Who’s the HIC?

Who is the “health information custodian” when an institution with an educational mandate provides health care? PHIPA gives institutions a choice. Here’s a presentation I gave yesterday in which I argue that the institution (and not its employed practitioners) should assume the role of the HIC. It also includes some simple content on the new PHIPA breach notification amendment.

OPC gives guidance, argues for more enforcement power

It’s hard being the Office of the Privacy Commissioner of Canada. The OPC is responsible for making sure all is right in commercial sector and federal government sector privacy. It has a pretty small operating budget, yet the issues in these sectors are meaty and novel – I dare say harder to deal with than the privacy issues raised in the health and provincial public sectors. More than anything, meeting the OPC mandate is particularly challenging because the mandate is to enforce a principled statute that affords a “right to privacy” that lacks a well-understood meaning.

It is in this context that the OPC issued its 2016-2017 Annual Report to Parliament. The report includes a 24-page “year in review” on PIPEDA that follows the OPC’s public consultation on informed consent and some polling work that shows 90% of Canadians are concerned about their privacy. The OPC concludes that the PIPEDA commercial sector regime is at a crossroads – making some suggestions about new directions, giving some practical guidance and arguing for more enforcement power.

This post is to highlight the most significant new directions and practical guidance and to provide a short comment on the argument for more enforcement power.

The most significant new directions and practical guidance:

  • The OPC will expect organizations to address four elements in obtaining informed consent – what personal information is being collected, who it is being shared with (including an enumeration of third parties), for what purposes is information collected, used or shared (including an explanation of purposes that are not integral to the service) and what is the risk of harm to the individual, if any.
  • The OPC will draft and consult on new guidance that will explicitly describe those instances of collection, use or disclosure of personal information which we believe would be considered inappropriate from the reasonable person standpoint under subsection 5(3) of PIPEDA (no-go zones).
  • The OPC says that “in all but exceptional cases, consent for the collection, use and disclosure of personal information of children under the age of 13, must be obtained from their parents or guardians” and “As for youth aged 13 to 18, their consent can only be considered meaningful if organizations have taken into account their level of maturity in developing their consent processes and adapted them accordingly.”
  • The OPC will encourage industry to develop codes of practice and fund research for the purpose of developing codes of practice to address more particular, sector-specific challenges – presumably a mechanism by which organizations will be able to seek safe harbour.
  • The OPC will make greater use of its power to initiate investigations “where [it sees] specific issues or chronic problems that are not being adequately addressed.”

Then, there’s the OPC’s argument for more enforcement powers. Specifically, the OPC wants Parliament to drop the “reasonable grounds” restriction from its audit power so it can engage in truly proactive audits, it wants the power to levy fines and it wants PIPEDA to feature a private right of action – all of which would invite a departure from the ombudsman model the OPC has operated under since PIPEDA came into force in 2004.

I personally dislike the ombudsman model of enforcement because it doesn’t come with the procedural safeguards associated with more formal enforcement models and can therefore give the ombudsman a frightening degree of “soft” power. This said, the prospect of big fines and lawsuits based on substantive rules that are poorly defined and understood is even more frightening to those in the business of privacy compliance and defence. This is the irony of the OPC report: at the same time the OPC admits that the substance of PIPEDA is, at the very least, “challenged,” it asks to enforce it with a new hammer. Now going through an admittedly bad experience with CASL – legislation that the OPC would argue is much more “ineffective” than PIPEDA (see p. 34) – we can readily foresee the wasted compliance costs that the proposed change to PIPEDA could invite. Even if business is indeed responsible for the great concern about privacy that the OPC’s polling effort reveals, this is nonetheless a valid position for business to take going forward.

Court sends matter back to arbitrator to consider redaction request

On September 13th, the Federal Court of Appeal held that the Public Service Labour Relations and Employment Board was not functus officio and ought to have entertained an employer’s request to redact witness names.

The employer claimed it made an unopposed request to obscure the identities of several non-union witnesses during the Board’s hearing. When the Board issued a decision that included full names, the employer wrote the Board and asked for a correction. The Board disagreed that the employer had made a request during the hearing and held it was functus officio. The employer brought an application for judicial review, compounding the problem by filing an un-redacted copy of the decision on the Court’s public record.

The Court accepted affidavit evidence from the employer and held that it had, in fact, made an unopposed request during the hearing. Alternatively, the Court held that the Board had the power to amend its decision based on section 43 of the Public Service Labour Relations Act. The Court also ordered that its record be treated as confidential and that the applicant file new materials with witness names replaced by initials, stating, “So doing provides little, if any, derogation to the open courts principle as [the witnesses’] identities are not germane to the decisions.”

This is an unfortunate example of (a) rising sensitivities regarding the inclusion of personal information in judicial and administrative decisions and (b) the need to be careful about it. This affair (which shall continue) could have been avoided if the parties had asked the Board to make a formal order during the course of the hearing. The employer also ought to have brought a motion for a sealing order at the outset of its judicial review application, before filing un-redacted materials (a point that the Court made in its decision).

Hat tip to Ian Mackenzie.

Canada (Attorney General) v Philps, 2017 FCA 178 (CanLII).

Court won’t redact or take down its decision

On September 7th, the Court of Appeal for British Columbia dismissed an application to have part of its reasons redacted or to have the reasons withdrawn from the Court’s website.

The applicant believed that part of the reasons – released in 2004 – was harmful to his reputation, a problem he said was facilitated by internet search. The Court dismissed the application because redaction would offend the principle of finality. It held that redaction alone would effectively amount to an amendment of the Court’s (substantive) conclusions. (This is a non-obvious point of principle of some significance.) The Court also relied on the open courts principle, which it affirmed.

MacGougan v. Barraclough, 2017 BCCA 321 (CanLII).

NIST’s recommended password policy evolves

As imperfect a means of authentication as they are, “memorized secrets” like passwords, pass phrases and PINs are common, and indeed are the primary means of authentication for most computer systems. In June, the National Institute of Standards and Technology issued a new publication on digital identity management that, in part, recommends changes to a password policy that has become standard in many organizations – policy requiring passwords with special characters.

Here is what the NIST says:

Memorized secrets SHALL be at least 8 characters in length if chosen by the subscriber. Memorized secrets chosen randomly by the CSP or verifier SHALL be at least 6 characters in length and MAY be entirely numeric. If the CSP or verifier disallows a chosen memorized secret based on its appearance on a blacklist of compromised values, the subscriber SHALL be required to choose a different memorized secret. No other complexity requirements for memorized secrets SHOULD be imposed.

The NIST believes that the complexity derived from special characters is of limited benefit to security, yet creates (well known) usability problems and promotes “counterproductive” user behaviour – writing passwords down or storing them electronically in plain text. It’s better, according to the NIST, to allow for long passwords (that may incorporate spaces) and use other protective measures such as password blacklists, secure hashed password storage and limits on the number of failed authentication attempts.

The NIST publication includes other related guidance, including a recommendation against routine password resetting.
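As an added illustration (my own code, not NIST’s or anything from the publication), here is a Python check that applies the quoted rules: the length floor depends on who chose the secret, a blacklist of compromised values is consulted, and no composition rule is imposed. The old special-character rule sits beside it for contrast, with a simple failed-attempt limiter of the kind the guidance favours. The blacklist entries and the lock-out threshold are constructed sample values; the NFKC normalization step is also NIST guidance but is not quoted on this page.

```python
import unicodedata

# Constructed sample blacklist of compromised/common values (not a real breach list).
BLACKLIST = {"password", "12345678", "qwertyuiop", "letmein123", "p@ssw0rd"}

MIN_SUBSCRIBER_CHOSEN = 8   # "at least 8 characters ... if chosen by the subscriber"
MIN_CSP_CHOSEN = 6          # "at least 6 characters" when generated by the CSP/verifier


def normalize(secret: str) -> str:
    """NFKC-normalize so equivalent Unicode encodings compare equal; without
    this a blacklist lookup on the raw string can miss the same value."""
    return unicodedata.normalize("NFKC", secret)


def check_memorized_secret(secret: str, chosen_by_subscriber: bool = True):
    """Return (accepted, reason) under the quoted 800-63B rules.
    Length is counted in Unicode code points, spaces are allowed, and no
    digit/symbol/case requirement is applied."""
    s = normalize(secret)
    floor = MIN_SUBSCRIBER_CHOSEN if chosen_by_subscriber else MIN_CSP_CHOSEN
    if len(s) < floor:
        return False, f"shorter than {floor} characters"
    if s.casefold() in BLACKLIST:   # case-insensitive match against a lowercase list
        return False, "appears on the compromised-value blacklist"
    return True, "accepted"


def legacy_policy(secret: str) -> bool:
    """The composition rule the post says has become standard: a special
    character is mandatory. Shown only for contrast: it accepts the
    blacklisted 'P@ssw0rd' and rejects a long passphrase."""
    return any(not c.isalnum() and not c.isspace() for c in secret)


class FailedAttemptLimiter:
    """Lock an account after `limit` consecutive failures. 800-63B caps the
    allowance at 100; the default here is a constructed, stricter value."""

    def __init__(self, limit: int = 10):
        self.limit, self.failures = limit, {}

    def record(self, account: str, success: bool) -> bool:
        """Record one attempt; return True if the account is now locked."""
        if success:
            self.failures.pop(account, None)   # a success resets the counter
            return False
        self.failures[account] = self.failures.get(account, 0) + 1
        return self.failures[account] >= self.limit
```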

NIST Special Publication 800-63B – Digital Identity Guidelines (June 2017)

Consent form decision imposes strict transparency requirement for handling employee medical information

Disputes about employer medical information consent forms are now common. It’s not hard to pick apart a form, and employers tend to suffer “cuts and bruises.” In one such case an arbitrator has recently held that an employer must identify “anyone with whom the information would be shared” in a consent form. The arbitrator also held that an employer must subsequently (and seemingly proactively) give notice of who is handling information:

I agree with the employer that it is not practical to obtain a new consent every time a manager or HR Specialist who is absent is temporarily replaced. However, the employer must advise the employee of the employer’s need and intention to share health information with a replacement and identify that individual by name and title. This would enable the employee to revoke the consent if he/she does not wish the health information to be shared with the individual replacing the manager or HR Specialist. If and when it becomes necessary to share health information with HR or legal services in order to seek advice, or to obtain approval from senior management with delegated authority, the employee should be informed of the title or office only of the person with whom information will be shared. The employee’s consent would not be required for the employer to be able to do so.

While there’s no debating an employee’s right of control, the degree of transparency required here is very high and operationally challenging in the least. “Person-based consents” (as opposed to “purpose-based consents”) can also restrict important flows of information in subtle yet problematic ways.

The best argument against person-based consents is one that refers to the public policy that is reflected in the Personal Health Information Protection Act (which does not govern employers acting as employers except via section 49). Even in the health care context – where the standard should be higher, not lower, than in the employment context given the limited range of information processed by employers – consent is deemed to exist for a certain purpose and information can flow to any health care provider for that purpose. This is subject to a “lock box” that gives patients the ability to shield their information from specific individuals, but the lock box essentially functions as an opt out. (For the nuances of how PHIPA’s “circle of care” concept works, see here.) Transparency is satisfied by the publication of a “written public statement” (a policy really) that “provides a general description of the custodian’s information practices.” There’s no reason to require more of employers.

OPSEU and Ontario (Treasury Board Secretariat), Re, 2017 CarswellOnt 11994.

All About Information Turns Ten!

Ten years ago on a Saturday morning in early August something inspired me to upload a post on employee surveillance to a WordPress site. I can’t remember what I called the site at that time, but the title was lame and had my name in it. Ten years and 973 posts later, “All About Information” still exists. It has facilitated a good deal of my learning and has fostered connections with some valued colleagues who work outside of my own firm, Hicks Morley. As for its merits, at the very least All About Information is now a sizable catalog of notable Canadian cases that are… well… about information. Thank you to those who have made guest posts and comments and those who have kindly corrected my numerous typos. And thank you especially to you, the reader.

Dan Michaluk

“Steep hill” to climb for defamation plaintiffs when suing on matters of public interest

On July 25th, the Ontario Superior Court of justice dismissed an action under a new provision of the Ontario Courts of Justice Act intended to dissuade persons from bringing “strategic lawsuits against public participation” – so called “SLAPP” suits.

The plaintiff is a company that operates a gravel pit. It sued a Stouffville teacher who made two postings to Facebook about a municipal approval that allowed an expansion of the company’s operation. The defendant made the posts without reading the engineering report the plaintiff had filed with the municipality or taking any other significant steps to inform herself of the issue. She said the plaintiff would profit significantly from the approval, the municipality would not, and the plaintiff “would potentially poison our children.” When the plaintiff demanded an apology, the defendant apologized. The plaintiff sued anyway.

The plaintiff agreed that the defendant’s expression related to a matter of public interest – leaving the plaintiff to establish that its proceeding had “substantial merit,” that the defendant had “no valid defence” and that it had suffered (or was likely to suffer) “sufficiently serious harm” in order to survive dismissal under the CJA’s anti-SLAPP provision. The Court held that none of these criteria were met, dismissed the action and awarded $7,500 in damages to the defendant (in part reflecting how the plaintiff conducted its proceeding and in part reflecting the defendant’s failure to adduce medical evidence in support of her damages claim).

The judgement means that the burden on a party seeking civil redress for statements made about a matter of public interest is high. In this case, for example, it did not matter that the defendant took few steps to inform herself of the issue or used the “unfortunate” word “poison”; informed or not, the Court said the defendant had a right to enter the public forum and use emphatic language in doing so without the risk of being sued. Justice Lederer explained:

I am inclined to the view that the legislature did more than just “tilt the balance somewhat”. Rather the legislature created a steep hill for the plaintiff to climb before an action like this one is to be permitted to proceed. The legislation directs that we place substantial value on the freedom of expression over defamation in the public sphere. To put it simply, those who act in the public realm need to realize that not everybody will accept what they wish to do or agree with what they say and may make statements that go beyond what may seem, to the recipient, to be appropriate.

United Soils Management Ltd. v. Mohammed, 2017 ONSC 4450.

IPC decides on request for threat assessment records

On June 30th, the Information and Privacy Commissioner/Ontario issued an interim order regarding a request for records of a school board’s threat assessment process – a request made by the student who was the subject of the assessment.

The IPC held that input given by student witnesses was exempt because its disclosure would constitute an unjustified invasion of privacy and that opinions expressed by members of the board’s threat assessment team were exempt because their disclosure could reasonably be expected to threaten the members’ safety. This decision rests on the facts before the IPC in this case, though it sets out a roadmap for shielding the most sensitive information in a threat assessment file.

The IPC decided to give notice to staff members before deciding whether information related to them (other than opinions) should be released. The matter continues.

Toronto Catholic District School Board (Re), 2017 CanLII 45048 (ON IPC).

No relief for victims of harassment – Ont CA

I’ve written here about the difficult position an employer/organization is placed in when its employees are harassed by “outsiders.” On July 20th the Court of Appeal for Ontario illustrated the difficulty by affirming a decision that denied relief from such harassment that a municipality (and its mayor) sought on behalf of the mayor, councillors and staff. The decision suggests that an employer’s duty to provide a safe and harassment-free environment provides no basis for a civil remedy.

Rainy River (Town) v. Olsen, 2017 ONCA 605.