IPC/Ontario determines what’s reasonable to include in a drug prescription

On April 20th, the IPC/Ontario held that it is reasonable to include a patient’s first and last name, address, telephone number and date of birth on an Ontario drug prescription.

First name, last name, address and telephone number can be included as primary identifiers, with the telephone number element also enabling communication. The IPC accepted that date of birth can also be included because it is an immutable identifier (unlike address and phone number) and also contributes to the prevention of dosing errors (because dosage can depend on age).

The IPC also held that OHIP number can be included on prescriptions for controlled substances because it is required by section 5 of Ontario Regulation 381/11.

Women’s College Hospital (Re), 2020 CanLII 31115 (ON IPC).

Ont CA – reasonable expectation of privacy turns on potential for secondary use

The Court of Appeal for Ontario issued a judgement yesterday that highlights the potential for secondary use of collected data as a factor that weighs in favour of privacy protection.

The police swabbed the door handle of a car that was parked in public to test for cocaine residue. The Court found a reasonable expectation of privacy that rendered the search – which was done without judicial authorization – unlawful.

While holding that physical contact with the car was “a factor,” the Court de-emphasized the significance of physical contact with a chattel:

Too narrow a focus on whether there was a trespass to a chattel, and the extent of interference with use of that chattel, could obscure the privacy interests at stake, as here, where the trial judge focused on the fact that the taking of the swabs had no impact on the appellant’s use of the car and was not known to him.

Compare this to the United States Supreme Court finding in United States v Jones, in which a majority held that the trespass committed by police who install a GPS tracking device on a vehicle is the trigger to constitutional privacy protection.

The Court of Appeal for Ontario’s analysis rested more heavily on the potential for using the swab sample for purposes more intrusive than testing for cocaine residue:

These swabs presumably revealed whether the appellant had handled cocaine. I also agree with the observations in Wong, at para. 27, that privacy concerns are heightened because the swabs may also provide DNA samples for analysis by police, even if that is not why they were initially collected, or what they were used for. Patrick concerned police searches of a suspect’s curb-side garbage. Though the police were searching for evidence of drug offences, the potential for collection of DNA was also relevant to the privacy analysis: see para. 30. The court also expressed scepticism of the notion that privacy concerns are diminished because the search was targeted at contraband: see Patrick, at para. 32; see also A.M., at para. 73.

Search methodologies can be so targeted as to become defensible. The Supreme Court of Canada’s Tessling case, for example, suggests that capturing a heat signature emanating from a residence is unobtrusive because it reveals criminal activity in the house – an illegal grow op – and not much else. The majority in Tessling expressly said that a search should not be judged based on “theoretical” secondary uses. In this case, the potential for secondary use was real.

Hat tip to Fred Schumann of Stockwoods.

R. v. Wawrykiewycz, 2020 ONCA 269.

 

Ont CA says bag search unlawful, orders $500 in damages

On April 16th, the Court of Appeal for Ontario held that the Toronto Police breached sections 2(b), 8 and 9 of the Charter by enforcing a “condition of entry” to a public park because they were not properly authorized to establish the condition.

The City of Toronto had authorized the police to act as its agents “for the purpose of administering the Trespass to Property Act.” Acting under this authority, the police decided to search bags (and all other things in which weapons could be concealed) possessed by those attending a G20 protest at Allan Gardens. The appellant took issue with the legality of this “condition of entry.” The police restrained him when he refused to comply, searched his bag and confiscated a pair of swim goggles. You can see a video of the altercation here.

The Court of Appeal decision turned on the text of the grant of authorization, which the Court held was too narrow given the Trespass to Property Act only provides property owners and occupiers with “a suite of enforcement powers” and not a power to create restrictions on access to property. It said, “The jurisprudence consistently takes a rigorous approach when interpreting the sources of legal authority relied upon by government to encroach upon the liberty of the subject.”

The Court ordered the police to pay $500 in damages. It said the appellant (who drew attention to his fate during the altercation and afterwards) did not establish any reputational or other personal loss. The Court also noted that the police acted in good faith with a view to the safety of the public.

Stewart v Toronto (Police Services Board), 2020 ONCA 255 (CanLII).

FCA revives longstanding test for protective orders in IP disputes

On February 17th, the Federal Court of Appeal re-clarified that protective orders ought to be granted based on the test set out in AB Hassle, i.e., when “the moving party believes that its proprietary, commercial and scientific interests would be seriously harmed by producing information upon which those interests are based.” It held that the application of the more restrictive test for confidentiality orders set out in Sierra Club was not warranted.

Canadian National Railway Company v BNSF Railway Company, 2020 FCA 45 (CanLII).

No privacy breach for publishing information about a provincial offences conviction

Late last year the Ontario Superior Court of Justice issued judgement in a hard-fought dispute between residential neighbours. After an 11-day small claims court trial (!) the Court allowed one neighbour’s privacy breach claim and dismissed the other’s.

The Court allowed a claim against the defendants for directing surveillance cameras and motion-activated floodlights at the plaintiffs’ property as part of a deliberate campaign of harassment. It awarded each plaintiff $8,000, noting evidence of “significant stress and irritation.” The Court also awarded each plaintiff $500 on account of their exposure to “obstructive parking.”

The successful plaintiffs tended to the high road, at one point returning the defendants’ stray dog in an act of neighbourliness. They did, however, publicly post a document that detailed a Provincial Offences Act conviction of one of the defendants. (They said they did so to give their prying-eyed neighbours “something to look at.”) The Court dismissed a counterclaim based on this publication, explaining:

Convictions and sentences imposed by courts of law are events which occur in public and are publicly-available information.  The fact that some third party has posted such facts on the internet makes them all the more public.  I am unable to accept the defence submission, unsupported by authority, that for Mr. Cecchin to find and post this information constitutes an actionable invasion of privacy.  Such a conclusion would be inconsistent with the definition pronounced by Sharpe J.A. in Jones v. Tsige (2012), 2012 ONCA 32 (CanLII), 108 O.R. (3d) 241 (C.A.), at para. 70.  The conviction and sentence cannot be viewed as Mr. Bradbury’s “private affairs or concerns”.  Nor would a reasonable person regard the search for or publication of the outcome of legal proceedings as “highly offensive.”

In a similar vein, the Court dismissed a counter-claim that alleged the plaintiffs committed a privacy violation by writing a letter to other neighbours drawing their attention to the defendants’ non-compliance with municipal bylaws. It said that the claim was untenable as one that attacked, “an exercise of free speech, of local political action and participation in the municipal legal process.”

Cecchin v Lander, 2019 CanLII 131883 (ON SCSM).

UKSC decides data thief was on a “frolic of his own”

The Supreme Court of the United Kingdom has decided an important vicarious liability case in favour of a company whose rogue employee stole payroll information and posted it online.

The company entrusted the employee with payroll data pertaining to over 120,000 of its employees to facilitate an audit. The employee – who was still aggrieved about some discipline the company had earlier imposed – passed the data to the auditor as instructed, but kept a copy and posted it online as part of a personal vendetta.

As in Canadian law, United Kingdom law deems employers to be responsible for the wrongful acts of their employees that are not authorized if there is a “sufficient connection” between the wrongful act and the work that is authorized. The creation of “opportunity” to commit the wrong is a factor, and the analysis is to be conducted with a view to the policy implications, leading some to argue that data security concerns justify broadly imposed vicarious liability.

Nonetheless, the Court held that cause (or the creation of opportunity) was not enough to warrant this employer’s liability for its employee’s data theft. That is, the employee’s theft (and his public disclosure) was caused by the company’s provision of data to the employee, but the employee was still motivated to harm the employer and “on a frolic of his own” that did not warrant employer liability.

WM Morrisons Supermarkets plc (Appellant) v Various Claimants (Respondent), [2020] UKSC 12.

 

Hackers, hacking and cybersecurity for kids

Many of you know Dustin Rivers and Chris Lutz of the Public Service Information Community Connection, who run some of our major Canadian privacy conferences. Like the great entrepreneurs they are, Dustin and Chris have put together an online kids camp for delivery to COVID-sequestered kids from across the globe!

I volunteered as a camp instructor and just did this presentation. It was fun, and a great exercise to reduce the subject matter I deal with in a far different context to something that could be understood by six- to ten-year-olds! Not only that, my son and I created the deck together – more learning.

Here’s the deck. Next time I’ll record!

NSCA issues principled judgement on relevance standard for production and proportionality

On February 28th, the Nova Scotia Court of Appeal held that a motor vehicle accident plaintiff was not entitled to production of her insurer’s policy documents merely because she had alleged bad faith. It held that these documents might be relevant, but the plaintiff failed to meet an evidentiary burden to establish relevance. Justice Farrar explained:

Although the pleadings are a factor to be taken into consideration in determining whether documents are relevant, they are not the only factor.  If that were the case, adroit counsel could draft pleadings in such a manner to allow a party to embark on a fishing expedition.  This is precisely what the Rules were intended to avoid when they were amended to move from the “semblance of relevance” test to relevancy.  The motions judge’s decision, in my view, reverts to the “semblance of relevance” test.  Allegations, no matter how specifically worded or drafted, which have no basis in the facts or the evidence without more, cannot be the basis for a production application.  This is particularly true here, where there was a dearth of evidence before the motions judge.

Intact Insurance Company v. Malloy, 2020 NSCA 18 (CanLII).

NSCA denies privilege claim for statement made in collective agreement bargaining

On March 10th, the Nova Scotia Court of Appeal held that a government statement made to the province’s teachers union in the course of collective agreement bargaining was not subject to settlement or case-by-case privilege.

The union has brought an application that alleges breach of the duty to bargain in good faith and a Charter infringement. The statement it wishes to use in this application is hardly a secret. The Deputy Minister of Finance and the Treasury Board apparently told the Union’s lead negotiator that, if the teachers did not accept an offer, the Government would introduce legislation to impose lower compensation. The negotiator then conveyed the statement to the union’s 9,300 person membership by way of letter in advance of a ratification vote.

In this context the Court held that a privilege claim could not be rightly made. In addressing the settlement privilege claim, the Court also held that the inevitability of litigation could not be presumed.

Nova Scotia (Attorney General) v Nova Scotia Teachers Union, 2020 NSCA 17 (CanLII).

Four data security points for pandemic planners who are addressing the coronavirus

Organizations currently engaged in pandemic planning ought to consider the data and cybersecurity risks associated with the rapid adoption of telework. Planning should start now, with the following considerations in mind.

Remote access risks. Secure remote access should continue to be a requirement. In general, this means access through a virtual private network and multi-factor authentication. Though understandable, “band aid” solutions to enable remote access that depart from this requirement represent a significant risk. Some departure may be necessary, though all risks should be measured. In general, any solution that rests on the use of remote desktop protocol over the internet should be considered very high risk.

Data leakage risks. Efforts should be made to keep all data classified as non-public on the organization’s systems. This can be established by issuing hardware to take home or through secure remote access technology. The use of personal hardware is an option that should be used together with a well-considered BYOD policy. Printing and other causes of data leakage should be addressed through administrative policy or direction. Consider providing direction on where and how to conduct telephone calls in a confidential manner.

Credential risks. New classes of workers may need to be issued new credentials. Although risks related to poor credential handling can be mitigated by the use of multi-factor authentication, clear and basic direction on password use may be warranted. Some have said that phishing attacks may increase in light of an increase in overall vulnerability as businesses deploy new systems and adjust. While speculative, a well-timed reminder of phishing risks may help.

Incident response risks. Quite simply, will your incident response plan still function when the workforce is dispersed and when key decision-makers may be sick? Who from IT will be responsible for coming on-site? How long will that take? If decision-makers are sick, who will stand in? These questions are worth asking now.

Hat tip to my colleague Matin Fazelpour for his input on this post.