On September 19th, the Human Rights Tribunal of Ontario dismissed an application that alleged a school board breached the Ontario Human Rights Code by using an Ontario Student Record in defence of a prior application.

Section 266 of the Ontario Education Act deems an OSR to be “privileged for the information and use of supervisory officers and the principal, teachers and designated early childhood educators of the school for the improvement of instruction and other education of the pupil.” It also explicitly states that an OSR is not admissible in evidence without parental consent.

In the prior application (which involved the same parties), the board had used the OSR in its response. This led the applicant to seek an order prohibiting the respondent from further relying on the OSR. The Tribunal denied the applicant’s request and, instead, held that it would dismiss the application as an abuse of process unless the applicant provided a consent. The applicant withdrew its application and filed a subsequent application that directly attacked the board’s use of the OSR, which the applicant alleged was discriminatory and a reprisal.

The Tribunal held that the board’s actions were absolutely privileged. It said:

The entire Application in this case is based on statements made in the respondent’s pleadings and the pre-hearing disclosure of documents to the applicant by the respondent in the course of a proceeding before the Tribunal. The respondent’s impugned statements and actions were thus clearly made and/or performed on occasions of absolute privilege. The applicant therefore cannot rely on them to found a claim under the Code. The Application must be dismissed on this basis alone.

The Tribunal also held that there was no reasonable prospect that the applicant would succeed on the merits.

GA v York Region District School Board, 2012 HRTO 1787 (CanLII).

On October 2nd, Arbitrator Albertyn partly upheld a suspension issued for taking photos in the workplace without authorization and refusing to delete them as directed. Here is what he said:

I have found that the Grievor refused to delete the photographs of the restaurant from his cellphone when asked to do so by the Employer. The images were likely of the restaurant, of an employee and of its proprietor. These images did not belong to the Grievor. All or some of them belonged to the Employer. The Employer was entitled to require that the Grievor delete them. That was a legitimate instruction from the Employer to the Grievor. His refusal amounted to insubordination.

The employer did not have a policy, and posted a memo that addressed photo taking in the workplace after the incident. Arbitrator Albertyn suggests that the employer did not need a policy to order the photos to be deleted.

Swiss Chalet Restaurant #1178 v United Food & Commercial Workers Canada, Local 206, 2012 CanLII 57387 (ON LA).

The Court of Appeal for Ontario issued a significant judgment yesterday in which it held that the police did not breach section 8 of the Charter by obtaining the identity of an anonymous internet user without judicial authorization. The decision touches deep questions about anonymity and the rights of citizens (corporate or otherwise) to help law enforcement.

The case is about a child pornography investigation that started with a concern about the trading of contraband on a German website. The trading was done openly, but under the cover of pseudonyms. The RCMP obtained information that child pornography had been downloaded to computers at various IP addresses in Canada. It requested and obtained information from a Canadian internet service provider (ISP) that linked three downloads to the accused.

The key issue for the Court was whether the accused had a reasonable expectation of privacy in the circumstances. The same issue was before the Court of Appeal for Saskatchewan in two cases last year, and it reached a different reasonable expectation of privacy finding in each case, arguably because the commercial terms imposed by the ISP in each case differed.

One key to the Court of Appeal for Ontario’s rejection of a privacy claim is its characterization of the information at issue. The Crown argued that the ISP merely disclosed a name and address. The defence argued that the ISP disclosed information that would reveal “browsing history” and “the details of an individual’s Internet activities.” The Court accepts neither position. It characterizes the information as follows:

The police did not want the subscriber information so as to be able to identify the appellant as a customer of Bell Sympatico. That fact alone was of no value to the police. Nor does the appellant contend that he has a reasonable expectation of privacy with respect to the fact that he is a client of Bell Sympatico. The police wanted the information because they believed it could potentially identify the appellant as the person who had anonymously accessed child pornography on three separate occasions over the Internet. Translated into the content neutral language required for the purposes of s. 8, the police wanted the information because of what it could potentially tell them about the appellant’s Internet activity on three occasions. They sought to connect an identity to certain activity: see Slane & Austin, at pp. 500-503.

The Court’s reference to “content neutral” pays heed to case law that establishes that the protection afforded by section 8 of the Charter should not be debased by framing the activity that the proponent seeks to protect as criminal and therefore unworthy of protection. R v Wong, for example, was a case about the surveillance of unlawful gaming in a hotel room. The Supreme Court of Canada said that the privacy interest at stake was about the right to use a hotel room in private, not the right to use a hotel room for unlawful activity in private.

But does yesterday’s decision really treat the privacy interest at stake as neutral?

In the above quote the Court links the interest at stake to the anonymous downloading of pornography. It explains that broader, more neutral framing is not possible based on the record:

I cannot, however, go so far as Mr. Dawe, and counsel for the intervener, who relying on the comments of Cameron J.A. in Trapp, at paras. 32-37, argue that the information sought by the police would provide “an electronic roadmap of the appellant’s travels on the Internet”. That description, while consistent with the language used in Trapp, at para. 36, goes beyond the evidentiary record in this case. Adapting the intervener’s metaphor to the evidence adduced here, I would say that the police sought information capable of putting the appellant at a specific place, at a specific time in the course of his travels on the Internet.

The only activity occurring at the specific place and specific time at issue is criminal activity. The Court’s framing is proper based on evidence that established the dynamic nature of IP addresses, but it points to criminal activity and is therefore not neutral.

Then, in another very significant part of its analysis, the Court assigns significant weight to the ISP’s interest in “preventing the criminal misuse of its services.” It says that it is legitimate for an ISP to choose, for reasons relating to civic engagement or out of pure self-interest, to make a limited, voluntary disclosure to police – especially so given the repugnance of child pornography.

This analysis rests on far more fundamental concerns than an analysis that focuses on the commercial terms between an ISP and its subscribers. As the Saskatchewan cases might illustrate, an analysis that rests on commercial terms is flimsy and leaves to much to depend on a private arrangement that may vary by circumstance. An analysis that rests on a system owner’s interest in preventing the use of its property as an instrument of crime is strong. It is the kind of analysis that employers (also system owners) have said is missing from the Court of Appeal for Ontario’s last third-party disclosure decision, R v Cole.

Recognizing that system owners have a legitimate interest in preventing misuse of their systems may be strong and proper, but it is not neutral. The Court addresses this by saying that the nature of the offence under investigation is relevant to the reasonableness of an ISP’s response to a police request, but not the reasonable expectation of privacy analysis itself. Is this really a meaningful distinction?

All of this is to stress the complexity of this decision, with which I agree. People who trade child pornography engage in criminal activity in public and in a manner that creates an obvious digital trail. They hold the thinnest veil of anonymity, the maintenance of which rests on the outlook of an ISP. Whether an ISP should be able to take a value-laden, non-neutral stance against crime seems like it will be the fighting ground on any appeal.

R v Ward, 2012 ONCA 660.

Here are my slides from a presentation today at the Canadian Institute’s internal investigations seminar. The over-arching message: investigation tactics that used to get an unqualified green light are now becoming subject to risk, so investigators need to think and act with an understanding that the reasonableness of every step may be subject to judgment.

The Supreme Court of Canada issued a decision in a highly-anticipated cyberbullying decision today. It held that children who are subject to sexualized cyberbullying, as a class, deserve privacy protection – at least enough protection to justify allowing them to proceed anonymously. After a quick first read of what will be a very discussed decision, I raise two questions for consideration.

Question one – What does proceed anonymously mean?

The Court used the term “proceed anonymously,” which it did not define. The applicant, notably, had merely requested that she and her litigation guardian be referred to by initials in all documents on the court record. By the Court’s somewhat qualified rejection of the applicant’s (other) request to ban publication of the allegedly defamatory Facebook postings, the Court seems to suggest that “proceed anonymously” means something more. The Court said, “If the non-identifying information [in the Facebook postings] is made public, there is no harmful impact since the information cannot be connected to A.B.” This suggests that “proceed anonymously” refers to an allowance to use initials plus a limited publication ban on identifying information.

Question two – What is the protected class?

The other question about the decision is about the scope of the class the Court intended to protect. Some text in the decision would suggest the class is limited to children subject to sexualized cyberbullying:

The girl’s privacy interests in this case are tied both to her age and to the nature of the victimization she seeks protection from. It is not merely a question of her privacy, but of her privacy from the relentlessly intrusive humiliation of sexualized online bullying…

As a result, in an application involving sexualized cyberbullying, there is no need for a particular child to demonstrate that she personally conforms to this legal paradigm.

At the same time, the Court made a number of broad statements about the impact of bullying on children in general, whether online or in the physical world and whether sexualized or based on some other vulnerability. For example:

If we value the right of children to protect themselves from bullying, cyber or otherwise, if common sense and the evidence persuade us that young victims of sexualized bullying are particularly vulnerable to the harms of revictimization upon publication, and if we accept that the right to protection will disappear for most children without the further protection of anonymity, we are compellingly drawn in this case to allowing A.B.’s anonymous legal pursuit of the identity of her cyberbully.

Perhaps the best way to read the decision is that its binding effect extends to sexualized cyberbullying, but it is also authority for like protection in other bullying scenarios experienced by children.

AB v Bragg Communications Inc, 2012 SCC 46.

Last week my colleagues Amy Tibble and Frank Cesario and I presented to a group of in-house counsel on a selection of pressing issues related to information management and privacy. Our three take-away messages were:

• You should take control of the “zone of privacy” on sensitive legal matters by issuing a communication protocol. Beware of over reaching.
• You have a leadership role to play in causing your organization to better manage the risks associated with data loss. The messages about internal responsibility recently made by the IPC/Ontario are relevant to most organizations given the increased prevalence of data loss class action claims.
• We need to help arbitrators draw a better distinction between the role of an occupational health department and the role of an employee  health care provider. The key risk relates to safety-related accountability for information held by employers and not assessed or acted upon based on perceived privacy restrictions.

Here are our slides. I hope the slides and these notes help generate some ideas.

On September 11th the Ontario Small Claims Court dismissed a motion to strike a privacy claim brought by a police officer who was video recorded in the course of his duties.

The individual defendant was arrested by the officer. He recorded the arrest on video and published a video called “Arrested riding my E-Bike” on YouTube, who allegedly did not take the video down when contacted by the plaintiff.

YouTube brought the motion to strike. The Court dismissed it because YouTube did not meet the relatively onerous requirement to strike an Ontario small claims action. After referring to the Court of Appeal for Ontario decision in Jones v Tsige, the Court said, “I find that the plaintiffs [sic] claim does in fact disclose a reasonable cause of action and is not inflammatory, a waste of time, a nuisance or an abuse of the court process.”

Vertolli v YouTube LLC, [2012] OJ NO. 4275 (SCJ) (QL).

On August 27th the Court of Appeal of Manitoba held appeal determinations made by the Court of Queen’s Bench under section 67 of the Manitoba Freedom of Information and Protection of Privacy Act are final and binding, with no further right of appeal.

Klippenstein v Manitoba (Minister of Family Services and Consumer Affairs), 2012 MBCA 78 (CanLII).