Why the name change?

I imagine I’ve broken a cardinal rule of blog branding, but I thought I’d change the name before I do this for too much longer.  I wanted to replace “Michaluk’s Information & Privacy Pages” with “All About Information” to reflect the blog’s breadth. 

Privacy is a rapidly-developing area of substantive law, but it is not all that’s driving my interest.  Lateral employee movement is putting pressure on organizations as they attempt to protect their confidential business information.  And if the experience in the United States is a valid basis for prediction, electronic records management (or non-management, as it may be) is going to cause some extremely interesting developments in the law of production and access to information law in the next while.

So there it is.  Part privacy, and part more.  I hope you’ll enjoy!

Case Report – Bendel says no power to exclude surveillance evidence

Arbitrator Michael Bendel has recently taken a very strong stance favouring the admission of evidence collected by way of surreptitious video surveillance.  His position is encapsulated in the following statement, made in Re Greater Toronto Airports Authority and P.S.A.C, 2007 CanLII 21:

It follows that the discussions in many of the arbitral awards, on the existence of a right to privacy (or an expectation of privacy) in various jurisdictions, on the parameters of such an interest, on the actionability of invasions of privacy, and on the reasonableness of resorting to videotape surveillance of an employee suspected of sick leave abuse, are quite beside the point. Interesting though these debates may be, I express no views on them. They proceed on the wholly mistaken assumption that there exists a discretion to exclude evidence that is tainted by an invasion of privacy. In the absence of any such discretion, either at common law or by virtue of provisions such as section 16(c), I am unable to detect any point in these discussions about the existence of a right to privacy.

Mr. Bendel endorsed these comments again in Re General Electric Canada and C.E.P., Local 544, 2007 CanLII 408.

Case Report – Ministry’s e-mail search survives scrutiny

On June 28th the Information and Privacy Commissioner/Ontario upheld a fee estimate that involved an extensive process of retrieving e-mails.  The Ministry had nine individual custodians conduct electronic keyword searches of their own workstations using a number of specified terms.  The custodians spent time opening e-mails and other documents to determine whether they were responsive.  The Ministry also searched shared directories (presumably using the same terms). 

The IPC held the Ministry’s field filtering process was reasonably efficient and that the Ministry had established the basis for its estimate.  Note that only the efficiency of the search (and not its quality) was under appeal.

Order PO-2592 (Ontario Secretariat for Aboriginal Affairs) (I.P.C. Ont.).

Case Report – B.C. Commissioner speaks on public sector “necessary collection” standard

On June 26th, the Information and Privacy Commissioner of British Columbia held that a school board met the “necessary collection” standard in the British Columbia Freedom of Information and Protection of Privacy Act in its use of an online assessment tool for teacher recruiting.  He also held that the Board had complied with the FIPPA security standard and the Act’s requirement for storing and accessing personal information outside of Canada (as the assessment was administered by a third-party with databases located in Nebraska). 

The “necessity” ruling is broad in its analysis.  The Commissioner held that the meaning of necessity depends on the context:

At the same time, I am not prepared to accept, as the Complainants contend, that in all cases personal information should be found to be “necessary” only where it would be impossible to operate a program or carry on an activity without the personal information.  There may be cases where personal information is “necessary” even where it is not indispensable in this sense.  The assessment of whether personal information is “necessary” will be conducted in a searching and rigorous way.  In assessing whether personal information is “necessary”, one considers the sensitivity of the personal information, the particular purpose for the collection and the amount of personal information collected, assessed in light of the purpose for collection.  In addition to FIPPA’s privacy protection objective is also relevant in assessing necessity noting that this statutory objective is consistent with the internationally recognized principle of limited collection.

On this standard, he held the Board’s collection of personal information was necessary.  Although the Board had successfully recruited teachers for years before implementing the new assessment process, he accepted evidence that the new process was efficacious in identifying the best teachers and allowed the Board to more rapidly screen a large number of candidates.

The USA Patriot Act part of Commissioner Loukidelis’s award is more fact-specific, but also demonstrates a pragmatic approach.  Although he held that the Board was compliant, the Commissioner did recommend that the service provider take steps to replace identifying information with unique numerical identifiers for the purposes of permanently storing data. 

Note that the collection standard in the British Columbia Act is essentially the same as is included in Ontario’s public sector privacy legislation.  The Ontario standard was recently considered by the Ontario Court of Appeal for the first time in the Cash Converters Canada Inc. v. Oshawa (City) decision, released on July 4th.  The Court adopted the standard endorsed by the Ontario Commissioner, which is arguably more rigid and restrictive than the one described above.

Order F07-10 (B.C.I.P.C.).

Case Report – Appeal court considers jurisdiction to exclude fruits of non-disclosure

On July 31st the British Columbia Court of Appeal held that a plaintiff who was granted an Anton Piller order based on a material non-disclosure should not be prohibited from using an e-mail obtained in the search.

The plaintiff (who was unrepresented) obtained an ex parte order requiring the defendant to disgorge computer hardware and electronic and physical records related to his claim.  At the same time, he was denied an Anton Piller order and granted leave to re-apply if he served a notice of application on the plaintiff the same day.  The plaintiff executed the disgorgement order but did not serve the notice.  When the defendant did not comply, the plaintiff applied for an Anton Piller order before a different judge and did not disclose the service condition imposed by the first judge.  He also drafted and entered an order broader than disclosed in the transcript of the proceeding (in that it allowed for both seizure and copying and not just seizure).

Although the Court acknowledged the high standard on a party seeking an Anton Piller and noted that the plaintiff deliberately mis-drafted the order, it held that enjoining use of the e-mail would do too great an injustice to the plaintiff.  In balancing interests, it relied on (1) the fact that the motion to discharge the search order that was under appeal was brought over a year after the search, (2) that the defendant did not have clean hands in that the search was ordered after his failure to comply with the disgorgement order (in which the e-mail ought to have been produced) and (3) that the e-mail was central to the dispute.  The Court also held that the chambers judge erred in excluding a single e-mail because of its relevance to the dispute.

Solara Technologies Inc. v. Beard, 2007 BCCA 402.

Medical information management for employers

I gained a penchant for diagrams during my foray into the business world that I make no apologies for!

I’d like to build this post around the diagram below, which illustrates a very common model by which employers manage medical information – i.e., one in which the employer seeks information from an employee’s treating physician through its own medical adviser. 

[Diagram: meds2.jpg]

The point I’d like to make is that role definition is key to effective medical information management.  When there is confusion about the players’ roles and responsibilities (especially vis-a-vis confidential medical information) the management process tends to break down.

Relationship “A” is the employment relationship.  In most cases employers cannot obtain employee medical information without express written consent, but employees have a duty to consent to the release of medical information when it is reasonably necessary to the administration of the employment relationship.  Employers typically need medical information for four purposes:  (1) to determine the validity of an absence, (2) to determine eligibility for an income protection benefit, (3) to develop accommodation plans and proposals and (4) to ensure that employees can safely return to work.

In Ontario, section 49 of the Personal Health Information Protection Act requires employers to use and disclose medical information for only those purposes specified in the written medical release (ordinarily, the four noted above) and, essentially, share information internally on a need to know basis.

Relationship “B” is the treatment relationship.  An employee’s treating physician has a professional and legal duty to act in the employee’s best interests.  This does not mean that a physician must let a patient dictate his or her opinion.  To the contrary, abdicating professional judgment in this manner is a breach of a physician’s duty.  In this regard, the Ontario Medical Association has helped physicians reconcile employee and employer interests by advising them of the health-related benefits of a safe and early return to work.

Treating physicians also have a professional and legal duty to maintain patient confidentiality.  They are subject to the full range of “health information custodian” rules in PHIPA, and may only release medical information to employers based on written consent.

Relationship “C” is either an employment or contractual relationship.  Employers often retain the services of medical professionals to act on their behalf.  These professionals typically (1) take custody of medical information received pursuant to a release and share it with management as permitted by the medical release and on a need to know basis, (2) evaluate and make objective recommendations to the employer about the sufficiency of information provided and (where it is sufficient) about eligibility for paid or unpaid leave, accommodation plans and return-to-work and (3) act as the employer’s liaison (and advocate) with the treating physician.

The medical adviser does not have independent legal or professional duties to the employee.  He or she acts as the employer and shares the employer’s section 49 duty.  Does he or she nonetheless play an important role in medical confidentiality?  Yes.  The medical adviser role helps create a confidentiality screen.  By taking immediate custody of the medical information on behalf of the employer, he or she is the means by which the “need to know” rule is given effect.  This is a difficult role, and sometimes out of a sense that he or she has an independent duty of confidentiality to the employee, the medical adviser takes a position at odds with the employer.  This type of conflict can generally be avoided by establishing reasonable and PHIPA-compliant policy to guide the internal distribution of medical information received pursuant to a medical release.

The advisory model described above is common, but there are other models by which employers seek and obtain medical information they need to make employment-related decisions.  In the Ontario Bar Association’s latest Eye on Privacy, I wrote an article called “Understanding Church and State – The Occupational Health and Safety Department and PHIPA,” in which I elaborated on Relationship “C” and briefly discussed how the legal duties change when an employer actually provides health care to its employees.  I missed an opportunity to draw diagrams in that article, but if you’re interested in this topic you may nonetheless find it helpful.

E-mail surveillance and constructive knowledge (Part 2)

In my post yesterday I suggested that employers in some circumstances may be presumed to have constructive knowledge of employee e-mails and that this may justify routine e-mail monitoring.

Let’s push the idea of constructive knowledge a little further.

Consider the Virginia Tech shooting. Let’s say Cho Seung-Hui, the troubled 23-year-old shooter, had an accomplice and let’s say Cho and the accomplice planned the shooting by way of e-mail exchange. Could the University be liable for failing to take reasonable steps in response to the e-mail exchange? In other words, would it have breached a duty (either a civil duty or perhaps one based in occupational health and safety legislation) to monitor its e-mail system to identify threatening e-mails and respond appropriately?

I’ve been thinking lots about the privacy-related implications of Virginia Tech and wrote about it with my colleague Catherine Peters several months ago. As universities and colleges across North America are thinking through their security-related policy, I wouldn’t be surprised if routine, software-aided e-mail surveillance is under consideration at one or more institutions.

Could it be justified on the basis of a competing legal duty? The most directly-applicable case law is American, and tends to suggest the answer is “no.”

In Shin v. MIT the Commonwealth of Massachusetts Superior Court allowed a wrongful death action to proceed against a suicidal student’s residence don and MIT’s dean of student affairs – finding they did have a duty to take reasonable steps to secure the student’s short term safety. The case caught the attention of colleges and universities who would argue (as MIT did) that the relationship between a student and a post-secondary educational institution is not close enough to warrant a duty to protect students from harming themselves and others. The duty endorsed by the court is seemingly triggered by the formation of a quasi-custodial relationship marked, in its words, by the “imminent probability of harm.” On this reasoning, at some point after a student is designated “at risk” (voluntarily or otherwise) a school’s duty crystallizes. At the same time, the student’s right to privacy becomes diminished.

As for the duty to protect the campus community at large (where the risk is generalized rather than specific), the duty is more likely to conflict with privacy rights. This is well-illustrated by another Commonwealth of Massachusetts Superior Court decision – Bash v. Clark University from last November. The student who attended at Clark and died from a heroin overdose at the end of her freshman year was far from trouble-free. In her one year at the university she had been noted a number of times for alcohol-related misconduct, placed on academic probation, referred to counseling and questioned about drug use (where she admitted trying heroin). The Court held the University and its administrators did not owe the student a duty of care. It made the point that the standard for the imposition of a duty is high because of competing “social values,” including privacy values:

Third, recognition of the existence of a legal duty on the part of university officials and staff in this case would conflict with the expanded right of privacy that society has come to regard as the norm in connection with the activities of college students. The incursion upon a student’s privacy and freedom that would be necessary to enable a university to monitor students during virtually every moment of their day and night to guard against the risks of harm from the voluntary ingestion of drugs is unacceptable and would not be tolerated.

So short of some threshold – which is high according to this Court’s reasoning – a school’s duty is limited and student privacy rights remain undiminished. This certainly weighs against a duty and corresponding right to conduct routine e-mail surveillance as a means of managing the risk of catastrophic on-campus violence. It also supports an argument that a university or college will not likely be held to have constructive knowledge of e-mails sent over its system in the same manner as would other organizations.

While this reasoning may not give university and college administrators comfort when contemplating the Cho Seung-Hui scenario presented above, they can and should take other steps to assess and monitor potential threats (including reasonable grounds e-mail searches). If they are confident that these means will not be effective, depending on local laws, routine e-mail monitoring may still be an option. My only point, and I hope it’s a useful one, is that privacy rights must fit with (and be limited by) competing legal duties.