Scope of employer’s forensic examination criticized by PSLRB

There are some notable points in a June 6th decision of the Public Service Labour Relations Board that upholds the discharge of a federal public servant for forwarding e-mails to his personal e-mail account.

The employer had discharged the employee for sending home restricted-access documents about internal job competitions, including documents related to a competition in which he had participated and documents containing the personal information of 108 other employees. The Board held that the grievor, who was an HR assistant, had engaged in a serious breach of trust and caused the employer embarrassment: “Progressive discipline does not apply to this case since very serious misconduct occurred.”

Although the Board dismissed the grievance with this strong and favorable employer endorsement, it did express a “concern” about the manner in which the employer conducted its forensic investigation into the grievor’s system usage. It said:

The grievor also raised concerns about the lack of concern that the employer showed for his privacy, specifically that it gave no specific instructions to Mr. Roussel about protecting the grievor’s privacy when Mr. Roussel conducted his investigation. I am also concerned about it. Furthermore, in the absence of such instructions, Mr. Roussel included in his report personal information about the grievor that had nothing to do with the purpose of the investigation, which was to inquire into the grievor conducting personal business using the employer’s network. I did not report on it since it was irrelevant to deciding the four grievances in front of me. However, this lack of respect for the grievor’s privacy does not reduce the seriousness of his misconduct. At this point, I can recommend only that in the future, the employer take employees’ privacy under consideration when conducting that type of investigation.

It’s not clear from the decision how exactly the employer erred given the Board’s limited description. In any event, employers should create and administer a protocol that governs non-routine access to system information and non-routine system monitoring – e.g., access for the purpose of conducting audits and investigations.

Gravelle v Deputy Head (Department of Justice), 2014 PSLRB 61 (CanLII).

The ins and outs of the e-FOI process

Here’s a presentation I delivered today in an Ontario Hospital Association webcast. I’ve been following “e-FOI” developments for a while and was happy to finally build and deliver a presentation to lend some structure to the topic. Stay tuned for more!

In dispute over custodianship of medical files, balance favours established clinic

On May 22nd the Ontario Superior Court of Justice ordered medical files to be returned to a clinic by a departing doctor who claimed she had an independent practice and was the legal custodian of the files.

Justice Perell dismissed the defendant’s argument that a corporation could not be a “health information custodian” under the Personal Health Information Protection Act and held that the plaintiff clinic had made out a strong prima facie case that it had such status. His suggestion that the defendant was also a health information custodian could best be understood as a function of the qualified burden of proof on an interlocutory motion, given that, under PHIPA, there can be only one custodian of a record of personal health information.

Justice Perell’s balance of convenience analysis is noteworthy. He said the following about the public interest in providing patients with access to their personal health information pending final resolution of the dispute:

In considering the balance of convenience, it is appropriate to consider the interests of the patients whose health records have been removed from a health clinic to the home of a health care practitioner. In my opinion, a patient will have better access to his or her health records and the health care practitioner who will treat the patient during Dr. Simon’s semi-retirement will have better access to the health records if the records are at professional offices with normal business hours and full-time staff.

A plaintiff in a similar situation could similarly attempt to make a case for return of records based on a claim to relatively superior security measures, though the stakes of pursuing such an approach would be high.

Note that the plaintiff consented to a term permitting the defendant doctor to make copies of any file relating to a patient she had treated. This is a sensible thing to offer in a dispute over custodianship, but again, is inconsistent with the single custodian rule.

1615540 Ontario Inc. carrying on business as Healing Hands Message v Simon, 2013 ONSC 2986 (CanLII).

Access to e-mails, text messages and other ESI

I did double-duty today, also presenting on issues relating to control of corporate information in light of business computing trends like BYOD and cloud computing at day one of Osgoode PDP’s e-discovery certificate program. My slides are below.

Justice David Brown and Master Calum McLeod have written a number of the judgements I’ve blogged about here. I was able to stay for their lunch presentations on addressing the e-discovery burden. Justice Brown warned of a coming apocalypse (death by seppuku, to be precise) unless something gives way to break the e-discovery burden, starting with adversarial behavior in the discovery process. Master McLeod delivered a similar message, though more from his in-the-trenches perspective – noting the wisdom of including ADR mechanisms in discovery plans and bifurcated discovery. Take note.

Child porn files seized from work computer admissible

On March 6th, the British Columbia Court of Appeal held that an accused’s section 8 Charter rights were violated when his work computer was seized by the police without a warrant but allowed the admission of evidence from the computer because it would not bring the administration of justice into disrepute.

The case illustrates that the standard for finding an objective reasonable expectation of privacy on a work computer following the Supreme Court of Canada’s decision in R v Cole is very low. While the record in Cole weighed particularly in favor of an expectation of privacy finding, in this more recent case, there were no special facts. The employee (a school principal), for example, only used his work computer for browsing the internet. The Court nonetheless recognized a Charter-protected privacy interest.

Unfortunately, as in Cole, the record in this case did not appear to support any discussion of whether the computer was networked or the impact of the employer’s control over its network.

For an essay on what Cole means for employers, click here.

R v McNeice, 2013 BCCA 98 (CanLII).

Court orders safekeeping of medical records held by departed employee

On March 7th, the Ontario Superior Court of Justice issued an order to secure medical records held by a former employee of an addiction clinic.

The employee had copies of urinalysis reports stored on her personal e-mail account at the time of termination because she had used her personal e-mail account for work purposes. She allegedly used her continuing possession of the e-mails to extort the employer into offering reinstatement and later refused to return the e-mails, arguing they were evidence of the employer’s wrongdoing. (It is not clear from the decision what wrongdoing the employee alleges.)

The Court granted an ex parte order after applying the test for an Anton Piller order. Notably, the order required the employee to turn over control of her e-mail account to an independent supervising solicitor authorized to copy and retain the e-mails, delete the e-mails on the account and return control of the account to the employee. The Court authorized the employer to serve the order by e-mail.

Garber v Robinson, 2013 ONSC 1427 (CanLII).

The science of breach prevention and the art of breach response

Data loss prevention and response is a big topic now! The HRSDC lost hard drive is a huge (but seemingly benign) incident that has attracted great attention. We also have the Obama administration’s attention to corporate network security, given at a time when sacrifices are being made to corporate network security based on trends such as BYOD.

Here is a practical guide that we’ve prepared to address the salient issues. We hope it’s useful to you.

Municipality breaches privacy statute by communicating via Facebook

Last September 27th, the Newfoundland and Labrador OIPC held that a municipality breached the Newfoundland Access to Information and Protection of Privacy Act because an employee, in the course of her duties, identified the Facebook accounts of two members of the public and messaged them through her own Facebook account.

The OIPC held that this use of Facebook led the municipality to engage in an improper use of personal information and breach its safeguarding duty. One problem, according to the OIPC, was the use of a means of communication not governed at all by the municipality:

Facebook is a social media website that is accessible from any computer or device which is capable of accessing the internet. In this sense, the use of Facebook by the Town employee may be akin to the removal of personal information from the Town office. This is further exacerbated by the use of the employee’s own personal account to engage in this communication. From this perspective, the information must be protected in the same manner as used by other public bodies which allow for the removal of personal information from their facilities.

The OIPC made clear, however, that communicating personal information through a Facebook account in a public body’s name is also inappropriate. It said:

For the various security and identification issues outlined above, there is no way to ensure that personal information is properly protected on these websites. If an individual requests that communications with a public body be carried out in this manner, the public body must first satisfy itself that the identity of the Facebook account holder is confirmed, and furthermore that express consent be obtained from the individual acknowledging that the privacy of the communication cannot be guaranteed.

The OIPC gives little reasoning about why communicating through a Facebook account in a public body’s name is less secure than communicating through other kinds of corporate email services, but the concept of channelling communications that include personal information through a consumer service like Facebook (which is neither designed as an email service nor targeted at business) raises obvious concerns.

Report P-2012-001 (27 November 2012, OIPC Newfoundland).

Social media and the law – three nuggets and one blawger’s tale #ALC2013

I’m posting this from beautiful Edmonton, where I presented at the Alberta Law Conference social media session together with Diane McLeod-McKay (Alberta OIPC, Director, Alberta PIPA) and Doug Jasinski (Skunkworks Creative Group). Thank you to our Chair and warm host, uber-librarian Shaunna Mireau (Field Law). It was a nice balanced session, with a little marketing and communication, a little core privacy and a little “other,” all of which came together nicely to give a helpful picture to our lawyer audience.

I was the “other.” My slides are below and deal with (1) the “licensed communicator” concept for governing business use of social media, (2) the social media civil production cases and (3) preservation of social media evidence. I also (as asked) spoke a little about my own blogging experience, an enjoyable first.

Arbitrator says that an employer owes an employee no duty to investigate reasonably suspected wrongdoing

On December 21st, Ontario arbitrator Ian Anderson dismissed a termination grievance brought by an employee who was terminated for bringing personal computing devices into a high-security workplace and downloading significant volumes of unauthorized (and risky) software onto an employer’s network.

The outcome is driven by the facts, but Arbitrator Anderson did deal with an asserted employer duty to investigate suspected wrongdoing. He dismissed the union’s argument that the employer could not charge the grievor with the downloading offence given it did not investigate and discover the grievor’s downloading sooner, at the same time it discovered and disciplined the grievor for excessive internet use. Arbitrator Anderson said:

The Union suggests that an employer has a responsibility to investigate potential misconduct of which it has reasonable suspicion. Put differently, the Union suggests that in order to justify discipline delayed on the basis of earlier lack of knowledge of the alleged misconduct, there must previously have been no reasonable basis to suspect that misconduct.

The Union’s argument, as I understand it, is not restricted to circumstances that might give rise to estoppel. Absent some provision in the collective agreement, I do not agree that there is such a general duty of investigation on an employer. Nor, in my view, is this proposition supported by the cases relied upon by the Union.

General Dynamics Land Systems v National Automobile, Aerospace, Transportation and General Workers Union (Caw-Canada, Local no 27), 2012 CanLII 86240 (ON LA).