On June 4th, the Ontario Court of Appeal affirmed a 2009 Information and Privacy Commissioner/Ontario order to disclose sex offender registry data linked to the first three characters of offenders’ postal codes (so called “forward sortation area” data). The IPC had rejected the Ministry of Community Safety and Correctional Services’ argument that the information could not be disclosed in such a manner without causing a degree of harm to offenders contemplated by the “health and safety exemption” in section 14(1)(e) of the Freedom of Information and Protection of Privacy Act.

Ontario (Community Safety and Correctional Services) v. Ontario (Information and Privacy Commissioner), 2012 ONCA 393.

On April 5th Arbitrator Sims awarded $1,250 to each member of a group of 26 government of Alberta employees because the government checked each employee’s credit without authorization or sufficient justification.

An internal investigator conducted the checks to see if any the employees were in financial difficulty, which he thought might indicate a motive to engage the fraud he was investigating. The government admitted a breach and apologized, but its employees’ union grieved to seek damages. Arbitrator Sims heard the grievance based on an agreed statement of facts that stipulated the employees had “suffered emotional stress in their personal lives and in the workplace.”

Arbitrator Sims relied on the Court of Appeal for Ontario’s decision in Jones v. Tsige and the Federal Court’s decision in Nammo v. Trans Union of Canada in crafting a damages award. He said:

Having weighed all these considerations and the facts in this case, I find this is an appropriate case for a modest award of damages for each grievor, which I set at $1,250.00 per grievor. I accept the point from Nammo (supra) that steps taken to correct a breach do not mean no breach occurred. Here, a breach did occur, and one of real significance in terms of the grievors’ privacy rights and their sense of security and well being as employees. Paragraph 12 of the agreed facts confirm damages, although they are intangible in nature. The Assistant Deputy Minister’s reply at Level II of the grievance procedure speaks of “an environment of mistrust” having been created.

The Department’s clear and unrestrained admission of error and its apology goes some considerable distance in rectifying that mistrustful environment and must have, to a significant degree, calmed the employees’ anxieties over the Employer’s attitude towards their right to privacy. I have also taken into account the fact that the Equifax system does not report on such “soft requests”, although they remain within its system. No steps have apparently been taken to have these entries erased, but they could be and, to the extent that involves cost, the Employer has agreed to cover any such expenditure. Considering the facts overall, I find the conduct and the harm in this case to be considerably less egregious and damaging than that in either Nammo (supra) or Jones.

Alberta v. Alberta Union of Provincial Employees (Privacy Rights Grievance), [2012] A.G.A.A. No. 23 (Sims) (QL).

On March 12th, Ontario arbitrator Joseph Carrier held that electronic records of an employee’s parking activity were admissible as meeting the “best evidence” requirements in the Ontario Evidence Act.

The employer relied on the records in asserting overtime fraud. Its system recorded data (presumably the time of “ins” and “outs”) on a server that it owned and that was overseen by a member of management named MacLeod. MacLeod testified and suggested that the system was functioning properly in the relevant time period, though she did not maintain the server herself and admitted that she was not technically inclined.

Arbitrator Carrier rejected the union’s assertion that expert technical evidence was required to satisfy integrity requirement that applies to evidence recorded by its proponent – i.e., proof “that at all material times the computer system or other similar device was operating properly.” He said:

I have considered those submissions and the provisions of section 34 and am of the view that the requirement respecting the integrity of the computer system need not require the evidence of a technical expert. Rather, the requirement is for evidence to support a finding that the computer system was operating properly at all material times or, if not, that any malfunction did not affect the integrity of the records. In this case, Ms. MacLeod, although she was not directly involved in overseeing the daily operation of the parking lot or the server, as manager of the operation for the hospital was informed of any functional problems both mechanical and electronic and consulted with respect to any proposed repairs or maintenance. As the Lakeridge Hospital Manager responsible for the overall operation of the parking lot, it is my view that her evidence was sufficient to satisfy the requirements of section 7(a) of the legislation. She did not testify, as one might otherwise have expected, that there were recording problems that were brought to her attention or discrepancies between the parking records and the revenues reported. Furthermore, in the words of section 7(a) there were “no other reasonable grounds to doubt the integrity of the electronic records system”. Indeed, Mr. del Junco did not assert, nor did Mr. Koscik, the Grievor, challenge that the records of his entrance and exit from the parking lot during any relevant period were inaccurate. Although one could not expect him to recall any specific day on which he might have entered or exited at times other than those recorded, in general, he did not challenge that the times recorded unfairly reflected his parking usage. In the circumstances, it is my view that the parking records could be properly admitted and relied upon pursuant to these provisions of the Evidence Act.

Arbitrator Carrier also rejected (without giving reasons) an argument that the records were inadmissible because the records were used in breach of the Personal Information Protection and Electronic Documents Act. It is questionable whether PIPEDA applies given the use of the records was in relation to employment in the province.

Lakeridge Health Corporation and OPSEU (12 March 2012, Carrier).

On May 3rd, the Divisional Court held that defendants to regulatory prosecutions under the Provincial Offences Act receive the benefit of “McNeil disclosure” notwithstanding a claim made by OPSEU on behalf of provincial regulatory inspectors.

“McNeil disclosure” is a form of Crown disclosure facilitated by a 2009 Supreme Court of Canada decision. The Court held that the Crown has a positive duty to build-out the Crown brief by making “reasonable inquiries” of other Crown agencies and departments. This duty, said the Court, includes a duty to collect and disclose records of police misconduct, at least where an officer is likely to be a witness at trial and has a record with some arguably relevant blemishes.

After McNeil was issued, the Ontario Ministry of Labour initiated a procedure for conducting CPIC checks on Ontario Occupational Health and Safety Act inspectors to support its disclosure duties. OPSEU grieved, and in March 2011 the Grievance Settlement Board held that the Ministry’s procedure did “not accord with an appropriate exercise of management rights under the [OPSEU/OPS] Collective Agreement.” The Toronto Star headline read, “Province slammed for secret criminal checks on labour inspectors.”

The Divisional Court has now held that the GSB erred in finding that an inspector’s criminal record should not be the subject of first party disclosure pursuant to McNeil. It explained:

A comparison of the role of the investigator in an OHSA prosecution with that of a police officer in prosecutions under the Criminal Code or Controlled Drug and Substances Act does not provide a sufficient basis upon which to differentiate the inspector from the police officer. Though the powers of police officers are broader, the essence of McNeil focuses on the role of police as investigator, accuser and witness. An OHSA inspector has the same role. Furthermore, these regulatory offences can engage severe penal consequences for an accused.

The Crown must exercise its own discretion in deciding what information falls within the parameters of McNeil and what does not, but in the first instance the Crown is obliged to at least obtain the information. Not all police records are relevant to the credibility or reliability of the inspector’s evidence and therefore relevant to the accused’s rights to make full answer and defence. However, there is no reason to think an inspector’s criminal record will have less bearing on the right to make full answer and defence in a regulatory proceeding than a police officer’s record in a criminal prosecution.

I agree with the Crown that McNeil does not just establish a conduit for the disclosure by the police through the Crown’s office; rather it establishes an obligation on the Crown to solicit readily obtainable information, like a CPIC record, or an internal record of misconduct in employment records. The obligation to disclose what is in the “possession and control” of the prosecution is not limited to what it has in its physical possession but also includes readily obtainable information or documents.

This is good news for POA defendants, who will receive the same treatment as criminal defendants based on this reasoning.

The Court also upheld part of the GSB order that imposed certain procedural safeguards to protect inspector privacy. The Court suggested (on a point that doesn’t appear to have been argued) that the GSB jurisdiction to make such a privacy-protective order arose out of its jurisdiction to interpret and apply the Freedom of Information and Protection of Privacy Act. This source of jurisdiction is highly questionable given FIPPA is a records-based statute that has a broad employment-related records exclusion. Indeed, the view that FIPPA does not protect employee privacy is reinforced by the Information and Privacy Commissioner/Ontario’s own position. The IPC has lobbied for elimination of the exclusion so Ontario public sector employees can enjoy statutory privacy rights (see 2004 Annual Report). It also routinely declines jurisdiction over employment-related privacy complaints.

OPSEU v. Ontario, 2012 CarswellOnt 6293, 2012 ONSC 207.

I presented today on the topic of internal investigations and the cloud at the annual Association of Certified Forensic Investigators of Canada fraud conference.

The issue: outsourcing business IT systems to the cloud may impede access to information for audit and investigatory purposes. Data security is front and center in most outsourcings, but audit and investigation capability is also a key concern and is subject to unique requirements. Business owners should recognize that security and audit departments are likely stakeholders in most outsourcing projects and support the best possible needs analysis and requirements definition process.

Here are my slides:

 

Here are some related resources, including some data security resources that came up in discussion.

• J. Cheng, “IBM’s Siri ban highlights companies’ privacy, trade secret challenges”
• Digital Forensics Laboratories, “Digital investigations in the Cloud”
• T. Harbert, “E-discovery in the Cloud? Not so easy”
• W. Manning, “Investigating in the Clouds” (good, but password required)
• Hogan Lovells, “A Global Reality: Governmental Access to Data in the Cloud”
• K. Ruan et al, “Cloud forensics: An overview”
• A. Savvas, “Cloud providers cave into more flexible contracts”
• T. Trappler, “In the Cloud, Your Data Can Get Caught Up in Legal Actions”
• K. Zetter, “FBI Uses ‘Sledgehammer’ to Seize E-Mail Server in Search for Bomb Threat Evidence”

Finally, here’s a link to my comment on the recent Calgary Police Service case, which I used as an intro to a segment on handling an evidence trail that leads to an employee’s personal cloud-based account.

I hope this content helps you approach a pressing issue for internal investigators.

Employers who are regulated by privacy legislation need to reckon with privacy commissioner oversight in conducting searches of their work systems for evidence of misconduct. This is the clear lesson from the recent and much-discussed Calgary Police Service order of the Alberta OIPC that dealt with the service’s unauthorized access to an employee’s personal e-mail account.

The facts are simple. The service embarked on an internal sexual misconduct investigation that included a review of an employee’s work e-mail account. It conducted a search for the word “password” as a matter of protocol because the sending and receiving of passwords through e-mail is indicative of a number of common IT security problems. The service found a message to an outsider containing the employee’s password to her personal e-mail account, a communication the service said “seemed odd.” Given the employee had also sent “snippets” of confidential service records to others internally, the service accessed the personal account on a theory that the employee was leaking confidential information through the personal e-mail account. It happened to find evidence of work-related sexual misconduct and used it to discipline the employee. The employee later complained to the OIPC under Alberta’s public sector privacy legislation.

The OIPC was not impressed with the service’s professed basis for using the password to access the employee’s personal account, particularly given the investigator had no mandate to determine whether the employee had committed a breach of confidence. It upheld the employee’s complaint.

The result is no surprise. Taking a step in an investigation as intrusive as gaining unauthorized access to a personal e-mail account based significantly on the discovery of a communication that “seemed odd” is problematic. The record shows that the service was clearly on a fishing expedition, and despite the OIPC’s finding, its approach still signals respect for management’s right to investigate. The OIPC says, for example, “It might be policy for IT to check for data leakage whenever a Public Body employee is being investigated for inappropriate email or computer use, but this cannot extend, without cause, to an employee’s personal email account.”

The simple lesson from the case for employers who are subject to employment privacy regulation – far from all employers – is to develop and implement controls to structure the process of searching work systems for evidence of misconduct. Who authorizes a search? What’s the scope? What routine searches should be conducted? What should the investigator do if he or she finds evidence of wrongdoing that is out of scope? Who is responsible for securing evidence and how? Organizations should have clear answers to these questions before embarking on an IT search.

Order F2012-07 (April 30, 2012).

Yesterday the Alberta Court of Appeal rendered a significant decision ab0ut whether a university is obligated to consider students’ Charter rights in disciplinary proceedings.

This case involved University of Calgary students found guilty of non-academic misconduct in disciplinary proceedings for posting criticisms of a course and its instructor on Facebook. The Court unanimously upheld that part of a judicial review decision which found that the students should not have been found guilty of non-academic misconduct. However, the Court was sharply divided on whether the Charter would apply to this case.  Paperny J.A. found that the Charter applied to the disciplinary proceedings undertaken by the University and that a review committee had failed to take into account the students’ freedom of expression right as protected by the Charter. She rejected the University’s argument that “the application of the Charter in these circumstances undermines the University’s academic freedom or institutional autonomy,” finding that academic freedom and freedom of expression are not competing values. McDonald J.A. found that while it may be time to reconsider whether or not universities are subject to the Charter, the judicial review court erred in undertaking such an analysis in this particular case. O’Ferrall J.A. found that the issue here was not whether the university was a “Charter-free zone,” but whether the university’s disciplinary body ought to have considered whether its discipline violated the students’ right to their freedoms of expressions and association, freedoms which long pre-dated the Charter.

More to come on this decision in a while.

Pridgen v. University of Calgary, 2012 ABCA 139

On March 7th, the Alberta Court of Queen’s Bench found a departed employee in contempt for counseling a contact to destroy evidence for the purpose of interfering with the administration of justice. The Court ordered the employee:

• to produce any and all computers and electronic media in his possession, power or control, for a forensic review to be conducted by a computer expert retained by the plaintiffs;
• to pay for the review and post $30,000 in security for costs; and
• to pay the costs of the contempt motion on a full indemnity basis.

Yesterday the Court of Appeal for Alberta varied the order because it was not well-proportioned. It explained:

As a remedy for the contempt, the chambers judge ordered that the individual appellant pay the cost of the application on a full indemnity basis. While acknowledging that “in the present case no information has been lost”, he nevertheless ordered a full computer forensic investigation. The chambers judge speculated that “it is unclear what else may have been deleted”. The contempt application was based entirely on the efforts to delete the HSE Manual. No allegation was made of the destruction of any other document, nor is there any evidence of any other destruction. Embarking on an expensive fishing expedition at this stage of the litigation is unwarranted. Should the discovery process produce evidence of other problems, further applications for relief can be brought.

Despite allowing the appeal in part, the Court ordered the appellant to pay the full costs of the appeal “to ensure an effective sanction.”

Fuller Western Rubber Linings Ltd. v Spence Corrosion Services Ltd., 2012 ABCA 137 (CanLII).

On April 26th the Ontario Superior Court of Justice issued an order under section 7(3)(c) of the Personal Information Protection and Electronic Documents Act to allow to credit unions to merge without gaining the express consent of members. It’s not clear that such an order is actually authorized by PIPEDA (and the applicants don’t appear to have given notice to members), but Justice Lauwers listed a number of Ontario commercial list matters in which such permissive orders have been made. He echoed comments made by Justice Farley in “urging that a route be provided that will permit the disclosure of the necessary personal information in such circumstances as these to avoid wasting the court’s time and the parties’ funds.” Bill C-12 received first reading way back last September and will add a “business transaction” exemption to PIPEDA. Its time is obviously overdue!

In the Matter of an Application Under Rules 14.05(3)(d), 2012 ONSC 2530 (CanLII).

The Alberta Court of Appeal dropped a bomb on April 30th by raising extremely broad questions about the constitutionality of Alberta’s commercial sector privacy statute in disposing of a dispute about the right of a union to take images of people who cross a picket line.

Last September the Alberta Court of Queen’s Bench held that the Alberta Personal Information Protection Act violated the right of expression guaranteed by section 2(b) of the Charter because it was disproportionate in restricting unions from engaging in “union journalism” relating to labour disputes and picket lines. The Court’s focus was relatively narrow though, and its Charter-based order focused on the breadth of a scope provision meant to protect journalistic activity and an exclusion for publicly available information.

The Court of Appeal first re-framed the expressive interest at stake as related to labour relations and not journalism. It then held that the statute interfered with this interest in a manner that could not be justified in a free and democratic society.

The Court’s proportionality analysis is remarkable in its breadth. It weighs the purpose of Alberta PIPA – protecting reasonable expectations of privacy, protecting expectations that one can control one’s own image and personal information and limiting the misuse of personal information – against the right of free expression in general. The Court says:

There is, however, a problem relating to proportionality. The constitutional problems with the Act arise because of its breadth. It does not appear to have been drafted in a manner that is adequately sensitive to protected Charter rights. There are a number of aspects to the over-breadth of the Act:

-It covers all personal information of any kind, and provides no functional definition of that term. (The definition of “personal information” as “information about an identifiable individual” is essentially circular.) The Commissioner has not to date narrowed the definition in his interpretation of the Act in order to make it compliant with Charter values.

-The Act contains no general exception for information that is personal, but not at all private. For example, the comparative statutes in some provinces exempt activity that occurs in some public places.

-The definition of “publicly available information” is artificially narrow.

-There is no general exemption for information collected and used for free expression.

-There is no exemption allowing organizations to reasonably use personal information that is reasonably required in the legitimate operation of their businesses.

This appeal clearly demonstrates the impact that the Act can have on protected rights. The legitimate right of the union to express itself and communicate about the strike and its economic objectives have been directly impacted by the Adjudicator’s order. The appellant has not demonstrated why this heavy handed approach to privacy is necessary, given the impact it has on expressive rights.

Regarding remedy, the Court issued a declaration that the restrictive order at issue was unconstitutional and invited the Alberta legislature to “decide what amendments are required to the Act in order to bring it in line with the Charter.”

Look for a leave to appeal application in which the Alberta Commissioner is joined by her counterparts from other provinces at the leave to appeal stage.

United Food and Commercial Workers, Local 401 v Alberta (Attorney General), 2012 ABCA 130 (CanLII).