On August 27th the Court of Appeal of Manitoba held appeal determinations made by the Court of Queen’s Bench under section 67 of the Manitoba Freedom of Information and Protection of Privacy Act are final and binding, with no further right of appeal.
Klippenstein v Manitoba (Minister of Family Services and Consumer Affairs), 2012 MBCA 78 (CanLII).
On May 14th, Arbitrator Lanyon held that a union has no right to access employer records for the purpose of monitoring adherence to a collective agreement unless the right is contained in the collective agreement itself. He distinguished British Columbia and Ontario case law that establishes a right of access to bargaining unit member contact information that flows from a union’s representational rights, stating:
I conclude that the Millcroft and P. Suns lines of authority apply specifically to the provision of contact information; for example, the names and addresses of employees. However, these decisions cannot be read to compel an employer to provide information whose sole purpose is to assist the union in monitoring the terms and conditions of the collective agreement. Therefore, the B.C. Labour Relations Code does not compel employers to disclose documents whose whole purpose is to assist the union to monitor provisions of the collective agreement outside the grievance/arbitration procedure. If there is such an obligation on an Employer it must be found within the terms of the collective agreement.
In this case, Arbitrator Lanyon held a teachers’ federation had no right to information about occasional teacher assignments under its agreement with a school board. It’s not clear why this analysis was necessary, but Arbitrator Lanyon also held that individual privacy interests weighed against disclosure.
Mount Arrowsmith Teachers’ Association and School District 69 (Lanyon, 14 May 2012).
On August 21st, the Ontario Superior Court of justice declined to strike a defamation claim as barred by absolute privilege because the manner in which the defendants delivered the draft claim to the plaintiff’s employer suggests, as alleged, it was sent to harm the plaintiff and not for the purposes of forwarding the defendants’ litigation.
The defendants, the plaintiff alleges, served the draft claim on his employer with a warning that “‘We didn’t know’ will not be an adequate explanation in this case.” Regardless, the plaintiff also alleges, after the employer sent a brief e-mail to the defendants saying there was no basis for a claim against it, the defendants promptly withdrew their allegations and proceeded against the plaintiff alone. The Court held that these allegations cast sufficient doubts on the defendants’ motives to let the plaintiff’s (counter)claim proceed.
Yesterday the Court of Appeal for Ontario held that the deemed undertaking rule does not apply to documents that a lawyer receives from a client for the purposes of documentary production. The Court held that such documents are not obtained by counsel under compulsion by the Rules and that the purpose of the deemed undertaking is only to protect against misuse of information received by a party to litigation.
In this case, a lawyer wanted to use documents he received from his former client in her matrimonial dispute to defend a defamation claim brought by the former client’s ex-spouse. The Court’s disposition allows him to do so, subject to the former client’s right to a return of her documents and the lawyer’s ability to obtain an order for third-party production.
The New York Times published a story yesterday on the Aurora, Colorado shootings entitled, “Before Gunfire, Hints of ‘Bad News’.” We’re a long way from fully understanding the significance of the shootings, but the Times’ piece is a reasonable consolidation of facts, so I’ll use it here to make the point that discharging a duty to prevent violence rests heavily on the processing of information to understand the nature of a potential threat.
The Times on the Aurora shootings
The Times follows the classic line of inquiry that follows incidents of violence. Who knew what about suspected shooter James Holmes? When? And why didn’t they act?
The Times goes over facts raised very soon after the shootings about concerns held by Holmes’ psychiatrist, also the director of student mental health services at the University of Colorado Denver. Holmes attended UC Denver until he voluntarily withdrew from study about a month before the shooting. The Times also adds new facts garnered from interviews with people who had recent contact with Holmes. Most notably, in May, Holmes told another student that he had purchased a Glock semiautomatic pistol. Holmes also had some puzzling interactions with a different student about his mental condition, warning her to stay away “because I’m bad news.”
We should not be surprised by these findings. As the forensic psychiatrist quoted by the Times notes, “almost without exception, [mass killers’] crimes represent the endpoint of a long and troubled highway that in hindsight was dotted with signs missed or misinterpreted.”
This widely-accepted view is why violence prevention rests so heavily on processing information or, more specifically, on “threat assessment.” Whether a duty to prevent violence is based on workplace health and safety legislation, occupiers liability legislation or common law duties, implementing reasonable employment screening, reasonable physical security controls and a reasonable emergency response plan is not enough. Implementing a reasonable threat assessment system is an important part of violence prevention, and is necessary to manage the risk of violence that is perpetrated by individuals who are “knowable” to an organization (e.g., customers, patients, students, current and former employees and domestic partners of current employees).
What is threat assessment?
Threat assessment is a structured process of identifying, assessing and managing the threat that certain persons may pose to others. It is depicted in this slide I have prepared for an upcoming presentation (details and registration here):
The element of the process that is highlighted by the Times’ article is on the very left of the slide. A duty to employ reasonable threat assessment procedures requires organizations to build and maintain a system for picking up on and evaluating available or knowable information that might indicate a risk of violence. The duty to “know what is reasonable to know” supports the reporting of threats and mere behaviors of concern, supports the imposition of reporting duties on employees and supports the use of communication and training to encourage others (such as students and customers) to report.
Yes, threat assessment systems invite a kind of surveillance. However:
Though threat assessment has an impact on personal privacy, it is a justifiable impact. The British Columbia and Ontario privacy commissioners have published a guideline on violence prevention that declares “life trumps privacy.” Though the guideline focuses on the disclosure of personal information post-assessment and as part of threat management, the principle it supports applies equally to justify the collection of personal information for threat assessment purposes. In fact, one may question whether a disclosure of personal information for threat management purposes can be made responsibility if it is not based on sound fact-based analysis that can only be achieved with through collection of personal information that helps an organization understand the threat.
Hard questions about the Aurora shootings
Though the Times has compiled some facts that, in hindsight, paint a “disturbing portrait of a young man struggling with a severe mental illness who more than once hinted to others that he was losing his footing,” this does not establish that Holmes’ university failed in assessing the threat that he posed. In fact, at this early stage the Aurora shootings raise some very difficult questions about UC Colorado’s responsibility.
First, what does the reasonable educational institution do to encourage student reports? One student received a warning from Holmes and another knew he had a firearm. UC Denver’s website indicates that faculty and staff have a duty to report threatening and concerning behaviors, but it does not appear that the university imposed such a duty on students. Is this approach reasonable? Would such a duty be meaningful or enforceable in any practical way? What did the university do to encourage or facilitate reporting by students? Was that reasonable?
Second, when should health care providers employed by an educational institution report behaviors for threat assessment? Mental health professionals hear about all kinds of concerning behaviors in the course of providing health care. They are duty-bound to keep such information confidential subject to, under our law in Ontario, a belief that disclosure of information is necessary to eliminate or reduce a significant risk of serious bodily harm. Such disclosures will ordinarily invite an immediate (emergency) response by law enforcement and not threat assessment, so the media’s early focus on what Holmes’ psychiatrist knew and disclosed for threat assessment purposes is puzzling.
Third, what duty does an educational institution have to the public at large? UC Denver is a public institution with an educational mandate. It has no public safety mandate and no relationship with the shooting victims. Does its mere engagement in assessing the threat posed by Holmes to its community justify the imposition of a duty of care to others? This is questionable.
For more information on threat assessment
Here are the resources I’ve used in preparing this article and in preparing for my upcoming presentation.
I’d also encourage you to follow David Hyde, who regularly shares insightful information on threat assessment. For David’s recent post on the role of threat assessment in a workplace violence program, click here.
I spent a long day today studying some fairly wacky e-mails on a file and, coincidentally, also had someone ask me to pull together a list of good e-mail practices with a focus on risk management benefits. This got me onto a creative project, and I have produced the following list.
We’ve published an edition of our Information and Privacy Post. As our lead editorial below says, it contains 61 case summaries (mostly from the last 12 months) relating to the protection of confidential business information, electronic evidence, freedom of information, privacy, privilege and production. Please download the full document here.
Dear Friends:
It’s late August 2012, and here’s what’s on our minds.
Our Information and Privacy Post is back. This edition contains 61 case summaries relating to the protection of confidential business information, electronic evidence, freedom of information, privacy, privilege and production.
It has been a remarkable year. Canadian privacy law, in particular, has made a significant shift. With its decision in Jones v Tsige (page 23), the Court of Appeal for Ontario recognized a new common law privacy right. This new tort applies narrowly – to intentional “intrusions” into private affairs – and includes a “highly offensive” standard that defendants can rightly view as prophylactic. Jones v Tsige, however, opens a door. “What’s next?” is the right question to ask.
Will Canadian courts, for example, recognize a cause of action for public disclosure of private facts? Will damage be presumed and, if so, what kind of damage? If liability flows from mere disclosure, will due diligence be a defence? How will the standard of care be calibrated?
Some clarity would be nice given data breach litigation in Canada is now a reality. In the Rowlands case (page 17), the Ontario Superior Court of Justice approved a settlement that was structured on an assumption that the compensable damages suffered by class members would be minimal to non-existent. Justice Lauwers followed a Québec decision from earlier in the year called Mazzona (page 16), in which the Québec Superior Court dismissed a motion for certification because a data breach class action could not be founded on “potential damage” and the petitioner failed to establish she suffered compensable psychological damage. While positive, the real prospect of data breach class action claims that, even with a reasonable defence, might expose an organization to the kind of counsel fees agreed to be paid in Rowlands is certainly a call to data security “behavior modification.”
That kind of behavior modification certainly hasn’t flown from our federal commercial sector privacy statue – the Personal Information Protection and Electronic Documents Act. This statute, which governs the collection, use and disclosure of personal activity in the course of commercial activity in seven out of ten provinces and the three territories, has produced a trail of cases in which applicants have established liability but received very moderate damages or no damages at all (see the cases we’ve indexed under “PIPEDA damages judgments”). While the Office of the Privacy Commissioner of Canada has used PIPEDA to achieve some high-profile successes in dealing with Facebook, it seems the statute is most notorious for causing the frustration of provincial superior court judges, who don’t quite know what to make of it (see the cases we’ve indexed under “Awkward privacy cases”). With amendments that arose from a parliamentary review that commenced way back in 2006 languishing, one might question whether the statute will hold its relevance. The OPC is aware of this issue, and has begun lobbying for the power to impose administrative monetary penalties and make orders, a development for organizations to watch.
So what if privacy protection becomes the responsibility of our judges? Ontario Commissioner Anne Cavoukian made the news this year when she said she’s lost faith in the inclination of judges to protect individual privacy. I don’t agree. Judges are rightly conservative in making new policy. Their effective stewardship of rights under section 8 of the Canadian Charter of Rights and Freedoms shows they are not out of touch with privacy, though judges from Alberta deserve note for routinely trouncing upon the Office of the Information and Privacy Commissioner of Alberta. The most recent trouncing, in United Food and Commercial Workers (page 13), rivals Jones v Tsige for privacy decision of the year and raises some fundamental questions about the permissible scope of privacy legislation under the Charter. The Alberta OIPC has filed leave to appeal to the Supreme Court of Canada.
So these are very interesting times. The change is real and significant. We hope this document helps you get up to date and equipped for the information management and privacy issues coming your way. Of course, if we can help, please get in touch.
Dan Michaluk
Information and Privacy Practice Group Leader
We hope you enjoy. We’d also like to remind you of our upcoming complementary session for in-house counsel (in which we’ll use “The Post” as a reference). It’s called “An Information Management Update for In-House Counsel and will be held on September 19th at our offices in Toronto. Please click here for details and to register.
On August 16th, the Nova Scotia Court of Appeal overturned an order that sealed the record in a matrimonial dispute and substituted an order that favored either a partial publication ban or redaction (at the parties’ option). The case is notable because the substituted confidentiality order was only based on judicial notice of the risk of identity theft that would flow from the misuse of certain kinds of personal information.
The matter is about access to the court file in a Nova Scotia proceeding. The parties resisted a media organization’s request for access, without adducing any evidence, based on an asserted concern about identity theft. The motion judge recognized the risk, held that a partial publication ban could not be policed and held that a redaction order would be cumbersome and costly. She ordered the court file to be sealed in whole.
In overturning the sealing order, the Court of Appeal stressed that a confidentiality order must be established by evidence or by facts that are properly subject to judicial notice. In this regard, it accepted that identity theft is a risk that can be recognized on judicial notice. The Court said:
I accept that judicial notice may be taken of the social fact that “identity theft is real”, in the judge’s words.
I also accept that access to (1) unique personal identifier numbers, namely passport or Social Insurance Numbers, Health Insurance Card or driver’s licence numbers, (2) credit or debit card numbers, (3) unique property identifier numbers, namely numbers for bank accounts or other investment assets or for debt instruments or insurance policies, and serial or registration numbers for vehicles, may assist the use of identity theft to fraudulently access property.
I also accept that (4) dates of birth, (5) names of parents, (6) personal addresses, (7) email addresses and (8) telephone numbers sometimes may not already be in the public domain, and therefore access to that information in a court file possibly could assist with identity theft. I add that this record has no evidence one way or the other whether that information, for Mr. Jacques or Ms. Foster-Jacques, already is in the public domain.
The Court said the motion judge was wrong, however, to find that a partial publication ban could not be policed and that a redaction order would be cumbersome and costly. It held that there was no evidence to support these findings, which rested on judicial notice of dispositive adjudicative facts.
The Court substituted an order that let the parties opt to redact the information set out in the paragraphs quoted above, failing which, the media would be subject to a prohibition on publishing the same information. While stressing the importance of a firm evidentiary foundation for confidentiality orders, this judgment also suggests that a limited confidentiality order to protect against the disclosure or publication of personal information that is commonly used to establish one’s identity should not be difficult to obtain.
Coltsfoot Publishing Ltd v Foster-Jacques, 2012 NSCA 83 (CanLII).
[Hat tip to Peg Duncan of IT and eDiscovery.]
The Supreme Court of Nova Scotia issued judgement in an internet disparagement case on August 7th that has made the media for resulting in the largest damages award for defamation in Nova Scotia history. Notably, the Court also entertained but did not decide upon a novel claim for breach of privacy.
The self-represented plaintiffs obtained default judgement last December and moved for an assessment of damages. The motion was unopposed by the defendant, a resident of Mississippi.
The plaintiffs’ privacy claim seemingly overlapped significantly with their defamation claim, though the Court described the privacy claim as resting at least partly on the publication of private facts. It noted, for example, that the defendant published a home address and a location one of the plaintiffs visited in Europe.
The Court began by stating, “I am satisfied that in an appropriate case in Nova Scotia there can be an award for invasion of privacy or as the Ontario Court of Appeal [in Jones v Tsige] called it, “the intrusion upon seclusion.” This is a significant finding.
The Court questioned, however, whether the facts deemed to be admitted in the case before it fit the elements of the intrusion privacy tort, which is about the gaining of access to private facts and not publication. It also questioned the effect of the overlapping defamation claim. In the end, the Court decided to “leave the issue of a cause of action for intrusion upon section for another day in another proceeding” based on the lack of argument and the overlapping defamation claim. Had the plaintiffs had not been so successful otherwise , they might take issue with this skirting of their privacy claim.
This is not to suggest the plaintiffs’ privacy claim was a good one. It does seem mainly embodied by their defamation claim, with some independent elements about the publication of facts that are too innocuous to warrant a damages award. The Court might have dealt with the claim in the same manner as the Ontario Superior Court of Justice in Warman v Grosvenor, in which the Court held that the damages for breach of privacy only flow from harm that is not subsumed by the torts of defamation (which addresses harm to reputation) and assault (which the Court said addresses the interest in freedom from fear of being physically interfered with).
All About Information 
You must be logged in to post a comment.