NSCA issues principled judgement on relevance standard for production and proportionality

On February 28th, the Nova Scotia Court of Appeal held that a motor vehicle accident plaintiff was not entitled to production of her insurer’s policy documents merely because she had alleged bad faith. It held that these documents might be relevant, but the plaintiff failed to meet an evidentiary burden to establish relevance. Justice Farrar explained:

Although the pleadings are a factor to be taken into consideration in determining whether documents are relevant, they are not the only factor. If that were the case, adroit counsel could draft pleadings in such a manner to allow a party to embark on a fishing expedition. This is precisely what the Rules were intended to avoid when they were amended to move from the “semblance of relevance” test to relevancy. The motions judge’s decision, in my view, reverts to the “semblance of relevance” test. Allegations, no matter how specifically worded or drafted, which have no basis in the facts or the evidence without more, cannot be the basis for a production application. This is particularly true here, where there was a dearth of evidence before the motions judge.

Intact Insurance Company v. Malloy, 2020 NSCA 18 (CanLII).

NSCA denies privilege claim for statement made in collective agreement bargaining

On March 10th, the Nova Scotia Court of Appeal held that a government statement made to the province’s teachers union in the course of collective agreement bargaining was not subject to settlement or case-by-case privilege.

The union has brought an application that alleges breach of the duty to bargain in good faith and a Charter infringement. The statement it wishes to use in this application is hardly a secret. The Deputy Minister of Finance and the Treasury Board apparently told the Union’s lead negotiator that, if the teachers did not accept an offer, the Government would introduce legislation to impose lower compensation. The negotiator then conveyed the statement to the union’s 9,300-person membership by way of letter in advance of a ratification vote.

In this context the Court held that a privilege claim could not rightly be made. In addressing the settlement privilege claim, the Court also held that the inevitability of litigation could not be presumed.

Nova Scotia (Attorney General) v Nova Scotia Teachers Union, 2020 NSCA 17 (CanLII).

Four data security points for pandemic planners who are addressing the coronavirus

Organizations currently engaged in pandemic planning ought to consider the data and cybersecurity risks associated with the rapid adoption of telework. Planning should start now, with the following considerations in mind.

Remote access risks. Secure remote access should continue to be a requirement. In general, this means access through a virtual private network and multi-factor authentication. Though understandable, “band aid” solutions to enable remote access that depart from this requirement represent a significant risk. Some departure may be necessary, though all risks should be measured. In general, any solution that rests on the use of remote desktop protocol over the internet should be considered very high risk.

Data leakage risks. Efforts should be made to keep all data classified as non-public on the organization’s systems. This can be established by issuing hardware to take home or through secure remote access technology. The use of personal hardware is an option that should be used together with a well-considered BYOD policy. Printing and other causes of data leakage should be addressed through administrative policy or direction. Consider providing direction on where and how to conduct telephone calls in a confidential manner.

Credential risks. New classes of workers may need to be issued new credentials. Although risks related to poor credential handling can be mitigated by the use of multi-factor authentication, clear and basic direction on password use may be warranted. Some have said that phishing attacks may increase in light of an increase in overall vulnerability as businesses deploy new systems and adjust. While speculative, a well-timed reminder of phishing risks may help.

Incident response risks. Quite simply, will your incident response plan still function when the workforce is dispersed and when key decision-makers may be sick? Who from IT will be responsible for coming on-site? How long will that take? If decision-makers are sick, who will stand in? These questions are worth asking now.

Hat tip to my colleague Matin Fazelpour for his input on this post.

Arbitrator declines to find a privacy violation for inquiry made of employee’s second employer

As the gig economy rises, work for more than one employer is becoming more common, and work across multiple employers has been common in the health care sector for some time. What, then, is an employer to do if its employee has taken sick leave but may be working for their other employer? Can the employer simply ask the other employer if the employee is at work?

There are some discipline cases in which unions have not challenged such questioning and others in which employers have asked for employee consent to make the inquiry. Last July, Arbitrator Brian Sheehan of Ontario entertained and dismissed what I believe to be the first privacy breach allegation on point, though he did so in quite a qualified manner.

The employer’s inquiry was apparently based on a mere suspicion. Mr. Sheehan explained, “For Ms. Valentin, the grievor’s relatively significant level of absenteeism, in addition to Ms. Valentin’s perception that there was a pattern of the grievor being absent from work on days before or after her scheduled days off was suspicious.”

To aggravate the situation, when the employer called the other workplace it received the information it was seeking plus some editorial – that the grievor’s “attitude stinks.”

Mr. Sheehan nonetheless declined to find a privacy breach. He said:

As to the Union’s privacy argument, factually, I do not find that claim particularly compelling. Based on the Employer’s understanding of the facts as of September 2014, it had, in my view, a reasonable basis to investigate the grievor’s work history at Villa Leonardo. The Union’s primary complaint was that the Employer should have initially sought to obtain the information from the grievor. On this point, while as previously noted the grievor was fairly forthcoming with respect to her work history at Villa Leonardo, she was in fact mistaken as to her work history in relation to some of the days in question. At the same time, the Employer arguably should have followed the approach in the Province of Alberta, supra, case and sought the grievor’s consent to obtain the relevant documentation from Villa Leonardo.

At the end of the day, however, the extent of the nature of the invasion of the grievor’s privacy relates to the Employer asking a third party the work history pertaining to the grievor. Seeking such information is definitively on the lower end of the spectrum of the privacy interests of an individual that warrant protection, and that interest is far removed from the surreptitious electronic surveillance that was in dispute in the cited Domain Forest Products, supra, and Ebco Metal Finishing Ltd., supra, cases. In this regard, any breach of the grievor’s privacy interest was, in my view, de minimis in nature; such that, I am not inclined to issue any sort of declaration or sanction.

This is best understood as a discouragement to employers, without an actual finding based on an application of the de minimis non curat lex principle: the law will not concern itself with trifles.

No arbitrator is bound to follow another arbitrator, but employers can take some comfort in this award. If they have a reason not to ask for consent (and are prepared to articulate it if challenged) they may decide to unilaterally seek information from another employer about whether an employee was or was not at work during a period of time. The risk of liability is low.

Toronto (City) v Canadian Union of Public Employees, Local 79, 2019 CanLII 78856 (ON LA).

The twelve security failures underscoring the ICO’s recent £500,000 fine

On February 10th the Information Commissioner’s Office fined Cathay Pacific £500,000 for breaching the security principle established under the UK Data Protection Act. Here are the twelve security failures that were the basis of the finding (with underlined text in the ICO’s words plus my annotation):

    • The database backups were not encrypted. The ICO said this was a departure from company policy undertaken due to a data migration project, but a company approval and risk mitigation requirement was apparently not followed.
    • The internet-facing server was accessible due to a known and publicized vulnerability. The Common Vulnerabilities and Exposure website listed the vulnerability approximately seven years before it was exploited, said the ICO.
    • The administrator console was publicly accessible via the internet. This was done to facilitate vendor access, without a risk assessment according to the ICO. The ICO said the company ought to have used a VPN to enable vendor access.
    • System A was hosted on an operating system that was (and is) no longer supported. The ICO noted that the company neither replaced the system nor purchased extended support.
    • Cathay Pacific could not provide evidence of adequate server hardening.
    • Network users were permitted to authenticate past the VPN without multi-factor authentication. The ICO noted that this allowed the attackers to misuse stolen credentials (pertaining to a 41,000 user base).
    • The anti-virus protection was inadequate. This was apparently due to operating system compatibility problems (on an operating system other than the legacy system on System A).
    • Patch management was inadequate. Logs were missing on some systems, the ICO said. It also noted that one server was missing 16 updates that resolved publicly known vulnerabilities, 12 of which were described as “easily exploitable.”
    • Forensic evidence was no longer available during the Commissioner’s investigation. The ICO said that server images analyzed in the post-incident investigation were not retained and provided to the ICO.
    • Accounts were given inappropriate privileges. “Day-to-day” user accounts were given administrator privileges according to the ICO.
    • Penetration testing was inadequate. The ICO said three years without penetration testing was inadequate given the quantity and nature of the information at issue, which included passport numbers.
    • Retention periods were too long. It appears (though is not clear) that transaction data was preserved indefinitely and that user data was purged after seven years of inactivity.

£500,000 is the maximum fine. The ICO said it was warranted, in part, because the failures related to “fundamental principles.” The failure to retain evidence was another notable factor.

IPC/Ontario – Appropriate for hospital to notify of breach because it maintained a shared EMR

The IPC/Ontario has issued a significant decision about information governance under the Personal Health Information Protection Act. Specifically, it held that a hospital that gives a physician access to an electronic medical record for use in private practice is a health information custodian together with the physician, but that it can retain a duty to notify of a breach arising out of the private practice.

Background

The hospital maintained an EMR system and gave access to its credentialed physicians and their employees for use in private practice. Employees in two such private practices accessed EMRs without authorization. The hospital notified affected patients and reported the breach to the IPC, which led the IPC to investigate.

In the course of the investigation it came to light that some of the employees had shared their login credentials with others outside of the hospital, but apparently to enable health care. The employees also apparently accessed some records (for non-health care purposes) with the consent of friends or family members. Both of these actions violated hospital policy.

Decision

The IPC held that the access enabled by credential sharing and the access made with the consent of family members was made in breach of PHIPA. Although a more benign form of unauthorized access, the IPC found a breach based on section 10(2) of PHIPA, which states, “A health information custodian shall comply with its information practices.”

Regarding the identity of the custodian, the IPC held that both the hospital and the two private practice physicians were custodians in the circumstances – the physicians being custodians “when they access patient information in [the EMR] for the purpose of providing health care to their private practice patients.” Such access, the IPC explained, invites a disclosure by the hospital and a collection by the physicians; in this context the physicians were not the hospital’s agents.

Despite the physicians’ custodianship, the IPC held it was appropriate for the hospital to notify in the circumstances. It said:

[122] In the cases under review, THP and the private practice physicians also treated THP as the health information custodian responsible for notifying affected individuals of the private practice employees’ unauthorized accesses in THP’s EMR. In these circumstances, I agree that THP was the appropriate party to give notice under section 12(2) of PHIPA. As the health information custodian who maintains the EMR, THP was best placed to discover and investigate the extent of the employees’ activity in the EMR, identify all the parties whose personal health information had been accessed without authority, and initiate contact with these individuals, all of whom are THP patients, but some of whom may not have any relationship with the particular private practice physician for whom the employee worked. In these cases, notification by THP was appropriate, taking into account not only the language of section 12(2) but also the interests of the affected individuals.

[123] I also agree with THP that in some circumstances, notification by the collecting custodian may be more appropriate, and a reasonable approach to fulfilling the notice obligation in section 12(2). For example, in a case where the private practice physician has a more significant relationship with the patient whose privacy was breached, notice from that physician (rather than from the custodian who disclosed the information) may be prudent. So long as the notice is given as required upon the events described in section 12(2) (and complies with the other requirements of that section), I agree with THP that circumstances such as the patient’s interests and the relationships between the patients and the various custodians involved may be relevant factors in deciding how best to fulfil the notification obligation. I am not persuaded that applying such an approach to notification in future cases would have the consequences of discouraging hospitals from adopting EMR technologies, or from participating in broader initiatives like a provincial electronic health record system.

Implications

The kind of shared accountability invited by this decision can cause confusion and risk. It will behoove hospitals and other custodians who provide shared access to their EMR systems to be very clear and detailed in establishing who is responsible for what. The hospital in this case, for example, decided post-incident to make clearer that physicians who are given outside access are responsible for training and supervising their employees. It also expressly obligated physicians to participate in privacy investigations arising from the actions of an employee.

The IPC’s finding on who provides notification is very qualified, and rests partly on the fact that the hospital in this case voluntarily provided notification to affected individuals. While taking control of notification may be beneficial to hospitals that maintain and provide third-party access to EMR systems, providing notification may also signal responsibility for a breach and for related risks over which hospitals have little or no control. The hospital in this case dealt with this tension by stipulating to its physicians that they may be named in hospital notification letters “as being responsible for the breach.” Other hospitals may wish to require physicians to notify themselves in certain circumstances. The IPC’s decision does not appear to preclude such alternatives.

Trillium Health Partners (Re), 2020 CanLII 15333 (ON IPC).

IPC/Ontario – no correction of health care record when joint custody parents disagree

On January 24th, the IPC/Ontario held that a health information custodian has no obligation to correct a health care record of a child whose joint custody parents (with equal decision-making authority) are in dispute about whether a correction should be made. It made clear that custodians are not required to canvass both equally ranking parents, but held that a correction request should be denied when a conflict is apparent.

Complaint HA19-00010 (Re), 2020 CanLII 8232 (ON IPC).