Yukon court rules surreptitiously recorded telephone call to be inadmissible

On July 27th the Supreme Court of Yukon ruled that a surreptitiously recorded telephone conversation was inadmissible in a family law proceeding.

The issue arose in an application to formalize a child support and access arrangement relating to a five-year-old child. The father was concerned about negative comments made by the mother to the child during phone calls she made during his period of access. The father recorded one such call. The mother was on speaker phone and knew that he “was in the room” while she spoke with her child. The father sought to adduce a transcript of the recording.

Despite commenting that the evidence was “highly probative to the extent that it confirms the mother’s blatant attempt to manipulate the child,” the Court excluded the evidence. It held that it would bring the administration of justice into disrepute to admit evidence obtained in breach of section 184(1) of the Criminal Code (intercepting a private communication) and that admitting the evidence would encourage a practice that was not in the best interests of the child.

There’s a section in The Law of Evidence in Canada that suggests a judge hearing a civil matter does not have a discretion to exclude relevant and reliable evidence even though it was obtained through unlawful means, though the Court cites to some British Columbia judgements that suggest otherwise. (I have not yet reviewed these judgements, but will.) The Court also does not explain the basis for finding that the father breached section 184(1) by making the recording, a finding that is debatable given the mother was on speaker with the father in the room and given the Criminal Code definitions of “private communication” and “intercept.”

BDC v BJB, 2012 YKSC 64 (CanLII).

Elections Ontario breach report highlights failures in internal responsibility

On Tuesday, the Information and Privacy Commissioner/Ontario issued her report on the Elections Ontario data breach – a breach involving the loss of two USB keys containing unencrypted personal information of between 1.4 and 2.4 million electors. There are a number of relevant technical findings in the report, but overall the Commissioner used the occasion to send a message about the need for a well-functioning internal responsibility system.

The internal responsibility system concept is well known to health and safety practitioners. An IRS is a system of accountability within an organization in which all individuals – from executives, to middle management, to supervisors, to workers – have an assigned responsibility for addressing occupational hazards. Ryerson University Professor Peter Strahlendorf illustrates how an IRS works by reference to the causal analysis that is conducted after a workplace accident:

If a worker makes a mistake and causes an accident, we can see how very often there was a prior failure of a supervisor to train, coach, observe, job plan, motivate, and so on. So, if the supervisor can be said to have caused the accident in part, then we can see that frequently the manager did not properly select and train the supervisor, or did not develop programs needed by the supervisor, or did not properly allocate resources or staff the workplace.

Where the direct causes of an accident involve unsafe conditions, tools, machines, processes and structures, we can often bypass the worker and supervisor in our causal analysis and see the failure of the mid-level to senior manager to properly apply design standards or allocate resources.

Managers cause accidents; they just cause them in different ways than workers and supervisors. However many layers there are in an organization we can see a causal connection back to the accident. Presidents cause accidents. They can fail to lead, to set policy, to ensure a proper delegation of authority, to inspire a proper safety culture, to design a workable organizational structure or to allocate resources.

The striking feature of most Canadian privacy statutes is that they do not assign duties throughout an organizational hierarchy. Unlike health and safety statutes, privacy statutes typically impose duties on organizations themselves or “heads” of organizations but do not impose legal duties on employees and others who handle personal information. The imposition of statutory legal duties on employees and agents is more common in Canadian health privacy legislation, but the duties imposed are very general.

The Commissioner measured Elections Ontario against Ontario’s provincial public sector privacy statute – the Freedom of Information and Protection of Privacy Act. FIPPA features a data security provision typical of Canadian privacy legislation: “Every head shall ensure that reasonable measures to prevent unauthorized access to records in his or her institution are defined, documented and put in place, taking into account the nature of the records to be protected.” It’s up to the head – most often a cabinet minister or board chair – to determine what duties to assign to whom, to assign the duties and to enforce the duties, all without the backing of statute. As Elections Ontario might illustrate, this is a difficult task that should not be taken lightly.

The Commissioner’s Elections Ontario report describes a total failure of internal responsibility. Workers failed to follow the identified protocol for data handling. The two supervisors on the privacy-sensitive project regularly worked at a different building than the workers handling the data. Middle management appointed two supervisors who were not competent to deal with data protection; one apparently thought encryption involved zipping and password protecting files. Senior management put in place a policy framework that the Commissioner said included significant flaws. She also suggested that senior management, after the matter was escalated, failed in providing the leadership necessary to muster an appropriate breach response and remedial plan. There were enough problems in the Commissioner’s eyes to justify a bottom-to-top flogging.

The problem with privacy legislation is that it seems to suggest that data protection is too easy. If data protection were easy enough to be handled by a single accountable person we would never have data breaches. In reality, data protection is complex. It involves risks that need to be managed through a coordinated bottom-to-top effort, especially involving the competent supervision of individuals.

The consequences of failure are frightening. The Commissioner’s report must be terribly painful to Elections Ontario and its management, and will serve as a handy road map for prosecution in the now-commenced class proceeding.

Elections Ontario’s Unprecedented Privacy Breach: A Special Investigation Report (31 July 2012).

An information management update for in-house counsel (September 19th)

We try not to use this blog for too much direct promotion but are genuinely excited about our recently announced September 19th information management and privacy session for in-house counsel.

Here’s a program description.

This session is an update for in house legal counsel on critical information management issues. We will focus on current developments and their practical implications. Topics will include:

  • Things you must do now to maintain access to business system information
  • Recent privilege cases and what they mean for in house counsel
  • Data security, breach response and privacy class actions – implications for you and your organization
  • Employee medical information management – essentials and developments

The session will be held at:

Hicks Morley Toronto Office
77 King Street West, 39th Floor
Toronto
8:30 a.m. – 10:30 a.m.

Your presenters will be Daniel J. Michaluk, Frank J. Cesario and Amy R. Tibble.

We’ve planned the 1.5 hour session to have 30 minutes of professional content that is accredited by the Law Society of Upper Canada. Accreditation is pending.

If you are in-house counsel who follows this blog, even if not a Hicks Morley client, we would be happy for you to attend on a complimentary basis. Please register here.

BC OIPC issues significant public sector criminal background check report

On July 25th the Information and Privacy Commissioner for British Columbia issued a significant report on public sector criminal background checks, pushing the government of British Columbia to further tailor the scope of its program.

The report was about the province’s screening program and not vulnerable sector checks governed expressly by British Columbia criminal record check legislation. The program seems to be a top-notch program. For example, it applies based on a job classification scheme developed based on a risk assessment, it limits police checks in favor of CPIC checks and it features adjudication of positive results by a body at arm’s length from the hiring department.

Nonetheless, the Commissioner conducted a very close review and took issue with a number of aspects of the program, especially its breadth. For example:

  • She held that four out of the ten job classifications to which a background check requirement applies are redundant or drafted too broadly. According to the Commissioner, for example, a mere responsibility for handling personal information should not attract a background check requirement given there are other means of controlling for misuse of personal information (like access control and access logging, she mentioned).
  • She held that requiring a check when dictated by third-parties was “fundamentally flawed”: “Government should determine when it will conduct criminal record checks on its employees and it should ensure that it only conducts record checks when it is authorized by FIPPA to do so.”
  • She held that post-employment checks should not be a routine requirement except for “particularly sensitive functions” and when someone is hired into a new position with a significantly different risk profile.

The third-party finding is aggressive, but might have been conceived by the Commissioner as a means of giving the British Columbia government bargaining power over the third-parties with whom it deals. The post-employment check limitation is also a significant constraint. In making this finding the Commissioner drew from Arbitrator Michel Picher’s finding in a case involving firefighters at the City of Ottawa. The Commissioner’s finding in this report and her adoption of Mr. Picher’s principled statements are likely to be taken together as quite authoritative.

The Commissioner also addresses issues related to the identification of candidates, notification and record retention.

Investigation Report F12-03 (25 July 2012, Information and Privacy Commissioner for British Columbia).

Ontario Court says applicant can’t circumvent statutory access procedure

On July 13th the Ontario Superior Court of Justice held that it did not have jurisdiction to order a federal government institution to produce a personnel file to a deceased employee’s estate.

The estate sought the file because it was trying to determine if the deceased had the mental capacity to designate an unknown third party as beneficiary under his pension plan. The Court’s decision that it lacked jurisdiction to order production is very qualified. It rested to some degree on the record filed, but the Court does hint that it lacked jurisdiction because the motion was for production of information that could be accessed via the federal Privacy Act. In any event, the Court said that, as a matter of discretion, it would not have granted an order that allows one to circumvent the Privacy Act: “Finally, it is apparent to me that even were there some sort of inherent right of this court to make the production order, I would not order it in the face of the clear process for obtaining production of private or personal information under the Privacy Act.”

MacDonald Estate v Department of National Defence, 2012 ONSC 4155 (CanLII).

Ontario/IPC affirms fee estimate for retrieval of e-mails from backup

On July 12th, the IPC/Ontario affirmed a $5,490 fee estimate for a request that would entail retrieving e-mails from backup tapes.

Our provincial FOI legislation allows institutions to recover 100% of the “costs, including computer costs, that [an] institution incurs in locating, retrieving, processing and copying [a] record if those costs are specified in an invoice that the institution has received.” In this matter, the IPC held that a quote constitutes an “invoice” for the purpose of this allowance. It upheld the institution’s sizable fee estimate while noting that the nature of the request – aimed at gaining access to deleted e-mails – required the institution to use an external vendor.

E-FOI made the legal news this week after United States District Court Judge Shira Scheindlin issued a decision with strong statements against the adequacy of self-collection under American FOI law. In Ontario at least, paper production strikes a convenient balance that the user pay presumption in our FOI law and decisions like this one seem to keep in place.

Toronto Community Housing Corporation (Re), 2012 CanLII 40549 (ON IPC).

Ontario data breach class action settlement approved

Canadian data breach litigation is still in its early phase. On July 3rd, the Ontario Superior Court of Justice approved a settlement in a significant class action that was brought after a public health nurse lost a USB key containing the personal information of about 85,000 individuals who had been immunized during the 2009 H1N1 scare.

The settlement involved the creation of a claims period open until August 1, 2016 to allow class members to claim for economic loss but no damages payment otherwise. As Justice Lauwers explained, the defendant and its insurer agreed to accept the risk of economic harm over the six and a half year claim period, after which, he held, “the risk will be virtually eliminated.”

In approving the settlement, Justice Lauwers stressed that the plaintiff faced a difficult case given that, as time passed, his ability to prove compensable damages worsened. He said:

It is important to consider the context in which this case developed. The USB key was lost on or about December 16, 2009. In the midst of the anxiety created by that loss, the action was started on April 26, 2010. The certification motion was heard on December 16, 2010 with the decision rendered on February 4, 2011, and the certification order signed on April 26, 2011. Over the course of this action, anxiety about the abuse of private information has given way to the realization that it is now probable that no one has the missing USB key. This inference comes from the fact that no class member has claimed that information on the key has been used to financially damage his or her interests. This case, it bears emphasizing, would look far different if information from the lost USB key had been abused by a wrongdoer…

As a matter of law, in my view, the chances of success, in the circumstances as they have unfolded since the USB key was lost, are quite low.

Justice Lauwers approved an agreement to pay $500,000 in costs (including taxes and disbursements) to class counsel plus an amount equal to 25% of any claims paid. Though loss to individuals was not the basis for this amount, it equals about $5.99 per affected individual for a suspected breach involving the loss of name, address, telephone number, gender, date of birth, Ontario health number, health card expiration date, name of primary care provider and “some additional personal health information.”

Rowlands v Durham Region Health, 2012 ONSC 3948 (CanLII).

Arbitrator says demand for personal cell phone records not justified

In a recently published award, arbitrator Michel Picher held that an employer was not justified in demanding production of an employee’s personal cell phone records.

The employee – an apprentice diesel mechanic who worked in a safety sensitive environment – was observed holding his Blackberry device contrary to company policy. He said his shift was almost over and he was just checking the time. In its investigation, the employer asked for copies of his cell phone records.

Arbitrator Picher inferred that the request was made for the purpose of checking whether the employee had used his phone earlier in the shift, an improper purpose (not supported by reasonable grounds, I note) and a significantly different purpose than following up on a significant accident or near miss. Arbitrator Picher has previously endorsed limited requests for personal cell phone records for the latter purpose.

The Canadian Pacific Railway and CAW-Canada, Local 101 (M. Picher, 22 November 2011).

IPC/Ontario says institution facing data breach should not have protected employee

The IPC/Ontario issued a privacy complaint report on July 3rd that illustrates the downside of protecting an employee who has gained unauthorized access to personal information.

The IPC likes institutions and health information custodians to hold employees accountable for gaining unauthorized access to personal information by imposing discipline and (controversially) sharing the details of the disciplinary response with affected individuals. It made this position clear in 2010 in HO-010. In this most recent report, it even suggested that institutions should have a policy that calls for disclosing the details of its disciplinary response barring exceptional circumstances.

The report is about an OPP clerk who gave access to an occurrence report about the complainant to an acquaintance who was the complainant’s landlord. The OPP admitted the breach but also shouldered the blame. It counseled the clerk and provided remedial training to all clerks. In its representations to the IPC the OPP said “The clerk appeared to have acted alone, and made a single error on one occasion resulting in the disclosure of a single record. We believe that this mistake was due to a lack of training, rather than as a result of malice or intent.”

The IPC quoted this representation twice before rejecting it and reiterating the principles from HO-010. It was a very problematic position to take given HO-010 and the sensitivity of the personal information in a police occurrence report. It is also hard to frame actions like the clerk’s as merely negligent.

The IPC then, as invited by the OPP’s position, engaged in a detailed analysis of the OPP privacy governance framework before making a number of negative findings about the OPP’s policies, procedures and training. One wonders whether the OPP’s privacy governance framework would have been questioned at all if it had simply assigned fault to the clerk.

Ontario institutions and health information custodians who are faced with a privacy breach need to conduct a thorough investigation with good causal analysis before the IPC gets involved. If fault lies with one or more employees, assigning fault and imposing appropriate consequences appears to be a relatively simple way to meet the IPC’s expectations. Taking such steps may even dissuade the IPC from asking broader and potentially more painful questions about organizational privacy governance.

Ontario (Community Safety and Correctional Services) (Re), 2012 CanLII 37748 (ON IPC).

Arbitrator suggests that discipline undermines grounds for referral to psychiatric assessment

Here is another case in which an arbitrator held that an employer did not have grounds to order an employee to attend a psychiatric assessment. Ontario Arbitrator Nimal Dissanyake issued his order on April 3, 2012. He was driven by a number of factors:

  • the employee had demonstrated a pattern of angry behavior, but had not made an express or implied threat;
  • the employer did not base its assessment direction on input from a company physician/advisor;
  • the employer’s decision-maker admitted that he (simply) had doubts about the employee’s mental health; and
  • the employer disciplined the employee for the same behavior that caused it to issue its assessment direction.

While Arbitrator Dissanyake rejects “a technical rule that conduct that had been the subject of discipline in the past may not be relied upon in requiring an IME,” his reasoning suggests that basing a discipline charge and an order to attend an IME on the same behavior is problematic. While employers should be careful about picking their means of managing aggressive or angry behavior in the workplace, question whether an employee can have the mental capacity to commit a workplace offence and, at the same time, have a mental condition that (on reasonable grounds) requires assessment.

IBEW, Local 636 and Niagara Peninsula Energy Inc. (Dissanyake, 3 April 2012).