Category: Uncategorized

Case Report – LSAC allowed to substitute submission of photos for fingerprints

You may have heard about the federal Privacy Commissioner’s May 29th report on the Law School Admission Council’s practice of collecting fingerprints from LSAT test takers.  Her office recommended that LSAC cease the practice but allowed it to substitute a practice of collecting test takers’ photographs.

There are some notable findings in the report.  Namely:

  • the OPC rejected LSAC’s argument that it was engaged in educational rather than commercial activity, finding that its core activities provided a service to its member law schools;
  • the OPC held that fingerprints are more sensitive than voice prints and less sensitive than one’s photographic image; and
  • the OPC made another comment de-emphasizing the significance of cross-border transfers of personal information.

The report also highlights the difficulty of sustaining a collection practice based on deterrence alone.  The case for deterrence is often logically compelling, but proving that collecting information effectively deters misconduct is hard.  (For more on this theme, see the IPC/Ontario’s recent surveillance report.)  LSAC had not once used a fingerprint to identify whether fraudulent test since it started collecting them in the mid-1970, so it was difficult for the LSAC to justify its practice on any ground other than deterrence.  It also claimed that it simply wanted to assure its members that it was doing all it could to ensure the security of the test.  The OPC seemed to accept this purpose as legitimate, but not compelling enough to justify collection of fingerprints. The LSAC proposed collecting photographs as a step-down solution mid-way through the investigation, and the OPC held that this alternative would achieve the appropriate balance because images are “marginally” less sensitive.

Report of Findings:  Law School Admission Council Investigation (29 May 2008, OPC).

Case Report – Divisional Court says reasons for ordering medical exam required

On June 3rd, the Divisional Court quashed a medical assessment order issued by the Ontario College of Nurses because the College did not provide the affected nurse with reasons for its order.

In accordance with the Health Professions Procedural Code, the College’s Executive Committee appointed a board of inquiry to assess the nurse’s capacity. The board of inquiry gave notice to the nurse of its intention to order her to submit to a medical examination (on the threat of suspension) because it had reasonable and probable grounds to believe she was incapacitated. The power to make this order is specified in the Code, as is the requirement to give notice.

The nurse made submissions through counsel, and included two medical opinions and statements from her colleagues that supported her capacity. Regardless, the board ordered an assessment and did not provide reasons for its order. The court award also says the College “refused” to provide the nurse with a record of its proceedings or file the record with the Court, though it did file an Affidavit in its response which attached all the material before it at the time it made its decision.

The Court quashed the order because the College breached the nurse’s right to procedural fairness. It considered that the privacy interest at stake weighed in favour of a high standard, and commented:

Individuals have a legal right to bodily integrity and medical privacy. The right is protected through privacy legislation and through an extensive body of case law dealing with circumstances under which an individual can be compelled to submit to medical examinations and other intrusions on bodily integrity.

The College submits Ms. Cotton had no reasonable legitimate expectation that the Board would give reasons for its decision. It states it has never been the practice at the College for a Board of Inquiry to provide reasons demonstrating reasonable and probable grounds to require a member to submit to a medical examination. We respectfully suggest that the College might wish to re-examine its practice where a medical examination is ordered.

The College further submits that a duty to give reasons is inconsistent with the role of the Board, which was performing a purely investigative function rather than an adjudicative one. We recognize that there may be functions of the Board that are investigative and which are not determinative of the rights of any party. However, an order requiring a person to undergo an invasive medical examination, subject to the penalty of suspension or revocation of licence for refusing to comply, is a determination of rights, even though it may be ordered for an investigative purpose. It is in this context that the duty to observe rules of procedural fairness, including the duty to provide reasons, arises.

Though the substantive basis for ordering a medical assessment is often litigated, judicial comment on the process of ordering an assessment is rare. The outcome in this decision is certainly driven by its specific factual context, but it nonetheless has some broader significance.

Cotton v. College of Nurses of Ontario, 2008 CanLII 26674 (ON S.C.J.).

More thoughts on employee online speech

June is conference season, and this year the hot topic has certainly been online speech. I spoke first in mid-May at our Toronto client conference and posted some ideas about the dangers of over-reaching. Then, last week, I spoke at the Canadian Association of Career Educators and Employers and posted some ideas about applicable privacy principles, human rights and records management concerns.

Today I spoke at our Burlington client conference together with Jonathan Maier. Here are two excerpts from our speech. Please keep in mind we act exclusively on behalf of management, and though we mean to encourage a fair and reasonable approach, our comments are addressed to management’s perspective.

First, some thoughts on necessity and reasonableness in collecting personal information for recruiting purposes:

Finally, the “necessity” and “legitimate purposes” principles are applicable. As against these principles, we are most likely to succeed in justifying screening a candidate’s online presence if we need to do so to see whether it gives rise to a conflict of interest or potential conflict of interest.

To give this some meaning, let me explain two more problematic uses.

One is randomly searching for any “dirt” on prospective employees regardless of the potential for conflict. Even if information is available, privacy principles demand that we have a reason to collect. So if we are only hiring a production employee, for example, can we really justify screening her online presence at all?

The second questionable use is using online information to profile candidates or, in other words, to assess their potential job performance. I can see this as being a legitimate purpose for hiring individuals into some jobs – internet writing or internet marketing jobs for example. Otherwise I have concerns about the validity of profiling. And if you can’t prove your profiling exercise is valid, under privacy principles you have no basis for collecting the information that that will form the basis of your profile.

And now a thought on managing speech by former employees (presented immediately before some ideas on working with ISPs).

There are two key differences in managing online speech by former employees. First, you can’t take away their jobs, so lack practical leverage because you need to sue them or threaten them with a valid lawsuit to get them to take information down. Second, former employees have no duty of loyalty and fidelity. This means that they can say things that are not in your interest, and so long as these things are not defamatory, made in breach of confidence or made in violation of some other law, you won’t have recourse. You need to be able to claim the speech is unlawful in and of itself, which will no doubt leave you having to tolerate some speech you just don’t like.

Now if the speech is unlawful you will have a basis for seeing that it is taken down. But as a word of warning we’d like you to take one thing away from this: have your lawyer do a good up-front assessment of the legality of the speech so you know that you’re taking a position that you can commit to. I’ll come back to the risks of over-reaching in a bit.

I’ve enjoyed addressing this his very relevant topic hope you find these ideas helpful.

HRTO publishes “go forward” rules – summary of disclosure and production framework

On June 30th of this month, the bulk of the Bill 107 amendments to the Ontario Human Rights Code will come into effect and the Ontario system for resolving human rights matters will start allowing for “direct access” to the Ontario Human Rights Tribunal. This week, the Tribunal issued Rules of Procedure for “new applications” – those applications filed after June 30th and applications involving complaints that are currently outstanding at the Commission and that are re-filed as applications after years’ end.

The plain language guide published with the Rules states, “The Tribunal’s goal is to have the hearing completed within one year of receiving a completed application form.” In light of this aggressive goal, I thought it worth a quick summary of the disclosure and production framework contemplated by the rules, which starts up-front during the pleadings stage.

Here’s an overview of what is contemplated:

  • The Application form and the Response form ask the parties to identify (with reasons) “important” documents they, other parties and any third parties posses. The use of the word “important” is significant, and signals an appreciation for proportionality.
  • The Application form and the Response form ask for witnesses names and a short description of why each listed witness is “important.” The identities of potential witnesses are collected by the Tribunal up-front, but are not disclosed between the parties until shortly before a hearing. This indicates that the parties’ witness lists will initially be used for case management purposes.
  • The Tribunal also has a unique power of inquiry. At the request of a party it may order an inquiry where an inquiry is “required” in order to obtain evidence, the evidence “may assist in achieving a fair, just and expeditious resolution of the merits of the application” and ordering an inquiry is “appropriate.” When the Tribunal orders an inquiry it will authorize a person to conduct the inquiry and prepare of written report in accordance with terms of reference. The person conducting the inquiry will have a broad power to gather evidence in making a report, including the power to enter premises without a warrant, to request the production of documents and things, to question witnesses, to demand production of electronically stored information and to take photographs and video recordings. The Tribunal will not ordinarily treat the report as evidence unless the parties consent or unless the author of the report testifies. The Rules establish a preference for inquires to take place early in the process: “[A request for an inquiry] must be made promptly after the party becomes aware of the need for an inquiry.”
  • After the Tribunal confirms the hearing, the parties will have 21 days to deliver and file a list of all “arguably relevant” documents in their possession, including documents over which privilege is claimed. Parties must produce copies of non-privileged documents together with their lists. The Rules do not make any mention of electronic production.
  • The next significant date is 45 days before the first scheduled date of hearing. At this point the parties must exchange and file the following: (1) a list of documents on which they indend to rely; (2) a witness list along with will-say statements; and (3) any expert witness reports or, alternatively, a “full” summary of an expert witness’s evidence. Parties will ordinarily be precluded from relying on documents and witnesses not disclosed in accordance with this requirement.

There is no process for oral discovery (which would be atypical in an administrative procedure) but the Tribunal is offering voluntary mediation, an additional means for the parties and the Tribunal to glean the other sides’ potential evidence and assess the case. In fact, the Tribunal’s plain language guide states that it will use mediation to assess and manage matters that do not settle.

Information Roundup – June 5, 2008

Seanna’s off in Halifax for a five day sales conference and I’m a single parent for the time being. Hugs walked for the first time today too (pretty much all at once). I’m going to have him doing headstands by the time Seanna gets home.

Here’s what I’ve been reading lately.

  • Privacy Commissioner of Canada, “Leading by Example: Key Developments in the First Five Years of the Personal Information Protection and Electronic Documents Act.” There are no new policy statements in here, but it is a great single-source resource for the key jurisprudence on PIPEDA.
  • Cathy Delzeil, “Clamping down on discovery: the new rules of civil procedure.” A really nice summary of the impending changes to the Nova Scotia civil rules. (The Lawyers Weekly)
  • Ralph Losey, “The lessons of Qualcomm: A wake up call for the legal profession.” Mr. Losey argues that Qualcomm is a reminder that litigators have a duty to the court to ensure their representations about document preservation and retrieval are accurate. He also argues, despite how hard it is to get a handle on our clients’ records as externals, that this duty can’t be avoided by retainer agreements that lay the burden at clients’ feet. (E-Discovery Team)
  • Canadian Broadcasting Corporation, “Search Engine” (5 June 2008). Jesse Brown talks to a representative of Proofpoint, a vendor of automated e-mail monitoring solutions, about a study it commissioned on corporate data loss. I haven’t bothered to download the report, but here’s what you pick up from the interview and Proofpoint’s press release: 41% of companies with over 20,000 employees that were surveyed hired people to manually monitor employee e-mail in the last year, 44% of all companies surveyed investigated an e-mail leak of confidential information in the last year and 26% of all companies surveyed fired an employee for breach of an e-mail policy in the last year. Proofpoint commissioned Forrester Consulting, who surveyed 301 American companies with more than 1000 employees. (CBC)

Enjoy!

Case Report – Arbitrator Brent’s teaching evaluation data award upheld

On May 22nd, the Divisional Court dismissed a judicial review of a February 2007 decision by Arbitrator Gail Brent in which she held that the University of Windsor did not violate its faculty collective agreement or the Ontario Freedom of Information and Protection of Privacy Act by publishing teaching evaluation scores on a secure network for access by students and other members of the university community.

It held that Ms. Brent was reasonable in construing the term “personal information” in the relevant collective agreement provision narrowly such that it excluded teaching evaluation scores. It also held, without deciding on the applicable standard of review, that Ms. Brent was correct in deciding that student evaluation records were excluded from FIPPA based on the employment-related records exclusion.

University of Windsor v. University of Windsor Faculty Association, 2008 CanLII 23711 (ON S.C.J.).

Emily Gould’s “Exposed”

If you’re interested in the social media and privacy issue you might like reading Emily Gould’s “Exposed” article, which ran in the New York Times Magazine last weekend. You might also like perusing some of the 1200 comments that the article has spawned.

While many of the commenters are highly-critical of Ms. Gould’s self-centred article about her career as a self-centred blogger, only a few I read acknowledged the irony of entering the public forum themselves in publishing a comment. This may very well demonstrate irresistibility of online expression and the power and relevance of the social media phenomenon. Yes it will shape the law of information and privacy, but it has even greater socio-cultural significance.

I am an obvious fan of Web 2.0 and its potential, but in reading this article it struck me that the extent to which we are relying on online experiences to supplant real world experiences is troubling. Take Ms. Gould’s use of instant messenger technology:

But because we were so busy, we continued to I.M. most of the time, even when we were sitting right next to each other. Soon it stopped seeming weird to me when one of us would type a joke and the other one would type “Hahahahaha” in lieu of actually laughing.

And then, “Depending on how you looked at it, I either had no life and I barely talked to anyone, or I spoke to thousands of people constantly.”

The very best comment I read was from “Flynn” from Los Angeles, who reminds us about what is real in our increasingly virtual world. He tells Ms. Gould, “Turn off the computer, drive to Coney Island and jump in the ocean. Cleanse yourself and start all over again. You won’t be missing a thing.” Must be a surfer.

Case Report – BC OIPC says 41 days too long for breach notification

On May 7th, the British Columbia OPIC issued an investigation report in which it held that the Ministry of Health breached the security measures provision of the British Columbia Freedom of Information and Protection of Privacy Act in circumstances involving the loss of an unencrypted magnetic tapes that contained that contained the personal information of British Columbia residents who received health care in New Brunswick.

The tapes were sent pursuant to the provinces’ reciprocal billing agreement and contained the following personal information: gender, personal health number, birth date, fee code for medical service received and the practitioner number of the health care provider. They were mailed on October 3, 2007 and identified as missing October 25th. Notification to individuals and an offer to pay for credit protection services costing up to $200 was sent on December 11th, about a week before the courier company finished its investigation into why the package was lost.

The OPIC held that the Ministry breached the Act in light of the following actions:

  • sending data on unencrypted magnetic tapes (even though the data on the tapes would not be highly accessible given the near-obsolesce of the medium)
  • not requiring the sender to give notification of when the package would be received and not requiring the sender to use a courier with a tracking service (which contributed to the delay in discovering the package had been lost)
  • not instructing the sender to refrain from sending another unencrypted tape while the incident was still under investigation
  • taking 41 days to notify individuals of the breach

The OIPC also held that the Ministry did not follow best practice by only notifying the OIPC shortly before it gave notice to the affected individuals. It expressed a desire to help public bodies develop effective strategies to mitigate the risk of harm flowing from data breaches.

Investigation Report F08-02, 2008 CanLII 21699 (BC I.P.C.).

Case Report – IPC says personal information in OSR shall not be released

On April 11th the IPC/Ontario denied a parent’s appeal for access to information about an incident that led to the suspension of two students, and in doing so made a significant statement on a student’s privacy interest in information contained in the Ontario Student Record.  

The records at issue were about two students other than the parent’s child, so the Board claimed they were exempt based on the exemption in section 14 – i.e., it claimed that disclosure would constitute an “unjustified invasion of privacy.” It also argued that disclosure should be presumed to constitute an unjustified invasion of privacy based on section 14(3)(d) of MFIPPA (the “educational history” presumption) because the records had been included in the OSR pursuant to the Ministry’s Violence-Free School Policy.  The IPC acknowledged that the OSR is “the core of a student’s educational history” and held that the presumption applied.

It also rejected the requester’s claim that the “public interest override” applied.  Although it recognized that a parent’s interest in ensuring a safe environment for his or her own children and other children was a “compelling public interest,” it did not find that this interest outweighed the special privacy interest of youth at risk:  

I note that Canadian legislation aims to protect young people from negative publicity about activities that may not reflect well on them.  This policy initiative clearly underlies significant provisions about non-publication of information found in the Youth Criminal Justice Act.

Order MO-2291 (11 April 2008, I.P.C./Ont.).

Information Roundup – May 24, 2008

Finally a beautiful weekend in Toronto!  Here are some things I’ve read recently that you might find interesting.

  • Alan Finder, “At One University, Tobacco Money is a Secret.” This is about a restrictive research funding agreement at Virginia Commonwealth University. It includes abnormally strict confidentiality provisions that have drawn some criticism. (New York Times)
  • Peter Timmins, “NSW ADT sticks to ‘disclosure to the world’ but policy needs rethinking.” Mr. Timmins lays out some Australian law on the “disclosure to the world” principle, a privacy-protective principle raised in access to information law that deems the good intentions of a requester to be generally irrelevant. (Open and Shut)
  • Information and Privacy Commissioner/Ontario, “2007 Annual Report.” Most interesting for me is the comment on privacy versus security in light of Virginia Tech and other recent events. Ms. Cavoukian says, “And our attention is drawn away from real issues at hand: bureaucratic inertia, misguided policies, inefficient practices, and poor judgement.” I don’t think this comment was meant to be a critique of our own educational institutions, who all can be seen to be working hard on this issue, but is nonetheless quite a pointed call to action!
  • Linda Greenhouse, “Supreme Court Upholds Child Pornography Law.” A news report on the United States Supreme Court freedom of expression case (R. v. Williams) from last Monday, which the Times has also criticized. (New York Times)

I made contact with Peter Timmins through this blog, and have since been following his Open and Shut freedom of information and privacy blog.  I like the idea that blogging can help build a contact with someone almost exactly half-way around the world with similar interests. I also have a soft spot for Australia because after I articled Seanna and I spent a year there travelling around and camping. We had this idea that we could live on a $5 a day food budget, and still remember standing outside of a MacDonald’s debating about whether we should treat ourselves to an ice cream cone. We also drank a few $4 boxes of wine on that trip! An experience I’ll never forget, and an extremely beautiful country. Check out Open and Shut sometime.

See ya!