Government’s collection of census information does not breach Charter

On May 2nd, the Court of Appeal for Saskatchewan held that the federal government does not breach section 8 of the Charter by collecting census information under threat of prosecution.

The Court held that the collection does not interfere with a reasonable expectation of privacy given the context in which the (admittedly sensitive) information is collected – a context that includes statutory assurances of limited use and confidentiality. It explained:

Thus, the question is not whether Ms. Finley had an expectation of privacy or even a reasonable expectation of privacy in dictionary terms. The question must be linked to the overall context of the case. In this case, the question must be cast in these terms: whether a reasonable person would expect to have privacy in the information requested by the 2006 Long Form Census, which the government wishes to collect exclusively for statistical purposes to aid it in implementing sound and effective public policy, with no criminal or quasi-criminal repercussions flowing from the disclosure of such information, and with the specific information collected being ultimately generalized and “delinked” from the individuals being required to so disclose. The trial judge answered this critical question negatively and the summary conviction appeal court judge found no error of law, mixed fact and law or fact in her conclusion.

The Court did not address an argument by the Crown that section 8 is not engaged by merely asking someone to provide information, an argument rejected in each of the two lower court decisions that led to the appeal.

R v Finley, 2013 SKCA 47.

Court orders safekeeping of medical records held by departed employee

On March 7th, the Ontario Superior Court of Justice issued an order to secure medical records held by a former employee of an addiction clinic.

The employee had copies of urinalysis reports stored on her personal e-mail account at the time of termination because she had used her personal e-mail account for work purposes. She allegedly used her continuing possession of the e-mails to extort the employer into offering reinstatement and later refused to return the e-mails, arguing they were evidence of the employer’s wrongdoing. (It is not clear from the decision what wrongdoing the employee alleges.)

The Court granted an ex parte order after applying the test for an Anton Piller order. Notably, the order required the employee to turn control of her e-mail account to an independent supervising solicitor authorized to copy and retain the e-mails, delete the e-mails on the account and return control of the account to the employee. The Court authorized the employer to serve the order by e-mail.

Garber v Robinson, 2013 ONSC 1427 (CanLII).

The science of breach prevention and the art of breach response

Data loss prevention and response is a big topic now! The HRSDC lost hard drive is a huge (but seemingly benign) incident that has attracted great attention. We also have the Obama administration’s attention to corporate network security, given at a time when sacrifices are being made to corporate network security based on trends such as BYOD.

Here is a practical guide that we’ve prepared to address the salient issues. We hope it’s useful to you.

Court orders therapeutic records to be returned to their maker despite privacy claim

On March 8th the Ontario Superior Court of Justice ordered the return of therapeutic records allegedly obtained through fraudulent means despite an argument that such return would cause harm to the individuals to whom the records related.

The records were created by a psychotherapist and hypnotist alleged to have held himself out as a medical doctor. He took notes of sessions with a number of complainants that the police seized but that were no longer needed for investigation or for trial. The Crown asked the Court to hold the return of the records based on section 37 of the Canada Evidence Act because returning the records would, “encroach upon a specific public interest and privacy concern of the alleged victims of this fraudulent conduct.”

The Court dismissed the Crown’s application, questioning whether a privilege or privacy claim could apply to information known by the accused and records created by the accused. It said:

In my view, s. 37 of the Evidence Act does not apply to the facts of this case. The seized notes and records belong to the respondent and should be returned to him. I agree with Mr. Chambers’ submission that s. 37 is intended to apply where an accused seeks disclosure of records or information generated by the state and its agents or through the interaction between complainants and third parties, which have never been in the accused possession.

R v Kent, [2013] O.J. No. 1037 (SCJ) (QL).

Social media and the law – three nuggets and one blawger’s tale #ALC2013

I’m posting this from beautiful Edmonton, where I presented at the Alberta Law Conference social media session together with Diane McLeod-McKay (Alberta OIPC, Director, Alberta PIPA) and Doug Jasinski (Skunkworks Creative Group). Thank you to our Chair and warm host, uber-librarian Shaunna Mireau (Field Law). It was a nice balanced session, with a little marketing and communication, a little core privacy and a little “other,” all of which came together nicely to give a helpful picture to our lawyer audience.

I was the “other.” My slides are below and deal with (1) the “licensed communicator” concept for governing business use of social media, (2) the social media civil production cases and (3) preservation of social media evidence. I also (as asked) spoke a little about my own blogging experience, an enjoyable first.

Judicial review not the regular means to challenge PIPEDA investigation reports

On January 15th the Federal Court dismissed two judicial review applications brought by a self-represented applicant who took issue with two OPC investigation findings made under PIPEDA. The Court held that an application under section 14 of PIPEDA, which invites a de novo hearing, was an adequate alternative remedy to judicial review:

In conclusion, I find that there is an adequate alternative remedy provided by section 14 of the PIPEDA that would have been the appropriate recourse to deal with all matters raised concerning the complaint, the OPC reports and the investigation that followed. When comparing the recourse provided by section 14 of the PIPEDA with the possibilities offered by judicial review, which is discretionary and extraordinary in nature and limited to the review of the reports and the documentation contained in the certified record, I find that the former is the appropriate recourse as the intent of the legislator to this effect is clear. I will not therefore exercise my discretion to judicially review the reports of the Privacy Commissioner, and I will dismiss both applications for judicial review.

In making this finding the Court suggested that an application alleging bias, or alleging that the OPC committed some other procedural injustice, might be amenable to judicial review.

Kniss v Canada (Privacy Commissioner), 2013 FCC 31.

Court understands that PIPEDA does not limit its power to assist execution creditors

The Ontario Superior Court of Justice issued an endorsement on November 19th that demonstrates a proper understanding of the Court of Appeal for Ontario’s judgement in Citi Cards v Pleasance. Justice Morgan said (with emphasis added):

Both parties’ counsel concede that the mortgage companies are wary about disclosing information about a mortgage debt to anyone other than the debtor himself due to the operation of Ontario’s [sic] privacy legislation. The Personal Information Protection and Electronic Documents Act (“PIPEDA”) would seem to prohibit banks and other organizations from making precisely the type of voluntary disclosure that the Plaintiff seeks. It is little wonder, therefore, that the Plaintiff cannot obtain the up to date mortgage statements by simply asking the mortgagees for them.

The Court of Appeal has pointed out in Citi Cards Canada Inc. v. Pleasance, 2011 ONCA 3 (CanLII), 2011 ONCA 3, at para. 29, that under PIPEDA “[a]n organization may disclose personal information…only if the disclosure is [authorized by one of the exemptions]”. Those exemptions are contained in section 7.3 of PIPEDA. That section provides, inter alia, that disclosure of information is permitted by an organization such as Griffin’s mortgagees where that disclosure is “required to comply with a subpoena or warrant issued or an order made by a court…” The Plaintiff did not join the mortgagees as respondents to the motion before me, but he is of course free to do so at a future date.

The last statement suggests that a Court will entertain a motion for production of a mortgage statement from a mortgagee notwithstanding PIPEDA. Citi Cards says that courts should grant such orders sparingly, given that PIPEDA protects the privacy of mortgagors, but it does not mean that a court is prohibited from making such an order. There has been some confusion about this point.

McBean v Griffin, 2012 ONSC 6555 (CanLII).

BCSC says PIPA does not have quasi-constitutional status

The British Columbia Supreme Court issued an oral judgment last January that appears to have been published only recently. The Court found that the clear right to membership information given to members of a co-op under the British Columbia Cooperative Association Act does not conflict with prohibitions in the British Columbia PIPA and is not superseded by prohibitions in the British Columbia PIPA. Justice Gaul commented:

While the respondent is correct in noting that the Supreme Court of Canada in Lavigne considered the “quasi‑constitutional” nature of privacy legislation, the court did so with specific reference to the Privacy Act RSC, 1985, c. P-21. This federal legislation focuses on the privacy obligations of governmental organizations as opposed to private organizations. That is an important distinction when it comes to the case before me because the PIPA is a legislative enactment designed to govern the privacy obligations of private organizations. I am unpersuaded that the PIPA has any “quasi-constitutional” roots or purpose that would give it the special status the respondent argues it has.

The Court issued a declaration that any member of the respondent co-op in good standing may obtain a copy of its membership list.

Pearson v Peninsula Consumer Services Cooperative, 2012 BCSC 1725 (CanLII).

Ministry of Labour breaches FIPPA in administering an OLRB production order

On November 9th the Information and Privacy Commissioner/Ontario, after investigating the administration of a production order made by the Ontario Labour Relations Board, held that the Ministry of Labour breached FIPPA’s safeguarding duty.

The directors of a bankrupt employer appealed to the OLRB an order to pay wages and vacation pay to 309 former employees. The directors and the prosecutor agreed to a consent order that required production of relevant financial information about the 309 employees, and the prosecutor agreed with one or more participating employees that all 309 employees (as parties to the proceeding) would receive the production. The OLRB mailed an unencrypted CD-ROM containing the 309 employees’ names, social insurance numbers, total annual remuneration, period of earnings and address information. After complaints were lodged by some recipients, the OLRB attempted to recall the mailing, but in the end did not recover 137 of the CD-ROMs.

The production order itself was the real source of difficulty here, but the IPC rightly acknowledged it had no jurisdiction to scrutinize the OLRB’s exercise of procedural powers. Instead, the IPC looked at the adequacy of the OLRB’s and Ministry’s security practices, recommending first that the OLRB take the added precaution of making clear to parties that they can request orders to restrict the manner and scope of disclosure. The IPC also held that the Ministry ought to have used a bonded courier service, ought to have considered encryption and ought to have attempted to confirm addresses.

Is this an adequate resolution? What can be done that respects tribunals’ independence but promotes better protection of privacy?

Ontario (Labour) (Re), 2012 CanLII 71576 (ON IPC).

IPC/Ontario issues report on outsourcing to USA resident vendors and more

On June 27th, the Information and Privacy Commissioner/Ontario issued a significant report on the Ministry of Natural Resources’ use of an American company to maintain the primary database for its hunting and fishing licensing system.

The Commissioner has made public statements downplaying the significance of the USA PATRIOT Act to data security outsourcing risks, but this is the first time she has expressed these views formally. She says:

There may be no greater area of confusion and misunderstanding than fear of the PATRIOT Act. The PATRIOT Act has invoked unprecedented levels of apprehension and consternation – far more than I believe is warranted. For the reasons outlined on pages 5 and 6, the feared powers were available to law enforcement long before the passage of the PATRIOT Act, through a variety of other legal instruments. In my view, these fears are largely overblown, and focusing on them unduly constitutes a pointless exercise. I believe it is far more productive to compel organizations to be fully responsible and accountable for the services they provide or outsource. As noted earlier, my position on this remains that you can outsource services, but you cannot outsource accountability. Flowing from that, one critical question prevails: Have reasonable steps been taken to ensure privacy and security, regardless of where the data resides? The measures taken by MNR, as described in this report, represent a good example of such accountability.

This is of help to Ontario public sector institutions who have needed to account for significant perceived risks related to the PATRIOT Act in approaching hosted service projects, many likely associated with lower risks than the MNR project. One might wonder how many useful, cost-saving initiatives have been parked because of a requirement that all personal information be stored in Canada by a Canadian company. The Commissioner’s report should be liberalizing, though outsourcing in and outside of Canada will always be associated with special data security risks that institutions need to carefully manage.

Fortunately, the Commissioner also uses this report to give some good guidance on outsourcing in the Ontario public sector, largely approving of the manner by which the MNR went about its outsourcing. Her focus is on the commercial contract between the MNR and its vendor, which she held contained nine “necessary provisions” to achieve the “reasonable measures” data protection standard under FIPPA. Ontario public sector institutions should pay heed to these provisions and, more generally, the design and development process described towards the front of the Commissioner’s report.

Hat tip to David Fraser, who gets a nice nod in this report from the Commissioner for his work on the PATRIOT Act.

Reviewing the Licensing Automation System of the Ministry of Natural Resources: A Special Investigation Report (June 27, 2012).