized, low cost, accessible justice.

Experts, privilege and security incident response

26 Sep

I’d encourage you to read David Fraser’s blog post from last weekend – The value of legal privilege: Your diligent privacy consultant may become your worst enemy.

David’s basic point is sound: structuring a security or privacy expert retainer to support a privilege claim can prevent your own expert’s advice from being used against you. Most often this is done by having legal counsel retain an expert in anticipation of litigation and for the dominant purpose of litigation, with instructions and conclusions going strictly between counsel and expert.

David explains a scenario in which an organization retained an expert to advise on some form of due diligence connected to a subsequent security incident. The expert was apparently quite candid in its written advice, outlining a security problem that amounted to what David compares to a “dumpster fire.” The organization responded partly but not wholly to the expert’s recommendations. That expert’s report will therefore become, as David says, the plaintiff’s Exhibit A.

Being faced with your own expert’s advice is very bad, hence the soundness of David’s point. My additional point: legal privilege is no solution to a bad client-counsel-expert relationship.

The views on what is a reasonable investigation or remediation in the data security context can vary widely between equally qualified experts. Too often, perhaps driven by conflicting interests, security experts recommend what’s possible rather than what is “due.” A breach coach can help address this problem, identifying trusted experts and working with them to reach a shared and acceptable understanding of the due diligence required in responding to a security incident. With such a relationship, departing from an expert’s recommendations (even though they are privileged) represents a real and meaningful risk. The facts – i.e., the things done based on an expert’s recommendations – are never privileged. If litigation ensues, those facts will be picked apart by other experts, and you want the good ones to view the facts the same way as you and your trusted advisor.

Experts that are prone to floating long lists of options need to be retained under privilege because they are dangerous, but even under privilege their advice is worth little. The prescription: do everything you can to build a great client-counsel-expert relationship. Use a breach coach. Keep a roster of trusted experts on retainer. Don’t use experts retained for due diligence advice to do the very remedial work they recommend.

Ont CA says doctor gross revenue information is not personal information

4 Aug

As reported widely, yesterday the Court of Appeal for Ontario affirmed an IPC/Ontario finding that gross revenue earned by Ontario’s top earning doctors was not their personal information.

There’s not much to the decision. (A number of the grounds for appeal were “optimistic.”) The decision illustrates that information must reveal something of a personal nature about an individual (in the relevant context) to be the individual’s personal information. In the doctors’ case, the link between gross income and personal finances was not strong, as noted by the Court:

The information sought was the affected physicians’ gross revenue before allowable business expenses such as office, personnel, lab equipment, facility and hospital expenses. The evidence before the Adjudicator indicated, however, that, in the case of these 100 top billing physicians, those expenses were variable and considerable.

In another context, gross revenue information could be personal information. What is and is not personal information is a VERY contextual matter.

Ontario Medical Association v. Ontario (Information and Privacy Commissioner), 2018 ONCA 673.