Arbitrator dismisses privacy breach grievance based on actions of a snooping employee

On March 15th, the Grievance Settlement Board (Ontario) dismissed a grievance against the government for one employee’s intentional “snooping” into another employee’s employment insurance file.

Intentional unauthorized access to personal information by a trusted agent is a somewhat common scenario that has not yet been addressed by labour arbitrators. While arbitrators have taken jurisdiction over privacy grievances on a number of bases, privacy grievances have typically addressed intentional employer action – e.g. the administration of a drug test or the installation of a surveillance camera. This case raises an issue about an employer’s obligation to secure employee personal information and its liability for intentional access by another person. Can a reasonable safeguards duty arise inferentially out of the terms of a collective agreement? Is there some other source of jurisdiction for such claims? It is not clear.

The GSB ultimately finds jurisdiction in the Municipal Freedom of Information and Protection of Privacy Act, which it finds is an “employment-related statute” that can be the basis of arbitral jurisdiction. This is unfortunate because MFIPPA, in general, excludes employment-related records (and hence employees). There are now a handful of arbitral decisions that neglect to consider and apply the (very important) exclusion.

Oddly, having found jurisdiction rooted in MFIPPA, the GSB does not consider whether the government (or the Ministry’s head) failed to meet the MFIPPA “reasonable measures to prevent unauthorized access” security standard. Instead, it applied a vicarious liability analysis and dismissed the grievance. I’ll quote the GSB analysis in full:

41      Being guided by the principles set out in Re Bazley, I am of the view that the Employer is not vicariously liable for actions of Ms. X. Simply put, the “wrongful act” was not sufficiently related to conduct authorized by the Employer. Indeed, the accessing of the grievor’s EI file had nothing to do with the work assigned to employees. Employees were able to and indeed did access EI files but only in those instances where it was necessary to assist their clients.
42      The evidence established that the Employer had clear and sufficient policies regarding the protection of private information. Privacy matters were discussed with employees at the point that they were hired and although those policies could have and perhaps should have been formally reviewed more frequently by management, employees were reminded of their obligations frequently by way of a “pop up” upon entering their computers.
43      Further, Ms. Smith, a co-worker of the grievor, who testified for the Union was very forthright in her cross-examination that she knew that she was not to access the private information of anyone for her own interest. Moreover, this intrusion was the first time that she knew of anyone in the workplace doing such a thing. It might well be argued that this reinforces the view that the policy was known and followed in the workplace. Certainly there was no evidence of any other breach.
44      This intrusion was not an abuse of power. It was not an instance where someone with power over the grievor utilized their authority to carry out the wrong. It was a coworker — indeed I am of the view that it was the action of a rogue employee who, for her own purposes, accessed the grievor’s EI file. It was not an action that could be seen to “further the Employer’s aims.” Indeed this activity was done without the sanction or knowledge of the Employer. I accept the Employer’s evidence that it knew nothing of the intrusion until being told by a coworker of the grievor and upon learning took immediate action to investigate and manage the issue, and Ms. X received a significant suspension.
45      Finally, it must be recalled that this Board dismissed the grievor’s allegations that the Employer and her coworkers were bullying and harassing her in a separate decision. Accordingly, it seems to me that it cannot be said that the intrusion into her EI records by Ms. X was “related to friction, confrontation or intimacy inherent in the employer’s enterprise.”

Whether an organization is vicariously liable for an employee’s intentional unauthorized access to personal information is a very significant legal issue. This analysis will receive significant attention.

Ontario and OPSEU, Re, 2015 CarswellOnt 3885.

IPC Ontario says a disclosure on the internet is just another disclosure

The Information and Privacy Commissioner/Ontario issued a notable investigation report on March 20th. It held that the City of Vaughan did not breach the Municipal Freedom of Information and Protection of Privacy Act by publishing personal information from a minor variance application on the internet.

The information in a minor variance application is required by statute to be accessible to the public, but by statutory language that speaks to “making available” and allowing for “inspection.” The complainant did not take issue with access to her information, but did not want her information published on the internet. The IPC essentially held that disclosure was authorized, and also that disclosure by internet publication was just another disclosure. Its key text is as follows (with my emphasis):

A concern raised in Gombu was that disclosing records in an electronic format was detrimental to privacy because it removed the de facto privacy protection created by the relative obscurity of paper records. As noted by the Court, circumstances have changed such that records are expected to be provided in electronic format. Part of this is the ease of use for individuals wishing to access records and databases which in turn increase transparency. Indeed, in Gombu this was the complainant’s stated purpose for requesting an electronic copy of the database.

In confirming that the records could be disclosed in bulk electronic format, the Court noted that this would make them more easily accessible with minimal further intrusion upon personal information contained within given that they were already subject to disclosure.

In the circumstance of this complaint, sections 1.0.1. and 44(10) of the Planning Act and 253 of the Municipal Act, taken together, specifically override the privacy interest of individuals engaging the minor variance process and, as in Gombu, mandate the disclosure of personal information in association with that process. I conclude that the City’s decision to disclose the complainant’s personal information in electronic format is in compliance with the Act.

In response to the argument that this information should not be disclosed via the Internet, in the circumstances of this complaint I cannot identify any basis that would prohibit information otherwise subject to the section 32 exceptions from being disclosed via the Internet. I note that Committees of Adjustment are required to demonstrate accountability via a transparent process that permits individuals to participate, scrutinize and to hold institutions such as the City accountable. As such, making these records available online facilitates this goal in a manner consistent with the Act.

The IPC praised the City for administering a public record redaction procedure that allows individuals to request redaction. It also said the City should explore the use of web search exclusion technologies so that personal information it publishes on the internet is not readily searchable. This seems like a recommendation about best practices rather than one that is rooted in the statute.

Privacy Complaint Report MC13-67

IPC tweaks data security guidance from HO-013

Yesterday the Information & Privacy Commissioner/Ontario issued a paper called “Detecting and Deterring Unauthorized Access to Personal Health Information.” The paper adjusts and augments the detailed guidance on hospital data security the IPC provided in December when it issued HO-013.

In issuing HO-013 the IPC articulated numerous requirements in near checklist form. The IPC adds new requirements in Detecting and Deterring. Hospitals that are currently using HO-013 to conduct a gap analysis should now refer to Detecting and Deterring.

One exception to the augmentation is the IPC’s handling of “search controls” – controls that rest on limiting the search functionality of patient record systems. The IPC has backed off noticeably from HO-013 in Detecting and Deterring, which states:

With respect to search controls, it is important to note that open-ended search functionality may facilitate unauthorized access to personal health information in electronic information systems. For example, in the privacy breach involving the use and disclosure of personal health information for the purpose of selling or marketing RESPs, agents of the hospital were able to obtain lists of women who had recently given birth by performing open-ended searches of a patient index. To prevent this, custodians should ensure that the amount of personal health information that is displayed as a result of a search query is limited, while still enabling agents to carry out their employment, contractual or other duties. Open-ended searches for individuals should be prohibited by the search functionality and search capabilities of electronic information systems containing personal health information. Ideally, electronic information systems should be configured to ensure that search criteria return only one record of personal health information. If that is not feasible, then electronic information systems should be configured so that no more than five records of personal health information are displayed as a result of a search query.

The withdrawal makes sense. Search controls can put patient safety at risk, yet even rigid search controls are a questionable deterrent to intentional unauthorized access. Are bad actors really more likely to engage in unauthorized access because information is easy to find?

Hospitals should beware of the distinction between prescriptions that are recommendatory and prescriptions the IPC has the power to enforce. This is most important in considering the heavily-augmented breach response section of Detecting and Deterring. The IPC, for example, returns to an accountability-related idea it has pressed since making order HO-010 in 2010 by suggesting that hospitals should provide affected individuals with the name of “the agent that caused the privacy breach” in a breach notification letter. The IPC has the power to enforce breach response requirements that are derived from section 12 of PHIPA. A number of the prescriptions it makes on breach response (not necessarily the one I have identified above) have a tenuous connection to section 12 and can reasonably be viewed as recommendatory.

HO, HO, HO-013 – Big order for Ontario hospitals lands just before the holidays

On December 16th the Information and Privacy Commissioner/Ontario issued its 13th order under the Personal Health Information Protection Act. It contains very detailed prescriptions pertaining to the PHIPA data security standard in section 12. The standard is contextual – i.e., the standard of care is always based on all the “circumstances.” However, given Ontario hospitals face similar foreseeable risks, hospitals should pay very close heed to the prescriptions in HO-013.

I’ll spare you a description of the background and get to the point. Here is a bulleted summary of the data security prescriptions in HO-013. Rather than describe each in detail I will give you very short (synthesized) descriptions and page references.

  1. Ensure that patient information systems support audits and investigations of system misuse. Collect reliable data on all access, copying, disclosure, modification and disposal of patient records. Retain data for a reasonable period of time. Pages 23 to 29.
  2. Conduct periodic audits for patient information system misuse: “Audits are essential technical safeguards for electronic information systems.” Conduct random audits on all system activity. Run a special audit program for “high profile” patients. Pages 32 to 34.
  3. Ensure that patient information systems feature reasonable search controls. Search controls should limit the ability of agents to perform “open-ended” searches. Pages 29 to 32.
  4. Ensure that patient information systems feature a login notice that appears on its own screen and requires express acknowledgement. Page 22.
  5. Conduct regular and comprehensive privacy training pursuant to a privacy training program policy. Require pre-authorization training and annual re-training. Training materials should be detailed and contain certain information prescribed in HO-013. Pages 34 to 36.
  6. Communicate regularly about privacy compliance and compliance duties pursuant to a privacy awareness program policy. Page 36.
  7. Administer a “pledge of confidentiality” that contains certain information prescribed in HO-013. Require agents to sign pre-authorization and annually. Pages 37 and 38.
  8. Maintain and administer a privacy breach management policy that meets particular requirements specified in HO-013. Pages 40 and 41.
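As an added illustration of items 1 to 3 above and of the search-control guidance quoted earlier (this is example code written for this post, not the IPC’s or any hospital’s system), here is a toy patient index in Python that refuses open-ended searches, caps displayed results at five records, and writes an audit record for every query, together with two audit queries a periodic review could run over that log. The field names, agent identifiers, the `high_profile` flag and the sample patients are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

MAX_RESULTS = 5   # HO-013 fallback ceiling: at most five records displayed per query
SEARCHABLE = ("mrn", "surname", "birth_date")   # assumed searchable fields


@dataclass(frozen=True)
class Patient:
    mrn: str
    surname: str
    birth_date: str
    high_profile: bool = False   # assumed flag for the "high profile" audit program


@dataclass(frozen=True)
class AuditRecord:
    when: str
    agent: str
    criteria: tuple
    outcome: str      # "ok", "rejected_open_ended" or "rejected_too_many"
    mrns: tuple       # records actually displayed to the agent


class PatientIndex:
    def __init__(self, patients):
        self._patients = list(patients)
        self.audit_log = []   # retained access data that later audits query

    def search(self, agent, **criteria):
        # Drop blank criteria and refuse anything that is not a searchable field.
        criteria = {k: v for k, v in criteria.items() if v}
        unknown = set(criteria) - set(SEARCHABLE)
        if unknown:
            raise KeyError(f"not searchable: {sorted(unknown)}")
        if not criteria:
            self._audit(agent, criteria, "rejected_open_ended", ())
            raise ValueError("open-ended searches are not permitted")
        matches = [p for p in self._patients
                   if all(getattr(p, k) == v for k, v in criteria.items())]
        if len(matches) > MAX_RESULTS:
            # Nothing is displayed, but the attempt is still recorded for audit.
            self._audit(agent, criteria, "rejected_too_many", ())
            raise ValueError(f"{len(matches)} records matched; narrow the search")
        self._audit(agent, criteria, "ok", tuple(p.mrn for p in matches))
        return matches

    def _audit(self, agent, criteria, outcome, mrns):
        self.audit_log.append(AuditRecord(
            when=datetime.now(timezone.utc).isoformat(), agent=agent,
            criteria=tuple(sorted(criteria.items())), outcome=outcome, mrns=mrns))


def high_profile_accesses(index):
    """Audit query: every successful search that displayed a high-profile record."""
    flagged = {p.mrn for p in index._patients if p.high_profile}
    return [r for r in index.audit_log if r.outcome == "ok" and flagged & set(r.mrns)]


def rejected_search_counts(index):
    """Audit query: agents ranked by number of rejected (open-ended or too broad) searches."""
    counts = {}
    for r in index.audit_log:
        if r.outcome != "ok":
            counts[r.agent] = counts.get(r.agent, 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: -kv[1]))


def build_sample_index():
    """Constructed sample data for the example; not taken from any real system."""
    smiths = [Patient(f"MRN-{i:04d}", "Smith", f"198{i}-04-02") for i in range(6)]
    smiths[2] = Patient("MRN-0002", "Smith", "1982-04-02", high_profile=True)
    return PatientIndex(smiths + [Patient("MRN-0100", "Nguyen", "1975-11-30")])
```

Running `build_sample_index().search("clerk-7", surname="Smith")` is rejected because six records match, while adding `birth_date="1982-04-02"` returns the single high-profile record and leaves an audit entry that `high_profile_accesses` surfaces.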

Most hospitals will already have data security programs that feature many of the elements in the list above. Regardless, there are detailed requirements in HO-013 (not included in the summary above) that invite hospitals to conduct a broad gap analysis. Some gaps are likely to be closed easily and others may require the investment of additional ongoing resources – e.g., gaps with respect to training and communication programming. The most problematic prescriptions in HO-013 are those related to the modification of patient information systems. The prescriptions regarding search controls, for example, seem problematic and may create system usability (search) problems. The responding hospital did raise concerns about usability that the IPC dismissed.

Order HO-013 (IPC Ontario).

Newfoundland privacy breach class action moves forward

On November 14th the Supreme Court of Newfoundland and Labrador Trial Division held that the pleadings in a privacy breach class action disclose a reasonable cause of action.

Even for an application of the Hunt v Carey standard, the Court did not probe the pleadings with any significant force. It:

  • held that an alleged failure to establish safeguards was enough to found a “willful violation” claim;
  • held that a question about whether Newfoundland’s statutory privacy tort could operate together with the common law vicarious liability doctrine should be determined at trial;
  • held that the availability of the common law intrusion upon seclusion tort in Newfoundland should be determined at trial;
  • allowed a negligence claim for distress and humiliation to proceed even though no specific psychiatric illness or prolonged psychological injury was pleaded because “the threshold of compensable harm will depend on the evidence at trial”; and
  • held that the availability of a contract claim for non-economic loss should be determined at trial.

The Court struck claims for breach of statute, breach of the Charter and breach of fiduciary duty. The Court remains seized of the certification application.

Hynes v Western Regional Integrated Health Authority, 2014 CanLII 67125 (NL SCTD).

Police disclosure of accused’s HIV status breaches s 7, stay denied

On July 7th, Justice Block of the Ontario Court of Justice held that the police breached MFIPPA and section 7 of the Canadian Charter of Rights and Freedoms by disclosing an accused person’s status as HIV-positive without a reasonable belief that the individual posed a significant risk of harm to others.

The accused was a youth pastor who was charged with luring a person believed to be under the age of sixteen. Charges followed after the accused offered to give fellatio to a sex crimes detective who was posing as a fifteen-year-old. After his arrest, the accused volunteered his status as HIV-positive, and the police published a media release that described the accused’s status for the purpose of alerting individuals who had been in contact with the accused so they could seek testing or treatment services.

Justice Block was shocked at the assumptions that the police employed. He said:

Mr Gowdy was intensely private about his sexual interests. His family, church community and the bulk of his friends were unaware of his sexual orientation. His church regards homosexual practises as sinful. The evidence suggests that this deeply closeted pastor would have had furtive occasional sexual encounters with men he knew little or nothing about. Whether or not Mr Gowdy was evasive, there was no admission in his interview that these prior sexual contacts were unaware of his HIV status, other than contacts he had after his exposure to HIV but before his diagnosis. There was no admission that he engaged in activities that carried the risk of transmission after his exposure. No steps were taken to find out if the medical authorities treating Mr Gowdy had already traced his contacts.

Justice Block held the disclosure was not authorized by the Police Services Act and breached MFIPPA and the right to be free from “serious state-imposed psychological stress” that is guaranteed by section 7 of the Charter. He said that a police media release that names a person HIV-positive must be authorized by a police chief or properly authorized designate and must be based on a reasonable belief that the disclosure will ameliorate a significant risk of harm to the public. More questionably, reasoning that the Police Services Act is a “complete code,” he suggested that the police cannot release such information about a person who has only been charged with an offence.

Justice Block denied a stay, but chided the police for their “well-intentioned” demonstration of “profound ignorance.”

R v Gowdy, 2014 ONCJ 592 (CanLII).

Tort damages awarded for privacy breach in Ontario

On October 31st, the Ontario Superior Court of Justice ordered general damages for breach of privacy under our new tort.

This is another love triangle case involving an improper access to personal information. The defendant worked at Legal Aid Ontario. The plaintiff was her boyfriend’s ex. The defendant accessed the plaintiff’s legal aid file without authorization, learned she had dealings with Children’s Aid and threatened to call Children’s Aid to have the plaintiff’s children taken from her. The plaintiff gave evidence that Children’s Aid investigated, but failed to prove this was because of the plaintiff’s disclosure. The plaintiff also unsuccessfully alleged that she lost a job because of the breach or – to be more precise – the anxiety caused by the breach.

Legal Aid Ontario settled and the defendant did not defend the action.

The Court dismissed all special damages claims and said that the evidence showed “irritation rather than devastation.” On a $100,000 claim, it awarded a modest amount for general damages. The judgement unfortunately records the damages award at both $7,500 and $10,000. The Court also awarded $6,500 in partial indemnity costs.

McIntosh v Legal Aid Ontario, 2014 ONSC 6136.

BC court strikes privacy breach claim as being within OIPC’s exclusive jurisdiction

On July 14th, the Supreme Court of British Columbia dismissed a privacy breach claim against a public body as being within the exclusive jurisdiction of the Office of the Information and Privacy Commissioner for British Columbia.

The plaintiff sued the ICBC and others for wrongs arising out of the collection and use of his personal information. He framed his action in a number of valid legal bases including breach of contract and breach of confidence. The claim referred to duties under the British Columbia Freedom of Information and Protection of Privacy Act; the plaintiff said these references were simply recitations of “material facts.”

The Court found that significant parts of the claim (in their essence) addressed subject matter governed exclusively by FIPPA and its complaint resolution process. It said:

In summary, I conclude that FIPA is an exhaustive legislative scheme for the investigation and adjudication (subject to judicial review) of complaints related to the collection, use and disclosure of personal information in this province. Investigations of complaints about how a public body such as ICBC has collected, used or disclosed personal information are prescribed in FIPA. I am unable to find a role for the civil courts in these matters (except for judicial review).

This issue has been litigated in Ontario. For a case in which the Ontario Superior Court of Justice struck a claim based solely on a breach of MFIPPA, see Sampogna v Smithies. For a more recent case in which the Ontario Superior Court of Justice allowed a privacy breach claim to proceed against a health information custodian and others despite an argument that the Ontario Personal Health Information Protection Act covered the field, see Hopkins v Kay. Hopkins has been appealed to the Court of Appeal for Ontario.

Cook v The Insurance Corporation of British Columbia, 2014 BCSC 1289.

No reasonable expectation of privacy in bad breath

On January 7th, the Ontario Superior Court of Justice overturned a trial decision that had recognized a Charter-protected expectation of privacy in the odour emanating from one’s breath. A doctor who had treated the accused following a motor vehicle accident told a police officer that the accused’s breath smelled of alcohol, following which the police obtained a warrant to seize a blood sample. The Court also noted that the doctor was not acting as a state agent in making his observation and reporting to the police.

R v Maureen Daly, 2014 ONSC 115 (CanLII).