This edition of the Information Roundup is brought you by Twitter.

No kidding! I’ve been on it for about a week and half now and it’s caused quite a switch in how I pick up information from the web.  Many thanks to the folks at Unfiltered Orange, who are the likely source of two out of the three topics that I think will interest you this week.  They relate to… personal e-mails on work computers, the management of social insurance numbers by employers and National Instrument 31-103 and security firm record-keeping.

Personal e-mails on work computers

Personal use of employer computer systems is a pet issue for me, and I was blown away to read about how “personal” e-mails on work computers are treated under European data collection laws in Data Collection: Nothing Personal. This article, by litigation support professional Bill Onwusah, describes how European companies have to mind their process of collecting e-mails for production in litigation so that employees’ personal e-mails are not collected for subsequent review. He says:

Particularly in mainland Europe, you cannot collect personal data and the mere act of doing so may contravene the local data protection legislation. The fact that it’s stored on a work PC is irrelevant. Users retain personal data as their own.

Wow!  Canadian law still allows employers full control over their e-mail systems provided they give employees notice that they should not expect any privacy in their personal use. Most of the jurisprudence is arbitral and therefore based on collectively bargained rights, but our employment privacy statutes do not necessarily change this basic rule. And recently, in Johnson v. Bell Canada, our Federal Court held that our federal-sector employment privacy statute, PIPEDA, does not even apply to “personal” employee e-mails.

My view is that managing personal information in the production process is a newly important issue for Canadian organizations to reckon with insofar they are willing custodians. Employee personal e-mails do not fit within this category and, given the costs and complexities of of managing production from “mixed” e-mail systems, an approach that relies on clear notification makes for fair and sensible  workplace policy.

Management of SINs by employers

This Proskauer Rose client alert talks about a recently in force New York regulation that deals with employers’ management of Social Security Numbers and other employee “personal identifying information” – including drivers license numbers.  

I don’t believe we have similar legislation regarding drivers licenses in any Canadian province, but our Social Insurance Numbers are regulated by section 237(2)(b) of the federal Income Tax Act.  This provision prohibits employers from using, communicating or “allowing to be communicated” a Social Insurance Number for purposes not related to tax administration without written consent.  Our clients often ask whether SINs (or a variant of them) can be used as identifiers and we generally advise them to stay away from such practices in light of the ITA.  

Proskauer also notes that New York’s General Business Law appears to allow employers to collect an SSN on an employment application form.  Since there is no purpose related to tax administration for doing so, this practice is rightly avoided in Canada. If a Canadian employer needs to ask for a SIN to conduct a background check, this should generally be done towards the end of the recruitment process subject to written consent.

National Instrument 31-103 and security firm record-keeping

I’m just starting my learning process on National Instrument 31-103, so will just link to this Wall Street Technology article on how this new piece of securities regulation will affect record-keeping and e-discovery at Canadian securities firms.

 

On a personal note, Seanna was off at Deerhurst this week for a five day sales conference. Being a single father was rewarding and not as hard as I thought it would be, but I’m still recovering from being a solo bedfellow to our hairless cat. “Buffalo” is a Cornish Rex and, if you know the breed, they are very lovable and very needy. He normally sleeps under the covers with his head on Seanna’s pillow. She’s fine with this and I’m happy to give them both a kiss when I leave early to work.  (He’ll actually protest if I ignore him!) Dear Buffalo, however, drives me nuts when Seanna goes away.  I finally got fed up on her last night of absence and locked myself in the walk-in closet with a sleeping bag.  Not to slight Seanna in any way, but I’m sure glad to have my side of the bed back!

See ya!

Dan

On August 7th, the Office of the Federal Privacy Commissioner of Canada issued a report dismissing a PIPEDA outsourcing complaint filed by Philippa Lawson of the Canadian Internet Policy an Public Interest Clinic.

The report echoes the position the OPC established in Case Summary 313 and Case Summary 333 – that is, that the transfer of personal information into the United States does not necessarily breach the safeguarding requirement in PIPEDA because it exposes the information to the dictates of United States law, but that notification is required given the principle of openness. The OPC does give a little more detail on the required standard of notification in this report than it has done in the past:

Finally, organizations that outsource the processing of personal information must provide sufficient notice with respect to the existence of service-provider arrangements, including notice that any foreign-based service provider may be required by the applicable laws of that country to disclose personal information in the custody of such service provider to the country’s government or agencies. In this respect, CanWest respected its obligation by reliably informing its subscribers, new and existing, of its arrangement with a new U.S.-based e-mail provider and of the potential impact on confidentiality of subscriber information. Consequently, Principle 4.1.3 was not contravened.

The report has been posted on CIPPIC’s website. Hat tip to Michael Geist.

On June 11th, the Alberta Court of Appeal held that a judge erred in ordering the production of hard drive images that contained patient files.

The case is about a public health authority’s right to audit files held by one of its former service providers, and in particular, its right of access to files of patients whose treatment the authority only partly funded. These patients also received privately-funded services, but only had one patient record with the service provider, which raised an issue about the authority’s right to look at the files in the course of an audit. This issue was initially litigated up to the Alberta Court of Appeal in 2006.  The Court of Appeal held that the authority had no right of access to the “hybrid files” under public law, but did not consider the authority’s contractual right of audit.

The access dispute was revived again when the service provider sued the authority for unlawfully seeking access to the hybrid files and forcing it to defend its clients’ privacy rights through litigation.  Several computer hard drives containing hybrid files that were imaged in the original dispute and stored at the court were central to the action.  The authority revived its attempt at accessing the hybrid files by filing a counterclaim in which it alleged breach of contract and breach of fiduciary duty. It made a vague allegation in its pleadings that the service provider was double-billing, but did not plead fraud.  (It had no evidence of fraud because any such evidence could only be revealed on an examination of the hybrid files themselves.)

A case management judge ordered the hard drives to be produced to the authority in specie (in their actual form) with a direction not to print or take notes of anything irrelevant and in reliance of the no collateral use rule embedded in the implied undertaking.  The Court of Appeal held this order was made in error and that the authority’s vague pleadings of fraud did not give it a right to the hybrid files.

The Court of Appeal’s judgement (written by Madam Justice Conrad) contains some very principled statements on e-discovery.  She held that a party to litigation will not ordinarily get access to a hard drive, which is simply a receptacle for information.  This is not new, but Madam Justice Conrad also suggested that a judge has a duty to protect irrelevant, confidential and private materials in the event of a production dispute.  She also stressed that orders to inspect a hard drive will only be made on “strong evidence” that a party is attempting to thwart the discovery process and, further, that a court that orders inspection of a hard drive should still ensure that irrelevant and confidential information is protected.  Referring to the order made in 2007 by the Alberta Court of Queen’s Bench in Spar Aerospace (subsequently upheld on appeal), she said:

While I agree with Madam Justice Veit’s decision, I would add a caveat. Even in circumstances where it is clear that a litigant is thwarting the litigation process, and the court deems it appropriate to order production of a hard drive, measures should be taken to protect disclosure of irrelevant and immaterial information which the producing party objects to produce. Although litigation confidentiality exists, many times that will not be sufficient to protect personal, confidential and private material. A judge should always hear representations as to how information that is neither material nor relevant can be protected from exposure, and frame any production order in the least intrusive manner.

Madam Justice Conrad then held that there was no basis justifying an inspection order in the circumstances, that the service provider’s pleading did not put the entire content of the hard drives at issue and that concerns about the cost of separating the records on the hard drive were not established or were at least premature.

The Court also held that the action did not give the authority a right of disclosure that extended to the hybrid files.  It held that the dispute was about the scope of a contractual right of audit and not an allegation of fraud despite the vague allegations pleaded in authority’s counter claim.  It seemed clear to the Court that the authority was attempting to seek what it ultimately wanted (a look at the hybrid files) by the way in which it pleaded its counterclaim.  Madam Justice Conrad said the authority was on a “fishing expedition.”

While an obviously significant e-discovery case, this also says something about records management, the need for third-party access and potential conflicts with personal privacy rights.  If the authority’s funding contract demanded that patient records for funded services be separately maintained, this dispute might have been avoided.

Innovative Health Group v. Calgary Health Region, 2008 ABCA 219 (CanLII).