Ontario data breach class action settlement approved

Canadian data breach litigation is still in its early phase. On July 3rd, the Ontario Superior Court of Justice approved a settlement in a significant class action that was brought after a public health nurse lost a USB key containing the personal information of about 85,000 individuals who had been immunized during the 2009 H1N1 scare.

The settlement created a claims period, open until August 1, 2016, in which class members may claim for economic loss; it provides for no other damages payment. As Justice Lauwers explained, the defendant and its insurer agreed to accept the risk of economic harm over the six and a half year claim period, after which, he held, “the risk will be virtually eliminated.”

In approving the settlement, Justice Lauwers stressed that the plaintiff faced a difficult case because his ability to prove compensable damages worsened as time passed. He said:

It is important to consider the context in which this case developed. The USB key was lost on or about December 16, 2009. In the midst of the anxiety created by that loss, the action was started on April 26, 2010. The certification motion was heard on December 16, 2010 with the decision rendered on February 4, 2011, and the certification order signed on April 26, 2011. Over the course of this action, anxiety about the abuse of private information has given way to the realization that it is now probable that no one has the missing USB key. This inference comes from the fact that no class member has claimed that information on the key has been used to financially damage his or her interests. This case, it bears emphasizing, would look far different if information from the lost USB key had been abused by a wrongdoer…

As a matter of law, in my view, the chances of success, in the circumstances as they have unfolded since the USB key was lost, are quite low.

Justice Lauwers approved an agreement to pay $500,000 in costs (including taxes and disbursements) to class counsel plus an amount equal to 25% of any claims paid. Though loss to individuals was not the basis for this amount, it equals about $5.99 per affected individual for a suspected breach involving the loss of name, address, telephone number, gender, date of birth, Ontario health number, health card expiration date, name of primary care provider and “some additional personal health information.”

Rowlands v Durham Region Health, 2012 ONSC 3948 (CanLII).

Arbitrator says demand for personal cell phone records not justified

In a recently published award, arbitrator Michel Picher held that an employer was not justified in demanding production of an employee’s personal cell phone records.

The employee – an apprentice diesel mechanic who worked in a safety sensitive environment – was observed holding his Blackberry device contrary to company policy. He said his shift was almost over and he was just checking the time. In its investigation, the employer asked for copies of his cell phone records.

Arbitrator Picher inferred that the request was made for the purpose of checking whether the employee had used his phone earlier in the shift, an improper purpose (not supported by reasonable grounds, I note) and a significantly different purpose than following up on a significant accident or near miss. Arbitrator Picher has previously endorsed limited requests for personal cell phone records for the latter purpose.

The Canadian Pacific Railway and CAW-Canada, Local 101 (M. Picher, 22 November 2011).

IPC/Ontario says institution facing data breach should not have protected employee

The IPC/Ontario issued a privacy complaint report on July 3rd that illustrates the downside of protecting an employee who has gained unauthorized access to personal information.

The IPC likes institutions and health information custodians to hold employees accountable for gaining unauthorized access to personal information by imposing discipline and (controversially) sharing the details of the disciplinary response with affected individuals. It made this position clear in 2010 in HO-010. In this most recent report, it even suggested that institutions should have a policy that calls for disclosing the details of their disciplinary response barring exceptional circumstances.

The report is about an OPP clerk who gave access to an occurrence report about the complainant to an acquaintance who was the complainant’s landlord. The OPP admitted the breach but also shouldered the blame. It counseled the clerk and provided remedial training to all clerks. In its representations to the IPC the OPP said “The clerk appeared to have acted alone, and made a single error on one occasion resulting in the disclosure of a single record. We believe that this mistake was due to a lack of training, rather than as a result of malice or intent.”

The IPC quoted this representation twice before rejecting it and reiterating the principles from HO-010. It was a very problematic position to take given HO-010 and the sensitivity of the personal information in a police occurrence report. It is also hard to frame actions like the clerk’s as merely negligent.

The IPC then, as invited by the OPP’s position, engaged in a detailed analysis of the OPP privacy governance framework before making a number of negative findings about the OPP’s policies, procedures and training. One wonders whether the OPP’s privacy governance framework would have been questioned at all if it had simply assigned fault to the clerk.

Ontario institutions and health information custodians who are faced with a privacy breach need to conduct a thorough investigation with good causal analysis before the IPC gets involved. If fault lies with one or more employees, assigning fault and imposing appropriate consequences appears to be a relatively simple way to meet the IPC’s expectations. Taking such steps may even dissuade the IPC from asking broader and potentially more painful questions about organizational privacy governance.

Ontario (Community Safety and Correctional Services) (Re), 2012 CanLII 37748 (ON IPC).

Arbitrator suggests that discipline undermines grounds for referral to psychiatric assessment

Here is another case in which an arbitrator held that an employer did not have grounds to order an employee to attend a psychiatric assessment. Ontario Arbitrator Nimal Dissanyake issued his order on April 3, 2012. He was driven by a number of factors:

  • the employee had demonstrated a pattern of angry behavior, but had not made an express or implied threat;
  • the employer did not base its assessment direction on input from a company physician/advisor;
  • the employer’s decision-maker admitted that he (simply) had doubts about the employee’s mental health; and
  • the employer disciplined the employee for the same behavior that caused it to issue its assessment direction.

While Arbitrator Dissanyake rejects “a technical rule that conduct that had been the subject of discipline in the past may not be relied upon in requiring an IME,” his reasoning suggests that basing a discipline charge and an order to attend an IME on the same behavior is problematic. While employers should be careful about picking their means of managing aggressive or angry behavior in the workplace, question whether an employee can have the mental capacity to commit a workplace offence and, at the same time, have a mental condition that (on reasonable grounds) requires assessment.

IBEW, Local 636 and Niagara Peninsula Energy Inc. (Dissanyake, 3 April 2012).

Outburst does not justify employer’s direction to attend psychiatric assessment

An award from June 29th of last year was just published in which Arbitrator Michel Picher held that an employer was not justified in directing an employee who had made a concerning outburst to a psychiatric assessment.

The employee was a 26-year mechanic who became frustrated about the theft of his tools. The company alleged he told a manager that he “was bringing in a knife, and that the next time someone touches anything of his he will cut their hand or head off.” He later said he would pray that the manager and his family would answer to God. The company referred the employee to its OHS physician, who recommended that the employee attend an IME. This led to a lengthy dispute that came before Arbitrator Picher five years later, after the parties agreed the employee would be reinstated; they argued only about the terms of reinstatement, including whether an IME would be a condition of return.

Employers faced with concerning behavior are in a dilemma, and should never be too confident in their own ability to assess an employee’s disposition to commit an act of violence. This case is notable as highlighting the requirement to have a reasonable basis for requiring a psychiatric assessment, but the finding is very qualified. Arbitrator Picher noted that the employee had supported his rejection of the IME direction by submitting medical evidence from his own physician, evidence that the company appeared not to answer in the arbitration. He also noted that the precise statement made by the employee was in dispute, and the employer did not bring the manager to the hearing. Finally, Arbitrator Picher ordered the employee to be reinstated without compensation. In a way, the employer got what it wanted: an independent review of the circumstances prior to reinstatement.

The Canadian Pacific Railway and CAW-Canada, Local 101 (M. Picher, 29 June 2011).

Information about business subsidies received not personal information

On June 15th the Alberta Court of Queen’s Bench affirmed an Alberta OIPC finding that amounts of financial assistance received by livestock farmers under two government programs were not the farmers’ personal information. The OIPC held that even if the information could be linked indirectly to individuals (e.g., owners of sole proprietorships or closely held corporations) there was no proof that it had a “personal dimension” sufficient to qualify. The Court held the OIPC’s order was transparent and detailed, “made sense” and was consistent with the purpose of Alberta FIPPA.

Agriculture Financial Services Corporation v Alberta (Information and Privacy Commissioner), 2012 ABQB 397 (CanLII).

Majority of BCCA says accuracy duty applies broadly

Yesterday the Court of Appeal for British Columbia restored a finding that the British Columbia Ministry of Children and Family Development breached British Columbia FIPPA by failing to make every reasonable effort to ensure the accuracy of personal information before using it to answer a background check inquiry.

This is a very well-litigated dispute about a communication made by the Ministry to a social services employer who contacted the Ministry, with consent, to check into the background of a new employee. The Ministry disclosed the existence of a complaint made against the employee. It also noticed some irregularities in its file, did a full review of the file (without going behind the file to make inquiries) and said to the employer, “to be on the safe side, I would prefer that he may be supervised, if you can do this.”

The employee was terminated and has since been on a long campaign to seek redress. In May 2010, the British Columbia Court of Appeal dismissed the employee’s $520 million action against the Ministry and others as disclosing no reasonable cause of action. About a year earlier, the Court of Appeal heard an appeal of the employee’s privacy complaint and sent it back to the B.C. OIPC so the OIPC could consider whether the Ministry breached section 28 of B.C. FIPPA. Section 28 imposes a duty to make every reasonable effort to ensure the accuracy of personal information that is used to make a “decision that directly affects [an] individual.”

In yesterday’s decision, a 2-1 majority of the Court held that the OIPC was reasonable to conclude that the Ministry’s act of issuing a caution to the employer entailed a use of personal information in making a “decision that directly affects [an] individual.” Madam Justice Bennett wrote for the majority. Most significantly, she affirmed the OIPC’s broad reading of “decision” – to encompass formal and informal decisions – as reasonable. Mr. Justice Hinkson did not take issue with this finding in his dissent. He held that the Ministry’s highly qualified advice could not even be elevated to the status of an informal decision.

The public sector access and privacy statutes in Nova Scotia, Newfoundland, Prince Edward Island, Alberta and the three territories contain provisions with similar or identical language to section 28.

Hat tip to Eileen Vanderburgh from the ABHL Information + Privacy Law Blog.

British Columbia (Ministry of Children and Family Development) v. Harrison, 2012 BCCA 277.

Life trumps privacy

“Life trumps privacy.”

These are not my words. It’s a line from a 2007 practice tool published by the British Columbia and Ontario privacy commissioners entitled “Emergency Disclosure of Personal Information by Universities, Colleges and other Educational Institutions.” The tool focuses on the disclosure of personal information to prevent safety-related harm, an issue that privacy commissioners are sensitive to because privacy regulation often comes under attack as causing or contributing to a violent incident. Commissioner Cavoukian also wrote an editorial in the Washington Post following the 2007 Virginia Tech shootings and spoke to the CBC’s The Fifth Estate in 2009 after the Nadia Kajouji suicide at Carleton University – both times arguing that privacy legislation does not impede threat management.

This is relevant today because privacy and safety is back in the news. The National Post published an article yesterday about Travis Baumgartner’s Facebook posting. About two weeks before the multiple murder in which he is implicated occurred, Baumgartner posted, “I wonder if I’d make the six o’clock news if I just starting popping people off.”

Employers do not have a duty to routinely monitor the internet for signs of concerning employee behavior. To assert such a duty is to take an employer’s duty to provide a safe work environment too far. Monitoring would be costly, difficult to do effectively and, as noted in the article, raise privacy issues.

Employers do, however, have a duty to “know what they know” about troubled employees and others who frequent the workplace. There are too many stories about concerning behaviors that were observed by other employees in the workplace and that were not assessed except in hindsight of a catastrophe. Employers must have means by which troubling behaviors exhibited by employees and others are reported and properly assessed. This has become the clear best practice, one that developed out of the landmark 2002 report of the U.S. Secret Service and U.S. Department of Education.

And what if an employee simply reports another employee’s Facebook posting as being of concern? It should be assessed. And once there is a legitimate reason to assess, employers must be thorough and gather relevant information from all available sources, including the Internet. Employers can’t afford to draw artificial lines between behavior inside and outside of the workplace in assessing a legitimate concern.

I’d like to say that privacy laws do not stand in the way of collecting personal information in the course of a threat assessment, but that’s not necessarily the case. Ontario’s provincial public sector privacy legislation, in particular, contains a very restrictive “indirect collection” prohibition. Law enforcement can collect personal information from third-parties without consent in order to assess a threat, but institutions acting in a “civilian” capacity cannot. There are ways to manage the prohibition through policy but, nonetheless, the legislation should be changed. After all, life trumps privacy.

Employer has duty to protect employee’s reputation in circumstances surrounding termination

An employer has a duty to provide a safe and harassment free workplace, but this is different than a duty to protect an employee’s reputation. The assertion of a duty to protect reputation is of great concern to employers given how often employees who are targeted on the internet by “outsiders” turn to their employers for help. On May 29th the Federal Court of Appeal held that an employer breached a duty to protect its employee’s reputation, but also made clear that the duty arose only out of the well-established duty to exercise good faith in terminating employment – the “Wallace duty.” Justice Sharlow explained:

As I understand the adjudicator’s reasons, he did not conclude that PWGSC as Mr. Tipple’s employer had a free-standing duty to protect his reputation. Rather, he found that the law imposed on PWGSC a duty of good faith when terminating Mr. Tipple’s employment. When PWGSC decided to terminate Mr. Tipple’s employment in the midst of press reports impugning his integrity on the basis of information leaked from PWGSC which senior officials of PWGSC knew to be false, the duty of good faith included the duty to take reasonable steps to ensure that the termination did not cause undue and unjustified harm to Mr. Tipple’s reputation. In my view, the adjudicator’s conclusion is well within the scope of the Wallace principle, and is reasonable. I conclude that the judge erred in setting aside the award of $250,000 for loss of reputation.

The facts are worth a close read and detailed analysis, but I’ll simplify here and say that employers who terminate an employee who is embroiled in public controversy without asserting cause for reasons related to the controversy ought to beware of a positive duty to protect the employee’s reputation.

Tipple v. Canada (Attorney General), 2012 FCA 158 (CanLII).

“Meaningful on call duties” mean position has safety-sensitive status

In a March 30th decision, Arbitrator Michel Picher said, “An employee who is trained and remains meaningfully on call to perform safety sensitive functions must be recognized as having safety sensitive status, regardless of the frequency of the functions.” In applying this principle, he held that qualified Diesel Mechanics at a rail yard were in a safety sensitive position even though they only were required to operate locomotives on a very occasional basis – some as little as a few times a year. Arbitrator Picher’s finding means that the mechanics are subject to special medical assessment and drug and alcohol testing requirements.

Canadian Pacific Railway Company and CAW-Canada, Local 101 (30 March 2012, M. Picher).