BC class action alleging vicarious liability for employee’s snooping to proceed

Yesterday the Court of Appeal for British Columbia held that a class action alleging vicarious liability for breach of the British Columbia Privacy Act should not be struck.

The claim is based on an allegation that an ICBC employee improperly accessed the personal information of about 65 ICBC customers. The Court dismissed ICBC’s argument that the Privacy Act only contemplates direct liability because its statutory tort rests on wilful misconduct. The Court reasoned that a requirement of deliberate wrongdoing is not incompatible with vicarious liability.

ICBC also raised a seemingly dangerous policy question for a data breach defendant: “Should liability lie against a public body for the wrongful conduct of its employee, in these circumstances?” The Court said this question should be answered based on a full evidentiary record.

While allowing the vicarious liability claim to proceed, the Court held that the plaintiff could not found a claim on an alleged breach of the safeguarding provision in British Columbia’s public sector privacy act. It did consider whether to recognize a common law duty to abide by the safeguarding provision, but held that it should not do so based on policy grounds, including the need to defer to the comprehensive administrative remedial regime provided for by the legislature.

Ari v Insurance Corporation of British Columbia, 2015 BCCA 468 (CanLII).

Cybersecurity and data loss (short presentation)

Here’s a 10-minute presentation I gave to the firm yesterday that puts some trends in context and addresses recent breach notification amendments.

CORRECTION. I made a point in this presentation that the Bill 119 amendments to PHIPA remove a requirement to notify of unauthorized “access” – a positive add given the statute does not include a harms-related threshold for notification. Section 1(2) of the Bill, I have now noticed, amends the definition of “use” as follows: “The definition of ‘use’ in section 2 of the Act is amended by striking out ‘means to handle or deal with the information’ and substituting ‘means to view, handle or otherwise deal with the information.’” The removal of “access” from the breach notification provision will therefore not invite a change.

How to manage a data security incident – Ten tips from a breach practitioner

Here’s a slide deck (including speaking notes) for a presentation I did today at LegalTech Toronto.

I aimed for something practical on the art of breach response by speaking to these ten tips:

  1. Initiate response ASAP
  2. Don’t rest on assumptions
  3. Keep the ball moving
  4. Don’t rush
  5. Obtain objective input
  6. Obtain technical input
  7. Take a broad view of notification
  8. Put yourself in their shoes
  9. Demonstrate commitment to doing better
  10. Apologize

Enjoy!

Arbitrator says outsourcing e-mail system to the cloud lawful

On August 25th, Arbitrator Outhouse held that Dalhousie University did not violate the Personal Information International Disclosure Protection Act by providing e-mail and other IT services via a cloud-based platform. The decision is about compliance with the Nova Scotia statute, though Arbitrator Outhouse does comment on the interests and risks involved in an outsourcing of this kind.

IPC says a physician acting as assessor is not a health information custodian

On August 25th the IPC/Ontario held that a physician retained to complete a Custody and Access Assessment Report was not acting as a health information custodian, thereby giving helpful guidance on an issue that has been subject to great confusion.

The IPC explained:

The definition of “health care practitioner” in section 3(1) is premised on the fact that the health care practitioner must be providing health care. Further, “health care” as defined in section 2 of PHIPA must be for a “health-related purpose.” In my view, on the facts of this particular case, the service provided by Dr. Morris was not provided for a health-related purpose, but rather for the purpose of assisting the parents, and possibly the courts, to develop a parenting plan which would function in the best interests of the child. Therefore, and for the further reasons set out below, I find that Dr. Morris was not providing health care when he provided a service in this capacity. Consequently, I find that Dr. Morris was not a “health information custodian” as defined in section 3(1) for the purpose of preparing the Custody and Access Assessment Report. As set out below, this interpretation of PHIPA is consistent with the decision of this office in complaint number HC-050014-1, with the policy behind subsection 20(2) of PHIPA, with the decision of the Federal Court of Appeal in Wyndowe v. Rousseau, and with public guidance provided by the Ministry of Health and Long-Term Care in relation to the definition of “health care.”

The IPC also dealt with the Divisional Court decision that has contributed to the confusion – Hooper v College of Nurses of Ontario. The IPC said:

The Divisional Court held that pursuant to section 76 of the Health Professions Procedural Code, being Schedule 2 to the Regulated Health Professions Act, 1991, the investigator appointed by the College of Nurses of Ontario had the jurisdiction to request and use the records from the Sunnybrook and Women’s College Health Sciences Centre.  The Divisional Court further held that the Sunnybrook and Women’s College Health Sciences Centre had the jurisdiction to disclose these records to the College of Nurses of Ontario.  The Divisional Court stated that the Occupational Health and Safety Department was providing health care and therefore the information contained in the records at issue was personal health information as defined in section 4 of PHIPA. This decision does not discuss how this interpretation of “health care” would more broadly affect the collection, use, and disclosure of personal health information on the basis of assumed implied consent pursuant to section 20(2) of PHIPA.

On my review of this decision, it was not necessary for the Divisional Court to decide whether or not the Occupational Health and Safety Department was providing health care and therefore that the information contained in the records was personal health information.  If they were not records of personal health information, the disclosure would not be subject to PHIPA.  Alternatively, if they were records of personal health information, the disclosure would be permitted, as the Divisional Court noted, pursuant to sections 9(2)(e) and 43(1)(b) of PHIPA.  As a result, the statement by the Divisional Court that the Occupational Health and Safety Department was providing health care and that the information in the records was personal health information is obiter dicta as it was unnecessary to the decision in the case.

The decision in Hooper is difficult to reconcile with that in Wyndowe, where the Federal Court of Appeal confirmed that physicians performing an independent medical examination are not “health information custodians” for the purpose of PHIPA.  I note that in the Hooper case, the Divisional Court did not have this office’s interpretation of section 20(2) of PHIPA or the findings in HC-050014-1 before it.  In all these circumstances, I am satisfied that the decision in Hooper, as it relates to what constitutes health care and personal health information, is not binding on me.

This is very helpful, in particular to employers who often face an argument that the health care practitioners they retain as assessors and consultants are subject to the “custodial” duties in PHIPA. The only section of PHIPA that typically binds employers and their assessors/consultants is section 49.

Morris (Re), 2015 CanLII 54751 (ON IPC).

Ontario court issues significant and conservative decision on scope of privacy tort

On August 31st, the Ontario Superior Court of Justice issued a significant decision on the scope of the common law privacy tort – both declining to recognize a cause of action based on “public disclosure of private facts” and articulating how the protection granted by the recognized “intrusion” tort is circumscribed by the interest in free expression.

The case involved a claim against the CBC that the plaintiff – a researcher and professor at Memorial University in Newfoundland – framed both in defamation and breach of privacy. The claim arose out of an investigative journalism program that the CBC aired about the plaintiff’s ethics. The plaintiff alleged wrongs arising out of the words the CBC used in its broadcast and the CBC’s “investigative techniques.” These techniques included receiving and using a confidential report from an anonymous source.

Justice Mew first declined to recognize a claim based on the alleged public disclosure of private facts (or false light publicity). He reasoned that the law of defamation adequately addressed the wrong at issue in the case before him in a manner that carefully balanced the competing interests at stake. He said:

The CBC defendants submit, and I agree, that to expand the tort of invasion of privacy to include circumstances of public disclosure of embarrassing private facts about a plaintiff, would risk undermining the law of defamation as it has evolved and been pronounced by the Supreme Court. To do so would also be inconsistent with the common law’s incremental approach to change.

Justice Mew did, however, allow the jury to consider whether the CBC committed an intrusion upon the plaintiff’s seclusion because, unlike a defamation claim, an intrusion claim “focuses on the act of intrusion, as opposed to dissemination or publication of information.” This finding left the jury with a difficult exercise in balancing competing rights. In instructing the jury, Justice Mew articulated a kind of immunity for receiving confidential information from whistle-blowers (without the use of unlawful means) and drew upon the defamation defences to circumscribe the intrusion tort as follows:

If you conclude that the actions of the CBC did not breach any laws, were not actuated by malice, or did not fall outside the scope of responsible communication, there would be no basis upon which you can find the CBC defendants liable for invasion of privacy. As to what constitutes malice and responsible communication, you should apply the same considerations that pertain to the defences of fair comment and responsible communication described by me earlier in relation to the defamation claim. If you have considered those questions (4 and 5) and have concluded that the defence of responsible communication should succeed, then you should answer “No” to question 8, since it would be inconsistent with the recognition of the place of responsible communication in the balancing exercise that I mentioned just now if a journalist whose actions benefit from the protection of that defence in a defamation claim were to remain exposed to a claim for invasion of privacy arising from her journalistic activities. Put another way, the prerequisite that there must be no lawful justification for the invasion of a person’s private affairs or concerns will be hard, if not impossible, to satisfy if there has been a finding that such an invasion occurred during the course of responsible journalistic activities.

Chandra v CBC, 2015 ONSC 5303 (CanLII).

Ontario decision suggests corporation can sue for breach of privacy

On February 19th, the Ontario Superior Court of Justice declined to strike a pleading that alleged a company unlawfully interfered with a competitor’s economic relations by receiving confidential information about a client (BC Cancer) that was sought after by both organizations. The Court held that the pleading was sustainable because BC Cancer had an arguable claim against the recipient organization based on the “intrusion upon seclusion” tort, suggesting that the tort is available to natural persons and corporations. As stressed by the Court, on a motion to strike a court errs on the side of permitting a novel but arguable claim to proceed to trial.

Fundraising Initiatives v Globalfaces Direct, 2015 ONSC 1334 (CanLII).

Reasonable necessity not enough to justify collection under Ontario’s public sector statutes

Section 38(2) is an important provision of Ontario’s provincial public sector privacy statute. It requires institutions to satisfy a necessity standard in collecting personal information. Ontario’s municipal public sector privacy statute contains the same provision.

On May 4th, the Divisional Court dismissed a Liquor Control Board of Ontario argument that the Information and Privacy Commissioner/Ontario had erred by applying a higher standard than “reasonable necessity” in resolving a section 38(2) issue. The Divisional Court held that the Court of Appeal for Ontario’s Cash Converters case establishes just such a standard:

The LCBO relies upon Cash Converters to support its submission that the IPC erred in not interpreting “necessary” as meaning “reasonably necessary.” However, Cash Converters does not interpret “necessary” in this way. In fact, it suggests the opposite. Arguably, something that is “helpful” to an activity could be “reasonably necessary” to that activity. Yet, the Court of Appeal makes it clear that “helpful” is not sufficient.

It’s hard to fathom a legislative intent to prohibit a practice that is, by definition “reasonable.” If the LCBO seeks and is granted leave to appeal this could lead to an important clarification from the Court of Appeal on a strict interpretation of section 38(2) that has stood for some time. The LCBO practice at issue – which involves collecting the non-sensitive information of wine club members to control against the illegal stockpiling and reselling of alcohol – is a good one for testing the line.

Liquor Control Board of Ontario v Vin De Garde Wine Club, 2025 ONSC 2537.

Ontario arbitration award addresses remedy for privacy violation

On February 24th the Grievance Settlement Board (Ontario) held that an employer should provide a grievor with three days’ paid vacation as a remedy for the consequences of an (admitted) security breach. The breach apparently allowed other employees to read incident reports involving the grievor, who alleged this caused him psychological distress. The GSB made its finding after conducting an informal med-arb process.

Ontario Public Service Employees Union (Grievor) v Ontario (Liquor Control Board of Ontario), 2015 CanLII 14198 (ON GSB).