Last week my colleagues Amy Tibble and Frank Cesario and I presented to a group of in-house counsel on a selection of pressing issues related to information management and privacy. Our three take-away messages were:

• You should take control of the “zone of privacy” on sensitive legal matters by issuing a communication protocol. Beware of over reaching.
• You have a leadership role to play in causing your organization to better manage the risks associated with data loss. The messages about internal responsibility recently made by the IPC/Ontario are relevant to most organizations given the increased prevalence of data loss class action claims.
• We need to help arbitrators draw a better distinction between the role of an occupational health department and the role of an employee  health care provider. The key risk relates to safety-related accountability for information held by employers and not assessed or acted upon based on perceived privacy restrictions.

Here are our slides. I hope the slides and these notes help generate some ideas.

On September 11th the Ontario Small Claims Court dismissed a motion to strike a privacy claim brought by a police officer who was video recorded in the course of his duties.

The individual defendant was arrested by the officer. He recorded the arrest on video and published a video called “Arrested riding my E-Bike” on YouTube, who allegedly did not take the video down when contacted by the plaintiff.

YouTube brought the motion to strike. The Court dismissed it because YouTube did not meet the relatively onerous requirement to strike an Ontario small claims action. After referring to the Court of Appeal for Ontario decision in Jones v Tsige, the Court said, “I find that the plaintiffs [sic] claim does in fact disclose a reasonable cause of action and is not inflammatory, a waste of time, a nuisance or an abuse of the court process.”

Vertolli v YouTube LLC, [2012] OJ NO. 4275 (SCJ) (QL).

On August 27th the Court of Appeal of Manitoba held appeal determinations made by the Court of Queen’s Bench under section 67 of the Manitoba Freedom of Information and Protection of Privacy Act are final and binding, with no further right of appeal.

Klippenstein v Manitoba (Minister of Family Services and Consumer Affairs), 2012 MBCA 78 (CanLII).

On August 21st, the Ontario Superior Court of justice declined to strike a defamation claim as barred by absolute privilege because the manner in which the defendants delivered the draft claim to the plaintiff’s employer suggests, as alleged, it was sent to harm the plaintiff and not for the purposes of forwarding the defendants’ litigation.

The defendants, the plaintiff alleges, served the draft claim on his employer with a warning that “‘We didn’t know’ will not be an adequate explanation in this case.” Regardless, the plaintiff also alleges, after the employer sent a brief e-mail to the defendants saying there was no basis for a claim against it, the defendants promptly withdrew their allegations and proceeded against the plaintiff alone. The Court held that these allegations cast sufficient doubts on the defendants’ motives to let the plaintiff’s (counter)claim proceed.

Nuvius Bankcard Services v Dowty, 2012 ONSC 4835 (CanLII).

The New York Times published a story yesterday on the Aurora, Colorado shootings entitled, “Before Gunfire, Hints of ‘Bad News’.” We’re a long way from fully understanding the significance of the shootings, but the Times’ piece is a reasonable consolidation of facts, so I’ll use it here to make the point that discharging a duty to prevent violence rests heavily on the processing of information to understand the nature of a potential threat.

The Times on the Aurora shootings

The Times follows the classic line of inquiry that follows incidents of violence. Who knew what about suspected shooter James Holmes? When? And why didn’t they act?

The Times goes over facts raised very soon after the shootings about concerns held by Holmes’ psychiatrist, also the director of student mental health services at the University of Colorado Denver. Holmes attended UC Denver until he voluntarily withdrew from study about a month before the shooting. The Times also adds new facts garnered from interviews with people who had recent contact with Holmes. Most notably, in May, Holmes told another student that he had purchased a Glock semiautomatic pistol. Holmes also had some puzzling interactions with a different student about his mental condition, warning her to stay away “because I’m bad news.”

We should not be surprised by these findings. As the forensic psychiatrist quoted by the Times notes, “almost without exception, [mass killers’] crimes represent the endpoint of a long and troubled highway that in hindsight was dotted with signs missed or misinterpreted.”

This widely-accepted view is why violence prevention rests so heavily on processing information or, more specifically, on “threat assessment.” Whether a duty to prevent violence is based on workplace health and safety legislation, occupiers liability legislation or common law duties, implementing reasonable employment screening, reasonable physical security controls and a reasonable emergency response plan is not enough. Implementing a reasonable threat assessment system is an important part of violence prevention, and is necessary to manage the risk of violence that is perpetrated by individuals who are “knowable” to an organization (e.g., customers, patients, students, current and former employees and domestic partners of current employees).

What is threat assessment?

Threat assessment is a structured process of identifying, assessing and managing the threat that certain persons may pose to others. It is depicted in this slide I have prepared for an upcoming presentation (details and registration here):

The element of the process that is highlighted by the Times’ article is on the very left of the slide. A duty to employ reasonable threat assessment procedures requires organizations to build and maintain a system for picking up on and evaluating available or knowable information that might indicate a risk of violence. The duty to “know what is reasonable to know” supports the reporting of threats and mere behaviors of concern, supports the imposition of reporting duties on employees and supports the use of communication and training to encourage others (such as students and customers) to report.

Yes, threat assessment systems invite a kind of surveillance. However:

• their use is supported by a very strong and consistent body of authority;
• they have become a regularly utilized part of the health and safety programs at all Canadian universities and colleges (who are particularly open to the risk of violence from “knowable” individuals); and
• they are a key part of a workplace violence prevention and intervention standard approved by the American National Standard Institute in 2011.

Though threat assessment has an impact on personal privacy, it is a justifiable impact. The British Columbia and Ontario privacy commissioners have published a guideline on violence prevention that declares “life trumps privacy.” Though the guideline focuses on the disclosure of personal information post-assessment and as part of threat management, the principle it supports applies equally to justify the collection of personal information for threat assessment purposes. In fact, one may question whether a disclosure of personal information for threat management purposes can be made responsibility if it is not based on sound fact-based analysis that can only be achieved with through collection of personal information that helps an organization understand the threat.

Hard questions about the Aurora shootings

Though the Times has compiled some facts that, in hindsight, paint a “disturbing portrait of a young man struggling with a severe mental illness who more than once hinted to others that he was losing his footing,” this does not establish that Holmes’ university failed in assessing the threat that he posed. In fact, at this early stage the Aurora shootings raise some very difficult questions about UC Colorado’s responsibility.

First, what does the reasonable educational institution do to encourage student reports? One student received a warning from Holmes and another knew he had a firearm. UC Denver’s website indicates that faculty and staff have a duty to report threatening and concerning behaviors, but it does not appear that the university imposed such a duty on students. Is this approach reasonable? Would such a duty be meaningful or enforceable in any practical way? What did the university do to encourage or facilitate reporting by students? Was that reasonable?

Second, when should health care providers employed by an educational institution report behaviors for threat assessment? Mental health professionals hear about all kinds of concerning behaviors in the course of providing health care. They are duty-bound to keep such information confidential subject to, under our law in Ontario, a belief that disclosure of information is necessary to eliminate or reduce a significant risk of serious bodily harm. Such disclosures will ordinarily invite an immediate (emergency) response by law enforcement and not threat assessment, so the media’s early focus on what Holmes’ psychiatrist knew and disclosed for threat assessment purposes is puzzling.

Third, what duty does an educational institution have to the public at large? UC Denver is a public institution with an educational mandate. It has no public safety mandate and no relationship with the shooting victims. Does its mere engagement in assessing the threat posed by Holmes to its community justify the imposition of a duty of care to others? This is questionable.

For more information on threat assessment

Here are the resources I’ve used in preparing this article and in preparing for my upcoming presentation.

• The Final Report and Findings of the Safe School Initiative (US Secret Service and US Department of Education, 2004)
• Workplace Violence: Issues in Response (U.S. Department of Justice, 2004)
• Workplace Violence Prevention and Intervention (ASIS/SHRM, 2011)
• A Handbook for Police and Crown Prosecutors on Criminal Harassment (Department of Justice Canada, 2004)

I’d also encourage you to follow David Hyde, who regularly shares insightful information on threat assessment. For David’s recent post on the role of threat assessment in a workplace violence program, click here.

I spent a long day today studying some fairly wacky e-mails on a file and, coincidentally, also had someone ask me to pull together a list of good e-mail practices with a focus on risk management benefits. This got me onto a creative project, and I have produced the following list.

1. Pick up the phone. For many subjects, a telephone discussion can quickly generate a level of understanding that might take numerous e-mails to achieve. Even simple subjects can generate significant back-and-forth.
2. Have a meeting. Don’t use e-mail to think aloud. Deliberations can be very sensitive because they often lead to decisions that do not reflect initial thoughts. E-mail is an extremely poor medium through which to deliberate. Deliberation is best suited to meetings.
3. Write meaningful subject lines. Your recipient should be able to understand what your e-mail is about by reading the subject line. For example, “Project Alpha report attached for your review.” If action is required, indicate so in the subject line. Don’t leave the subject line blank. Don’t use “important,” or “Hi” or the like.
4. Keep to one subject per e-mail. By sending business e-mail you are creating a record of correspondence that likely has some value to the business. That record is difficult to manage when it has more than one subject. It may seem strange, but send two e-mails in sequence rather than one. Similarly, don’t (lazily) reply to an old e-mail to start a new subject.
5. Ask, “Does this person really need to be copied?” Routine use of the CC field can annoy and burden recipients. Use it for a purpose and be critical about your purpose. Ask yourself if copying someone is really a necessary courtesy. In other words, if they won’t complain, don’t copy them.
6. Be concise. Start with your point or request. Provide a brief rationale or explanation. End with an invitation to action (either yours or the recipient’s). If your e-mail requires much more than this, e-mail might not be the appropriate means of communication.
7. Pause. Pause again. Send. Never e-mail when you are upset or angry. If it is appropriate to respond in writing at all, wait until you have calmed down. Remember that your response will be permanently recorded. Even in less intense circumstances, you’ll benefit by reflecting on your e-mails rather than responding immediately.
8. Don’t forward an e-mail that will provoke a harmful response. If you receive an e-mail that is alarming or obnoxious, resist the urge to forward it to your colleagues. Yes, you’ll need to talk it through, but if you forward the provocative e-mail to four others, you’ll cause at least one to react without thought, in writing.
9. Check your spelling and grammar. It may seem unimportant, but if the substance of your e-mail is later scrutinized, poor spelling and grammar might cause people to perceive you as sloppy or uncaring and discount your substantive position.
10. Check the clarity of your message. Have I been too loose in conveying a complicated idea? Have I used humor that is too risky? Ask these questions and, remember, your e-mail will create a permanent record.