Case Report – Bendel says no power to exclude surveillance evidence

Arbitrator Michael Bendel has recently taken a very strong stance favouring the admission of evidence collected by way of surreptitious video surveillance. His position is encapsulated in the following statement, made in Re Greater Toronto Airports Authority and P.S.A.C, 2007 CanLII 21:

It follows that the discussions in many of the arbitral awards, on the existence of a right to privacy (or an expectation of privacy) in various jurisdictions, on the parameters of such an interest, on the actionability of invasions of privacy, and on the reasonableness of resorting to videotape surveillance of an employee suspected of sick leave abuse, are quite beside the point. Interesting though these debates may be, I express no views on them. They proceed on the wholly mistaken assumption that there exists a discretion to exclude evidence that is tainted by an invasion of privacy. In the absence of any such discretion, either at common law or by virtue of provisions such as section 16(c), I am unable to detect any point in these discussions about the existence of a right to privacy.

Mr. Bendel endorsed these comments again in Re General Electric Canada and C.E.P., Local 544, 2007 CanLII 408.

Case Report – Ministry’s e-mail search survives scrutiny

On June 28th the Information and Privacy Commissioner/Ontario upheld a fee estimate that involved an extensive process of retrieving e-mails.  The Ministry had nine individual custodians conduct electronic keyword searches of their own workstations using a number of specified terms.  The custodians spent time opening e-mails and other documents to determine whether they were responsive.  The Ministry also searched shared directories (presumably using the same terms). 

The IPC held the Ministry’s field filtering process was reasonably efficient and that the Ministry had established the basis for its estimate.  Note that only the efficiency of the search (and not its quality) was under appeal.

Order PO-2592 (Ontario Secretariat for Aboriginal Affairs) (I.P.C. Ont.).

Case Report – B.C. Commissioner speaks on public sector “necessary collection” standard

On June 26th, the Information and Privacy Commissioner of British Columbia held that a school board met the “necessary collection” standard in the British Columbia Freedom of Information and Protection of Privacy Act in its use of an online assessment tool for teacher recruiting.  He also held that the Board had complied with the FIPPA security standard and the Act’s requirement for storing and accessing personal information outside of Canada (as the assessment was administered by a third-party with databases located in Nebraska). 

The “necessity” ruling is broad in its analysis.  The Commissioner held that the meaning of necessity depends on the context:

At the same time, I am not prepared to accept, as the Complainants contend, that in all cases personal information should be found to be “necessary” only where it would be impossible to operate a program or carry on an activity without the personal information.  There may be cases where personal information is “necessary” even where it is not indispensable in this sense.  The assessment of whether personal information is “necessary” will be conducted in a searching and rigorous way.  In assessing whether personal information is “necessary”, one considers the sensitivity of the personal information, the particular purpose for the collection and the amount of personal information collected, assessed in light of the purpose for collection.  In addition, FIPPA’s privacy protection objective is also relevant in assessing necessity, noting that this statutory objective is consistent with the internationally recognized principle of limited collection.

On this standard, he held the Board’s collection of personal information was necessary.  Although the Board had successfully recruited teachers for years before implementing the new assessment process, he accepted evidence that the new process was efficacious in identifying the best teachers and allowed the Board to more rapidly screen a large number of candidates.

The USA Patriot Act part of Commissioner Loukidelis’s award is more fact-specific, but also demonstrates a pragmatic approach.  Although he held that the Board was compliant, the Commissioner did recommend that the service provider take steps to replace identifying information with unique numerical identifiers for the purposes of permanently storing data. 

Note that the collection standard in the British Columbia Act is essentially the same as is included in Ontario’s public sector privacy legislation.  The Ontario standard was recently considered by the Ontario Court of Appeal for the first time in the Cash Converters Canada Inc. v. Oshawa (City) decision, released on July 4th.  The Court adopted the standard endorsed by the Ontario Commissioner, which is arguably more rigid and restrictive than the one described above.

Order F07-10 (B.C.I.P.C.).

Case Report – Appeal court considers jurisdiction to exclude fruits of non-disclosure

On July 31st the British Columbia Court of Appeal held that a plaintiff who was granted an Anton Piller order based on a material non-disclosure should not be prohibited from using an e-mail obtained in the search.

The plaintiff (who was unrepresented) obtained an ex parte order requiring the defendant to disgorge computer hardware and electronic and physical records related to his claim.  At the same time, he was denied an Anton Piller order and granted leave to re-apply if he served a notice of application on the plaintiff the same day.  The plaintiff executed the disgorgement order but did not serve the notice.  When the defendant did not comply, the plaintiff applied for an Anton Piller order before a different judge and did not disclose the service condition imposed by the first judge.  He also drafted and entered an order broader than disclosed in the transcript of the proceeding (in that it allowed for both seizure and copying and not just seizure).

Although the Court acknowledged the high standard on a party seeking an Anton Piller order and noted that the plaintiff deliberately mis-drafted the order, it held that enjoining use of the e-mail would do too great an injustice to the plaintiff.  In balancing interests, it relied on (1) the fact that the motion to discharge the search order that was under appeal was brought over a year after the search, (2) that the defendant did not have clean hands in that the search was ordered after his failure to comply with the disgorgement order (in which the e-mail ought to have been produced) and (3) that the e-mail was central to the dispute.  The Court also held that the chambers judge erred in excluding a single e-mail because of its relevance to the dispute.

Solara Technologies Inc. v. Beard, 2007 BCCA 402.

Medical information management for employers

I gained a penchant for diagrams during my foray into the business world that I make no apologies for!

I’d like to build this post around the diagram below, which illustrates a very common model by which employers manage medical information – i.e., one in which the employer seeks information from an employee’s treating physician through its own medical adviser. 

[Diagram: meds2.jpg]

The point I’d like to make is that role definition is key to effective medical information management.  When there is confusion about the players’ roles and responsibilities (especially vis-a-vis confidential medical information) the management process tends to break down.

Relationship “A” is the employment relationship.  In most cases employers cannot obtain employee medical information without express written consent, but employees have a duty to consent to the release of medical information when it is reasonably necessary to the administration of the employment relationship.  Employers typically need medical information for four purposes:  (1) to determine the validity of an absence, (2) to determine eligibility for an income protection benefit, (3) to develop accommodation plans and proposals and (4) to ensure that employees can safely return to work.

In Ontario, section 49 of the Personal Health Information Protection Act requires employers to use and disclose medical information for only those purposes specified in the written medical release (ordinarily, the four noted above) and, essentially, share information internally on a need to know basis.

Relationship “B” is the treatment relationship.  An employee’s treating physician has a professional and legal duty to act in the employee’s best interests.  This does not mean that a physician must let a patient dictate his or her opinion.  To the contrary, abdicating professional judgment in this manner is a breach of a physician’s duty.  In this regard, the Ontario Medical Association has helped physicians reconcile employee and employer interests by advising them of the health-related benefits of a safe and early return to work.

Treating physicians also have a professional and legal duty to maintain patient confidentiality.  They are subject to the full range of “health information custodian” rules in PHIPA, and may only release medical information to employers based on written consent.

Relationship “C” is either an employment or contractual relationship.  Employers often retain the services of medical professionals to act on their behalf.  These professionals typically (1) take custody of medical information received pursuant to a release and share it with management as permitted by the medical release and on a need to know basis, (2) evaluate and make objective recommendations to the employer about the sufficiency of information provided and (where it is sufficient) about eligibility for paid or unpaid leave, accommodation plans and return-to-work and (3) act as the employer’s liaison (and advocate) with the treating physician.

The medical adviser does not have independent legal or professional duties to the employee.  He or she acts as the employer and shares the employer’s section 49 duty.  Does he or she nonetheless play an important role in medical confidentiality?  Yes.  The medical adviser role helps create a confidentiality screen.  By taking immediate custody of the medical information on behalf of the employer, he or she is the means by which the “need to know” rule is given effect.  This is a difficult role, and sometimes out of a sense that he or she has an independent duty of confidentiality to the employee, the medical adviser takes a position at odds with the employer.  This type of conflict can generally be avoided by establishing reasonable and PHIPA-compliant policy to guide the internal distribution of medical information received pursuant to a medical release.

The advisory model described above is common, but there are other models by which employers seek and obtain medical information they need to make employment-related decisions.  In the Ontario Bar Association’s latest Eye on Privacy, I wrote an article called “Understanding Church and State – The Occupational Health and Safety Department and PHIPA,” in which I elaborated on Relationship “C” and briefly discussed how the legal duties change when an employer actually provides health care to its employees.  I missed an opportunity to draw diagrams in that article, but if you’re interested in this topic you may nonetheless find it helpful.

E-mail surveillance and constructive knowledge (Part 2)

In my post yesterday I suggested that employers in some circumstances may be presumed to have constructive knowledge of employee e-mails and that this may justify routine e-mail monitoring.

Let’s push the idea of constructive knowledge a little further.

Consider the Virginia Tech shooting. Let’s say Cho Seung-Hui, the troubled 23-year-old shooter, had an accomplice and let’s say Cho and the accomplice planned the shooting by way of e-mail exchange. Could the University be liable for failing to take reasonable steps in response to the e-mail exchange? In other words, would it have breached a duty (either a civil duty or perhaps one based in occupational health and safety legislation) to monitor its e-mail system to identify threatening e-mails and respond appropriately?

I’ve been thinking lots about the privacy-related implications of Virginia Tech and wrote about it with my colleague Catherine Peters several months ago. As universities and colleges across North America are thinking through their security-related policy, I wouldn’t be surprised if routine, software-aided e-mail surveillance is under consideration at one or more institutions.

Could it be justified on the basis of a competing legal duty? The most directly-applicable case law is American, and tends to suggest the answer is “no.”

In Shin v. MIT the Commonwealth of Massachusetts Superior Court allowed a wrongful death action to proceed against a suicidal student’s residence don and MIT’s dean of student affairs – finding they did have a duty to take reasonable steps to secure the student’s short term safety. The case caught the attention of colleges and universities who would argue (as MIT did) that the relationship between a student and a post-secondary educational institution is not close enough to warrant a duty to protect students from harming themselves and others. The duty endorsed by the court is seemingly triggered by the formation of a quasi-custodial relationship marked, in its words, by the “imminent probability of harm.” On this reasoning, at some point after a student is designated “at risk” (voluntarily or otherwise) a school’s duty crystallizes. At the same time, the student’s right to privacy becomes diminished.

As for the duty to protect the campus community at large (where the risk is generalized rather than specific), the duty is more likely to conflict with privacy rights. This is well-illustrated by another Commonwealth of Massachusetts Superior Court decision – Bash v. Clark University from last November. The student who attended at Clark and died from a heroin overdose at the end of her freshman year was far from trouble-free. In her one year at the university she had been noted a number of times for alcohol related misconduct, placed on academic probation, referred to counseling and questioned about drug use (where she admitted trying heroin). The Court held the University and its administrators did not owe the student a duty of care. It made the point that the standard for the imposition of a duty is high because of competing “social values,” including privacy values:

Third, recognition of the existence of a legal duty on the part of university officials and staff in this case would conflict with the expanded right of privacy that society has come to regard as the norm in connection with the activities of college students. The incursion upon a student’s privacy and freedom that would be necessary to enable a university to monitor students during virtually every moment of their day and night to guard against the risks of harm from the voluntary ingestion of drugs is unacceptable and would not be tolerated.

So short of some threshold – which is high according to this Court’s reasoning – a school’s duty is limited and student privacy rights remain undiminished. This certainly weighs against a duty and corresponding right to conduct routine e-mail surveillance as a means of managing the risk of catastrophic on-campus violence. It also supports an argument that a university or college will not likely be held to have constructive knowledge of e-mails sent over its system in the same manner as would other organizations.

While this reasoning may not give university and college administrators comfort when contemplating the Cho Seung-Hui scenario presented above, they can and should take other steps to assess and monitor potential threats (including reasonable grounds e-mail searches). If they are confident that these means will not be effective, depending on local laws, routine e-mail monitoring may still be an option. My only point, and I hope it’s a useful one, is that privacy rights must fit with (and be limited by) competing legal duties.

E-mail surveillance and constructive knowledge (Part 1)

Just when is an organization’s e-mail system a record of its conscience?  And if it is, does this justify routine e-mail surveillance?

People haven’t been talking about e-mail surveillance in the workplace for some time now.  Even video surveillance is a little passe, with far sexier monitoring technologies like GPS, biometrics, keystroke monitoring and RFID implants taking centre-stage.

The reality is that there’s never been a business case for routine monitoring of employee e-mails.  Who’s got the time to read through employee e-mails?  With broad “no expectation of privacy” statements in almost every employer’s computer use policy backed by a practical restraint on doing anything more than reasonable grounds searches, the law on e-mail monitoring has seemed in balance for the last half-decade.

Is this about to change?  Here is some evidence that the answer is “yes.”  First, we heard about the aggressiveness of the United States domestic security program since 9/11.  Professor Daniel Solove’s recent article does a fine job of describing its “Total Information Awareness” project, a data-mining initiative.  Then back in April, a Fortune 500 retailer came under some heat when a fired security worker exposed the extent of the company’s surveillance activity, which apparently includes (or included) software-supported monitoring of its computer systems.  My last piece of evidence is anecdotal.  A forensic accountant friend of mine suggested to me a few weeks back that data-mining software is in use in at least some organizations as part of their corporate governance initiatives.

Assuming that routine e-mail monitoring is coming into its time, when is it likely to be justified?

To start, Canadian labour arbitrators (the only Canadian decision-makers who have regularly had the opportunity to address the validity of e-mail surveillance) have taken a different approach to computer systems surveillance than other forms of surveillance.  Rather than balance business interests against employee privacy rights, they’ve arguably applied a more employer-friendly approach that has centred on the property rights of a system owner:  “It’s your property so you can assert absolute control over users’ expectation of privacy.”  This approach may seem offensive to privacy advocates, but it’s consistent with the balancing approach when one considers competing legal duties and whether the employer will be deemed (in an assessment of whether it has discharged such duties) to have constructive knowledge of the transitory and non-business communications made through its system.

Take the duty to provide a harassment-free workplace for example.  Starting with the Supreme Court of Canada’s Robichaud case, courts and tribunals have placed a very high standard of due diligence on employers to root out and stop workplace harassment.  The premise is that employees are vulnerable and only the employer (who controls the workplace) has the ability to protect.  Although the standard is not one of strict liability, any employer that receives a harassment complaint, searches for responsive e-mails and only then discovers a harmful and longstanding dialogue should be very concerned.  Is it any coincidence that some of the hardest-fought e-discovery cases in the United States – including the Zubulake case – are harassment cases?

As offensive as routine e-mail monitoring seems, I wouldn’t rule it out.  Your average corporate counsel today will squirm if you ask her what she thinks is being sent over her company’s computer system.  At least under Canadian harassment law, the corporate computer system is treated as a record of the corporate conscience.  Constructive knowledge is presumed and, in my view, very difficult to rebut.  The ideal e-mail system would file all business e-mails into a logical structure and immediately obliterate everything else, but the greatest document management system in the world won’t achieve this ideal.  Does this make routine monitoring a justifiable alternative?

I plan on following this post with another on college and university computer systems, constructive knowledge and the duty of care to prevent incidents of catastrophic violence like what happened at Virginia Tech.  I feel very cool about the use of routine surveillance in this context.  Please come back to hear why.

Finding my own voice

Hello?  Is anyone there?

I’m Dan Michaluk, and this is my blog.  In the last few years I’ve spent a lot of time on the internet reading other people’s blogs.  The medium is amazing and I’ve learned lots from others’ generosity in sharing their information and knowledge.  Now that I’m writing this, part of me’s wondering what I’ve been waiting for.

I am a lawyer at a firm in Toronto, Canada called Hicks Morley.  We’re the biggest management-side labour and employment law boutique in Canada, but my practice is a little anomalous for the firm because I specialize in information and privacy, which I like to define broadly as including (fascinating) subjects such as the law of confidential business information, the law of production (including e-discovery) and records management.   We also have a very strong client base in the secondary and post-secondary education sectors, and I’ve been lucky to do a significant amount of rewarding work with education sector clients.  My official bio is here, and for more about me please check out my about page.

I got inspired to do this when I had a thought about routine e-mail surveillance but didn’t know where to publish it.  We have a client newsletter called the Hicks Information and Privacy Post.  I edit it with my good colleague Paul Broad, but it’s a quarterly and essentially a case law update.  I really enjoy it (and please e-mail me if you’d like to subscribe) but it’s written in my “Hicks voice.”  My thought about e-mail surveillance was the kind of thought you write in an e-mail to a colleague just so you have it down – also the kind of thought you could work into a paper by spending a lot of time on it (but that will never have significantly more value than when it was simply a thought).  So I decided I needed to start this blog.

My plan is to make at least a couple of posts a week.  I like to scan and read a lot of information and privacy case law, so I’ll post summaries here regularly.  I’ll also try my best to post an original thought once in a while.

If it all works out as planned I’ll learn lots while making some friends and business contacts.  I hope you come back often and enjoy.