Category: Privacy (Not Workplace)

IPC comments on use and disclosure of OSR in litigation

On June 15th, the Information and Privacy/Commissioner Ontario dismissed a privacy complaint that alleged a school board breached the Education Act and MFIPPA by producing a student’s OSR in response to his human rights application.

The Board produced the OSR and filed it in a brief of documents to be used at a pending Human Rights Tribunal of Ontario hearing, all pursuant to the Tribunal’s rules. The complainant objected, and in a preliminary hearing, the HRTO directed the complainant to consent or face dismissal of his application. The complainant did not consent, his application was dismissed and he subsequently filed a privacy complaint with the IPC.

The IPC held that MFIPPA prevails over the statutory privilege provision in the Education Act and that the IPC is therefore “not bound to consider section 266 of the Education Act in its deliberations.” It also held that the OSR was information “otherwise available” to the Board and therefore open to its use under the provision of MFIPPA that stipulates that MFIPPA “does not impose any limitation on the information otherwise available by law to a party to litigation.”

The IPC did recommend that, going forward, the Board refrain from unilaterally handling the OSR when its potential use and disclosure is in dispute: “… the Board should make efforts to seek direction from an administrative tribunal or court prior to disclosing the information contained within an Ontario School Record during the course of litigation.”

 York Region District School Board (Re), 2016 CanLII 37587 (ON IPC).

 

BCSC dismisses privacy claim against lawyer

On July 26th, the Supreme Court of British Columbia dismissed a claim against a lawyer based in part on his service of application materials and based in part his conveyance of information about the plaintiff in a casual conversation with another lawyer.

The application that became the subject of the claim was made in an earlier family law proceeding. It was for production of financial documentation from the plaintiff relating to seven companies in which he had an interest.

The defendant represented the plaintiff’s wife. He served the companies with application materials (a notice plus affidavit) without redaction and in an unsealed envelope. Apparently his process server left the materials with two unrelated companies in an attempt to affect service.

The Court dismissed this claim because the lawyer was at all times acting as counsel in furtherance of his client’s interest and was protected by absolute privilege. Justice Griffin commented favorably on the lawyer’s conduct in any event, declining to give effect to the plaintiff’s argument about the need for redaction and sealed envelopes and giving wide berth to counsel’s judgement. She said:

As a matter of ethics, professionalism and good practice generally, I do agree that lawyers should consider the privacy of litigants and not unnecessarily reveal the private information of the opposite party nor should they seek to embarrass the opposite party… But that does not mean that an action lies for a lawyer’s steps in the conduct of litigation if the opposite party does not like how the lawyer exercised his or her judgment in bringing and serving applications which disclose private information.

The “casual conversation claim” arose from a discussion the lawyer had with another lawyer during a break in discovery in another case. The lawyer said he represented a woman whose former husband had sold a business in Alberta for $15 million and that the couple had three young children. Another person who was present came to believe the lawyer was speaking about the plaintiff.

The Court dismissed the claim because the plaintiff had not proven the fact of the $15 million sale was private. More notable is Justice Wilson’s obiter finding that the lawyer’s disclosure was not “wilful” because he could not reasonably have expected the plaintiff to be identified. She said:

I have found the question of whether Mr. Lessing was wilful in violating Mr. Duncan’s privacy to be a difficult one. On balance, however, because the information he stated was very innocuous; he did not reveal names of the persons or the companies; and there is no evidence that he ought to have known someone in the room would know Mr. Duncan, I find that it cannot be said that he “knew or should have known” that what he said would breach Mr. Duncan’s privacy. I therefore find that if Mr. Lessing did breach Mr. Duncan’s privacy it was not a wilful violation of privacy within the meaning of the Privacy Act.

Duncan v Lessing, 2016 BCSC 1386 (CanLII).

Ont CA majority says no Charter right to text in private

In a case that speaks to the bounds of digital privacy, the Court of Appeal for Ontario recently held that a text message sender has no reasonable expectation of privacy in text messages stored on a recipient’s phone.

Text messaging is a unique form of communication. To text certainly invites the feeling of engaging in a private conversation, but a sender’s texts are received by another person who typically has no duty of confidence and who has exclusive control of the “inbox” in which the texts are invariably left to reside. Like digital messages of all kinds, once sent, a text message is beyond control.

The question for courts in these matters is a normative one – what ought to be treated as private in our society? – so the loss of control over information does not necessarily invalidate a Charter-based privacy claim. Nonetheless, there’s a real practical consequence to the loss of control that Courts must reckon with. If they do not, we risk unduly restricting the free flow of information and free expression. Privacy is always a matter of striking an appropriate balance.

The Court issued its balance-striking judgement about text messaging on July 8th. Justice MacPherson wrote for the majority that denied privacy protection, and held that control was of “central importance” in the context. He wrote:

The facts of this case demonstrate that, unlike in Spencer and Cole, the ability to control access to the information is of central importance to the assessment of the privacy claim. We are not talking about the appellant’s privacy interest in the contents of his own phone, or even the contents of a phone belonging to someone else, but which he occasionally used. We are also not dealing with deeply personal, intimate details going to the appellant’s biographical core. Here, we are talking about text messages on someone else’s phone that reveal no more than what the messages contained – discussions regarding the trafficking of firearms.

This is far from being a question of whether the appellant had “exclusive control” over the content. He had no ability to regulate access and no control over what Winchester (or anyone) did with the contents of Winchester’s phone. The appellant’s request to Winchester that he delete the messages is some indication of his awareness of this fact. Further, his choice over his method of communication created a permanent record over which Winchester exercised control.

It has never been the case that privacy rights are absolute. Not everything we wish to keep confidential is protected under s. 8 of the Charter. In my view, the manner in which one elects to communicate must affect the degree of privacy protection one can reasonably expect.

Justice Laforme dissented – clearly differing from the majority on the importance of control, citing numerous cases in which the loss of control has not precluded the recognition of a Charter-protected privacy interest, stressing that privacy is a normative concept and in general ascribing great value to texting in private.

While the debate between majority and minority about the significance of control and standing to raise section 8 of the Charter is important, the majority and minority do not differ by much in principle. Where they clearly do differ is on the value they ascribe to text messaging. To start with the minority, Justice Laforme says texting is the “modern version of a conversation,” and is nearly romantic about it: “In my view, these private communications are an increasingly central element of the private sphere that must be protected under s. 8.”  Justice MacPherson, in contrast, has no interest in constitutionalizing texting. In a humorous and effective appeal to authority, he links to the Ontario health and physical education curriculum, under which we teach 12-year-olds across the province, “If you do not want someone else to know about something, you should not write about it or post it.” This, of course, dovetails with Justice MacPherson’s important point about electing how to communicate. To people older than 12, we typically say something like, “You want privacy, pick up the phone.”

R. v. Marakah, 2016 ONCA 542 (CanLII).

Federal Court of Appeal reverses certification of privacy class action

On June 24th, the Federal Court of Appeal overturned the certification of a number of causes of action in a class action that claims damages for the sending of a letter that identified the sender as the “Marihuana Medical Access Program.”

The intended recipients were, in fact, individuals authorized to possess medical marihuana. They claim the letter disclosed this fact and exposed them to various harms. The Federal Court certified the action last July based on a finding that the claim set out a number of valid causes of action.

The Federal Court of Appeal allowed the action to proceed based on claim alleging that the government’s negligence (and breach of confidence) caused the following damage: costs incurred to prevent home invasion, costs incurred for other personal security, damage to reputation, loss of employment, reduced capacity for employment, and out of pocket expenses. The Court of Appeal affirmed that a claim for such damages is actionable and “not entirely speculative.”

The Federal Court of Appeal overturned certification of three other causes of action:

  • It held that the pleading did not establish a valid claim of contractual breach because it set out no exchange of promises backed by valuable consideration. The existence of an enforceable contractual contract was also not apparent in the circumstances given the arrangement between government and the representative plaintiff was invited and structured by statute.
  • It held that the pleading did not establish a valid claim for public disclosure of private facts because the pleadings did not support a finding that the government “published” private facts: “…the concept of ‘publicity’ means that ‘the matter is made public, by communicating it to the public at large, or to so many persons that the matter must be regarded as substantially certain to become one of public knowledge.'”
  • It held that the pleading did not establish a valid claim for intrusion upon seclusion because it did not support a finding of the required state of mind (i.e., intent or recklessness): “At best, the material facts pleaded support the notion that an isolated administrative error was made.”

The Court’s limitation of the claim to one based on negligence is significant because it precludes access to “moral damages.” While the Court said the pleaded special damages were not so speculative to disallow the claim, it’s questionable whether the actual damages suffered by members of the class amount to much at all.

Canada v John Doe, 2016 FCA 191.

Why “Border Security” was shut down

The media has reported that a Report of Findings recently issued by the Privacy Commissioner of Canada (OPC) led to the cancellation of the television show “Border Security” – a privately produced documentary that covered the operations of the Canada Border Services Agency (CBSA).

How is it that the CBSA was made liable for a breach of the federal Privacy Act for intrusive action taken by an arm’s-length producer?

In its 26-page report the OPC does probe at the degree of control the CBSA exercised over the producer’s activity but ultimately declined to find that the producer’s collection of personal information was also the CBSA’s collection of personal information. The OPC explained:

However, the question of whether the CBSA can be said to be participating in the collection of personal information for the purpose of the Program is not determinative of our finding in this case. In our view, the CBSA is first collecting personal information in the context of its enforcement activities and thereby has a responsibility under the Act for any subsequent disclosure of the information that is collected for, or generated by, such activities.

Following our investigation, we are of the view that there is a real-time disclosure of personal information by the CBSA to Force Four [the producer] for the purpose of Filming the TV Program. Under section 8 of the Act, unless the individual otherwise provided consent, this personal information collected by the CBSA may only be disclosed for the purpose(s) for which it was obtained, for a consistent use with that purpose, or for one of the enumerated circumstances under section 8(2).

By this reasoning the OPC distinguishes the information flow under assessment from one in which CBSA is simply being observed while conducting its operations. The OPC finding seems to rest on the CBSA’s purposeful provision of access to personal information that would have otherwise been inaccessible – access that invites a “real-time” disclosure of personal information. The OPC applies a novel, expansive conception of a “disclosure.”

From time-to-time organizations are faced with a concern about the potentially invasive activities of others on their property or otherwise within their domain. Most often, they can take comfort in the availability of an “it’s not my collection and not my doing” defence. This OPC finding illustrates when such a defence might not be available.

Report of Findings dated 6 June 2016 (PA-031594).

The Saskatchewan OIPC okays health authority’s incident response

On June 8th, the Office of the Saskatchewan Information and Privacy Commissioner issued an investigation report in which it held that a regional health authority responded appropriately to a privacy breach. Most notably, the OIPC reinforced a recommendation about notification included in its 2015 publication, Privacy Breach Guidelines. The recommendation:

Unless there is a compelling reason not to, [health information] trustees should always notify affected individuals.

This is a novel and conservative variation on the normal harms-related principle that guides notification. It is simply a recommendation – and one directed only at public agencies and health information trustees in Saskatchewan. It is notable nonetheless, however, in that it reflects an arguably developing public sector norm. Right or wrong, there is a unique pressure on public sector institutions to notify that should always be considered as part of a public sector institution’s careful response to a data handling incident.

Investigation Report 101-2016 (8 June 2016).

ONSC affirms damages award for “friend’s” leak of work schedule

On April 8th, the Ontario Superior Court of Justice affirmed a $1,500 damages award for a privacy breach that entailed the disclosure of information that the defendant received because she was the plaintiff’s social media friend.

The plaintiff and defendant were pilots who worked for the same airline. The plaintiff shared his work schedule with the defendant though an application that allowed him to share his information with “friends” for the purpose of mitigating the demands of travel. The airline also maintained a website that made similar information available to employees. The defendant obtained the schedule information through one or both of these sites and shared it with the plaintiff’s estranged wife.

There are a number of good issues embedded in this scenario. Is a work schedule, in this context, personal information? Does one have an expectation of privacy in information shared in this context? Does the intrusion upon seclusion tort proscribe a disclosure of personal information?

The appeal judgement is rather bottom line. In finding the plaintiff had a protectable privacy interest, the Court drew significance from the airline’s employee privacy policy. It said:

The policy of Air Canada, that must be followed by all employees, emphasises the privacy rights of the employees. This policy specifically prohibits any employee from disseminating personal information of another employee to third parties without express permission of the other employee. The sharing of personal information between employees is clearly restricted for work related purposes only. Permission to review and obtain this information is not given unless it is for work related purposes. If the information is reviewed and used for any other purpose, this results in conduct that constitutes an intentional invasion of the private affairs or concerns. In addition, I find that a reasonable person would regard this type of invasion of privacy as highly offensive and causing distress, humiliation and anguish to the person.

The defendant did not appeal the $1,500 damages award.

John Stevens v Glennis Walsh, 2016 ONSC 2418 (CanLII).

ONSC grants permanent injunction to address vitriolic internet campaign

On April 17, Justice Broad of the Ontario Superior Court of Justice issued a permanent injunction against a privacy and defamation defendant who he said engaged in a vitriolic campaign to discredit the plaintiff and her father – victims of a violent attack and hostage taking in which the plaintiff’s eight-year-old son was killed by the defendant’s brother-in-law.

A jury found in the plaintiffs’ favour and awarded damages in an amount that has not been published. Justice Broad issued a permanent injunction – an extraordinary remedy – because there was a real possibility that the plaintiffs would not receive any payment. He reasoned:

A possibility means a chance that something will happen, and a real possibility connotes a possibility that is not speculative or lacking in support. It is axiomatic that past behavior can act as a indicator of future behavior. In my view Richard Chmura’s failure to pay the outstanding costs awards, dating back up to more than four years ago, provides a sufficient basis for a finding that there is a real possibility that Julie Craven and John Craven will not receive any compensation, given that enforcement against Mr. Chmura of the damage award may not be possible. The test for the issuance of a permanent injunction preventing any continued or repeated publication of libelous statements about Julie Craven and John Craven has therefore been satisfied.

Craven v Chmura, 2016 ONSC 2406 (CanLII).

Alberta CA comments on meaning of “personal information”

Whether information is “personal information” – information about an identifiable individual – depends on the context. The Court of Appeal of Alberta issued an illustrative judgement on April 14th. It held that a request for information about a person’s property was, in the context, a request for personal information. The Court explained:

In general terms, there is some universality to the conclusion in Leon’s Furniture that personal information has to be essentially “about a person”, and not “about an object”, even though most objects or properties have some relationship with persons. As the adjudicator recognized, this concept underlies the definitions in both the FOIPP Act and the Personal Information Protection Act. It was, however, reasonable for the adjudicator to observe that the line between the two is imprecise. Where the information related to property, but also had a “personal dimension”, it might sometimes properly be characterized as “personal information”. In this case, the essence of the request was for complaints and opinions expressed about Ms. McCloskey. The adjudicator’s conclusion (at paras. 49-51) that this type of request was “personal”, relating directly as it did to the conduct of the citizen, was one that was available on the facts and the law.

The requester wanted information about her property because she was looking for complaints related to her actions. The request was therefore for the requester’s personal information. Note the Court’s use of the word “sometimes”: context matters.

Edmonton (City) v Alberta (Information and Privacy Commissioner), 2016 ABCA 110 (CanLII).

Data breach response – Examining evidence and determining credibility

Having good investigative capacity is essential to good data breach response. More often than not, a post-incident investigation involves gathering evidence from witnesses. Digital forensics is also a common part of a breach investigation, but digital forensic evidence typically complements other testimonial and documentary evidence. For this reason I’m sharing a presentation I did with student conduct officers at Canadian colleges and universities last week, in which my aim was to prepare the audience to deal with a more challenging “credibility case.” It is relevant to human resources practitioners engaged in an investigative capacity post-incident and is relevant to lawyers and others who act as “breach coaches.”