IPC interprets prohibition on collecting health card numbers

20 Dec

Section 34(2) of PHIPA prohibits persons other than health information custodians or agents of health information custodians from collecting, using and disclosing health card numbers. There are some narrow exceptions, one of which applies when the collection, use or disclosure is “for purposes related to the provision of provincially funded health resources to [the] person [whose health card number is collected…].”

In a decision issued October 10th, the IPC said the following about the exception:

 Having regard to the above, I find the proper interpretation of section 34(2)(a) is that a collection or use of a health number will only be “related to the provision of provincially funded health resources” where the health number is collected or used for the purposes of the provincial funding of health resources, or directly obtaining those health resources.

The IPC therefore held that an insurance company could not routinely collect health card numbers on an application form for supplementary health insurance benefits. Although related in the broad sense, the insurance company did not routinely use the number to coordinate benefits. The IPC permitted the company to continue to collect health card numbers to obtain reimbursement for payments made under plans that provide for emergency medical travel coverage.

An insurance company (Re), 2017 CanLII 70023 (ON IPC).


Tribunal errs by ordering disclosure without redaction – right to redaction?

18 Dec

On November 28th the Nova Scotia Court of Appeal held that the Nova Scotia Workers’ Compensation Appeals Tribunal erred by ordering the disclosure of a worker’s entire file without redaction.

The matter was about a workplace safety insurance claim, and particularly whether a worker’s condition was caused by his work. The Tribunal made the order in response to an employer’s objection to various redactions made to a set of records in the possession of the Workers’ Compensation Board. Although the employer argued the redacted information was relevant, the Tribunal ordered the unredacted file to be produced because it lacked the resources to vet for relevance, because fairness and the “ebb and flow” of a hearing supported full disclosure and because of the difficulty in making relevance determinations.

Despite the obvious appearance of laziness, the Tribunal framed its decision as rooted in procedural fairness. In response, the Court said: “…there is no principle of procedural fairness… that a litigant who requests disclosure is entitled to see every document it requests, regardless of relevance and without a relevance ruling by an impartial arbiter.”

Implicit in this statement is a concern for the worker’s privacy interest. The Tribunal had recognized this interest in a policy manual that it disregarded in making its order, though there are aspects of the Court’s reasoning that suggest a more broadly based right to redaction.

The Court gave this guidance on how to vet for relevance:

The person who vets for relevance must keep in mind that material should be disclosed for its connection to the “proposition[s] being advanced” by the parties, to borrow Justice Rothstein’s phrase, and not merely to justify an anticipated conclusion on the merits of those propositions. The vetting official may not be able to foretell precisely how the evidence will be marshalled. So the ambit of disclosure should allow the parties some elbow room to strategize for the engagement.

Baker v. Nova Scotia (Workers’ Compensation Appeals Tribunal), 2017 NSCA 83.

Jones, Marakah and corporate information systems

17 Dec

There has been significant discussion of the Supreme Court of Canada’s decisions in R v Jones and R v Marakah – cases in which the Court recognized a reasonable expectation of privacy in text messages that police obtained from others. In Jones, the police obtained messages from a telecom company and in Marakah the police obtained messages from a recipient’s phone.

At their broadest, Jones and Marakah are a clearer-than-ever recognition that the Charter protects digital communications even though digital communications are not easily controlled or kept secret. Justice Côté said it well in Jones:

Here, as in Spencer and TELUS, the only way to retain control over the subject matter of the search vis-à-vis the service provider was to make no use of its services at all. That choice is not a meaningful one. Focusing on the fact that Mr. Jones relinquished direct control vis-à-vis the service provider is accordingly difficult to reconcile with a purposive approach to s. 8. Canadians are not required to become digital recluses in order to maintain some semblance of privacy in their lives.


Recognizing this particular, highly normative basis for Jones and Marakah is essential to properly understanding what these cases might mean for rights and entitlements of organizations that hold the digital information of others – including employers who hold the digital information of their employees. In contrast to the above statement, the Supreme Court of Canada has already recognized that employees have a meaningful choice as to whether they use a work system for their private dealings. In R v Cole, Justice Fish said the following about employee Cole’s choice:

In this case, the operational realities of Mr. Cole’s workplace weigh both for and against the existence of a reasonable expectation of privacy.  For, because written policy and actual practice permitted Mr. Cole to use his work-issued laptop for personal purposes.  Against, because both policy and technological reality deprived him of exclusive control over — and access to — the personal information he chose to record on it.

Jones and Marakah do not detract from this statement and, if anything, invite the law to develop in a way that gives even greater emphasis to employee choice and its impact on privacy and corporate data security. Corporate data security is all about choosing the right medium – the right tool – for the purpose. Our right as citizens to text without state interference is quite a different thing.

R. v. Jones, 2017 SCC 60 (CanLII).

R. v. Marakah, 2017 SCC 59 (CanLII).

Arbitrator orders $3,000 in privacy damages

18 Nov

On April 27th, Arbitrator Knopf ordered that $3,000 in damages be paid to a grievor for breach of privacy and harassment because:

  • the grievor’s personnel file contained an inexplicable notation that the grievor advised his supervisor that he injured his penis while cooking nude at home; and
  • the employer contacted the grievor’s doctor to confirm the doctor’s signature without justification and without consent.

Ms. Knopf said that these claims were “serious enough to warrant damages, but they were not profoundly damaging to [the grievor’s] reputation or harmful to his privacy, nor did they have a negative impact on his benefit claims, status in the workplace or reputation in general.”

York (Regional Municipality) v Canadian Union of Public Employees, Local 905, 2017 CanLII 56454 (ON LA).

Arbitrator issues principled decision on identification of grievors and other complainants

17 Nov

On September 5th, Arbitrator Abramsky dismissed a motion to anonymize the name of an individual who had grieved harassment, discrimination and a reprisal.

In making its request, the Union rested heavily on the fact the grievance would invite the disclosure of the grievor’s medical information – information about a learning disability and back problems. It also argued that no purpose would be served by publication of the grievor’s identity.

Ms. Abramsky held that the open court principle applied to the statutory tribunal for which she was sitting (the GSB in Ontario) and that openness was therefore presumed absent a “compelling reason.” In doing so, she endorsed the following statement about the identification of individuals who file serious complaints:

This rationale – that litigants who make serious accusations should not do so “from behind a veil of anonymity, assured that they will not be identified if they are found not to be credible, their allegations are rejected” – has significant resonance.  It is very easy to make serious assertions and claims.  When doing so – and pursuing such a claim – litigants should not be able to hide behind anonymity, absent a compelling reason to allow it.  Confidence in the administration of justice – and the open court principle – requires it.

Ms. Abramsky also held that medical information can vary in sensitivity and that, in the circumstances, anonymization was not justified.

Ontario Public Service Employees Union (Cull) v Ontario (Health and Long-Term Care), 2017 CanLII 71798 (ON GSB).

Cyber insurance and incident response practice

17 Nov

Here’s a deck from a Monday panel presentation that I participated in with some colleagues from the sector.  It features a cyber incident scenario and some questions. See if you can answer them, and if you’d like to have a discussion, please comment or get in touch.

What’s a breach coach?

29 Sep

I hate the term “breach” – please call them “security incidents” – but the term “breach coach” is certainly ingrained. Posting today’s presentation on the role of the coach as I step out the door to an insurance sector event. The simple, self-serving and valid message: call a coach first.