OPC issues important decision for federally-regulated employers on access to “mixed personal information”

Federally-regulated employers should pay heed to OPC report of findings 2013-004, issued in July 2013. It contains the most detailed guidance on how to administer requests for access to personal information about employees that is received from other employees in confidence – information sometimes called “mixed personal information.”

The OPC adopts the case-by-case balancing of interests approach endorsed by the Federal Court of Appeal in a Privacy Act case called Pirrie: “In determining the right to have access to this information under PIPEDA, the interests of the individuals concerned should be balanced against each other along with the public interest for and against disclosure.”

This test does not support a “bright line,” so the OPC guidance is welcome. It uses 2013-004 to distinguish between two scenarios:

The OPC held that notes containing peer feedback that an employer received in conducting a routine performance feedback process were exempt from the right of access. It helped that the employer had provided the complainant with a high-level summary of feedback and helped that the complainant himself had expressly promised to his peers that their feedback would be given anonymously.
The OPC distinguished its prior treatment of information gathered in an internal investigation from witnesses when the investigation led to the complainant’s dismissal from employment. The OPC affirmed the complainant’s right of access in this scenario, but specified that the complainant required access to her personal information “as part of her efforts to be re-instated in her position,” which suggests that the complainant had either commenced litigation or that litigation was reasonably contemplated. The OPC also noted, “there were no formal assurance made that the information the investigation participants provided would be kept confidential.”

This gives federally-regulated employers some indication of the OPC’s perspective on a common and significant access issue, though the analysis invited by the Pirrie test is very contextual and outcomes will differ based on a wide range of potentially relevant facts. While the OPC’s decision on access to information gathered from witnesses in an internal investigation might be of some concern to employers, employers cannot provide witnesses with an absolute promise of confidentiality given witness statements may be producible in litigation. If the OPC decision merely suggests that witness statements are likely to be accessible under PIPEDA when litigation is reasonably contemplated it will be rather harmless in its impact.

Bank provides former employee with insufficient access to his personal information, 2013 CanLII 71855 (PCC).

BC arbitrators embrace openness in face of broad request for grievor annonymity

Two British Columbia arbitrators have held that, despite British Columbia PIPA, shielding a grievor’s identity from the public is an exception to the general rule of openness.

Both cases involved discharge grievances brought by the United Food and Commercial Workers, Local 1518. The Local argued that grievor identities should not be revealed in an arbitration award without individual consent. It based its argument on the consent requirement in British Columbia PIPA and, alternatively, by arguing that anonymity should be the default in a proper exercise of arbitral discretion.

Arbitrator Sanderson issued a brief award on July 22nd. He concluded that the shielding of a greivor’s identity is a matter within an arbitrator’s discretion notwithstanding British Columbia PIPA. Arbitrator Sanderson also held that “the open court principle should prevail in decisions of labour arbitrators” though an anonymity order may be granted as justified based on proof of an “unreasonable impact” on personal privacy.

Arbitrator Lanyon issued an award on October 28th. Like Arbitrator Sanderson, Arbitrator Lanyon held that identification of a grievor is the norm, with a discretion to grant anonymity as otherwise as justified. Arbitrator Lanyon also added:

that there is a particular pubic interest in disclosing the identity of those charged with serious disciplinary offences;
that an aribtrator’s balancing should be principled, recognizing “the importance of privacy and the difficulties that may arise as a result of publication on the awards on the internet”; and
that arbitrators should be open to “lesser protections” in addressing the potential harms associated with publication, at the very least by refraining from publishing sensitive identifying information such as birth dates and social insurance numbers.

Neither arbitrator’s means of resolving the consent requirement in British Columbia PIPA is particularly clear, though both view the issue as governed by arbitral discretion. In applying this discretion, both arbitrators dismissed the Local’s request because it was made as a matter of right and not on any fact-based justification. The Lanyon award indicates that the Local had plans to appeal any award “not in accord with its views of this matter.”

Husband Food Ventures Ltd v United Food and Commercial Workers International Union, Local 1518 (unreported, 22 July 2013, Sanderson).

Sunrise Poultry Processors Ltd v United Food & Commercial Workers, Local 1518, 2013 CanLII 70673 (BC LA, Lanyon).

[Note also that most recent Advocate’s Quarterly (vol 42, 2013) has an article entitled The Protection of Privacy Interests in Administrative Adjudication in Ontario by Chris Berzins, who has written often on this topic. Chris’s most recent article calls on the Ontario/IPC to give better guidance to Ontario administrative bodies on how to to address the privacy issues related to the publication of decisions as well as other privacy issues related to their adjudicative proceedings.]

Privacy claim survives based on allegation of pretexting

On October 23rd, the Ontario Superior Court of Justice allowed a borderline privacy claim to proceed because it alleged the deceptive use of personal information to obtain evidence for a family law proceeding.

The plaintiffs brought a motion to vacate a non-dissipation order on their developed property so they could build on another property. In support of the motion, one of the plaintiffs swore and filed an affidavit that included financial data that supported the need to mortgage the developed property.

The respondent to the motion (the former spouse of one of the plaintiffs) lived with a mortgage broker, who took some of the financial data and obtained a letter of interest that suggested construction financing on the undeveloped property was an option. The respondent filed the letter and succeeded in her response to the motion, at which point the plaintiffs took issue with the mortgage broker’s conduct and eventually filed suit.

Justice Hambly was most troubled with the misimpression allegedly given by the mortgage broker to the finance company, who said that it thought the mortgage broker asked for the letter on behalf of the plaintiff. Assuming that the mortgage broker was acting on behalf of the respondent’s counsel (as he pleaded), Justice Hambly said that is was not clear “that a party or a person acting on the instructions of a party can release private personal financial about another party derived from the court files in a family law action to a third party for the purpose of getting an opinion under the guise that he is acting in the other party’s interest without the other party’s consent.”

Rosati v Cornelio, 2013 ONSC 6461 (CanLII).

The wheels of justice must turn – intrusion upon seclusion claim dismissed

On November 27th, Justice Carole Brown of the Ontario Superior Court of Justice dismissed a intrusion upon seclusion and negligence claim brought against lawyers who had acted in the defence of a personal injury claim. The claim alleged the lawyers acted unlawfully by:

providing the plaintiff’s medical information to and requesting addendum reports from defence medical exports for the purposes of trial and discussing the contents of the reports at trial;
serving copies of a Rule 30:10 (third-party production) motion; and
obtaining the plaintiff’s university transcript for purposes of trial.

This is not surprising, though the university transcript was apparently obtained in advance of trial after service of a summons to witness. Justice Brown noted that the defendants did not deceive the summonsed witness and that, in any event, the plaintiff herself adduced the transcript at trial.

Baines v Sigurdson Courtlander, 2013 ONSC 6892 (CanLII).

IPC says full balancing applies in mixed personal information cases

On September 27, 2013 the Information and Privacy Commissioner/Ontario issued a significant decision on the exemption from the right of access to personal information in section 38(b) of MFIPPA (and 49(b) of FIPPA by implication) by finding that a disclosure that is presumed to constitute an unjustified invasion of privacy for the purpose of answering a general records access request is not so presumed for the purpose of answering a request for access to one’s own personal information.

Individuals have a right of access to their own personal information that is in the custody or control of Ontario institutions subject to a number of discretionary exemptions, including an exemption that applies if “the disclosure would constitute an unjustified invasion of another individual’s personal privacy.” This exemption often arises in cases in which individuals seek access to personal information about themselves that is contained in complaints and incident reports (which record information from witnesses, complainants and others about more than one person).

The “unjustified invasion” question is informed by the mandatory exemption for unjustified invasion of personal privacy that applies to “general records” access requests. The mandatory exemption includes a provision that deems certain disclosures to be a presumed unjustified invasion. Here is the MFIPPA provision:

14(3) A disclosure of personal information is presumed to constitute an unjustified invasion of personal privacy if the personal information,

(a) relates to a medical, psychiatric or psychological history, diagnosis, condition, treatment or evaluation;

(b) was compiled and is identifiable as part of an investigation into a possible violation of law, except to the extent that disclosure is necessary to prosecute the violation or to continue the investigation;

(c) relates to eligibility for social service or welfare benefits or to the determination of benefit levels;

(d) relates to employment or educational history;

(e) was obtained on a tax return or gathered for the purpose of collecting a tax;

(f) describes an individual’s finances, income, assets, liabilities, net worth, bank balances, financial history or activities, or creditworthiness;

(g) consists of personal recommendations or evaluations, character references or personnel evaluations; or

(h) indicates the individual’s racial or ethnic origin, sexual orientation or religious or political beliefs or associations.

In Seguin Township, Adjudicator Cropley held that the application of this deeming provision does not end the analysis in a personal information request as it does in a general records request. A head should go on to consider the other relevant factors (including those listed in the Act) to determine if, on the balance, the invasion of privacy to the person other than the requester is “unjustified” in the circumstances. Adjudicator Cropley said that her interpretation consistent “legislature’s intent in creating a separate, discretionary exemption claim that makes a distinction between an individual seeking another individual’s personal information and an individual seeking his own personal information.” It invites both greater access to personal information and greater uncertainty in dealing with access to personal information requests.

Seguin (Township) (Re), 2013 CanLII 64274 (ON IPC).

Voluntary bank disclosure to police lawful

On August 7th, Justice Fuerst of the Ontario Superior Court of Justice held that the police did not breach an individual’s reasonable expectation of privacy by receiving information from two banks and using the information to obtain restraint orders.

The judgement is notable for the Court’s recognition of the banks’ legitimate interest in providing voluntary assistance to the police. Justice Fuerst said:

The bank was directly implicated in allegations of money-laundering. It had a legitimate interest in preventing the criminal misuse of its services, particularly in circumstances where accounts associated to the applicant were alleged to be offence-related property subject to forfeiture.

Disclosing personal information to the police (within certain parameters) is permitted by section sections 7(3)(c.1) and 7(3)(d) of the Personal Information Protection and Electronic Documents Act, which Justice Fuerst noted in her reasonable expectation of privacy analysis. Section 7(3)(d) authorizes disclosures initiated by commercial organizations. Notably, Justice Fuerst held that section 7(3)(d) allows for some two-way dialogue between the disclosing organization and the police: “It is unreasonable to interpret s. 7(3)(d) so narrowly that police officers to whom information is given by organizations like banks about possible criminal activity can do no more than passively receive it and are prevented from asking for specifics or details necessary to take steps in response.”

R v Kenneth James, 2013 ONSC 5085 (CanLII).

Cyber liability issues – risks, prevention and response

Here’s a one hour private presentation my partner Jeff Goodman and I gave to a group of risk management professionals yesterday. I’d be happy to come to your organization and conduct a similar presentation if you’re interested. Please get in touch.

Intrusive mobile application class action certified in Québec

On June 27, the Superior Court of Québec certified a class action about the alleged intrusive nature of free applications offered through Apple’s “App Store.”

The petitioner alleges that Apple breached various Québec statutes by failing to inform users that free applications would facilitate the collection and use of their personal information, including their “geolocation.” The petitioner also claims that individuals were harmed (a) by the loss of computing resources and (b) by being led to overpay for their Apple devices, such devices being “inextricably linked” to undesirable characteristics associated with free applications distributed through the App Store. The petitioner asked the Court to grant certification so he could prosecute Apple on on behalf of all residents in Canada who downloaded free applications from December 1, 2008 to present.

Apple attacked the action’s suitability for certification on a number of bases. Most fundamentally, it complained that the action provided for an “infinite variety of classes” – for example (and at the least), classes of individuals who were exposed to applications with different information-gathering characteristics. Nonetheless, the Court granted certification of a Québec only class. Its analysis is very forgiving, especially in addressing Apple’s (very valid) concerns about the individualized nature of a consent dispute, which the Court dismissed as follows:

In the Court’s view, all of the Respondents’ arguments regarding the consent or lack thereof, the voluntary provision of information by Class Members and other similar elements that distinguish Class Members between them can be raised by them in their defence or alternatively when dealing with the « lien de causalité ».

Hat tip to BLG and its privacy law blog for this post.

Albilia c Apple Inc, 2013 QCCS 2805 (CanLII).

Settlement approved in Canadian cyber attack suit

On June 10th, the Ontario Superior Court of Justice approved a settlement in a class action brought against Sony of Canada Ltd. and others. The action (for breach of contract) followed an April 2011 cyber attack that targeted accountholder information of approximately 4.5 million individuals enrolled in various Sony online services. The following is the Court’s summary of the settlement:

Class Members who had a credit balance in their PSN or SOE account at the time of the Intrusions but have not used any of their accounts shall receive cash payments for credit balances.
The Sony Entities will make available online game and service benefits to class members geared principally to the type of account (PSN, Qriocity, and/or SOE) held by the class member at the time of the Intrusions.
The settlement benefits are available through a simple process. To become entitled to benefits, Class Members need only to complete a claim form.
The Sony Entities will reimburse any Class Members who can demonstrate that they suffered Actual Identity Theft, as defined in the Settlement Agreement. Class Members that prove Identity Theft can submit claims for reimbursement of out-of-pocket payments (not otherwise reimbursed) for expenses that are incurred as a direct result of the Actual Identity Theft, up to a maximum of $2,500.00 per claim.
The Sony Entities are to pay for the costs associated with providing notice of the Settlement Agreement and the settlement approval hearing, all administration costs, as well as an agreed amount for plaintiffs’ lawyers’ fees and expenses ($265,000).

The parties sent a notice of certification and notice of motion for settlement approval to 3.5 million e-mail addresses. Fifteen percent of the e-mails were returned as undeliverable, 28 individuals opted out and nobody objected.

Justice Perell noted that the agreement was premised on the understanding that there has in fact been no improper use of personal information resulting in identity theft. He also said, “The Settlement Agreement reflects the state of the law, including possible damage awards, for breach of privacy/intrusion upon seclusion and loss/denial of service claims.”

Maksimovic v Sony of Canada Ltd, 2013 CanLII 41305 (ON SC).

In dispute over custodianship of medical files, balance favours established clinic

On May 22nd the Ontario Superior Court of Justice ordered medical files to be returned to a clinic by a departing doctor who claimed she had an independent practice and was the legal custodian of the files.

Justice Perell dismissed the defendant’s argument that a corporation could not be a “health information custodian” under the Personal Health Information Protection Act and held that the plaintiff clinic had made out a strong prima facie case that it had such status. His suggestion that the defendant was also a health information custodian could best be understood as a function of the qualified burden of proof on an interlocutory motion given, under PHIPA, there can be only one custodian of a record of personal health information.

Justice Perell’s balance of convenience analysis is noteworthy. He said the following about the public interest in providing patients with access to their personal health information pending final resolution of the dispute:

In considering the balance of convenience, it is appropriate to consider the interests of the patients whose health records have been removed from a health clinic to the home of a health care practitioner. In my opinion, a patient will have better access to his or her health records and the health care practitioner who will treat the patient during Dr. Simon’s semi-retirement will have better access to the health records if the records are at professional offices with normal business hours and full-time staff.

A plaintiff in a similar situation could similarly attempt to make a case for return of records based on a claim to relatively superior security measures, though the stakes of pursuing such an approach would be high.

Note that the plaintiff consented to a term permitting the defendant doctor to make copies of any file relating to a patient she had treated. This is a sensible thing to offer in a dispute over custodianship, but again, is inconsistent with the single custodian rule.

1615540 Ontario Inc. carrying on business as Healing Hands Message v Simon, 2013 ONSC 2986 (CanLII).