Ontario arbitrator says Jones v Tsige doesn’t matter

On February 22nd, Ontario arbitrator George Surdykowski held that the Court of Appeal for Ontario’s recognition of an “intrusion upon seclusion” tort does not change rights and obligations related to the use of employee medical information for employment purposes. He said:

I agree with the Union that Jones v. Tsige reinforces the premium value of privacy in Canadian society. But the decision does not establish an additional premium or value in that respect.

I agree with the Employer that whatever Jones v. Tsige actually stands for in terms of the non-legislated or non-contractual right to privacy, it does not stand for the proposition that asking for or even demanding that an employee disclose confidential medical information for a legitimate purpose constitutes an improper or actionable intrusion on the employee’s right to privacy. Jones v. Tsige does not posit any absolute right to privacy. Although, Jones v. Tsige does mean that the comments about the common law of privacy in paragraph 20 of Hamilton Health Sciences #1 are no longer completely accurate, it does not otherwise alter the fundamental analysis in that case (or in Providence Care, Mental Health Services and other decisions following or flowing from Hamilton Health Sciences #1). It remains the case that an employer is entitled to request and receive an employee’s confidential medical or other information to the extent necessary to answer legitimate employment related concerns, or to fulfill its obligations under the collective agreement or legislation, including the human rights or health and safety legislation (for example). I agree with the Employer that nothing in Jones v. Tsige alters its right to manage its workplace(s), or to obtain confidential medical or other information as required or permitted by legislation or the collective agreement, or which it reasonably requires for a legitimate purpose. Of course, it remains the case that the employer is only entitled to the confidential information necessary for the legitimate purpose. Even then the employee can refuse to disclose her confidential medical or other information, although if she does she must accept the consequences of exercising that right of refusal. 
Refusing to allow access to necessary confidential medical information may justify the employer’s refusal to allow the employee to continue or return to work, or stymie the accommodation process, result in the loss of disability benefits, or even lead to the loss of employment.

It’s nice to have a clear and strong statement like this “out of the gate.” The medical information management arbitral jurisprudence that deals with justification for collection is well-settled and well-calibrated. Jones v Tsige doesn’t and shouldn’t make a difference.

Complex Services Inc. and OPSEU, Local 278 (February 22, 2012, Surdykowski).

Backup tape searches extraordinary, but searches required at a fee if wanted or needed

The IPC/Ontario issued a significant “e-FOI” decision on February 9th. Here is what it said about retrieving e-mails from backup tapes:

In general, an access request for emails does not require a routine search of backup tapes for deleted emails unless there is a reason to assume that such a search is required, based on evidence that responsive records may have been deleted or lost.

This sets up a kind of presumption that institutions will appreciate, but if a requester asks or if there is an indication that responsive records may have been deleted or lost, an institution must search and retrieve responsive e-mails from backup tapes subject to its right to recover a fee. In many cases requesters will opt not to pursue backup tape searches given the fees such searches are likely to generate. Institutions, however, should be careful to base their fee estimates on good evidence of what the restoration and search effort is likely to entail.

Carleton University (Re), 2012 CanLII 5892 (ON IPC).

SCC issues comprehensive third-party information exemption decision

Yesterday the Supreme Court of Canada issued a comprehensive decision on the third-party information exemption in the federal Access to Information Act. Although the third party, research-based pharmaceutical company Merck, lost its appeal, the decision establishes decent procedural and substantive protection for third parties.

The matter – about a Health Canada access decision

The matter involves a request made to Health Canada for records related to a New Drug Submission and Supplementary New Drug Submission. Health Canada disclosed some records without providing notice to Merck and gave notice to Merck regarding parts of others with a note that it was “unable to determine” whether the mandatory exemption for third-party information in section 20(1) of the ATIA applied. This led to a Health Canada decision to disclose numerous records that Merck challenged by way of judicial review. It took issue with the process by which Health Canada administered the request and its decision not to apply section 20(1).

The relevant provisions – the third party information exemption

Section 20(1) is the “third-party information exemption.” It protects the interests of third-parties whose information is under the control of federal government institutions. The three subsections at issue in yesterday’s decision read as follows:

20. (1) Subject to this section, the head of a government institution shall refuse to disclose any record requested under this Act that contains

(a) trade secrets of a third party;

(b) financial, commercial, scientific or technical information that is confidential information supplied to a government institution by a third party and is treated consistently in a confidential manner by the third party;

(c) information the disclosure of which could reasonably be expected to result in material financial loss or gain to, or could reasonably be expected to prejudice the competitive position of, a third party

A head has a duty to refuse to disclose a record containing information fitting within any one of section 20(1)’s three subsections, subject to a duty to sever and disclose non-exempt information that can “reasonably be severed.” A head also has a duty to give notice to an affected third-party (and hear submissions) when the head, “intends to disclose any record requested under this Act, or any part thereof, that contains or that the head of the institution has reason to believe might contain…” information that is exempt under section 20(1).

The majority decision – eleven principles

Justice Cromwell wrote for the six judge majority. He endorsed the following 11 principles (my list) about the scope of the third-party information exemption and the procedure for dealing with requests that engage the exemption:

  1. Most generally, the duty to provide access to government information is equally important to the duty to protect third-party information: “when the information at stake is third party, confidential commercial and related information, the important goal of broad disclosure must be balanced with the legitimate private interests of third parties and the public interest in promoting innovation and development.”
  2. The threshold for giving notice to a potentially affected third-party is low: disclosure without notice “is only justified in clear cases, that is where the head, reviewing all the relevant evidence before him or her, concludes that there is no reason to believe that the record might contain material referred to in s. 20(1).”
  3. A head must give notice to a third-party even in the absence of a firm intention to disclose, including when “in doubt” about the application of section 20(1): “the institutional head ‘intends to disclose’ a record that might contain exempt information if the head concludes that he or she cannot direct either refusal or disclosure without notice.”
  4. A head, however, must make a “serious attempt” to apply the exemption and not simply shift the onus of review to a third-party.
  5. On judicial review of a decision to disclose, a third-party must establish application of section 20(1) on a balance of probabilities. It is an error of law to hold a third-party to a “heavy burden.”
  6. Section 20(1)(a) applies to information that meets the traditional legal test for a “trade secret.” It is an error of law to associate the definition with any particularly restrictive meaning.
  7. Section 20(1)(b) applies to information supplied to government that is “not available from sources otherwise available to the public or obtainable by observation or independent study by a member of the public acting on his or her own.” The information need not have inherent value (as a client list would, for example).
  8. For the purposes of section 20(1)(b), information is not “supplied” if it is “collected by government officials’ observation.” In general, judgements or conclusions expressed by government officials are not “supplied.”
  9. The reasonable expectation of harm that triggers the application of section 20(1)(c) exists when there is “considerably more” than a “mere possibility of harm” and “somewhat less” than a likelihood of harm. It is an error of law to demand harm that is “immediate” and “clear.”
  10. In general, it will be hard to demonstrate that harm will flow from the disclosure of publicly available information and, as a matter of principle, difficult to establish that harm will flow from the misunderstanding of disclosed information.
  11. Declining to sever and produce information from an otherwise exempt record will be justified when the non-exempt information has little meaning on its own or when a cost-benefit analysis otherwise weighs against disclosure.

These principles are likely to have at least some significance to the handling of matters under statutes other than the ATIA. Principle 9, in particular, has the potential to calibrate the handling of harms-based exemptions and promote a uniform standard for proof of harm under all Canadian access statutes.

The dissent – differs on a non-substantive issue

Justice Deschamps wrote for the three judge minority, which would have deferred to the application judge’s findings. The minority did not differ with the majority on any of the 11 principles noted above, and expressly agreed with the majority’s views on the duty to provide notice and on the standard of proof.

Merck Frosst Canada Ltd. v. Canada (Health), 2012 SCC 3.

Non-party privacy tips the balance in favour of Anton Piller

On November 23rd of last year the Alberta Court of Queen’s Bench issued an Anton Piller order based significantly on a concern for the privacy interest of customers whose information the plaintiff alleged had been stolen.

The plaintiff is a BMW dealership that was confronted with a regrettable breach of its sales and customer relationship management system when it failed to remove system privileges from a terminated manager. It alleged the manager gained unauthorized access to the system and downloaded the names, e-mail addresses and “other personal details” of about 5000 customers.

I won’t detail the record, but the Court noted that it contained gaps. It seemed to be swayed by the customer privacy interest at stake and stated that a public interest supported making the order:

I am satisfied that even if Beck is innocent of some or all of the allegations being made against him on an ex parte basis, Bavaria has a public interest and duty under the appropriate Privacy Act legislation, to do everything it can to preserve the integrity of information that appears to have gone missing or unaccounted from almost 5,000 of its customers that it had care and custody of, and that this Order is also in the public interest.

This statement does not make clear why the Court felt the preservation of evidence afforded by an Anton Piller would be privacy-protective. In some circumstances retrieving evidence of misuse might help non-parties mitigate, but perhaps this is really about allowing a plaintiff (and custodian) some assurance that lost personal information has been brought under control (without copies being stashed away). For another case in which an employer attempted to use non-party privacy in enjoining competitive conduct by a departed employee see here.

Bavaria Autohaus (1997) Ltd. v Beck, 2011 ABQB 727 (CanLII).

Ontario IPC orders institution to validate authenticity of record

The Information and Privacy Commissioner/Ontario issued a notable “e-FOI” order on January 19th.

The IPC ordered the Ministry of Community Safety and Correctional Services to validate the authenticity of a 911 call recording that it provided to a requester. The Ministry filed an affidavit about how the recording was extracted from the system on which it was recorded and burned to CD. However, when the requester challenged the recording’s authenticity the Ministry provided the requester with a second CD that the requester successfully claimed did not match the first. The IPC ordered the Ministry to re-produce the CD and provide the requester with a sworn statement about the authenticity of the to-be-produced CD after listening to compare it with the original.

The Ministry adduced evidence of its extraction process that was very strong, but its affidavit seemingly did not capture the entire chain of custody – i.e., the first-produced CD was not marked and identified in the affidavit. This can be done relatively easily by using a hash number or even physically marking the disc that’s produced.
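One way to do the hash-based marking suggested above, as an added example that is not part of the original post or of the Ministry's process: each custody step records a SHA-256 digest of the recording and is chained to the previous log entry, so an affidavit can cite the digests and any produced copy can be checked against the extraction. The recording bytes, custodian names, event labels and timestamps are constructed sample values.

```python
import hashlib
import json

GENESIS = "0" * 64  # placeholder "previous hash" for the first log entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def add_custody_entry(log, event, content, custodian, when):
    """Append an entry recording the content digest, linked to the prior entry."""
    entry = {
        "event": event,
        "custodian": custodian,
        "when": when,
        "content_sha256": sha256_hex(content),
        "prev_entry_hash": log[-1]["entry_hash"] if log else GENESIS,
    }
    # Hash the entry body so later edits to the log are detectable.
    entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
    log.append(entry)
    return entry


def verify_log(log) -> bool:
    """Check that every entry is unmodified and correctly chained."""
    prev = GENESIS
    for entry in log:
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if entry["prev_entry_hash"] != prev:
            return False
        if sha256_hex(json.dumps(body, sort_keys=True).encode()) != entry["entry_hash"]:
            return False
        prev = entry["entry_hash"]
    return True


def mismatched_copies(log):
    """Return the events whose content differs from the original extraction."""
    original = log[0]["content_sha256"]
    return [e["event"] for e in log[1:] if e["content_sha256"] != original]


def build_sample_log():
    # Constructed stand-ins for the audio data; a real workflow would hash
    # the bytes read from the extracted file or the disc image.
    extracted = b"RIFF....WAVE constructed sample 911 recording"
    first_cd = extracted                      # faithful copy
    second_cd = extracted + b"\x00"           # differs by a single byte
    log = []
    add_custody_entry(log, "extracted from recorder", extracted,
                      "Technician A", "2012-01-05T10:00:00")
    add_custody_entry(log, "first CD produced", first_cd,
                      "Technician A", "2012-01-05T10:20:00")
    add_custody_entry(log, "second CD produced", second_cd,
                      "Clerk B", "2012-01-12T14:00:00")
    return log


if __name__ == "__main__":
    sample = build_sample_log()
    print("log intact:", verify_log(sample))
    print("copies that do not match the extraction:", mismatched_copies(sample))
```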

Ontario (Community Safety and Correctional Services) (Re), 2012 CanLII 2815 (ON IPC).

Arbitrator denies production to challenge youth’s credibility

On October 15th of last year Arbitrator Joseph Carrier denied a production request that sought a variety of records relating to a resident of a facility for young offenders.

The request was made before a hearing of a discharge grievance. The employer terminated the grievor based on evidence provided by a resident. The union intended to dispute the resident’s evidence. His credibility would be an issue.

Arbitrator Carrier’s decision requires reasonable particulars to be provided in support of a request for production. It also stands for the proposition that production will not be ordered for the sole purpose of challenging the credibility of a witness.

OPSEU, Local 601 and Northern Youth Services (October 15, 2011, Carrier).

“Stolen” solicitor-client communications to be returned

On January 11th, the Ontario Superior Court of Justice ordered solicitor-client communications to be returned to the exclusive possession of a defendant to a constructive dismissal action and denied the plaintiff a declaration that privilege had been waived based on an alleged “reckless” disclosure.

The plaintiff obtained the communications through her husband, who took them from her employer when he was given access to the employer’s computer to conduct some maintenance.

The Court’s privilege waiver denial is not surprising given the privilege waiver doctrine offers relatively strong protection for solicitor-client communications. Justice Arrell also suggested that the administration of justice would be brought into disrepute if stolen communications were to be used in support of an action. This is a more novel idea, though it was expressed in obiter.

Pottruff v. Don Berry Holdings Inc., 2012 ONSC 311 (CanLII).

Privacy tort recognized by Ontario Court of Appeal

The Ontario Court of Appeal issued a very important decision today that recognizes an “intrusion upon seclusion” tort.

Under Ontario law it is now clear that individuals can sue for breach of privacy based on proof of:

  1. an intentional unauthorized intrusion;
  2. which is an intrusion upon private affairs or concerns (i.e., that breaches a reasonable expectation of privacy); and
  3. that is made in circumstances that are highly offensive to the reasonable person.

If these elements are proven, harms that justify the award of moral damages will be presumed. Such damages will be awarded “to mark the wrong that has been done” in an amount that does not ordinarily exceed $20,000, with an amount being set based on:

  1. the nature, incidence and occasion of the defendant’s wrongful act;
  2. the effect of the wrong on the plaintiff’s health, welfare, social, business or financial position;
  3. any relationship, whether domestic or otherwise, between the parties;
  4. any distress, annoyance or embarrassment suffered by the plaintiff arising from the wrong; and
  5. the conduct of the parties, both before and after the wrong, including any apology or offer of amends made by the defendant.

The Court stressed that valid claims for intrusion upon seclusion will only arise “for deliberate and significant invasions of privacy” and also said that the law will develop affirmative defenses based on countervailing claims for the protection of freedom of expression and freedom of the press.

Jones v. Tsige, 2012 ONCA 32.

Acceptable use policies – answers to ten common employer questions

I’ve been doing substantial work on employer acceptable use policies lately and would like to publish a draft Q&A for feedback.

If you have feedback please comment or send me an e-mail.

Dan

1. What should employers do today to ensure their acceptable use policies effectively manage the implications of personal use?

In light of recent developments, employers should ensure that their acceptable use policies (1) articulate all the purposes for which management may access and use information stored on its system and (2) make clear that engaging in personal use is a choice employees make that involves the sacrifice of personal privacy.

2. What are the most common purposes for employer access?

Consider the following list: (a) to engage in technical maintenance, repair and management; (b) to meet a legal requirement to produce records, including by engaging in e-discovery; (c) to ensure continuity of work processes (e.g., employee departs, employee gets sick, work stoppage occurs); (d) to improve business processes and manage productivity; and (e) to prevent misconduct and ensure compliance with the law.

3. How should employers describe the scope of application of an acceptable use policy?

Acceptable use policies usually apply to “users” (employees and others) and a “system” or “network.” To effectively manage employee privacy expectations, policies should make clear that devices (laptops, handhelds…) that are company-owned and issued for work purposes are part of the system or network even though they may periodically be used as stand-alone devices.

4. Should employers have controls that limit access to information created by employees even though they don’t want to acknowledge that employees can expect privacy in their personal use?

Access controls are an important part of corporate information security. Rules that control who can access information created by employees (e.g., in an e-mail account or stored in a space reserved for an employee on a hard drive) are, first and foremost, for the company’s benefit. Access controls should be clearly framed as being created for the company’s benefit and not for the purpose of protecting employee privacy.

5. How should passwords be addressed in an acceptable use policy?

Password sharing should be prohibited by policy. Employees should have a positive duty to keep passwords reasonably secure. An acceptable use policy should also make clear that the primary purpose of a password is to ensure that people who use the company system can be reliably identified. Conversely, an acceptable use policy should make clear that the purpose of a password is not to preclude employer access.

6. Does access to forensic information raise special issues?

Yes. Acceptable use policies often advise employees that their use of a work system may generate information about system use that cannot readily be seen – e.g., information stored in log files and “deleted” information. It is a good practice to use an acceptable use policy to warn employees that this kind of information exists and may be accessed and used by an employer in the course of an investigation (or otherwise).

7. How should an employer address the use of personal devices on its network?

Ensuring work information stays on company-owned devices has always been the safest policy, though cost and user pressures are causing a large number of organizations to open up to a “bring your own device” policy. Employers who accept “BYOD” should use technical and legal means to ensure adequate network security and adequate control of corporate information stored on employee-owned devices. For example, employers may require employees to agree to remotely manage their own devices as a condition of use and with an understanding that they will sacrifice a good degree of personal privacy.

8. Should an acceptable use policy govern the use of social media?

Only indirectly. An acceptable use policy governs the use of a corporate network. A social media policy governs the publication of information on the internet from any computer at any time. In managing social media risks, employers should stress that publications made from home are not necessarily “private” or beyond reproach, so putting internet publication rules in an acceptable use policy sends a counter-productive message.

9. Should employers utilize annual acknowledgements?

Annual acknowledgements are not a strict requirement for enforcing the terms of an acceptable use policy but are helpful. The basic requirement is to give notice of all applicable terms in a manner that allows knowledge to be readily inferred in the event of a dispute. A “login script” with appropriate warning language is also common and helpful. Nowadays, a good login script will say something like, “If you need a confidential means of sending and receiving personal communications and storing personal files you should use a personal device unconnected to our system.”

10. Are there special concerns for public sector employers?

Most public sector employers in Canada are bound by the Canadian Charter of Rights and Freedoms and by freedom of information legislation. Many have workforces that are predominantly unionized. The guidance to public sector employers on their acceptable use policies is no different than to employers in general, but the need to manage expectations that employees may derive from personal use is particularly strong for public sector employers given the legal context in which they operate.

B.C. court awards nominal damages for privacy breach

The British Columbia Supreme Court awarded nominal damages for a privacy breach on November 23rd of last year.

The plaintiffs advanced the claim under the British Columbia Privacy Act. The Court awarded $100 to a defendant’s estranged mother because the defendant read and made a copy of her will after finding it while searching for her own documents. It also awarded a company operated by the estranged mother $50 because the defendant read and made a copy of a business letter and showed it to others. (The parties agreed that a corporation could sue for breach of privacy under the statute.)

The Court also held that the defendant’s brother, who had merely viewed a copy of the business letter, did not breach the Act.

Fillion v. Fillion, 2011 BCSC 1593 (CanLII).