Case Report – Surdykowski speaks on medical forms for STD admin

On October 5th of last year, Ontario Arbitrator Surdykowsky made some broad statements in upholding a grievance which challenged a standard medical information form administered for the purpose of adjudicating short term disability benefits.

The form was administered by the employer’s third-party adjudicator in all applications for STD benefits. It included a consent to collect information from any “party” involved in treatment and requested, among other information, primary and secondary diagnoses, medical history, information on tests and investigations performed and specific information on program of treatment.

Mr. Surdykowsky held that the standard for eligibility in the employer’s STD plans (there were two different ones at issue) did not justify collection of this information for the purpose of adjudication. One plan, for example, simply specified that employees must submit a satisfactory medical certificate showing an inability to perform regular job duties. Mr. Surdykowsky held that the employer was limited to asking for a certificate focused directly on the eligibility requirement unless there was an objectively reasonable basis for doubting the accuracy or truth of the health care provider’s certification.

Mr. Sudykowsky also engaged in a very principled analysis of an employer’s right to medical information. He held that employee privacy rights cannot be outweighed by expediency or efficiency, so even though the collection of further and more detailed medical information may be justified as an absence becomes prolonged and attendance management and accommodation processes become engaged, such information should not be routinely collected at the beginning of an absence on a form that is administered strictly for the purpose of determining benefit eligibility. And while recognizing that broader requests for medical information up front may actually reduce conflict given that health professionals are not “always entirely objective,” Mr. Surdykowski held that employee privacy rights weigh against a departure from a strict necessity requirement.

As part of his broad analysis, Mr. Surdykowski also endorsed the following general principles (in my words):

A union can bargain the scope of a medical information request form on behalf of its members. An individual may chose not to consent but may be denied benefits. An employer does not act coercively by informing an employee of the potential negative repercussions of failing to consent to disclosure of all information on the form.
When collecting information for the purpose of adjudicating short term disability benefits or approving a short term medical leave, employers are normally restricted to collecting a certification of disability, the general nature of the illness or injury (which is different from diagnostic information), that the employee has and is following a treatment plan (but not the plan itself), the expected return to work date, and what work the employee can or cannot do.
Medical consents should generally authorize disclosure from a specific health care provider. They should not authorize contact between the employer or its agent and the health care provider in a manner that cuts the employee out of the “medical information loop” and, more generally, should not authorize the disclosure of information generated course of future care.

While this is a decision based on specific and relatively restrictive collective agreement language, Mr. Surdykowski’s fully-reasoned decision (which is based on 20 days of hearing) may be authoritative and conflicts with fairly standard employer practices. Unionized employers should consider it and reflect upon their short term disability or sick leave administration practices, their medical consent forms and their collective agreement and benefit plan language.

Importantly, the Surdykowski award is only about the information an employer may request for the purpose of adjudicating short term disability benefits. Although he comments peripherally on employers’ need for information in the accommodation process, to the extent an employer has a need for more fulsome information to provide accommodation or to develop a plan for safely returning an employee to work, it may be justified in seeking further and more detailed medical information. Based on the reasoning in the Surdykowski award, such requests should be tailored as much as possible to meet the need in any given case.

Re Hamilton Health Sciences and Ontario Nurses Association, 91 C.L.A.S. 228 (Surdykowski).

Employee privacy, Web 2.0 and other random musings of a management employment lawyer

The judiciary should confine itself to those incremental changes which are necessary to keep the common law in step with the dynamic and evolving fabric of our society.

Iacobucci J. in R. v. Salituro

* * *

I’ve stayed away from Web 2.0 issues on this blog until now. But when a colleague who I wouldn’t have guessed called me the other day and was quite obviously flabbergasted about how powerful the Facebook application is, it confirmed my very non-original opinion that this phenomenon of people posting personal stuff on the internet could change the shape of privacy law.

I was a resister at first, not of the technology, but of the technology as something that was going to change the law as we know it. You see, I’m a former research lawyer and (as you know) like to follow developing case law. Through this affair of the heart I’ve learned that nine out of ten judgements are confined to their facts. The tenth is usually one I can squeeze some meaning out of, formerly in our internal firm newsletters and now in this blog. I know well that incremental change is truly the norm for the common law. So even as a user of Facebook that was fully-aware of the new masses of people taking control of the internet’s content, I was sceptical (or clueless) that Web 2.0 meant much for privacy law.

My non-belief was aided by my practice as a management-side employment lawyer. We get asked to help employers manage employees who post bad things on the internet all the time. Most of the time we rely on contractual rights, hopefully ones that are helped by a nice “blogging” policy so employer interests can be protected without having to rely on an argument that “employees ought to have known.” Like maybe a policy that tells employees that saying an improper thing to 350 Facebook friends can cause just as much harm as saying it to the world and, hence, will be treated as such. Disputes about off-duty conduct and about how far an employer’s right to regulate an employee’s private life goes have been litigated in Canada for years. Not simple by any means, but nothing new.

Then came the harder files. Former employees don’t have employment contracts. They can have a duty to keep information confidential, but in Canadian law the duty is based on the circumstances under which information is communicated and received. Disparagement of a former manager doesn’t fit, and as a result I’ve gained a rather quick interest in the law of defamation. But what if a former employee publishes a true but embarrassing or harmful fact about a former manager? Or a patient or client? Think about an accurate and fair account of bad management. Say it includes a manager’s home phone number stolen from a personnel file. Or maybe a nurse posts information about a patient’s medical condition on a Facebook page. If employee and patient privacy is regulated, the organization may be in for a problem with a privacy regulator (though not likely for disclosure of the bad management story). But does it have a legal means of acting against the rogue former employee to contain the breach? Does the manager or patient for that matter? What the heck is the basis for the claim?

What’s that? “A new common law right of privacy,” you say?

I am happy that I work with many fair and reasonable organizations, but I’m not really in the running for the “new invasion of privacy tort and implied (contractual) privacy rights advocate-of-the-year” award. We’re only inching our way towards court-based recognition of privacy rights in Canada. Though a newly-recognized privacy right would cause some constraint on management, the example above shows that new bases for protecting privacy would at least fit with some management interests. I think most employers would feel compelled to take action to protect a manager whose privacy is under attack by a former employee simply as a matter of good human resources. A novel confidentiality clause in an employment contract may take employers part of the way provided it hits the right level of post-employment restrictiveness, but such a clause would only invite the truly important question: what types of restrictions on expression ought to be imposed or enforced by a court in the name or privacy?

So I’m a believer now. I’ve mentioned before that I recently read Daniel Solove‘s book, The Future of Reputation. It’s a great read, and got me thinking about privacy law and its relationship to freedom of expression, an issue of balance that I don’t get exposed to when working with very technical privacy regulation on a day-in and day-out basis. It also helped me unlock a link between privacy, the law of defamation and even intellectual property that I hadn’t fully understood and that is critical to our developing common law of privacy. Web 2.0 will push the common law along, maybe incrementally, but likely at a pace that reflects a true social phenomenon. We might expect bad decisions and confusing jurisprudence given the pace of change, but we’ll soon enough have a rational governing common law.

But, of course, the significance of Web 2.0 raises other challenging issues.

There’s the increasing significance of the principle of practical obscurity – the one that says information can still be private (or one’s interest in keeping something private can subsist) even if it is exposed to some unauthorized or limited authorized access if it is so buried that the information remains obscure. This has been a part of privacy law for some time, recognized as early as 1989 by the United States Supreme Court in Reporters Committee, but it is a principle that should now have an increasing importance as privacy law develops.

Then there’s the merging of professional and personal reputation and its impact on workplace privacy law. My loving and understanding wife accepts that I “work” all the time and in turn brings her own laptop to our dinner table – which, appropriately enough, is four feet high and more of a casual dinner “bar.” I also have a mainly professional blog but a deep craving to blow the barrier between my personal and professional personas apart by revealing more and more of myself online. If I’m going to be on-duty all the time I’d better do it in my own skin or I’ll be bound for misery and burnout eh?

I assume the way I work is not atypical for a year 2008 knowledge worker in his or her mid-30s, and therfore ask the following: Have we surrendered all privacy to our employers? Or is a new legal framework for employee privacy needed now that the “workplace” is boundless and there is no true “off-duty?” If the boundary between the workplace and the outside world is disintegrating, where should courts now draw the line between what an employer is and is not allowed to know about its employees?

Can you tell I’m excited? Thanks for listening to my story and my ramblings. I’m looking forward to watching this play out and following the developments. If you have any good readings to further feed my interest please let me know. See ya!

Case Report – NSCA says “Crown” must be implicated in search to be liable for costs

On January 18, the Nova Scotia Court of Appeal issued a significant judgement on Crown liability for costs on an application to quash a search warrant.

The Court held that the Crown in Right of Canada ought not to be liable for costs of on an application to quash an “ill-conceived and poorly executed” search warrant obtained and executed by the Canada Revenue Agency. It reached this conclusion because a Crown Attorney was not involved in the impugned investigation but, rather, had simply responded to the application to quash.

The Court also said that it did not matter the CRA is a deemed agent of the Crown under the Canada Revenue Agency Act because the basis for an award of costs is rooted in the special role of the Crown as prosecutor:

The basis of this general rule is not that the prosecutor might be an agent of the Crown and that an investigator might not be. The general rule is not based on the law of agency, but on strong reasons of public policy which I have already described, and which have been set out in the cases on many occasions: see, for example, Foster, supra at ¶ 62-65; and Ciarniello, supra, at ¶ 31-36. Whether by virtue of ss. 4(2) of the CRAA, the investigator here was or was not an agent of the Crown (a point I need not decide) does not change the general legal principle applicable to costs against the Crown in criminal matters.

The underlying facts involved a search based on a flawed Information and in which the CRA had seized records subject to solicitor-client privilege contained on computer and electronic storage devices.

R. v. Taylor, 2008 NSCA 5.

Case Report – BCCA says confidentiality agreement strict

Yesterday, the British Columbia Court of Appeal held that it ought not relieve B.C. Ferries from a confidentiality agreement it had entered into with the Canadian Transportation Investigation and Safety Board as a condition of receiving data from its own hard drive that had been recovered from its sunken vessel and seized by the Board. So it could respond to the Board’s draft investigation report on the sinking, B.C. Ferries agreed to the following confidentiality covenant:

The [data] will be kept in confidence by BC Ferries and is to be used only for the purposes of responding to the draft report subject to the parties’ agreement to permitted uses prior to the release of [the Board’s] final report or order of the court.

B.C. Ferries argued that the Board did not exercise its discretion to grant relief from the confidentiality covenant in good faith. The majority, in a fact-specific judgement written by Mr. Justice Lowry, held that the clause did not grant a discretion subject to an implicit good faith requirement, but rather, was simply an agreement “subject to further agreement.” Mr. Justice Hall adopted the majority’s reasons and added that the public interest in the safety of the traveling public might have otherwise justified an order of relief, but that there was insufficient evidence of such an interest on the record.

British Columbia Ferry Services Inc. v. Canadian Transportation Accident Investigation and Safety Board, 2008 BCCA 40.

Information Roundup – January 27, 2008

Not bad for a dead of winter weekend. A monochrome out and back paddle from the famous R.C. Harris Water Filtration Plant to the not-so-famous Ashbridges Bay Water Filtration Plant on Saturday. On Sunday, a nice brunch with Seanna and Hugo and then another paddle with just me and the long-tail ducks that winter on the lake.

Here are my good reads of the week.

Ronald K. Perkowski, Coping With the EDD Drumbeat. There are lots of articles on controlling the cost of electronic discovery, but I’d call this one “contrarian” and even “radical” in that it shoots hard at consultant, vendor and external counsel practices. By in-house counsel at Haliburton Company. (Law.com)
Stewart Weltman, Lean Litigation Practice. I like the ideas here: avoid the lawyer as firefighter syndrome; analyze the case in advance; develop your best case story; create a roadmap and a budget; and litigate with the goal of winning, not settling. (ABA Section of Litigation)
Jennifer Stoddart, Response to Industry Canada’s PIPEDA Consultation. A letter from the Privacy Commissioner of Canada. Includes an interesting request for a new discretion to decline to hear complaints that are frivolous or (confining her mandate even further) not in the public interest. (Privacy Commissioner of Canada)
David Fraser, US Department of Commerce privacy incident response plan. David links to the Department’s risk assessment matrix for breach notificaiton. I like the concept of having a tool for rapid risk assessment for supporting breach response. You’re sometimes forced to make big dollar decisions on gut without one, and finding an expert to put him or herself on the hook is hard. This is about the most practical model I’ve seen, but I wonder how valid it is. If anyone knows of any other risk assessment models please let me know. (Privacylawyer.ca)

I’ve been listening to the Great Lake Swimmers all weekend too. Just a great indie-folk band from Toronto. You can listen here. See ya!

British Columbia MOE agrees to reform its FOI practices

On January 22, the British Columbia OIPC released an investigation report dealing with a complaint brought by eight environmental organizations which alleged three ministries were suffering from systemic flaws in their processing of FOI requests. Commissioner Loukidelis held that further analysis would be required to make a firm finding, but that there was some basis for an allegation of a “systemic problem” at the MOE. This was enough to make the MOE agree to a remedial plan with six core tasks.

Investigation Report FO8-01, [2008] B.C.I.P.D. No. 5 (QL).

Paper on RFID in Health Care Released

The Ontario IPC and Hewlett-Packard have released a joint-paper entitled, “RFID and Privacy – Guidance for Health-Care Providers.” The report discusses the privacy issues associated with RFID health care applications as grouped into three types:

those involving tagging things
those involving tagging things linked to people and
those involving tagging people.

It identifies the latter two types as being privacy sensitive, with tagging “things linked to people” being more sensitive if the the link is strong, as is the case with tags affixed to individually-prescribed vials of medicine. As with most IPC reports of this type, the authors have generally guarded against making potentially binding statements on specific issues. While the authors note many new applications and comment generally on their potential benefit, the report neither endorses nor denounces any specific application. The most strong statement in the report was made about an application totally unrelated to health care. On the use of contactless identification cards for employee identification purposes, the authors said:

RFID-embedded (“contactless”) Identification cards are a special category of health care RFID use. Here we must distinguish between employee identification (and access) cards (whether “smart” or not), and patient identification cards. Employee Identification cards are increasingly being equipped with RFID technologies in order to identify and authenticate the bearer and facilitate access to physical spaces and other (e.g. computer) resources, as well as for process control and audit purposes. Dual or multi-purpose employee identity cards can serve differing functions at different times, according to context. Such a multi-purpose card and the data it contains, if not properly controlled, invites over-identification for some functions, function creep, and unwanted employee profiling.

While making this strong statement on employee identification, the report said that an RFID patient identification program may be acceptable where it…

…responds to a defined problem or issue in a limited, proportional and effective manner, and is deployed in a way that minimizes privacy and security risks, at least as effectively as any alternative solution.

I sense the two pull quotes above were the subject of considerable discussion. And while employers in Ontario should take heed of the report’s warning, the IPC has a very limited jurisdiction to enforce employee privacy rights in Ontario, even on behalf of employees who work at hospitals.

Sedona Canada Principles launched

The Sedona Canada Principles were launched yesterday and are available on LexUM’s E-Discovery Canada portal (now RSS enabled!). The Principles should play an important role in advancing e-discovery practice in Canada.

Case Report – Ireland Supreme Court on creating records and proportionality

On December 5th, a 2-1 majority of the Supreme Court of Ireland held that it was not improper to order a defendant to create and produce a special report from a database. However, a separately constituted majority held that, in the circumstances, the costs of such an order would be disproportionate to its benefit until and unless the plaintiff proved the defendant was liable.

The impugned order was made in the context of a competition law dispute. The plaintiff was a domestic seller of calling cards who claimed that the defendant network owner engaged in a discriminatory pricing practice that favoured foreign providers. It requested production of records of specific calls from one or more archived database files in order to prove liability and damages.

The parties argued the merits of the production request in light of another set of records that was also ordered to be produced. When it became apparent that the disclosure of the other set of records would not provide evidence the plaintiff felt it needed to meet its burden of proof, it pressed for production of the call records. The defendant only then strongly raised its proportionality concerns and made a factual admission which it claimed would render production unnecessary. It also claimed that the impugned order would require it to compile, analyze and present information in a form in which it never existed.

The defendant ultimately prevailed at the Supreme Court based on its proportionality argument. Fennelly J. and Kearns J.’s reasoning arguably turned on the plaintiff’s factual admission, which they held made production unnecessary to proof of liability and disproportionate in light of the cost of production (claimed to require the purchase of hardware costing approximately of €150,000 and significant other cost outlays to be made over a six month period). Both recognized the potential necessity of production to proof of damages, and held that the plaintiff may file a fresh application for discovery should it first prove liability. In reaching his finding Fennelly J. said:

I have come to the conclusion that the very unusual burden and heavy cost of the discovery in this case requires the Court to have a clear view of the litigious benefit to the plaintiff from obtaining the extremely detailed breakdown of information which is the only remaining issue.

Geoghegan J., dissenting on the proportionality issue, took the opposite view on the burden of proof, making comments that favoured a strict burden of proving disproportionate costs once evidence is shown to be relevant and necessary. He noted that the defendant had raised cost as a barrier to production well into the dispute and then had argued cost in its submissions without adducing supportive evidence. He said:

My overall impression is that essentially, the appellant was trying unsuccessfully to frighten the court by the mention of what superficially at least would be large figures but figures unsupported by solid evidence.

While the bifurcation of production in response to cost is novel and the dispute on burden of proof significant, the Court’s treatment of the “creating records” issue was dealt with on a more broadly-reasoned basis. Fennelly J. endorsed Geoghegan J.’s reasoning, and Kearns J. did not make comment. Geoghegan J. reasoned that the form in which data is stored is not relevant to the form in which its produced. He said:

It is common knowledge that a vast amount of stored information in the business world which formerly would have been in a documentary form in the traditional sense is now computerised. As a matter of fairness and common sense the courts must adapt themselves to this situation and fashion appropriate analogous orders of discovery. In order to achieve a reasonable parity with traditional documentary discovery it may well be necessary to direct a party “to create documents” within the meaning of the notice of appeal. It may indeed also be necessary to direct a party “to create documents” within the meaning of the notice of appeal even if such “documents” “do not exist at the time the order is made”. I am deliberately using quotation marks because I do not intend to adjudicate on the quasi-metaphysical argument of Mr. Paul Anthony McDermott, counsel for the respondent, that the “documents” do in fact “exist”. At any rate that matter can probably be argued both ways but I would be firmly of opinion that an order of discovery can be made which involves the creation of documents which do not exist, made in the kind of context in which it is sought in this case. Otherwise, potential litigants could operate their business computers in such a way that they would be able to evade any worthwhile discovery. In expressing the above views, I accept that superficially I am perhaps going a step further than the English authorities have done in so far as their rule of court can apparently be interpreted to cover computer discovery. I have no hesitation, however, in making that extension.

Dome Telecom v. Eircom, [2007] IESC 59.

Information Roundup – January 20, 2008

No paddling this weekend. You’d be surprised how warm today’s wetsuits are. They can take you to minus ten centigrade comfortably, but in fresh water you get a lot of ice-up below minus five and if its windy getting in and out of the water can be pretty unpleasant. To rub my landlocked status in, I got surf reports (with pictures) from my friends Alex in Nova Scotia, Jean-Luc in Santa Barbara and Jan in Raglan, New Zealand. Can you tell that I get cranky when I don’t get in the water?!

Anyway, I came back to the law on the basis that pursuits of the legal kind can be as good a means of finding enlightenment as the aquatic. On that note, here’s what I read of interest this week.

Randy Cohen (The Ethicist), Anonymity Breach. An ethical (and legal dilemma) on investigating the identity of a student who writes discriminatory teaching evaluation under a promise of confidentiality. (New York Times)
Ellen Nakashima, In Child Porn Case, A Digital Dilemma. Covers an appeal that addresses whether a decryption order in furtherance of a child pornography investigation would violate the right against self-incrimination. (Washington Post)
Pete Yost, White House Missing CIA, Iraq E-Mails. The Washington Post has had the leading coverage on the allegations that the White House has failed to comply with the Presidential Records Act, now scheduled for a February 15th hearing by the Committee on Government Oversight and Reform. (Washington Post)
Ellen Perlman, Delete at Your Own Risk. Food for thought for freedom of information coordinators and government records managers. I agree with the basic premise, but disagree to the extent the article suggests that retention beyond statutorily-mandated retention periods is necessarily a good risk-management practice. (Governing.com)