The five ways of a strong privacy officer

It has been a few years since Carswell published its Managing Personal Information text, but this morning I had cause to look up a chapter on information governance that I contributed. I had forgotten about what I had written about the qualities of a privacy officer, but liked what I read and thought I would share it here.

Acting in support of self-policing is not an easy role. With this in mind, here is a list of good behaviors for privacy officers to demonstrate:

  • Flexibility. Privacy officers should understand that few things required by privacy statutes are black and white and should be prepared to accommodate reasonable business risk.
  • Creativity. Privacy officers should be prepared to help line managers think creatively about how to manage around privacy-related constraints in a responsible manner.
  • Benign skepticism. Privacy officers should give others the benefit of the doubt, while also looking diligently for objective evidence of non-compliance.
  • Fairness and consistency. Privacy officers should take an even-handed approach to their duties, treating all departments and employees in a principled and objective manner. They should deal with similar scenarios in similar ways.
  • Empathy. Privacy officers should communicate the rules with a view to helping audience members comply and should be understanding of audience members’ business demands.

Privacy officers should strive to foster and protect their credibility with line management. This involves demonstrating unwavering commitment to the principles underlying their privacy programs, yet a willingness to apply those principles in a manner that invites respect and keeps “doors open.”

Thank you Claudiu Popa for involving me in your book project. For more about Managing Personal Information and to purchase a copy see here.

Criminal reference checks for current hospital employees ruled improper

In a decision from last May that just came to my attention, Arbitrator Stout ruled that a hospital’s policy that required all current employees to undertake vulnerable sector criminal record checks violated its nurses’ collective agreement.

Although British Columbia legislation supports periodic checks on vulnerable sector employees, the hospital’s policy was the first of its kind in the Ontario hospital sector. Ontario employers have had difficulty justifying such checks. Arbitrator Picher’s comment about the distinction between pre-employment and in-employment checks in City of Ottawa is both authoritative and restrictive.

The person who presents himself or herself at the door of a business or other institution to be hired does so as a stranger. At that point the employer knows little or nothing about the person who is no more than a job applicant. In my view, the same cannot be said of an individual who has, for a significant period of time, been an employee under the supervision of management. The employment relationship presupposes a degree of ongoing, and arguably increasing, familiarity with the qualities and personality of the individual employee. The employer, through its managers and supervisors, is not without reasonable means to make an ongoing assessment of the fitness of the individual for continued employment, including such factors as his or her moral rectitude, to the extent that it can be determined from job performance, relationships with supervisors and other employees, and such other information as may incidentally come to the attention of the employer through the normal social exchanges that are common to most workplaces. On the whole, therefore, the extraordinary waiver of privacy which may be justified when a stranger is hired is substantially less compelling as applied to an employee with many months, or indeed many years, of service.

Mr. Picher did state that in-employment checks can be used for employees exercising “particularly sensitive functions.”

In this case, Arbitrator Stout held that the employer had not proven a “current problem” or “real risk.” Arbitrator Stout was also significantly influenced by the structural problem with vulnerable sector checks – i.e. they return sensitive “non-conviction information” for which employers generally have no need.

Rouge Valley Health System v Ontario Nurses’ Association, 2015 CanLII 24422 (ON LA).

Wellness be damned – universal medical assessments not allowed

On November 12th, Arbitrator Dorsey held that an employer could not implement universal “fitness for duty” testing.

The program would require drivers responsible for carrying liquid and compressed gas to be tested once every five years. The employer framed the testing as fitness for duty testing, but the program featured urinalysis and bloodwork to look for “disorders, including anemia, infection and leukemia.” In other words, the program looked (at least partly) rooted in the promotion of wellness, though requiring employees to participate in a wellness program with an (invasive) medical assessment feature is aggressive by Canadian standards, if not unprecedented.

Arbitrator Dorsey appeared to appreciate this problem, and decided the matter by finding that the particular collective agreement provision upon which the employer relied did not have the “clear and express language” necessary to authorize universal testing. He also said that truck transportation is not so safety sensitive an endeavour “regardless of the nature of the product being transported” as to justify an exception to the normal preference for individualized, for cause testing.

Teamsters Local Union No 213 v Linde Canada Limited, 2015 CanLII 73757 (BC LA).

Arbitrator dismisses video surveillance grievance, makes principled statements

On November 12th, British Columbia labour arbitrator Stan Lanyon dismissed a policy grievance that challenged the implementation of a video surveillance system in an equipment production and maintenance plant.

Surveillance cases are driven by their facts, but Arbitrator Lanyon did dismiss a union argument that overt and covert surveillance are equally invasive: “covert surveillance is a more egregious violation of privacy because it is capable of causing more distress, anguish and embarrassment.”

As significantly, he held that surveillance systems can be justified without evidence of “a past history of serious breaches of safety, or security issues.”

Finally, Arbitrator Lanyon recognized a difference between using cameras for disciplinary (or supervisory) purposes and using video surveillance footage in the investigation of incidents. This distinction is not clearly drawn in some case law (and employer policies), but is important.

Kadant Carmanah Design v International Association of Machinists and Aerospace Workers, District 250, 2015 CanLII 79278 (BC LA).

BC class action alleging vicarious liability for employee’s snooping to proceed

Yesterday the Court of Appeal for British Columbia held that a class action alleging vicarious liability for breach of the British Columbia Privacy Act should not be struck.

The claim is based on an allegation that an ICBC employee improperly accessed the personal information of about 65 ICBC customers. The Court dismissed ICBC’s argument that the Privacy Act only contemplates direct liability because its statutory tort rests on wilful misconduct. The Court reasoned that a requirement of deliberate wrongdoing is not incompatible with vicarious liability.

ICBC also raised a seemingly dangerous policy question for a data breach defendant: “Should liability lie against a public body for the wrongful conduct of its employee, in these circumstances?” The Court said this question should be answered based on a full evidentiary record.

While allowing the vicarious liability claim to proceed, the Court held that the plaintiff could not found a claim on an alleged breach of the safeguarding provision in British Columbia’s public sector privacy act. It did consider whether to recognize a common law duty to abide by the safeguarding provision, but held that it should not do so based on policy grounds, including the need to defer to the comprehensive administrative remedial regime provided for by the legislature.

Ari v Insurance Corporation of British Columbia, 2015 BCCA 468 (CanLII).

Cybersecurity and data loss (short presentation)

Here’s a 10 minute presentation I gave to the firm yesterday that puts some trends in context and addresses recent breach notification amendments.

CORRECTION. I made a point in this presentation that the Bill 119 amendments to PHIPA remove a requirement to notify of unauthorized “access” – a positive add given the statute does not include a harms-related threshold for notification. Section 1(2) of the Bill, I have now noticed, amends the definition of “use” as follows: “The definition of ‘use’ in section 2 of the Act is amended by striking out ‘means to handle or deal with the information’ and substituting ‘means to view, handle or otherwise deal with the information.’” The removal of “access” from the breach notification provision will therefore not invite a change.

Duty to document in the news again

I finally got around to reading Access Denied – the British Columbia OIPC’s October 22nd bombshell of an investigation report on the processing of freedom of information requests.

You’ve likely heard about the OIPC’s finding that a Ministerial Assistant in the Ministry of Transportation and Infrastructure commandeered an executive assistant’s workstation to wilfully “triple delete” e-mails responsive to an FOI request. While shocking, you may be just as interested in the OIPC’s less headline-catching recommendation that government re-configure its e-mail system so e-mails cannot be deleted by users before they are captured in monthly backups “for investigative and legal purposes.” The OIPC doesn’t back this recommendation with many details, but it seems to treat backups as a data source with an all-too-routine reason to access.

You may also be interested in the OIPC’s recommendation to create a legislative duty to document. I’ve written about the duty to document in some detail in this June 2013 post.

In Ontario, amendments to FIPPA and MFIPPA relating to the preservation of records come into force on January 1st. Read more here.

Party defending against claim based on prior settlement does not waive settlement privilege

On September 30th, the Divisional Court held that a party defending against a claim based on a prior settlement does not waive settlement privilege. The Court reasoned as follows:

Consistent with such notions of fairness, we are satisfied that the LCBO has not waived settlement privilege in this case. The LCBO claims that Magnotta’s current actions advance the same claims as the prior settled proceedings, and we express no view on that assertion. However, the LCBO should, as a matter of fairness, be able to raise the settlement in its defence and in support of its proposed motion, without automatically losing the benefit of settlement privilege. In particular, the LCBO should be able to rely on the Minutes of Settlement for this purpose.

The defendant obtained a sealing order based on the public interest in encouraging parties to settle their disputes.

Magnotta Winery Corp v Ontario (Alcohol and Gaming Commission), 2015 ONSC 6234 (CanLII).

How to manage a data security incident – Ten tips from a breach practitioner

Here’s a slide deck (including speaking notes) for a presentation I did today at LegalTech Toronto.

I aimed for something practical on the art of breach response by speaking to these ten tips:

  1. Initiate response ASAP
  2. Don’t rest on assumptions
  3. Keep the ball moving
  4. Don’t rush
  5. Obtain objective input
  6. Obtain technical input
  7. Take a broad view of notification
  8. Put yourself in their shoes
  9. Demonstrate commitment to doing better
  10. Apologize

Enjoy!