IPC/Ontario issues basic cyber hygiene decision

On July 5th, the IPC/Ontario held that an Ontario medical clinic breached its PHIPA safeguarding duties by:

  • Allowing staff to use personal e-mail accounts to send patient information, provided staff referred to patients only by initials, medical reference numbers or accession numbers
  • Allowing the posting of login credentials (on sticky notes or the equivalent) to enable shared access to two computers
  • Failing to abide by the IPC’s model for agent information and instruction, which requires annual privacy training and the re-signing of confidentiality agreements on an annual basis

The clinic self-corrected upon receiving the complaint, but not without defending its posting of login credentials by explaining that the two computers were physically secure and did not contain patient information. It shouldn’t have bothered. Its information and instruction failure aside, the clinic committed plain and basic network security wrongs. The IPC’s decision is notable for calling them out.

A Medical Clinic (Re), 2022 CanLII 61410 (ON IPC).

Location awareness technology on construction job site okay, says arbitrator

On January 14th, a British Columbia labour arbitrator dismissed an allegation that an employer breached British Columbia PIPA and the terms of a collective agreement by employing location awareness technology to manage employees on its construction job sites.

The employer used phone-based technology to “manage and track […] employee attendance, including administering attendance requirements and payroll, and identifying and investigating inaccurate time keeping.” It adduced evidence of incidents of inaccurate logging of work and other attendance problems that it had discovered “by happenstance” through supervisors who managed crews across multiple work sites.

The employer installed the technology on work phones for use on job sites. The technology gathered data about whether an employee was within a work zone (along with distance away from the zone) once every three minutes. This data could not be reviewed until 24 hours later except for a “roll call” function that supervisors could use to check on employee location at any given time.

There is a line of British Columbia location tracking jurisprudence favourable to employers marked by a leading case decided by former Commissioner Elizabeth Denham – Schindler Elevator. The Schindler case, though, involved GPS technology installed in mobile workforce vehicles, partly for safety-related purposes – not phone based technology used on a job site to improve productivity. The union also argued that Schindler should no longer be followed because it pre-dated the Supreme Court of Canada’s alcohol testing decision in Irving Pulp & Paper.

The Board disagreed, and affirmed and applied Schindler. It held:

  • the information was not sensitive;
  • the collection was “reasonably likely” to be effective in satisfying its purposes;
  • the manner of collection was reasonable, in particular because the collection of data was minimized to what was necessary (not precise location and not continuous monitoring); and
  • the employer was entitled to collect the information even though there were other means of addressing its attendance problems, and is not required to exhaust all available alternatives.

This is a helpful decision for employers. While continuing to signal an aversion to “continuous monitoring” and highlighting the need for data minimization, the decision allows for the use of location awareness technology on a job site, which I believe is a Canadian first. It was also quite clear that this employer was motivated by distrust, which unions have argued aggravates the impact of monitoring. The employer did a good job of adducing evidence to prove it had legitimate concerns, but the Board also endorsed the proposition made in Schindler that there is “nothing remarkable” about an employer checking on compliance with work rules.

Kone Inc. v International Union of Elevator Constructors, Local 82, 2022 CanLII 1018 (BC LA).

Appellate court’s decision on teachers’ privacy rights in Ontario

I’ve stuck my neck out in the BLG Insights article linked below in saying that the Court of Appeal for Ontario got a recent school search case wrong. Privacy claims are unpredictable, and can hook on ideas held by decision-makers in a way that impedes common sense outcomes. This is one of those cases in my view, and does harm to security and safety on a number of levels.

Practically, Ontario organizations ought to be addressing the very subject matter of this case in preparation for an October legislative change that will require workplace monitoring policies. The new legislation doesn’t change the right to “monitor,” but organizations shouldn’t view their policies as neutral. Rather, advocacy in support of several essential organizational interests should be embedded in that policy so a clear need for balance is established from the start.

https://www.blg.com/en/insights/2022/07/appellate-courts-decision-on-teachers-privacy-rights-in-ontario

Intrusion upon seclusion is an intentional tort – Ont CA

The Court of Appeal for Ontario has addressed an important point about the intentionality element in the intrusion upon seclusion tort.

The Court dismissed an appeal by a nurse who claimed her employer’s liability insurer had a duty to defend her from claims that arose out of her unauthorized access to patient information. The issue was whether policy language limiting coverage for “expected” or “intended” injury applied, which required the Court to analyze whether an allegation that one has committed the intrusion tort is an allegation of intentional conduct.

The Court said “yes,” and made clear that recklessness is a form of intentional conduct:

Although the Jones decision does not contain a definition of “reckless,” it places reckless conduct side-by-side with intentional or deliberate conduct. Jones adopted the Restatement’s formulation of the tort as involving an intentional intrusion. As well, the decision limited claims for intrusion upon seclusion only to “deliberate and significant intrusions of personal privacy”: Jones, at para. 72. One cannot tease from the discussion in Jones any support for the proposition advanced by Ms. Demme that Jones’ inclusion of a reckless act within the tort of intrusion upon seclusion could involve unintentional conduct.

The Court also articulated the precise state of mind that meets the intentionality element:

For that tort, the relevant intention is the defendant’s intention to access private patient records. If that is demonstrated, the nature of the tort is such that the intention to access the records amounts to an intention to cause injury. 

The appellant had argued that she lacked the intent to cause injury and therefore ought to have been covered.

Demme v. Healthcare Insurance Reciprocal of Canada, 2022 ONCA 503 (CanLII).

Application for non-profit investigation as open as any court proceeding, SKCA

On June 20th, the Court of Appeal for Saskatchewan affirmed the lifting of a sealing order and publication ban over arguments made by a non-profit corporation that its mandate warranted an exception to the general rule of court openness.

The corporation was subject to an application for an inspection under section 214 of The Non-Profit Corporations Act of Saskatchewan based on alleged misuse of funds by its Executive Director. The corporation provides shelter and sustenance to impoverished and at-risk clientele, and argued its ability to provide these services would be impeded by the conduct of an open hearing, in particular before its holiday fundraising drive. It further argued that an application for inspection under section 214 was an “investigatory proceeding” in which it was more likely that “incomplete and misleading” subject matter would be aired.

The Court disagreed with the corporation. Although harm to the corporation’s vulnerable clientele could constitute a “serious risk to an important public interest” (as required for a discretionary order that limits openness), the corporation’s case for harm was too speculative, lacking particulars as to when and what clients would likely be affected. In rejecting the corporation’s broader argument about investigatory proceedings, the Court said, “The open court principle applies to all manner of proceedings, absent valid legislation which limits its application.”

Windels v Canadian Broadcasting Corporation, 2022 SKCA 72 (CanLII), https://canlii.ca/t/jpw4q.

ABCA says no reasonable expectation of privacy in IP addresses

On June 13th, a majority of the Court of Appeal of Alberta held that an IP address alone is not subject to a reasonable expectation of privacy such that it is protected by section 8 of the Charter.

The police had identified a series of fraudulent online transactions and asked a credit card processor for the matching IP addresses. The processor provided the police with two IP addresses, and the police then obtained a production order to require Telus to identify the two Telus subscribers. Unlike in the leading Supreme Court of Canada case R v Spencer, the police sought prior judicial authorization to identify the subscribers. Did they do wrong, however, by obtaining the IP addresses first?

The majority said “no,” and relied on the protection granted by Spencer in finding that there was no reasonable expectation of privacy in the IP addresses alone.

In Spencer, police obtained, without judicial authorization, the IP address and its subscriber data. Thus, without a court order, the police believed the following: Matthew Spencer was using the internet to download child pornography at a specifically named address. By contrast, the police here obtained, without judicial authorization, only IP addresses. Based on this abstract information, police believed a person who committed fraud used the IP addresses. They did not know who. They only knew the IP addresses belonged to TELUS and they ascertained this information through a publicly available internet lookup site. To get the name and address of the subscriber, they lawfully served TELUS with a production order. Thus, without a court order, they believed only this: an unknown person using a known IP address was committing fraud from an unknown address.

An IP address does not tell police where the IP address is being used or, for that matter, who is using it. Nor is there a publicly available resource from which the police can learn this or other subscriber data. To get the core biographical information such as an address, name, and phone number of the user, the police must obtain and serve a production order on the ISP in accordance with Spencer. That is what the police did here.

The dissenting judge held that, notwithstanding Spencer, IP addresses have investigative value as “digital breadcrumbs” and could be used to discover the identity of an unknown internet user. She held that – from a normative perspective – the Charter ought to apply to the police process of gathering electronic evidence right from the beginning.

R v Bykovets, 2022 ABCA 208 (CanLII).

Recent cyber presentations

Teaching is the best way of learning for some, including me. Here are two recent cyber security presentations that may be of interest:

  • A presentation from last month on “the law of information” that I delivered to participants in the Osgoode PDP program on cyber security
  • Last week’s presentation for school boards – Critical Issues in School Board Cyber Security

If you have questions please get in touch!

ABCA decision on defending allegations about privileged communication

On April 12th, the Court of Appeal of Alberta held that a defendant waived solicitor-client privilege by affirmatively pleading that its counsel had no instructions to agree to a time extension for filing a prospectus.

The defendant faced a lawsuit that alleged its counsel gave a time extension and had the actual authority to do so. The majority judges explained that a party faced with such an allegation about a privileged communication can make a bald denial and safely rest on its privilege. The defendant went further, thereby putting its privileged communications in issue.

PetroFrontier Corp v Macquarie Capital Markets Canada Ltd, 2022 ABCA 136 (CanLII).

IPC upholds university vaccination policy

On April 5th, the Information and Privacy Commissioner/Ontario affirmed a University of Guelph requirement that students in residence for the 2021/2022 academic year be fully vaccinated.

The IPC has jurisdiction to consider whether a public body’s collection of personal information is “necessary” to a lawfully authorized activity based on the Freedom of Information and Protection of Personal Privacy Act. The necessity test has been endorsed by the Court of Appeal for Ontario as strict. Where personal information would merely be helpful to the activity, it is not “necessary” within the meaning of FIPPA. Similarly, where the purpose can be accomplished another way, a public body is obliged to choose the other route.

The IPC’s affirmation of the University’s policy (and its collection of personal information) rested heavily on a letter the University had received from the Wellington-Dufferin-Guelph Health Unit in July 2021. It said:

I am writing to recommend in the strongest possible terms that the University of Guelph require a full (two-dose) course of COVID-19 vaccines for all students living in residence during the 2021-22 school year. Additionally, the University should continue to recommend strongly that all other students, faculty and staff receive both doses of the vaccine.

Students beginning or returning to their studies this fall are looking forward to a safe and relational post-secondary experience. Adding this significant layer of protection will help create a more normal fall on campus. Strong vaccination rates across the University are an important part of student physical and mental well-being, and should contribute peace of mind to all Gryphons.

The IPC affirmation is significant not only because it supports a vaccine mandate based on the strict FIPPA necessity standard, but also because of its adoption of this letter and its reasoning. While mandates must certainly be based on science that establishes that vaccination reduces the risk of exposure, the privacy commissioners, labour arbitrators and judges who will continue to be called upon to evaluate mandates must recognize that they are also based on a need for stability and mental well-being.

We thought we were through the pandemic, and are now in Wave Six. Will there be a Wave Seven? And although the province is trying to give us the stability we all crave by committing to laissez faire policy, why should our public bodies be precluded from adopting stable, medium-term policy that prioritizes safety?

University of Guelph (Re), 2022 CanLII 25559 (ON IPC).

GSB addresses use of surveillance footage

In a decision first released last September, the Grievance Settlement Board partly upheld a grievance that challenged the use of video surveillance footage in Ontario correctional facilities.

It has become standard to establish the purpose of workplace video surveillance as supportive of safety and security and to proscribe the use of surveillance technology as a replacement for supervision. In principle this distinction makes sense, though in practice it is unclear and has led to disputes.

In this case, the GSB affirmed the employer’s use of video footage to address misconduct discovered incidentally during a legitimate surveillance footage review that was occasioned by a security incident. Vice-Chair Anderson said:

The evidence as to why the surveillance camera was placed in the central control module was scant.  The ISPPM indicates “audio and video technology are tools to enhance safety and security”.  Sgt Essery’s evidence suggests that was the purpose for the camera in the central control module. It is clear the duties of the officers in the control module are reasonably necessary to the safety and security of inmates, staff and property in the building.  I infer the ability, if necessary, to observe central control module officers in the performance of those duties has a safety and security function.  The camera is also used to observe the hallway next to the central control module through which inmates pass, in particular when they are being escorted to or from the segregation units.  There is no dispute that this has a safety and security function.  There is no evidence that the camera was placed in the central control module for any other purposes.  I conclude its placement was done in good faith for purposes permitted by Appendix COR10.

The GSB also recognized that the employer could justify the use of surveillance video to spot check compliance with a procedure because the spot check and procedure were both to uphold safety and security – the primary purpose of video surveillance. In the circumstances, however, the GSB held that the employer had not proven a sufficient need for such spot checks.

The practical lesson for employers is to be wary of vague and unbounded promises to refrain from using video surveillance. The matter is one of nuance.

Ontario Public Service Employees Union (Union) v Ontario (Solicitor General), 2021 CanLII 95740 (ON GSB).