
All About Information Turns Ten!

2 Aug

Ten years ago on a Saturday morning in early August something inspired me to upload a post on employee surveillance to a WordPress site. I can’t remember what I called the site at that time, but the title was lame and had my name in it. Ten years and 973 posts later, “All About Information” still exists. It has facilitated a good deal of my learning and has fostered connections with some valued colleagues who work outside of my own firm, Hicks Morley. As for its merits, at the very least All About Information is now a sizable catalog of notable Canadian cases that are… well… about information. Thank you to those who have made guest posts and comments and those who have kindly corrected my numerous typos. And thank you especially to you, the reader.

Dan Michaluk

Court affirms IPC decision on doctor payments

6 Jul

On June 30th, the Divisional Court affirmed an Information and Privacy Commissioner/Ontario decision that the amounts billed to OHIP by top billing doctors did not constitute the doctors’ personal information.

The Court’s decision is a standard of review decision – i.e., one that accepts the IPC’s decision as reasonable. Notably, the Court was influenced by an argument made by the doctors that (pre-expense) billing amounts do not fairly represent personal income yet could be misconstrued as such by the public. The answer to such arguments is an easy one for most FOI adjudicators and courts: provide an explanation to the public if you think you’ll be misunderstood. The Court didn’t say that in this case, but noted that the doctors’ argument was supportive of the IPC decision that their billing amounts were not revealing enough to be personal information.

Otherwise, the Court made short work of the doctors’ attempts to impugn the IPC’s reasoning and an argument that the IPC procedure gave rise to a reasonable apprehension of bias.

Ontario Medical Association v Ontario (Information and Privacy Commissioner), 2017 ONSC 4090 (CanLII).

Two presentations all about information

5 Apr

Here are two recent presentations that may be relevant to you – one on finding internet evidence that I presented last Saturday at our firm’s PD day and another from a few days earlier on privacy, data security and CASL compliance at financial services firms. If you work in management and something catches your eye that raises questions, do get in touch.

Why your author has been quiet of late

5 Apr

I’m not one to apologize for not blogging enough! This blog has been a labour of love since 1997 and has always been about my own need for exploration, learning and expression.

I’m happy, though, to explain that I’ve been busy with practice and also sidetracked by some big adventures with my maturing family – most involving the ocean and a paddleboard or surfboard. Here’s a video from last month’s adventure – one involving a 22-mile paddle (prone) to Catalina Island (off of LA), running the Catalina Marathon the next day and then paddling 22 miles back. I’ve never had a nature experience quite like the one we had paddling over (as you’ll see). With all the craziness in the world there still is plenty for which to be grateful.

Best regards and thank you for reading.

Dan

Two recent privacy and cyber presentations

10 Oct

It’s been a busy last couple of months on a number of fronts. Here are a couple of presentations I’ve delivered recently – a privacy update delivered to the Canadian Association of University Solicitors in beautiful Cape Breton, NS (on outsourcing to the cloud and liability for data loss and misuse) and another to the Ontario Association of Children’s Aid Societies (on the claims context for data loss claims, incident prevention and incident response). Happy Thanksgiving, everyone!

Arbitrator awards nominal damages for unwarranted breathalyser test

21 Aug

On June 25th Arbitrator Surdykowski awarded $200 in damages to an employee who underwent an unwarranted breathalyser test following a safety incident. The employer administered the test based on a mistaken belief that it was required by policy even though there was no basis for believing the employee was intoxicated. The employee suffered no particular harm.

Compass Minerals Canada Corp. and Unifor, Local 16-O (Walden), Re (June 25, 2016, George T. Surdykowski Member, Ontario Arbitration) 127 C.L.A.S. 286.

BC OIPC addresses network security and endpoint monitoring

30 Mar

Today, the Office of the Information and Privacy Commissioner for British Columbia held that the District of Saanich breached the British Columbia Freedom of Information and Protection of Privacy Act by installing endpoint monitoring software on employee workstations.

The District’s plan was not well conceived – apparently arising out of a plan to shore up IT security because the District’s new mayor was “experienced in the area of IT.”

The District installed a product called Spector 360 – a product billed as a “comprehensive user activity monitoring solution.” This is software that enables the collection of detailed data from “endpoints” on a network. It is not intrusion detection software or software that helps analyze events across a network (which the OIPC noted is in use at other British Columbia municipalities).

The District enabled the software on 13 workstations of “high profile users” to capture a full range of endpoint data, including screenshots captured at 30-second intervals and data about all keystrokes made. The purported purpose of this implementation was to support incident response, a purpose the OIPC suggested could only support an inadequate, reactive IT security strategy.

The OIPC held that the District collected personal information without the authorization it required under FIPPA and failed to notify employees as required by FIPPA. I’ll save on the details because the OIPC’s application of FIPPA is fairly routine. I will note that the OIPC’s position is balanced and seems to adequately respect institutions’ need to access system information for IT security purposes. It acknowledges, for example, that some limited data collection from endpoints is justifiable to support incident response. Not surprisingly, the OIPC does not endorse taking screenshots or collecting keystroke data.

Investigation Report F15-01, 2015 BCIPC No. 15.