Arbitrator orders $25,000 in damages for privacy breach

Arbitrator Stout’s April 28th decision has received ample coverage, but I’d like this site to be a relatively complete repository of privacy damages awards. Mr. Stout ordered an employer to pay $25,000 in general damages after a supervisor disclosed an employee’s visual disability to three other employees after learning of the disability in a prior arbitration proceeding. The supervisor apologized orally and in writing, which presumably mitigated the breach. He did not testify, however, and Mr. Stout inferred that the disclosure was undertaken as retaliation for the outcome of the prior arbitration, a significant aggravating factor. The grievor also suffered distress that required him to undergo medical treatment and the employer “did very little” to remedy the breach in its response (e.g., discipline on the supervisor).

Canadian Pacific Railway Company v Teamsters Canada Rail Conference, 2016 CanLII 25247 (ON LA).

USB key treated as a private receptacle by labour tribunal – but why?

On March 29th the Grievance Settlement Board (Ontario) held that a government employer did not breach its collective agreement or the Charter by examining a USB key that it found in the workplace.

They key belonged to an employee who used it to store over 1000 files, some of which were work-related and allegedly confidential and sensitive. Remarkably, the employee also stored sensitive personal information on the key, including passport applications for his two children and a list of his login credentials and passwords. The key was not password protected and not marked in any way that would identify it as belonging to the employee.

The employee lost the key in the workplace. The employer found it. An HR employee inserted they key in her computer to read its contents. She identified the key as possibly belonging to the employee. She gave the key to the employee’s manager, who inserted it in his computer on several occasions. The manager identified that the key contained confidential and sensitive information belonging to the employer. The manager then ordered a forensic investigation. The investigation led to the discovery of a draft of an e-mail that disparaged the manager and had earlier been distributed from an anonymous e-mail account.

The GSB held that the employee had a reasonable expectation of privacy – one so limited as not to be as “pronounced” as the expectation recognized in R v Cole. The GSB also held, however, that the employer acted with lawful authority and reasonably. The reasonableness analysis contains some helpful statements for employers, most notably the following statement on the examination of “mixed-use receptacles” (my words):

The Association argues that the search conducted by Mr. Tee was “speculative” and constituted “rummaging around” on the USB key. It asserts that if Mr. Tee had been interested in finding files which might contain government data, he would have or should have searched directories which appeared to be work related, such as EPS, TPAS or CR. I do not find this a persuasive argument. As noted in R. v. Vu, in discussing whether search warrants issued in relation to computers should set out detailed conditions under which the search might be carried out, such an approach does not reflect the reality of computers: see paras. 57 and 58. Given the ease with which files can be misfiled or hidden on a computer, it is difficult to predict where a file relevant to an inquiry will be found. It may be filed within a directory bearing a related name, but if the intention is in fact to hide the file it is unlikely that it will be. Further, the type of file, as identified by the filename extension, is not a guarantee of contents. A photograph, for example can be embedded in a Word document. Provided that the Employer had reasonable cause to view the contents of the USB key in the first place (as I have found there was in this case), an employee who uses the same key for both personal and work related purposes creates and thereby assumes the risk that some of their personal documents may be viewed in the course of an otherwise legitimate search by the employer for work related files or documents.

I learned about this case shortly before it was decided and remarked that it was quite bizarre. I couldn’t fathom why anyone would be so utterly irresponsible to store such sensitive information on a USB key. This is one reason why I’m critical of this decision, which treats this employee’s careless information handling practice as something worthy of protection. The other reason I’m critical of this decision is that it suggests the expectation of privacy recognized in Cole is higher than contemplated by the Supreme Court of Canada – which remarked that Richard Cole’s expectation of privacy was not “entirely eliminated” by the operational realities of the workplace. Not all of our dealings with information demand privacy protection, and in my view we need to make the reasonable expectation of privacy threshold a real, meaningful threshold so management can exercise its rights without unwarranted scrutiny and litigation.

I also should say that it’s very bad to stick USB keys found lying around (even in the workplace) into work computers (or home computers), at least without being very careful about the malware risk. That’s another reason why USB keys are evil.

Association of Management, Administrative and Professional Crown Employees of Ontario (Bhattacharya) v Ontario (Government and Consumer Services), 2016 CanLII 17002 (ON GSB).

Late apology and lack of correction results in increased privacy damages award

There has been some public discussion of the recent arbitration award by Arbitrator Knopf in which she awarded an employee $1,000 in damages for breach of privacy. The following is my view about what organizations should take from Ms. Knopf’s award.

The case is about one employer who shared a medical note with another employer. The other employer also employed the employee and wanted to confirm its understanding of her fitness for work and need for accommodation.

The note the employer disclosed stated, “pt is able to perform the duties of Dietary Aide at St. Pat’s home.” The disclosure was made by a contractor who managed the employee. He also told the other employer that the employee (a) was not currently being accommodated, (b) had no work-related restrictions and (c) was working her regularly scheduled shifts.

The employer admitted liability, and it appears that damages were awarded based only on the disclosure of the medical note. This is notable because it is debatable whether it was wrong for the employer disclose “a” and “c” as noted above. The information I’ve noted as “a” is not received from a health information custodian and therefore is not regulated by statute. The information I’ve noted as “c” is also note received from a health information custodian and is also arguably not personal information. I’m not suggesting the employer was clearly right in disclosing “a” and “c,” but it was also not clearly wrong.

The most important part of the award is the damages analysis, most notably Ms. Knopf’s comments the employer’s delayed apology and lack of corrective action. She said:

This Employer has apologized to the Grievor in the course of these proceedings and affirmed its desire to maintain and to continue a positive relationship with the Grievor. However, this apology was only offered once the Union refined and narrowed the claim for relief in the course of preparation for this hearing, even though the breach of the Confidentiality Policy was apparent from the outset. Therefore almost three (3) years had gone by. The evidence also disclosed that the Employer had not required its contractors to abide by this Policy and there is no evidence to suggest that it has done so to date. Employers often criticize grievors who do not offer timely apologies in situations of wrongdoing. Employers should be held to the same standard. The apology from the Employer is clearly meaningful and significant, but it did come very late and it lacks completion, given the apparently continuing failure to insist on compliance with its Confidentiality Policy by the contractors who serve the residents and interact with the members of this bargaining unit.

The most common and preferred strategy for responding to a loss of data is to conduct a good early assessment and “take lumps” – including by issuing an appropriate apology and committing to corrective action. This case supports the use of that strategy.

St. Patrick’s Home of Ottawa Inc. v Canadian Union of Public Employees, Local 2437, 2016 CanLII 10432 (ON LA).

Big data and the workplace – a briefing note

I was recently asked to create a minimalistic briefing note on “big data and the workplace” for a group of experienced employment lawyers. Here is what I wrote.

Employers are using data analytics to derive insights about their employees. They are then using the insights to make decisions about individual employees and potential employees. The objective is to make better human resources decisions.

The first and major big data application for employers was hiring. Hiring analytics involves merging historical data about candidates and employees into a database and using software to analyze the data to identify measurable candidate attributes that correlate with successful employment.

Today, employers use data analytics for a range of other applications – those supporting performance management, health and safety and security, for example. All these applications involve a similar process, similar technology and similar techniques to those involved with hiring analytics.

The use of workplace data analytics is popular and legitimate. It is naïve to suggest that the use of data analytics is wrong-headed, though there are legal risks.

The greatest risk is the risk of liability under anti-discrimination statutes. One can hardly blame employers for attempting to determine which candidates are most likely to be successful. Some argue that the use a good predictive model can actually reduce discriminatory bias!

This optimistic view of workplace data analytics is theoretically sound, but problematic in practice. The discrimination risk exists, in part, because the predictive models are typically developed by third-parties can be poorly understood by the employer-enduser – i.e., predictive models exist in a “black box.” This may make defending the use of even the most sound model very costly and risky. And when a model produces a result that disadvantages those with certain protected personal characteristics, a human rights tribunal will certainly question “Why?” “Is there a systemic discrimination problem that underscores the result?” When diversity is now valued by business, workplace data analytics, if used mechanically, can lead organizations to swim against the flow.

Privacy is also an issue, though there is a disconnect between potential employee perceptions and actual privacy impact. Strictly speaking, analyzing data to derive insights about a population is not a use of personal information at all. Service providers and employers are wary of privacy concerns, and usually do not publish insights about small populations (where the risk of identification is high). Employers should also communicate with employees about the nature of their analysis with a view to putting employees at ease and reducing the risk of complaints that arise out of a misunderstanding.

Ensuring the analysis is “true statistical analysis” will address part of the privacy concern associated with the the use of workplace data analytics, though there is still a significant data handling issue that will remain. Workplace data analytics involves compiling existing data (and sometimes augmenting it) to create a large data source. Even if the data source may only be used to understand a populations or groups within a population, to support sound statistical analysis it must include data that is linked to individuals. The data source could therefore be compromised and cause harm to individual privacy. Data security – particularly given the data source will almost always be handed by a third party) – is of paramount importance.

Criminal reference checks for current hospital employees ruled improper

In a decision from last May that just came to my attention, Arbitrator Stout ruled that a hospital’s policy that required all current employees to undertake vulnerable sector criminal record checks violated its nurses collective agreement.

Although British Columbia legislation supports periodic checks on vulnerable sector employees, the hospital’s policy was first of its kind in the Ontario hospital sector. Ontario employer’s have had difficulty justifying such checks. Arbitrator Picher’s comment about the distinction between pre-employment and in-employment checks in City of Ottawa is both authoritative and restrictive.

The person who presents himself or herself at the door of a business or other institution to be hired does so as a stranger. At that point the employer knows little or nothing about the person who is no more than a job applicant. In my view, the same cannot be said of an individual who has, for a significant period of time, been an employee under the supervision of management. The employment relationship presupposes a degree of ongoing, and arguably increasing, familiarity with the qualities and personality of the individual employee. The employer, through its managers and supervisors, is not without reasonable means to make an ongoing assessment of the fitness of the individual for continued employment, including such factors as his or her moral rectitude, to the extent that it can be determined from job performance, relationships with supervisors and other employees, and such other information as may incidentally come to the attention of the employer through the normal social exchanges that are common to most workplaces. On the whole, therefore, the extraordinary waiver of privacy which may be justified when a stranger is hired is substantially less compelling as applied to an employee with many months, or indeed many years, of service.

Mr. Picher did state that in-employment checks can be used for employees exercising “particularly sensitive functions.”

In this case, Arbitrator Stout held that the employer had not proven a “current problem” or “real risk.” Arbitrator Stout was also significantly influenced by the structural problem with vulnerable sector checks – i.e. they return sensitive “non-conviction information” for which employers generally have no need.

Rouge Valley Health System v Ontario Nurses’ Association, 2015 CanLII 24422 (ON LA).

Wellness be dammed – universal medical assessments not allowed

On November 12th, Arbitrator Dorsey held that an employer could not implement universal “fitness for duty” testing.

The program would require drivers responsible for carrying liquid and compressed gas to be tested once every five years. The employer framed the testing as fitness for duty testing, but the program featured urinalysis and bloodwork to look for “disorders, including anemia, infection and leukemia.” In other words, the program looked (at least partly) rooted in the promotion of wellness, though requiring employees to participate in a wellness program with an (invasive) medical assessment feature is aggressive by Canadian standards, if not unprecedented.

Arbitrator Dorsey appeared to appreciate this problem, and decided the matter by finding that the particular collective agreement provision upon which the employer relied did not have the “clear and express language” necessary to authorize universal testing. He also said that truck transportation is not so safety sensitive an endeavour “regardless of the nature of the product being transported” to justify an exception to normal preference for individualized, for cause testing.

Teamsters Local Union No 213 v Linde Canada Limited, 2015 CanLII 73757 (BC LA).

Arbitrator dismisses video surveillance grievance, makes principled statements

On November 12th, British Columbia labour arbitrator Stan Lanyon dismissed a policy grievance that challenged the implementation of a video surveillance system in an equipment production and maintenance plant.

Surveillance cases are driven by their facts, but Arbitrator Lanyon did dismiss a union argument that overt and covert surveillance are equally invasive: “covert surveillance is more a more egregious violation of privacy because it is capable of causing more distress, anguish and embarrassment.”

As significantly, he held that surveillance systems can be justified without evidence of “a past history of serious breaches of safety, or security issues.”

Finally, Arbitrator Lanyon recognized a difference between using cameras for disciplinary (or supervisory) purposes and using video surveillance footage in the investigation of incidents. This distinction is not clearly drawn in some case law (and employer policies), but is important.

Kadant Carmanah Design v International Association of Machinists and Aerospace Workers, District 250, 2015 CanLII 79278 (BC LA).

Arbitrator says privacy concern did not justify altering records, wiping phone

On July 2nd, Arbitrator Peltz affirmed the discharge of a university support staff employee who altered billing records for his employer-owned cell phone and later wiped the phone after being directed to retrieve it so it could be examined.

The grievor worked in the university’s technology transfer office in a position of trust. After the university confronted him about excessive personal use of his phone the grievor deleted parts of phone records that showed his calling history. These records were stored on a university shared drive and were therefore to accessible to other employees in the grievor’s department. The grievor said he did this because he was concerned about the disclosure of his call history.

The university discovered the alterations. It called the grievor to an investigation meeting in which it heard the grievor’s position and advised the grievor that he would be placed on paid leave pending an examination of his cell phone and computer records. The grievor went to his office to retrieve his phone. When he did not return his supervisor investigated and found the grievor wiping his phone. The grievor continued over over his supervisor’s direction to stop, responding “I’m just deleting my personal information.”

Arbitrator Peltz found the grievor’s alteration of records to be culpable. He commented:

It is one thing to say that digital privacy is now highly valued in Canadian society. It is something else to claim a unilateral self help remedy without even consulting the employer whose records are being altered.

Arbitrator Peltz also held that the grievor was insubordinate because he intentionally frustrated the university’s plan to conduct a reasonable search. He said that the university had a reasonable concern about “all the greivor’s communications” and that due diligence required a “complete review, excepting personal matters.” Some effort to minimize the impact of the search may have been required according to Arbitrator Peltz, but the grievor should have stated his privacy concern rather than take matters into his own hands by wiping his phone.

University of Manitoba v Association of Employees Supporting Educational Services, 2015 CanLII 49535 (MB LA).

Arbitrator says association has no right of access to harassment investigation reports

On July 15th, Arbitrator Sheehan held that a police association did not have a right of access to a harassment investigation report.

Arbitrator Sheehan held that the employer denied access for “reasonable cause” – the need to encourage witness candour – and therefore acted consistently with its collective agreement. He also dealt with the broader premise for the association’s case and, in doing so, questioned the a finding in which the OLRB held that a union’s representational role justified a similar right of access He said:

I have some difficulty with extrapolating the reasoning in those cases, as support for a much broader proposition that a union will necessarily be entitled to otherwise private/confidential information associated with a particular operational decision of an employer; simply on the basis that the information in question will be of assistance to the union to fulfill its duty of fair representation obligations. Or more particularly, that the union is entitled to such information on the basis it would be helpful to the union in assessing whether it would be appropriate, in the circumstances, to file a grievance.

There are numerous scenarios where the employer has information in its possession that may be quite helpful to the union, in terms of assessing whether there has been a violation of the collective agreement; and therefore, a basis to file a grievance. For example, in a job promotion dispute, the employer typically has information which may involve the confidential evaluations or interview/test results of the candidates. Such information would, obviously, be useful for the union to review in terms of whether in fact a grievance should be filed on behalf of a senior employee not awarded the position. In that sense, the union has an “interest” in the disclosure of the information. The duty of fair representation obligations resting on the union, however, does not transform that “interest” in obtaining the information into a “right” of disclosure, which would obligate the employer to comply with a request to disclose; solely to assist the union, in their assessment of whether there is a basis to file a grievance.

The disclosure of employer documentation arising out of a disciplinary investigation may likewise be of particular assistance to the union in terms of evaluating whether in fact there is a basis to assert a violation of the collective agreement. Again, as has been previously discussed, if the request for the information should arise in the context of the adjudication of a grievance challenging the issued discipline, there would be a presumptive right (subject to a valid claim of privilege) for the union to obtain production of such arguably relevant documentation. It is, however, an entirely different proposition to suggest, that the employer prior to the filing of a grievance, is obligated to forward that information to the union; on the basis the information may be of assistance to the union, in its assessment of whether there is a basis for filing a grievance.

For similar reasoning see Arbitrator’s Lanyon’s decision in Mount Arrowsmith Teachers’ Association.

Halton Regional Police Services Board v Halton Regional Police Association, 2015 CanLII 47877 (ON LA).

Arbitrator awards damages for substance abuse counsellor’s indiscretions

On June 15th, Arbitrator Michel Picher awarded damages to three employees for the indiscretions of a substance abuse counsellor retained by an employer to provide treatment as part of its substance abuse program. Arbitrator Picher:

awarded $5,000 to an employee because the counsellor disclosed his cancer diagnosis to the employer without justification and because the counsellor had counselling sessions with the employee in various public places (including Tim Hortons and Home Depot);
awarded $2,500 to an employee because the counsellor answered a telephone call and engaged in a discussion about “sensitive matters” while sitting with another employee (also a client); and
awarded $1,500 to the employee who overheard the telephone call because it “would undermine [his] expectation of privacy and confidentiality in communications with [the counsellor].”

The employer argued it hired a reputable provider and was unaware the serious allegations made agains the counsellor until after the union filed a grievance. Arbitrator Picher’s response reflects the approach taken in finding employers liable for workplace harassment (see Robichaud). He said, “The employer cannot disavow or escape responsibility for the actions of its chosen agent and must bear liability for any violation, in the course of his duties, of the rights of the employees in the bargaining unit for which he was responsible.”

Halifax Employers Assn. and ILA269 (2014-L-39), Re, 2015 CarswellOnt 10497.