Arbitrator demands more of employer in excluding e-mail evidence obtained from work system

On May 16th, Arbitrator Allen Ponak ruled that e-mails an employer collected from its IT system were inadmissible in a discharge case because the employer collected the e-mails in breach of the grievor’s privacy.

The employer (a public sector union) discharged the grievor for being a known associate of a motorcycle club and denying the association when confronted. The employer proceeded with the discharge after finding inculpatory e-mails between the grievor and his wife. It retrieved these e-mails after receiving an e-mail from the Ministry of Justice indicating that it had received a “letter of concern” about the grievor from a local police force. It did so without following up with the Ministry of Justice.

Arbitrator Ponak dismissed the employer’s “no expectation of privacy” argument based on the Supreme Court of Canada reasoning in R v Cole. He held that the intrusion associated with the employer’s search was “heightened” given it was examining e-mails between the grievor and his wife and said:

I am satisfied while the need for an investigation of the Grievor was justified, the search of emails to and from his spouse was not reasonable at the time it was carried out. Relying only on second or third hand information about the Grievor, the Employer’s first and immediate response was to scrutinize his personal emails. There was no evidence that alternatives to this invasive search were considered, possibly because the Employer believed that it owned the email system and no barrier existed to such scrutiny. It was also relatively simple to carry out.

I accept the Doman principle that it is unreasonable to conduct a highly intrusive search before other less intrusive alternatives are considered. For example, the Employer did not contact the Grievor for an explanation after receiving new information on January 15 about his exclusion from corrections facilities and about a police investigation that seemingly implicated the Grievor. The Employer did not seek more details from the Ministry of Justice or the police regarding the allegations. Other LRO’s who might have relevant information were not canvassed. Any concerns about possible permanent deletion of emails and files (I hasten to add there was no evidence to suggest such a concern) could have been handled by putting a temporary freeze on the Grievor’s account. If these and other investigation avenues had proved unsatisfactory, then perhaps the legitimate interests of the Employer in obtaining more information would have trumped the Grievor’s right to privacy, justifying, with safeguards, a search of personal emails. Instead, the Employer went immediately to the Grievor’s email, discovered multiple and obviously personal emails with photo attachments from the Grievor’s wife in a file of deleted emails, and examined the photos. It is difficult to imagine a more intrusive invasion of personal privacy.

This is the first case I’m aware of in which a labour arbitrator has excluded evidence because an employer breached an employee’s privacy in searching its own IT system. It is, however, more illustrative than it is significant because of the facts outlined in the two paragraphs above. After R v Cole employers simply cannot continue to act as if employees have no expectation of privacy in information stored on a work system. Rather, they must conduct investigations in a manner that demonstrates respect for an existent, albeit limited, employee privacy interest.

Saskatchewan Government and General Employees Union v Unifor Local 481, 2015 CanLII 28482 (SK LA).

With CASL, a little due diligence goes a long way

Everyone’s talking about Porter Airlines’ recent agreement to pay a $150,000 penalty for various CASL violations. Porter is a sophisticated marketer yet slipped up, so other organizations are now wondering whether they are similarly exposed. (Perhaps this was the CRTC’s enforcement aim.)

CASL is a regulatory instrument that includes a due diligence defence. In other words, organizations can violate the act without liability if they have taken all reasonable steps to avoid the violation.

Due diligence is about using good, systematic processes to avoid bad things. Here’s a simple process for due diligence that my colleagues and I have employed and continue to employ with our clients:

  • Define your operational units and prioritize them in accordance with risk
  • If you can’t do them all, select key units for review
  • Identify a key individual for each unit, someone with the best knowledge of messaging practices
  • Ask the key individual to complete (in writing) a list-centric survey – a survey that aims to gather some basic information about all formal and informal address lists (It’s easier to identify lists than activities.)
  • Review the survey response and applicable website or sites and follow-up in writing with questions that help close major gaps
  • Have a telephone call to confirm understanding and discuss potential compliance issues
  • Draft a compliance memo – a point-form document that identifies the steps taken in the compliance review, the activities of concern and the compliance advice
  • Conduct any follow-up information gathering in response to the memo
  • Send the memo to the key individual for feedback on completeness
  • Finalize the memo

This is not a difficult or costly process for review and remediation, though you should also budget for (a) some project management costs for a multi-unit review and (b) some multi-unit training, which is normally an appropriate follow-up to the review and remediation process.

If the Porter agreement is causing you worries, following a process like this is well worth it.

 

BCCA affirms order requiring Google to render domains unsearchable

Last Thursday, the Court of Appeal for British Columbia issued an important decision about the power of a domestic court to make orders against non-party, internet “intermediaries” – in this case, search engine provider Google.

The matter involved an order made to help a network hardware manufacturer enforce its intellectual property rights against a former distributor who had gone rogue. After the plaintiff sued, the former distributor went underground – essentially running a “clandestine” effort to pass off its own products as the plaintiff’s products. This scheme relied on the internet and, to a degree, Google’s market-dominant search engine.

Google voluntarily took steps so searches conducted at the Google.ca search page would not return specific web pages published by the defendants. The plaintiffs sought and obtained an order to block entire domains and to block searches originating from all jurisdictions. Google appealed, making a number of broad arguments about the impact of the order (and its kind) on the comity principle of private international law as well as international (internet-based) freedom of expression.

The Court of Appeal dismissed Google’s appeal, demonstrating significant sympathy for the perils facing the British Columbia plaintiff. And while the Court was sensitive to the principles raised by Google (along with the Canadian Civil Liberties Association and the Electronic Frontier Foundation as interveners), it held that the principles were not engaged in the matter:

… Courts should be very cautious in making orders that might place limits on expression in another country. Where there is a realistic possibility that an order with extraterritorial effect may offend another state’s core values, the order should not be made.

In the case before us, there is no realistic assertion that the judge’s order will offend the sensibilities of any other nation. It has not been suggested that the order prohibiting the defendants from advertising wares that violate the intellectual property rights of the plaintiffs offends the core values of any nation. The order made against Google is a very limited ancillary order designed to ensure that the plaintiffs’ core rights are respected.

This reasoning by the Court of Appeal relates back to a significant admission by Google – an admission recorded by the chambers judge as follows: “Google acknowledges that most countries will likely recognize intellectual property rights and view the selling of pirated products as a legal wrong.”

The Court of Appeal decision is therefore relatively balanced. In general, it will help those seeking civil remedies deal with global internet intermediaries such as Google. However, global search engine “takedown orders” of the kind issued in this case will not necessarily be easy to obtain and enforce.

Equustek Solutions Inc. v. Google Inc., 2015 BCCA 265 (CanLII).

Ontario decision suggests corporation can sue for breach of privacy

On February 19th, the Ontario Superior Court of Justice declined to strike a pleading that alleged a company unlawfully interfered with a competitor’s economic relations by receiving confidential information about a client (BC Cancer) that was sought after by both organizations. The Court held that the pleading was sustainable because BC Cancer had an arguable claim against the recipient organization based on the “intrusion upon seclusion” tort, suggesting that the tort is available to natural persons and corporations. As stressed by the Court, on a motion to strike a court errs on the side of permitting a novel but arguable claim to proceed to trial.

Fundraising Initiatives v Globalfaces Direct, 2015 ONSC 1334 (CanLII).

Reasonable necessity not enough to justify collection under Ontario’s public sector statutes

Section 38(2) is an important provision of Ontario’s provincial public sector privacy statute. It requires institutions to satisfy a necessity standard in collecting personal information. Ontario’s municipal public sector privacy statute contains the same provision.

On May 4th, the Divisional Court dismissed a Liquor Control Board of Ontario argument that the Information and Privacy Commissioner/Ontario had erred by applying a higher standard than “reasonable necessity” in resolving a section 38(2) issue. The Divisional Court held that the Court of Appeal for Ontario’s Cash Converters case establishes just such a standard:

The LCBO relies upon Cash Converters to support its submission that the IPC erred in not interpreting “necessary” as meaning “reasonably necessary.” However, Cash Converters does not interpret “necessary” in this way. In fact, it suggests the opposite. Arguably, something that is “helpful” to an activity could be “reasonably necessary” to that activity. Yet, the Court of Appeal makes it clear that “helpful” is not sufficient.

It’s hard to fathom a legislative intent to prohibit a practice that is, by definition “reasonable.” If the LCBO seeks and is granted leave to appeal this could lead to an important clarification from the Court of Appeal on a strict interpretation of section 38(2) that has stood for some time. The LCBO practice at issue – which involves collecting the non-sensitive information of wine club members to control against the illegal stockpiling and reselling of alcohol – is a good one for testing the line.

Liquor Control Board of Ontario v Vin De Garde Wine Club, 2025 ONSC 2537.

Ontario arbitration award addresses remedy for privacy violation

On February 24th the Grievance Settlement Board (Ontario) held that an employer should provide a grievor with three days’ paid vacation as a remedy for the consequences of an (admitted) security breach. The breach apparently allowed other employees to read incident reports involving the grievor, who alleged this caused him psychological distress. The GSB made its finding after conducting an informal med-arb process.

Ontario Public Service Employees Union (Grievor) v Ontario (Liquor Control Board of Ontario), 2015 CanLII 14198 (ON GSB).

Alberta OIPC lacks power to compel production to resolve solicitor-client privilege appeals

On April 2nd, the Court of Appeal of Alberta held that the Alberta Freedom of Information and Protection of Privacy Act does not give the Alberta OIPC the power to compel the production of records over which a public body has asserted solicitor-client privilege.

The Court considered the power granted by the following provision:

Despite any other enactment or any privilege of the law of evidence, a public body must produce to the Commissioner within 10 days any record or a copy of any record required under subsection … (2).

It held that this language was not clear, unequivocal and unambiguous enough to overcome the presumption against abrogation of solicitor-client privilege. The ratio, at paragraph 48, is very clear and simple: “This [authorization of infringement] requires specific reference to solicitor-client privilege.”

Also of significance, the Court held that the chambers judge (below) erred by construing the provision according to the “modern approach,” which it said cannot be reconciled with the rule of strict construction established by the Supreme Court of Canada in Blood Tribe. The Court allowed the appeal and ordered the OIPC to pay the institution’s costs.

University of Calgary v JR, 2015 ABCA 118.

Arbitrator dismisses privacy breach grievance based on actions of a snooping employee

On March 15th, the Grievance Settlement Board (Ontario) dismissed a grievance against the government for one employee’s intentional “snooping” into another employee’s employment insurance file.

Intentional unauthorized access to personal information by a trusted agent is a somewhat common scenario that has not yet been addressed by labour arbitrators. While arbitrators have taken jurisdiction over privacy grievances on a number of bases, privacy grievances have typically addressed intentional employer action – e.g. the administration of a drug test or the installation of a surveillance camera. This case raises an issue about an employer’s obligation to secure employee personal information and its liability for intentional access by another person. Can a reasonable safeguards duty arise inferentially out of the terms of a collective agreement? Is there some other source of jurisdiction for such claims? It is not clear.

The GSB ultimately finds jurisdiction in the Municipal Freedom of Information and Protection of Privacy Act, which it finds is an “employment-related statute” that can be the basis of arbitral jurisdiction. This is unfortunate because MFIPPA, in general, excludes employment-related records (and hence employees). There are now a handful of arbitral decisions that neglect to consider and apply the (very important) exclusion.

Having found jurisdiction rooted in MFIPPA, oddly, the GSB does not consider whether the government (or the Ministry’s head) failed to meet the MFIPPA “reasonable measures to prevent unauthorized access” security standard. Instead, it applied a vicarious liability analysis and dismissed the grievance. I’ll quote the GSB analysis in full:

41      Being guided by the principles set out in Re Bazley, I am of the view that the Employer is not vicariously liable for actions of Ms. X. Simply put, the “wrongful act” was not sufficiently related to conduct authorized by the Employer. Indeed, the accessing of the grievor’s EI file had nothing to do with the work assigned to employees. Employees were able to and indeed did access EI files but only in those instances where it was necessary to assist their clients.
42      The evidence established that the Employer had clear and sufficient policies regarding the protection of private information. Privacy matters were discussed with employees at the point that they were hired and although those policies could have and perhaps should have been formally reviewed more frequently by management, employees were reminded of their obligations frequently by way of a “pop up” upon entering their computers.
43      Further, Ms. Smith, a co-worker of the grievor, who testified for the Union was very forthright in her cross-examination that she knew that she was not to access the private information of anyone for her own interest. Moreover, this intrusion was the first time that she knew of anyone in the workplace doing such a thing. It might well be argued that this reinforces the view that the policy was known and followed in the workplace. Certainly there was no evidence of any other breach.
44      This intrusion was not an abuse of power. It was not an instance where someone with power over the grievor utilized their authority to carry out the wrong. It was a coworker — indeed I am of the view that it was the action of a rogue employee who, for her own purposes accessed the grievor’s EI file. It was not an action that could be seen to “further the Employer’s aims.” Indeed this activity was done without the sanction or knowledge of the Employer. I accept the Employer’s evidence that it knew nothing of the intrusion until being told by a coworker of the grievor and upon learning took immediate action to investigate and manage the issue and the Ms. X who received a significant suspension.
45      Finally, it must be recalled that this Board dismissed the grievor’s allegations that the Employer and her coworkers were bullying and harassing her in a separate decision. Accordingly it seems to me that it cannot be said that the intrusion into her EI records by Ms. X was “related to friction, confrontation or intimacy inherent in the employer’s enterprise.”

Whether an organization is vicariously liable for an employee’s intentional unauthorized access to personal information is a very significant legal issue. This analysis will receive significant attention.

Ontario and OPSEU, Re, 2015 CarswellOnt 3885.

IPC Ontario says a disclosure on the internet is just another disclosure

The Information and Privacy Commissioner/Ontario issued a notable investigation report on March 20th. It held that the City of Vaughan did not breach the Municipal Freedom of Information and Protection of Privacy Act by publishing personal information from a minor variance application on the internet.

The information in a minor variance application is required by statute to be accessible to the public, but by statutory language that speaks to “making available” and allowing for “inspection.” The complainant did not take issue with access to her information, but did not want her information published on the internet. The IPC essentially held that disclosure was authorized, and also that disclosure by internet publication was just another disclosure. Its key text is as follows (with my emphasis):

A concern raised in Gombu was that disclosing records in an electronic format was detrimental to privacy because it removed the de facto privacy protection created by the relative obscurity of paper records. As noted by the Court, circumstances have changed such that records are expected to be provided in electronic format. Part of this is the ease of use for individuals wishing to access records and databases which in turn increase transparency. Indeed, in Gombu this was the complainant’s stated purpose for requesting an electronic copy of the database.

In confirming that the records could be disclosed in bulk electronic format, the Court noted that this would make them more easily accessible with minimal further intrusion upon personal information contained within given that they were already subject to disclosure.

In the circumstance of this complaint, sections 1.0.1. and 44(10) of the Planning Act and 253 of the Municipal Act, taken together, specifically override the privacy interest of individuals engaging the minor variance process and, as in Gombu, mandate the disclosure of personal information in association with that process. I conclude that the City’s decision to disclose the complainant’s personal information in electronic format is in compliance with the Act.

In response to the argument that this information should not be disclosed via the Internet, in the circumstances of this complaint I cannot identify any basis that would prohibit information otherwise subject to the section 32 exceptions from being disclosed via the Internet. I note that Committees of Adjustment are required to demonstrate accountability via a transparent process that permits individuals to participate, scrutinize and to hold institutions such as the City accountable. As such, making these records available online facilitates this goal in a manner consistent with the Act.

The IPC praised the City for administering a public record redaction procedure that allows individuals to request redaction. It also said the City should explore the use of web search exclusion technologies so that personal information it publishes on the internet is not readily searchable. This seems like a recommendation about best practices rather than one that is rooted in the statute.

Privacy Complaint Report MC13-67

BC OIPC addresses network security and endpoint monitoring

Today, the Office of the Information and Privacy Commissioner for British Columbia held that the District of Saanich breached the British Columbia Freedom of Information and Protection of Privacy Act by installing endpoint monitoring software on employee workstations.

The District’s plan was not well conceived – apparently arising out of a plan to shore up IT security because the District’s new mayor was “experienced in the area of IT.”

The District installed a product called Spector 360 – a product billed as a “comprehensive user activity monitoring solution.” This is software that enables the collection of detailed data from “endpoints” on a network. It is not intrusion detection software or software that helps analyze events across a network (which the OIPC noted is in use at other British Columbia municipalities).

The District enabled the software on 13 workstations of “high profile users” to capture a full range of endpoint data, including screenshots captured at 30-second intervals and data about all keystrokes made. The purported purpose of this implementation was to support incident response, a purpose the OIPC suggested could only support an inadequate, reactive IT security strategy.

The OIPC held that the District collected personal information without the authorization it required under FIPPA and failed to notify employees as required by FIPPA. I’ll save on the details because the OIPC’s application of FIPPA is fairly routine. I will note that the OIPC’s position is balanced and seems to adequately respect institutions’ need to access system information for IT security purposes. It acknowledges, for example, that some limited data collection from endpoints is justifiable to support incident response. Not surprisingly, the OIPC does not endorse taking screen shots or collecting keystroke data.

Investigation Report F15-01, 2015 BCIPC No. 15.