Ontario IPC makes cease and desist and destruction order

As David Fraser reports, the Information and Privacy Commissioner/Ontario has used her order-making powers under the privacy part of Ontario’s public sector privacy legislation for the first time after receiving a privacy complaint about the collection of personal information relating to the sale of second-hand goods. For the Commissioner’s news release, click here, and for a copy of the order, click here.

Case Report – BCCA says implied undertaking rule does not have a necessary disclosure component

On September 10th, the British Columbia Court of Appeal dismissed an application for leave to appeal in a novel application for contempt based on an alleged breach of the implied undertaking rule.

The plaintiffs alleged that the Insurance Corporation of British Columbia unnecessarily disclosed information obtained through discovery in materials served on third parties in support of a production order. They relied on an ICBC internal policy that recommended (in part) that such information be disclosed in third-party production motion materials only as “absolutely necessary.” The application was dismissed and the Court of Appeal dismissed the application for leave to appeal, holding that the appeal was not prima facie meritorious.

The Court of Appeal quoted the following passage from the application judge’s decision:

It is a matter of judgment to be exercised by counsel what information obtained by parties through the litigation discovery process needs to be disclosed to non parties in furtherance of the litigation in which that information has been obtained.

Any court-imposed constraint on that judgment is antithetical to the underlying rationale of court compelled disclosure, with its necessary intrusion on a litigant’s general right to privacy. That rationale is the need to do justice between the parties.

Implicit in the law and Rules governing disclosure is the proposition that justice between the parties is best assured when disclosure of all relevant evidence from whatever source may be compelled by the court, subject to claims of privilege.

Imposition of constraints on the parties’ use of information obtained through the discovery process in the litigation in which it is obtained, by expanding the scope of the implied undertaking, could inhibit counsel in their investigation of the case and undermine the rationale for court compelled disclosure.

***

The law delineating the scope of the implied undertaking of confidentiality respecting use of information obtained through the litigation discovery process draws a bright line. Use of that information within the litigation is permitted use. Use outside the litigation for an “alien” or “collateral” purpose is not permitted without the consent of the affected party or an order of the court.

That bright line tends to expedite litigation, which is the goal of all recent reforms of civil litigation procedure in various jurisdictions. An obscure line would tend to promote procedural controversy, which is antithetical to that goal. The current bright line sacrifices litigants’ privacy for more procedural certainty. Its ultimate goal is to achieve a just result in the litigation.

The plaintiffs’ applications seek to have the court impose the policy reflected in s. 8.3.2 of the Manual as a constraint on the use of information obtained through the litigation discovery process within the litigation. If the court were to impose that policy by expanding the scope of the implied undertaking of confidentiality to limit use of information obtained through the litigation discovery process within the litigation in which it was obtained, the bright line would become an obscure line. There is no precedent for imposing such a policy. For the reasons stated, I decline to do so.

Jampolsky v. Shattler, 2007 BCCA 439.

Case Report – Another data breach claim dismissed

An American court has dismissed another data breach claim because the plaintiffs did not allege any damage other than the cost of obtaining credit monitoring services.

The plaintiffs provided their personal information to the defendant, a bank, in an online application for services. Their information was hosted by a third party and was subject to a malicious hacking attack in 2005. The Seventh Circuit upheld the bank’s motion to dismiss based on the inadequacy of the plaintiffs’ pleadings. It made the following comment on the recent court decisions that weigh against recovery of credit monitoring costs borne as a result of a data breach:

Although some of these cases involve different types of information losses, all of the cases rely on the same basic premise: Without more than allegations of increased risk of future identity theft, the plaintiffs have not suffered a harm that the law is prepared to remedy.

The outcome and reasoning in this case are similar to those in Kahle v. Litton Loan Servicing LP, discussed here.

Pisciotta v. Old National Bancorp (23 August 2007, 7th Cir.).

Good article on hash values

Ralph Losey is a Florida litigator who publishes a blog called “E-Discovery Team.” He’s published an article called “HASH: The New Bates Stamp.” You can download a copy, originally published in the June 2007 edition of the Journal of Technology Law & Policy, here. Mr. Losey explains what hash values are and how they are used in litigation, and proposes that a file naming protocol featuring truncated hash values should replace the Bates numbering convention. It’s a clearly written, well-thought-out and compelling article. Thank you!

Virginia Tech – Information graphic and a personal thought

I’ve taken a deeper look at Chapter 4 of the report of the Virginia Tech Review Panel and created this graphic, which compartmentalizes the various pieces of information about Cho Seung Hui that were known by groups inside and outside the university. As outlined in text in the state report, the graphic illustrates that the Virginia Tech Police Department, Virginia Tech Residence Life and the various teachers who worked most closely with Cho had potentially relevant information about Cho that was not shared with Virginia Tech’s multidisciplinary Care Team (which had formal responsibility for threat assessment). It also illustrates that Cho’s high school had information that might have been of assistance to Virginia Tech, but was not shared when he registered or in the course of his studies.

Barring any significant developments, this is probably the last I’ll blog about Virginia Tech. Before moving on, however, I do feel compelled to share a personal thought. This is a blog, after all. You see, I’ve been a very responsible lawyer in blogging about this issue and have kept things nice and objective. I’ve purposely chosen not to use the word “tragedy” because I thought it unhelpful and obfuscatory.

Chapter 4, however, got to me. Perhaps it’s because I’m a new father and the Chapter starts with a story about Cho having a heart problem as an infant and his corrective medical procedure leading, at age three, to the start of severe emotional problems. It also touched me that, through the great efforts of his parents and his public school educators, Cho seemed to be managing his difficulties pretty well up until university. Then it all rapidly spiraled downwards to the terrible ending. Though he’s ultimately responsible for an atrocious act, I’m sad for Cho as I’m sad for his parents and his victims.

All of which underlies the essence of this issue. When privacy is balanced against security it rarely seems a fair fight. Privacy is well understood as a fundamental human right, yet security tends to be cast as just another intangible concept, and worse, one associated with institutional or governmental rather than human interests. I don’t believe that it’s always fair to characterize security interests this way. Security can be as much about helping troubled individuals as about preventing harm to others. I’m engaged by the Virginia Tech case because it demonstrates this well. Perhaps tragedy is a helpful word after all.

Case Report – FCA gives effect to statutory privilege in access dispute

On August 27th, the Federal Court of Appeal held that information provided by the Canadian Imperial Bank of Commerce to the Canadian Human Rights Commission as part of an employment equity audit was exempt from public access as “information supplied in confidence.”

The request, made under the Access to Information Act, was for a final employment equity report that primarily contained information provided by the bank to the Commission in the course of an employment equity audit. In arguing against disclosure, the bank relied heavily on section 34(1) of the Employment Equity Act, which creates a statutory privilege for all information obtained by the Commission under the Act. This provision is not listed in Schedule II to the ATIA, which lists nineteen other statutory privilege provisions. Information that is protected by a Schedule II provision is expressly exempt from public access by section 24 of the ATIA.

The Commission decided to disclose the report and the Federal Court dismissed the bank’s application for judicial review. On appeal, the bank argued that the report was not subject to public access because it was not under the Commission’s control, that the report was not subject to public access because the information it contained was privileged and, alternatively, that the record was exempt from public access under a number of specific provisions of the ATIA. The Canadian Bankers Association intervened in the appeal, expressing a broader interest in the confidentiality of bank disclosures to a number of federal regulators under similar statutory privilege provisions.

In the end, the Court dismissed the bank’s broader arguments and held the report was exempt from disclosure based on section 20(1)(b) of the ATIA as information provided in confidence and treated consistently in a confidential manner. It held that the application judge erred on a number of bases in finding this exemption did not apply. Most significantly, it held the application judge erred in finding that the bank had no reasonable expectation of confidentiality because the right of public access in the ATIA expressly applies “notwithstanding any other Act of Parliament” and because the Commission had warned the bank that its information could be subject to public access. Rather, the Court held that the statutory privilege in section 34(1) of the Employment Equity Act provided a reasonable basis for the bank’s belief that the information in question would be held in confidence and held that the bank had also met the other requirements of the section 20(1)(b) exemption.

While the Federal Court of Appeal judgement offers strong support for the application of section 20(1)(b) to records of information provided to federal regulators and protected by a statutory privilege, the Court did note the requirement to bring the record within the scope of the exemption in every case: “A statutory guarantee of confidentiality is not, in and of itself, a sufficient basis for a claim of exemption under paragraph 20(1)(b) of the ATIA.”

Canadian Imperial Bank of Commerce v. Canada (Human Rights Commission), 2007 FCA 272 (CanLII).

Some comments on the Virginia Tech state report

As promised, here are some comments on the privacy-related aspects of the Virginia Tech state report. I’ve split this post into a part on legal issues and a part on policy issues.

Legal Issues – With no golden rule, strong policy should guide

Not all risks can be effectively mitigated by detailed policy, but given the need for decentralized decision-making about the sharing of information and the apparent inaccessibility of privacy legislation to laypersons, the student-at-risk/catastrophic violence challenge is clearly one that should be addressed through the promulgation of good policy.

Here’s a key quote from the report:

The widespread perception is that information privacy laws make it difficult to respond effectively to troubled students. This perception is only partly correct. Privacy laws can block some attempts to share information, but even more often may cause holders of such information to default to the nondisclosure option—even when laws permit the option to disclose. Sometimes this is done out of ignorance of the law, and sometimes intentionally because it serves the purposes of the individual or organization to hide behind the privacy law. A narrow interpretation of the law is the least risky course, notwithstanding the harm that may be done to others if information is not shared.

Following this theme, the report runs through a number of disclosures in the Virginia Tech case that could have been made, were not, but would have been permitted under applicable state and federal privacy laws.

Similar to the situation in Ontario (where I practice), in Virginia there’s no single “golden rule” or simplifying model to help teachers, administrators and student volunteers figure out what information can be shared about a student at risk, with whom and under what circumstances. Rather, there are a number of different rules – disclosure “exceptions” to be slightly more precise. These exceptions apply indirectly to the scenarios that commonly confront individuals in university and college communities.

In Ontario, for example, when teachers learn of disturbing behavior in the course of teaching, the legality of reporting that behavior to a case management team is ordinarily governed by the “need to know” rule or exception – i.e. the report is lawful if “necessary and proper in the discharge of the institution’s functions.” While this language may allow a lawyer to interpret whether a disclosure is permissible based on a set of facts, without specific guidance on what to do when a student demonstrates objectively threatening behavior, how’s a teacher to know whether reporting the behavior is permissible?

Post-secondary educational institutions must have systems in place that encourage the exercise of sound judgement and due diligence. Enabling the reporting of information about certain student behaviors through policy so these systems can function on complete and valid information is critical to their effectiveness.

Policy Issues – Parental disclosures and safe harbour provisions

I’d like to identify two good policy issues raised by the report, one for consideration by schools and another for consideration by government.

Issue 1: Should post-secondary educational institutions pursue a policy of sharing information about adult students at risk with their parents?

Consistent with the United States Department of Education’s philosophy on parental involvement, the state report clearly favours information sharing with parents:

During his formative years, Cho’s parents worked with Fairfax County school officials, counselors, and outside mental health professionals to respond to episodes of unusual behavior. Cho’s parents told the panel that had they been aware of his behavioral problems and the concerns of Virginia Tech police and educators about these problems, they would again have become involved in seeking treatment.

I’m not sure what Canadian post-secondary institutions will want to do with this. Is it reasonable to assume that all parental relationships will be supportive? How will institutions know if there is a benefit to the disclosure? If the decision to share information with parents is discretionary, what factors should inform the exercise of discretion? To what extent should schools rely on a disclosure to parents as a complete discharge of their duty of care (assuming such a duty exists)?

Issue 2: Should governments enact new exemptions to allow for disclosures made in a good faith belief that they are necessary for protecting health and safety?

The state report recommends this type of “safe harbour” exemption as a means of cutting through the confusion about how existing and general privacy exemptions apply to the health and safety problem illustrated by Virginia Tech. It states:

Laws protecting good-faith disclosure for health, safety, and welfare can help combat any bias toward nondisclosure.

The current health and safety exemptions in Ontario’s public sector privacy and health privacy statutes are objective standards that are based on a “serious harm” threshold. Short of this relatively high threshold, disclosures are only permitted under other more general exemptions like the “need to know” exemption noted above (which applies only to internal disclosures) or the similarly-obscure “consistent purpose” or “law enforcement” exemptions. Would acceptance of the safe harbour proposal lead to an appropriate clarification of the law? Is it important that privacy legislation be made accessible to laypeople? Will this type of amendment harm the integrity of the legislation?

***

I’m just scratching the surface with these comments, but hope they provoke some good thought amongst those who are interested in this subject. It’s a sad one, but I like the privacy-related ideas that have been raised following the shootings because they are simple, compelling and important. Look for more posts on campus security and privacy in the future.