Archive | Privacy (Not Workplace) RSS feed for this section

Experts, privilege and security incident response

26 Sep

I’d encourage you to read David Fraser’s blog post from last weekend – The value of legal privilege: Your diligent privacy consultant may become your worst enemy.

David’s basic point is sound: structuring a security or privacy expert retainer to support a privilege claim can prevent your own expert’s advice from being used against you. Most often this is done by having legal counsel retain an expert in anticipation of litigation and for the dominant purpose of litigation, with instructions and conclusions going strictly between counsel and expert.

David explains a scenario in which an organization retained an expert to advise on some form of due diligence connected to a subsequent security incident. The expert was apparently quite candid in its written advice, outlining a security problem that amounted to what David compares to a “dumpster fire.” The organization responded partly but not wholly to the expert’s recommendations. That expert’s report will therefore become, as David says, the plaintiff’s Exhibit A.

Being faced with your own expert’s advice is very bad, hence the soundness of David’s point. My additional point: legal privilege is no solution to a bad client-counsel-expert relationship.

The views on what is a reasonable investigation or remediation in the data security context can vary widely between equally qualified experts. Too often, perhaps driven by conflicting interests, security experts recommend what’s possible and rather than what is “due.” A breach coach can help address this problem, identifying trusted experts and working with them to reach a shared and acceptable understanding of the due diligence required in responding to a security incident. With such a relationship, departing from an expert’s recommendations (even though they are privileged) represents a real and meaningful risk. The facts – i.e., the things done based on an expert’s recommendations – are never privileged. If litigation ensues those facts will be picked apart by other experts, and you want the good ones to view the facts the same way as you and your trusted advisor.

Experts that are prone to floating long lists of options need to be retained under privilege because they are dangerous, but even under privilege their advice is worth little. The prescription: do everything you can to build a great client-counsel-expert relationship. Use a breach coach. Keep a roster of trusted experts on retainer. Don’t use experts retained for due diligence advice to do the very remedial work they recommend.

Advertisements

Ont CA says doctor gross revenue information is not personal information

4 Aug

As reported widely, yesterday the Court of Appeal for Ontario affirmed an IPC/Ontario finding that gross revenue earned by Ontario’s top earning doctors was not their personal information.

There’s not much to the decision. (A number of the grounds for appeal were “optimistic.”) The decision illustrates that information must reveal something of a personal nature about an individual (in the relevant context) to be the individual’s personal information. In the doctors’ case, the link between gross income and the personal finances was not strong, as noted by the Court:

The information sought was the affected physicians’ gross revenue before allowable business expenses such as office, personnel, lab equipment, facility and hospital expenses. The evidence before the Adjudicator indicated, however, that, in the case of these 100 top billing physicians, those expenses were variable and considerable.

In another context, gross revenue information could be personal information. What is and is not personal information is a VERY contextual matter.

Ontario Medical Association v. Ontario (Information and Privacy Commissioner), 2018 ONCA 673.

The right to be forgotten comes to Canada

28 Jan

On Friday, the Office of the Privacy Commissioner of Canada issued a new position on the protection of online reputation. In doing so the OPC recognized a right to have personal information de-indexed from search engine results if it is inaccurate, incomplete or out-of-date. Although the position is in draft, is nonetheless of critical significance to Canadians’ use of the internet – creating a broader variant of the so-called European “right to be forgotten.”

The OPC says the right arises out of two longstanding parts of the Personal Information Protection and Electronic Documents Act – Principle 4.6 and section 5(3).

Principle 4.6 is the accuracy principle. It reads as follows:

4.6 Principle 6 — Accuracy

Personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.

4.6.1

The extent to which personal information shall be accurate, complete, and up-to-date will depend upon the use of the information, taking into account the interests of the individual. Information shall be sufficiently accurate, complete, and up-to-date to minimize the possibility that inappropriate information may be used to make a decision about the individual.

4.6.2

An organization shall not routinely update personal information, unless such a process is necessary to fulfil the purposes for which the information was collected.

4.6.3

Personal information that is used on an ongoing basis, including information that is disclosed to third parties, should generally be accurate and up-to-date, unless limits to the requirement for accuracy are clearly set out.

Principle 4.6 dovetails in part with Principle 4.9, which requires organizations to “amend” personal information if it is demonstrably “inaccurate or incomplete.” (Principle 4.9 does not mention currency.)

The OPC’s reasoning is simple. Search engines use and disclose personal information to “provide people with access to relevant information from the most reliable sources available.” This purpose is not served by presenting search results that are not accurate, complete or up-to-date. Though accuracy, completeness and currency are they key concepts, the OPC says that search engines should interpret and apply them in light of the how materially the impugned content affects individuals’ interests and the countervailing (public) interest in continued accessibility.

Section 5(3) of PIPEDA restricts organizations to handling personal information for purposes that a “reasonable person would consider are appropriate under the circumstances.” The OPC says that section 5(3) could also be the basis of a valid de-indexing request, giving the following two examples:

  • Where content is unlawful, or unlawfully published (e.g. where it contravenes a publication ban, is defamatory, or violates copyright; etc.)
  • Where the accessibility of the information may cause significant harm to the individual, and there is either no public interest associated with the display of the search result, or the harm, considering its magnitude and likelihood of occurrence, outweighs any public interest

This newly-recognized right invites de-indexing requests to search engines as the primary means of obtaining relief from online reputational harm, though the OPC has also recognized a right to take down content. The right to take down content is a more limited right, in part because the OPC only has jurisdiction over those who publish personal information “in the course of commercial activity.”

The significance of the new position cannot be understated; there are many Canadians who feel plagued by internet posts that are unflattering if not disparaging. Search engines will not embrace this development – leaving a possibility of an enforcement dispute (and Federal Court input) and vigorous lobbying for a legislative amendment. It may take some time, but watch for a Charter challenge.

You can read the draft report here.

In snooping investigations, disclose the logs

21 Dec

When an employer confronts an employee with an allegation of improper access to personal information, it is important to give the employee the event log data that proves the allegation. It may often be voluminous and difficult to interpret, but presenting a general allegation or summarizing events without particulars will give the employee a good reason to deny the allegation.

This is what happened in this very illustrative British Columbia case in which an arbitrator held he could not infer dishonesty from the grievor’s initial failure to admit wrongdoing because the grievor had not been given log data. Also, if an employee continues to deny responsibility, log data can be difficult to rely upon; even if it can be established to be authentic, there are issues about presenting log data in a meaningful and privacy-protective way. An early admission can go a long way.

Fraser Health Authority (Royal Columbian Hospital) v British Columbia Nurses’ Union, 2017 CanLII 72384 (BC LA).

Tribunal errs by ordering disclosure without redaction – right to redaction?

18 Dec

On November 28th the Nova Scotia Court of Appeal held that the Nova Scotia Workers’ Compensation Appeals Tribunal erred by ordering the disclosure of a worker’s entire file without redaction.

The matter was about a workplace safety insurance claim, and particularly whether a worker’s condition was caused by his work. The Tribunal made the order in response to an employer’s objection to various redactions made to a set of records in the possession of the Workers Compensation Board. Although the employer argued the redacted information was relevant, the Tribunal ordered the unredacted file to be produced because it lacked the resources to vet for relevance, because fairness and the “ebb and flow” of a hearing supported full disclosure and because of the difficulty in making relevance determinations.

Despite the obvious appearance of laziness, the Tribunal framed its decision as rooted in procedural fairness. In response, the Court said: “…there is no principle of procedural fairness… that a litigant who requests disclosure is entitled to see every document it requests, regardless of relevance and without a relevance ruling by an impartial arbiter.”

Implicit in this statement is a concern for the worker’s privacy interest. The Tribunal had recognized this interest in a policy manual that it disregarded in making its order, though there are aspects of the Court’s reasoning that suggest a more broadly based right to redaction.

The Court gave this guidance on how to vet for relevance:

The person who vets for relevance must keep in mind that material should be disclosed for its connection to the “proposition[s] being advanced” by the parties, to borrow Justice Rothstein’s phrase, and not merely to justify an anticipated conclusion on the merits of those propositions. The vetting official may not be able to foretell precisely how the evidence will be martialed. So the ambit of disclosure should allow the parties some elbow room to strategize for the engagement.

Baker v. Nova Scotia (Workers’ Compensation Appeals Tribunal), 2017 NSCA 83.

What’s a breach coach?

29 Sep

I hate the term “breach” – please call them “security incidents” – but the term “breach coach” is certainly ingrained. Posting today’s presentation on the role of the coach as I step out the door to an insurance sector event. The simple, self-serving and valid message: call a coach first.

Who’s the HIC?

28 Sep

Who is the “health information custodian” when an institution with an educational mandate provides health care? PHIPA gives institutions choice. Here’s a presentation I gave yesterday in which I argue that the institution (and not its employed practitioners) should assume the role of the HIC. Also includes some simple content on the new PHIPA breach notification amendment.