It’s been a busy last couple months on a number of fronts. Here are a couple of presentations I’ve delivered recently – a privacy update delivered to the Canadian Association of University Solicitors in beautiful Cape Breton, NS (on outsourcing to the cloud and liability for data loss and misuse) and another to the Ontario Association of Children’s Aid Societies (on the claims context for data loss claims, incident prevention and incident response). Happy Thanksgiving everyone!
On June 25th Arbitrator Surdykowski awarded $200 in damages to an employee who underwent an unwarranted breathalyser test following a safety incident. The employer administered the test based on a mistaken belief that it was required by policy even though there was no basis for believing the employee was intoxicated. The employee suffered no particular harm.
Compass Minerals Canada Corp. and Unifor, Local 16-O (Walden), Re (June 25, 2016, George T. Surdykowski Member, Ontario Arbitration) 127 C.L.A.S. 286.
Today, the Office of the Information and Privacy Commissioner for British Columbia held that the District of Saanich breached the British Columbia Freedom of Information and Protection of Privacy Act by installing endpoint monitoring software on employee workstations.
The District’s plan was not well conceived – apparently arising out of a plan to shore up IT security because the District’s new mayor was “experienced in the area of IT.”
The District installed a product called Spector 360 – a product billed as a “comprehensive user activity monitoring solution.” This is software that enables the collection of detailed data from “endpoints” on a network. It is not intrusion detection software or software that helps analyze events across a network (which the OIPC noted is in use at other British Columbia municipalities).
The District enabled the software on 13 workstations of “high profile users” to capture a full range of endpoint data, including screenshots captured at 30-second intervals and data about all keystrokes made. The purported purpose of this implementation was to support incident response, a purpose the OIPC suggested could only support an inadequate, reactive IT security strategy.
The OIPC held that the District collected personal information without the authorization it required under FIPPA and failed to notify employees as required by FIPPA. I’ll spare the details because the OIPC’s application of FIPPA is fairly routine. I will note that the OIPC’s position is balanced and seems to adequately respect institutions’ need to access system information for IT security purposes. It acknowledges, for example, that some limited data collection from endpoints is justifiable to support incident response. Not surprisingly, the OIPC does not endorse taking screenshots or collecting keystroke data.
Investigation Report F15-01, 2015 BCIPC No. 15.
I presented today at the Canadian Institute’s program on advanced administrative law. My topic was about how to deal with the privacy interests of affected non-parties. Here are my slides, revised based on my evolving understanding of this (difficult) issue. My thesis as it stands: we need to develop a principled exception to the audi alteram partem rule that governs when affected non-parties get notice and a right to be heard. Courts and admin law decision makers appear to be attracted to a solution that rests on the involvement of an appropriate representative party, but the current solutions are not driven by any express principle.
On July 14th, Arbitrator Kuttner ordered an employer (and MFIPPA institution) to disclose retiree contact information to a union and to deliver a notice to retirees about his production decision.
MFIPPA does not apply to employment-related records nor, in general, does it give employees and retirees of MFIPPA institutions privacy rights. Arbitrator Kuttner seemed to accept this in finding that MFIPPA did not preclude him from making the requested order, though he also made a finding that the requested disclosure was permissible under MFIPPA as a “consistent purpose.”
More significant is how Arbitrator Kuttner dismissed the employer’s argument that the procedural rights of affected retirees must be respected in determining the production motion. He said:
The situation before me is far removed from that dealt with by the [Court of Appeal for Ontario’s decision] in Re Bradley. There are not here two groups of employees covered by the same collective agreement competing for benefits under its terms, with one group stripped of benefits previously accorded in favour of another group to which they are newly afforded. Rather a bargaining agent, bound to represent fairly before an employer a discrete group of retired employees whose common interests under a collective agreement are in jeopardy, seeks disclosure of their personal contact information held by the employer, so that it can fulfill its representational role. As discussed above, that role is one with common law underpinnings, now rooted in the LRA, and recognized by the parties to the Collective Agreement. Of note in PIPSC v. Canada (Revenue Agency) supra, where employee privacy rights were at issue, is the Supreme Court’s comment that “the usual practice” is not to give affected employees notice of such proceedings, and the same would hold here in the case of retirees.
Arbitrator Kuttner nonetheless considered it “appropriate” to advise the retirees of his production decision and ordered the employer to deliver the letter I’ve attached below.
CUPE, Local 27 and The Greater Essex County District School Board (14 July 2014, Kuttner).
Here’s a copy of a 10 minute prepared address I gave to a client seminar today on CASL readiness. Four practical points to guide your readiness initiative.
Happy New Year!
2013 was a good and busy year for your AAI primary contributor. I’ve paddled a traditional paddleboard for about twelve years now but committed to a dedicated year of competition in 2013, knocking off my first Molokai 2 Oahu crossing with a surprisingly good result and a win (!) against a small but core group of prone paddlers at the Chattajack 31 in Tennessee. I’m over 40 but feel like a kid again and am going to channel my current paddling obsession into another year of competition. If all goes well, I’ll repeat the Molokai 2 Oahu crossing and add a first time result in the famed and highly-competitive Catalina Classic. If you’re in Toronto and prone paddling looks interesting get in touch in the Spring. I’d be glad to loan a board and go for a paddle.
This is all to say that AAI suffered slightly from paddling-, family- and practice-induced anemia in 2013. We posted about 75 entries. They were on the most relevant of content, selected more conservatively than in years past, but this was lower output for a blog that now has 825 entries since its birth in the summer of 2007. We’ll aim for more of the same in 2014, thank you for reading and hope you enjoy. We hope you had a nice holiday and are feeling invigorated and ready for a good 2014!