On September 28th, the Information and Privacy Commissioner/Ontario affirmed a $140,132 fee estimate and decision to deny a request to waive the same.
The requester was interested in matters related to the expenditure of funds on a new hospital site in Windsor. In relation to this interest, he sought hospital e-mails from 17 accounts that spanned a nine year period. The requester provided 100 search terms that were broad and seemingly un-targeted at the subject matter of interest.
The hospital generated its estimate based on an application of the requester’s terms. It estimated 145,000 pages of responsive records and calculated the estimate based on the (standard) two minutes of preparation time per page. It did not include time for its search.
The IPC upheld the fee estimate and the fee waiver denial. It said, “a fee waiver would shift an unreasonable burden of the cost to hospital.”
I’ve been tracking “e-FOI” decisions for many years, and believe this to be the highest estimate the IPC has affirmed. In general, and thankfully, the IPC has been pragmatic in handling fee, fee estimate and fee waiver appeals. This is important given how expensive it can be to process e-mail requests and because the law ought to encourage requesters to work with institutions to tailor their requests.
On October 3rd, the Ontario’s cyber security Expert Panel issued its report to Minister of Public and Business Service Delivery, Kaleed Rasheed.
His Honour said, “The Expert Panel’s recommendations will form the foundation of our cyber security policies and help develop best practices shared across all sectors as well as inform future targeted investments in our cyber capabilities and defences.”
Those recommendations are:
Regarding governance: Ontario should reinforce existing governance structures to enable effective cyber security risk management across the BPS.
Regarding education and training: Ontario should continue to develop diverse and inclusive cyber security awareness and training initiatives across all age-levels of learning, supported by a variety of common and tailored content and hands-on activities.
Regarding communication: Ontario should implement a framework that encourages BPS entities to share information related to cyber security securely amongst each other with ease.
Regarding shared services: Ontario should continue to develop, improve, and expand shared services and contracts for cyber resiliency across the BPS, considering sector-specific needs where required.
Here are three issues of significance to public sector instutions and their insurers.
FIRST, the governance recommendation contemplates more government oversight, including through “a single oversight body, employing a common operating model [and] clearly establishing accountabilities.”
Institutions require more funding to address cyber security risks. This recommendation is positive because it will lay the necessary groundwork.
As suggested by the Expert Panel, the current relationship between government and institutions is somewhat confused. Government is engaged an informal kind of oversight that lacks effectiveness and can rightly put institutions on guard because its measures are unclear. Institutions will benefit from clear and simple accountabilities and – did I say it already? – the funding to meet those accountabilities.
SECOND, the communication recommendation encompasses threat information sharing, with the Expert Panel stating, “Ontario should establish a unified critical information sharing protocol to ensure quick communication of cyber incidents, threat intelligence, and vulnerabilities amongst BPS organizations.”
This is to rectify what the Expert Panel says is the “unidirectional” flow of threat information, which is reported to government but is not yet “broadly shared across the BPS.” Institutions know that government currently craves the early reporting of threat information, but the perceived benefit is still minimal. The Expert Panel recommendation is positive in that it may lead to their receipt of more timely, more enriched threat information.
THIRD, the shared services recommendation addresses the cyber insurance coverage problem now faced by the public sector. The expert panel states:
Ontario should investigate options for establishing a self-funded cyber insurance program to support the delivery of services such as breach coaching, incident response, and recovery to which all BPS organizations can subscribe.
There is a form of self-funded cyber coverage available various parts of the Ontario public sector through insurance reciprocals. This coverage is expanding, and the role of reciprocals is becoming more important now that the insurance market has become so hard. Primary coverage by reciprocals, even if limited in scope, can make secondary coverage more obtainable for public sector institutions.
The “breach coaching” reference above gives me pause, though I understand it to be indicative of how the role of expert legal counsel in incident response was borne out of the cyber insurance market (with the term coined by cyber risk and insurance company NetDiligence, I believe).
Breach coaching is simply expert legal advice by another name. It is funded by cyber insurance for those who have coverage, and insurers have required their insureds to use vetted and approved legal advisors in responding to incidents because they understand the risk mitigating (and cost reducing) value of this specialized legal service. Public sector institutions without coverage bear all the same risks as those with coverage, and without proper advice are at great peril. The need for proper legal advice one reason is why it is so important to solve the public sector coverage problem, though institutions dealing with a major cyber incident should not consider legal advice to be optional.
Earlier this year, the Federal Court dismissed a claim that a column in a spreadsheet was subject to solicitor-client privilege because disclosure would reveal legal advice obtained prior to its development.
Solicitor-client privilege (literally) protects advisory communications between a solicitor and its client, and it can protect such communications if they find their way into other documents. For example, if two employees of a lawyer’s client discuss the (corporate) lawyer’s advice confidentially via e-mail, their description of the advice may be redacted in response to a production requirement because its disclosure would reveal the solicitor-client communication.
In this case, a corporate taxpayer argued that a column in a spreadsheet was protected by solicitor-client privilege based on the same rationale. It relied on an affidavit that explained that it received legal advice prior to the development of the column and that disclosure of the column would reveal it “by what is being computed, how the computation is done,” and “by associated text in the reacted column.” The Court exercised its discretion to review the prior legal advice and held that the column was simply the “operational outcome or end product of legal advice” and not protected.
This is a fact specific, though illustrative outcome. Even the fact of obtaining legal advice on a particular matter is sensitive and ought normally be kept secret because, once disclosed, inferences can be drawn about advice taken based on the “operational outcome” or “end product” of the advice. Of course, a lawyer’s legal advice can be either be accepted or rejected or followed precisely or loosely, but clients are often drawn to back the legitimacy of their actions by reference to their careful adherence to legal advice. That’s plainly a risk.
In this case, it is unclear whether something precipitated the (more basic) disclosure of an advisory relationship, but one can see how arguing the resulting inference can be very awkward and risky. The only way to do it is to “double down” and disclose more about the advisory relationship and the resulting inference. If not it inviting of waiver in the underlying advice (which the Court did not find here), it seems to be one step down a slippery slope to that outcome.
On July 20th, the Court of Appeal for Saskatchewan held that an accused person who drove his pickup truck through a highway intersection and stuck a semi-truck did not have a reasonable expectation of privacy that precluded the police from seizing a control module and its data from his vehicle before it was towed away.
The accident was horrible. There were six people in the truck with the accused, three of whom died, two of whom were children. The police charged the accused with dangerous driving and criminal negligence, and the prosecution relied on evidence retrieved from the wrecked pickup truck at the scene of the accident. Specifically, the police seized the truck’s Airbag Control Module (ACM) from under the driver’s seat. The ACM contained an Event Data Recorder (EDR) with data about the vehicle’s operation during the five seconds before impact in tenth of a second intervals – specifically, speed, accelerator pedal (% full), manifold pressure and service brake (on/off), seatbelt pretensioner readings, airbag deployment readings.
There are competing lines of Canadian jurisprudence regarding the warrantless seizure of on board vehicle computers and their data. The leading Ontario case is Hamilton, a Ontario Superior Court of Justice case that recognizes a reasonable expectation of (informational) privacy. In Yogeswaran, though, the Ontario Superior Court of Justice held that the territorial privacy interest in one’s vehicle is enough to preclude police search and seizure without prior judicial authorization.
Conversely, in Fedan, the Court of Appeal for British Columbia held that one’s territorial privacy interest in their vehicle is extinguished when the vehicle is seized and that EDR data is not associated with a strong enough informational privacy interest to warrant Charter protection.
The Court of Appeal for Saskatchewan followed Fedan. It reasoned that the accused’s truck, being totally destroyed on the side of a public roadway, was in the total control of the police whether or not it was yet to be formally seized based on section 489(2) of the Criminal Code. It concluded:
…the claim to a territorial privacy interest by Mr. Major in that component of his vehicle is weak. While a warrant could have been obtained, that does not mean one was required. I find that the state of the vehicle, Mr. Major’s loss of control over it, the nature of the ACM as a mechanical safety component installed by the manufacturer, and the focused task by Cpl. Green in locating and removing only it, do not support the continued existence of an objectively reasonable territorial privacy interest at the point when the vehicle was entered
Regarding informational privacy, the Court made the point that not all digital evidence is equally sensitive or revealing of one’s “biographical core.” EDR data of the kind at issue is limited to data about the operation of a vehicle immediately before an accident, and provides no “longer-term information about the driving habits of the owner or operator of a vehicle.” The Court concluded:
After considering the two lines of cases regarding EDR data, I find myself in substantial agreement with the reasoning from Fedan for the characterization of the data stored in the EDR. As in Fedan, the data here “contained no intimate details of the driver’s biographical core, lifestyle or personal choices, or information that could be said to directly compromise his ‘dignity, integrity and autonomy’” (at para 82, quoting Plant at 293). It revealed no personal identifiers or details at all. It was not invasive of Mr. Major’s personal life. The anonymous driving data disclosed virtually nothing about the lifestyle or private decisions of the operator of the Dodge Ram pickup. It is hard to conceive that Mr. Major intended to keep his manner of driving private, given that the other occupants of the vehicle – which included an adult employee – and complete strangers, who were contemporaneously using the public roadways or adjacent to it, could readily observe him. His highly regulated driving behaviour was “exposed to the public” (Tessling at para 47), although not to the precise degree with which the limited EDR data, as interpreted by the Bosch CDR software, purports to do. While it is only a small point, I further observe that a police officer on traffic patrol would have been entitled to capture Mr. Major’s precise speed on their speed detection equipment without raising any privacy concerns.
On July 5th, the IPC/Ontario held that an Ontario medical clinic breached its PHIPA safeguarding duties by:
Allowing staff to use personal e-mail accounts to send patient information provided staff referred to patients only by by initials, medical reference numbers or accession numbers
Allowing the posting of login credentials (on sticky notes or the equivalent) to enable shared access to two computers
Failing to abide by the IPCs model for agent information and instruction, which requires annual privacy training and the re-signing of confidentiality agreements on an annual basis
The clinic self-corrected upon receiving the complaint, but not without defending its posting of login credentials by explaining that the two computers were physically secure and did not contain patient information. It shouldn’t have bothered. Its information and instruction failure aside, the clinic committed plain and basic network security wrongs. The IPC’s decision is notable for calling them out.
On January 14th, a British Columbia labour arbitrator dismissed an allegation that an employer breached British Columbia PIPA and the terms of a collective agreement by employing location awareness technology to manage employees on its construction job sites.
The employer used phone based technology to “manage and track […] employee attendance, including administering attendance requirements and payroll, and identifying and investigating inaccurate time keeping.” It adduced evidence problems with incidents of inaccurate logging of work and other attendance problems that it had discovered “by happenstance” through supervisors who managed crews across multiple work sites.
The employer installed the technology on work phones for use on job sites. The technology gathered data about whether an employee was within a work zone (along with distance away from the zone) once every three minutes. This data could not be reviewed until 24 hours later except for a “roll call” function that supervisors could use to check on employee location at any given time.
There is a line of British Columbia location tracking jurisprudence favourable to employers marked by a leading case decided by former Commissioner Elizabeth Denham – Schindler Elevator. The Schindler case, though, involved GPS technology installed in mobile workforce vehicles, partly for safety-related purposes – not phone based technology used on a job site to improve productivity. The union also argued that Schindler should no longer be followed because it pre-dated the Supreme Court of Canada’s alcohol testing decision in Irving Pulp & Paper.
The Board disagreed, and affirmed and applied Schindler. It held:
the information was not sensitive;
the collection was “reasonably likely” to be effective in satisfying its purposes;
the manner of collection was reasonable, in particular because the collection of data was minimized to what was necessary (not precise location and not continuous monitoring); and
the employer was entitled to collect the information even though there were other means of addressing its attendance problems, and is not required to exhaust all available alternatives.
This is a helpful decision for employers. While continuing to signal an aversion to “continuous monitoring” and highlighting the need for data minimization, the decision allows for the use of location awareness technology on a job site, which I believe is a Canadian first. It was also quite clear that this employer was motivated by distrust, which unions have argued aggravates the impact of monitoring. The employer did a good job of adducing evidence to prove it had legitimate concerns, but the Board also endorsed the proposition made in Schindler that there is “nothing remarkable” about an employer checking on compliance with work rules.
I’ve stuck my neck out in the BLG Insights article linked below in saying that the Court of Appeal for Ontario got a recent school search case wrong. Privacy claims are unpredictable, and can hook on ideas held by decision-makers in a way that impedes common sense outcomes. This is one of those cases in my view, and does harm to security and safety on a number of levels.
Practically, Ontario organizations ought to be addressing the very subject matter of this case in preparation for an October legislative change that will require workplace monitoring policies. The new legislation doesn’t change the right to “monitor,” but organizations shouldn’t view their policies as neutral. Rather, advocacy in support of several essential organizational interests should be embedded in that policy so clear need for balance is established from the start.
The Court of Appeal for Ontario has addressed an important point about the intentionality element in the intrusion upon seclusion tort.
The Court dismissed an appeal by a nurse who claimed her employer’s liability insurer had a duty to defend her from claims that arose out of her unauthorized access to patient information. The issue was whether policy language limiting coverage for “expected” or “intended” injury applied, which required the Court to analyze whether an allegation that one has committed the intrusion tort is an allegation of intentional conduct.
The Court said “yes,” and made clear that recklessness is a form of intentional conduct:
Although the Jones decision does not contain a definition of “reckless,” it places reckless conduct side-by-side with intentional or deliberate conduct. Jones adopted the Restatement’s formulation of the tort as involving an intentional intrusion. As well, the decision limited claims for intrusion upon seclusion only to “deliberate and significant intrusions of personal privacy”: Jones, at para. 72. One cannot tease from the discussion in Jones any support for the proposition advanced by Ms. Demme that Jones’ inclusion of a reckless act within the tort of intrusion upon seclusion could involve unintentional conduct.
The Court also articulated the precise state of mind that meets the intentionality element:
For that tort, the relevant intention is the defendant’s intention to access private patient records. If that is demonstrated, the nature of the tort is such that the intention to access the records amounts to an intention to cause injury.
The appellant had argued that she lacked the intent to cause injury and therefore ought to have been covered.
On June 20th, the Court of Appeal for Saskatchewan affirmed the lifting of a sealing order and publication ban over arguments made by a non-profit corporation that its mandate warranted an exception to the general rule of court openness.
The corporation was subject to an application for an inspection under section 214 of The Non-Profit Corporations Act of Saskatchewan based on alleged misuse of funds by its Executive Director. The corporation provides shelter and sustenance to impoverished and at-risk clientele, and argued its ability to provide these services would be impeded by the conduct of an open hearing, in particular before its holiday fundraising drive. It further argued that an application for inspection under section 214 was an “investigatory proceeding” in which it was more likely that “incomplete and misleading” subject matter would be aired.
The Court disagreed with the corporation. Although harm to the corporation’s vulnerable clientele could constitute a “serious risk to an important public interest” (as required for a discretionary order that limits openness), the corporation’s case for harm was too speculative, lacking particulars as to when and what clients would likely be affected. In rejecting the corporation’s broader argument about investigatory proceedings, the Court said, “The open courtprinciple applies to all manner of proceedings, absent valid legislation which limits its application.”
On June 13th, a majority of the Court of Appeal of Alberta held that an IP address alone is not subject to a reasonable expectation of privacy such that it is protected by section 8 of the Charter.
The police had identified a series of fraudulent online transactions and asked a credit card processor for the matching IP addresses. The processor provided the police with two IP addresses, and the police then obtained a production order to require Telus to identify the two Telus subscribers. Unlike in the leading Supreme Court of Canada case R v Spencer, the police sought prior judicial authorization to identify the subscribers. Did they do wrong, however, by obtaining the IP addresses first?
The majority said “no,” and relied on the protection granted by Spencer in finding that there was no reasonable expectation of privacy in the IP addresses alone.
In Spencer, police obtained, without judicial authorization, the IP address and its subscriber data. Thus, without a court order, the police believed the following: Matthew Spencer was using the internet to download child pornography at a specifically named address. By contrast, the police here obtained, without judicial authorization, only IP addresses. Based on this abstract information, police believed a person who committed fraud used the IP addresses. They did not know who. They only knew the IP addresses belonged to TELUS and they ascertained this information through a publicly available internet lookup site. To get the name and address of the subscriber, they lawfully served TELUS with a production order. Thus, without a court order, they believed only this: an unknown person using a known IP address was committing fraud from an unknown address.
…
An IP address does not tell police where the IP address is being used or, for that matter, who is using it. Nor is there a publicly available resource from which the police can learn this or other subscriber data. To get the core biographical information such as an address, name, and phone number of the user, the police must obtain and serve a production order on the ISP in accordance with Spencer. That is what the police did here.
The dissenting judge held that, notwithstanding Spencer, IP addresses have investigative value as “digital breadcrumbs” and could be used to discover the identity of an unknown internet user. She held that – from a normative perspective – the Charter ought to apply to the police process of gathering electronic evidence right from the beginning.
All About Information 
You must be logged in to post a comment.