In a decision issued June 6th, Master MacLeod of the Ontario Superior Court of Justice asked whether particulars should be more readily ordered under the Ontario rules given the relationship between pleading, discovery and expense. He concluded:

All of this is to say that the requirement of particulars for the purpose of pleading should not be construed too narrowly. A request for particulars should be upheld if it appears that it will result in a more focused and intelligent pleading and it should be refused if it simply adds another unnecessary step or delays the progress of the action.

Master MacLeod is on Sedona Canada and clearly cares to encourage efficient litigation. He has demonstrated a unique willingness to take a detailed look at how parties have conducted a step in a proceeding (as opposed the steps taken) and hold them to account: see e.g., L’Abbé v Allen-Vanguard.

Ottawa (City) v. Cole & Associates Architects Inc., 2012 CarswellOnt 7204.

The use of personal e-mail accounts for work purposes is out of control. A May 23rd judgement of the Court of Appeal of Alberta illustrates.

The Court affirmed a stay a prosecution that an accounting profession tribunal ordered because an investigator used his wife’s e-mail to send and receive correspondence in conducting an investigation. The Court agreed with the tribunal that the respondent did not consent. It said:

In our view, whatever standard of review one applies to the Appeal Tribunal’s review of the Discipline Tribunal’s decision on this point, it is clear that the finding of consent cannot be sustained. While it might be possible to infer that Clark consented to the disclosure of information he sent to Rockwood’s wife’s e-mail address, no such inference can be drawn with respect to the confidential information gathered by the investigator about Clark from the complainant and other third parties. Clark did not know that information about him was being gathered in this fashion, and counsel for CIC conceded that Rockwood’s wife might have seen some of these e-mails.

The Court also held that the tribunal was reasonable to conclude that a stay (though an extreme remedy) was warranted, particularly given the investigation and prosecution at issue was for breaching client confidences: “…the stay was the only way to hold the CIC to the standard of conduct expected of all members of the profession.”

Clark v. Complaints Inquiry Committee, 2012 ABCA 152 (CanLII).

On June 7th, the Ontario Superior Court of Justice dismissed a partial summary judgement motion, thereby allowing a defendant to plead that the plaintiff had committed spoliation by failing to obtain a piece of plastic she had ingested after it was surgically removed. The plaintiff argued that the pleading should be struck because there was no claim that she ever had power, possession or control of the piece of plastic (which was lost by the hospital at which she was treated). Justice Quigley held that summary judgement is not a means to strike part of a defence and that the defence pleaded was novel yet “legally tenable.”

Melissa Topp v. Costco Wholesale Canada Ltd., 2012 ONSC 3354 (CanLII).

On June 4th, the Ontario Court of Appeal affirmed a 2009 Information and Privacy Commissioner/Ontario order to disclose sex offender registry data linked to the first three characters of offenders’ postal codes (so called “forward sortation area” data). The IPC had rejected the Ministry of Community Safety and Correctional Services’ argument that the information could not be disclosed in such a manner without causing a degree of harm to offenders contemplated by the “health and safety exemption” in section 14(1)(e) of the Freedom of Information and Protection of Privacy Act.

Ontario (Community Safety and Correctional Services) v. Ontario (Information and Privacy Commissioner), 2012 ONCA 393.

On April 5th Arbitrator Sims awarded $1,250 to each member of a group of 26 government of Alberta employees because the government checked each employee’s credit without authorization or sufficient justification.

An internal investigator conducted the checks to see if any the employees were in financial difficulty, which he thought might indicate a motive to engage the fraud he was investigating. The government admitted a breach and apologized, but its employees’ union grieved to seek damages. Arbitrator Sims heard the grievance based on an agreed statement of facts that stipulated the employees had “suffered emotional stress in their personal lives and in the workplace.”

Arbitrator Sims relied on the Court of Appeal for Ontario’s decision in Jones v. Tsige and the Federal Court’s decision in Nammo v. Trans Union of Canada in crafting a damages award. He said:

Having weighed all these considerations and the facts in this case, I find this is an appropriate case for a modest award of damages for each grievor, which I set at $1,250.00 per grievor. I accept the point from Nammo (supra) that steps taken to correct a breach do not mean no breach occurred. Here, a breach did occur, and one of real significance in terms of the grievors’ privacy rights and their sense of security and well being as employees. Paragraph 12 of the agreed facts confirm damages, although they are intangible in nature. The Assistant Deputy Minister’s reply at Level II of the grievance procedure speaks of “an environment of mistrust” having been created.

The Department’s clear and unrestrained admission of error and its apology goes some considerable distance in rectifying that mistrustful environment and must have, to a significant degree, calmed the employees’ anxieties over the Employer’s attitude towards their right to privacy. I have also taken into account the fact that the Equifax system does not report on such “soft requests”, although they remain within its system. No steps have apparently been taken to have these entries erased, but they could be and, to the extent that involves cost, the Employer has agreed to cover any such expenditure. Considering the facts overall, I find the conduct and the harm in this case to be considerably less egregious and damaging than that in either Nammo (supra) or Jones.

Alberta v. Alberta Union of Provincial Employees (Privacy Rights Grievance), [2012] A.G.A.A. No. 23 (Sims) (QL).

On March 12th, Ontario arbitrator Joseph Carrier held that electronic records of an employee’s parking activity were admissible as meeting the “best evidence” requirements in the Ontario Evidence Act.

The employer relied on the records in asserting overtime fraud. Its system recorded data (presumably the time of “ins” and “outs”) on a server that it owned and that was overseen by a member of management named MacLeod. MacLeod testified and suggested that the system was functioning properly in the relevant time period, though she did not maintain the server herself and admitted that she was not technically inclined.

Arbitrator Carrier rejected the union’s assertion that expert technical evidence was required to satisfy integrity requirement that applies to evidence recorded by its proponent – i.e., proof “that at all material times the computer system or other similar device was operating properly.” He said:

I have considered those submissions and the provisions of section 34 and am of the view that the requirement respecting the integrity of the computer system need not require the evidence of a technical expert. Rather, the requirement is for evidence to support a finding that the computer system was operating properly at all material times or, if not, that any malfunction did not affect the integrity of the records. In this case, Ms. MacLeod, although she was not directly involved in overseeing the daily operation of the parking lot or the server, as manager of the operation for the hospital was informed of any functional problems both mechanical and electronic and consulted with respect to any proposed repairs or maintenance. As the Lakeridge Hospital Manager responsible for the overall operation of the parking lot, it is my view that her evidence was sufficient to satisfy the requirements of section 7(a) of the legislation. She did not testify, as one might otherwise have expected, that there were recording problems that were brought to her attention or discrepancies between the parking records and the revenues reported. Furthermore, in the words of section 7(a) there were “no other reasonable grounds to doubt the integrity of the electronic records system”. Indeed, Mr. del Junco did not assert, nor did Mr. Koscik, the Grievor, challenge that the records of his entrance and exit from the parking lot during any relevant period were inaccurate. Although one could not expect him to recall any specific day on which he might have entered or exited at times other than those recorded, in general, he did not challenge that the times recorded unfairly reflected his parking usage. In the circumstances, it is my view that the parking records could be properly admitted and relied upon pursuant to these provisions of the Evidence Act.

Arbitrator Carrier also rejected (without giving reasons) an argument that the records were inadmissible because the records were used in breach of the Personal Information Protection and Electronic Documents Act. It is questionable whether PIPEDA applies given the use of the records was in relation to employment in the province.

Lakeridge Health Corporation and OPSEU (12 March 2012, Carrier).

On May 3rd, the Divisional Court held that defendants to regulatory prosecutions under the Provincial Offences Act receive the benefit of “McNeil disclosure” notwithstanding a claim made by OPSEU on behalf of provincial regulatory inspectors.

“McNeil disclosure” is a form of Crown disclosure facilitated by a 2009 Supreme Court of Canada decision. The Court held that the Crown has a positive duty to build-out the Crown brief by making “reasonable inquiries” of other Crown agencies and departments. This duty, said the Court, includes a duty to collect and disclose records of police misconduct, at least where an officer is likely to be a witness at trial and has a record with some arguably relevant blemishes.

After McNeil was issued, the Ontario Ministry of Labour initiated a procedure for conducting CPIC checks on Ontario Occupational Health and Safety Act inspectors to support its disclosure duties. OPSEU grieved, and in March 2011 the Grievance Settlement Board held that the Ministry’s procedure did “not accord with an appropriate exercise of management rights under the [OPSEU/OPS] Collective Agreement.” The Toronto Star headline read, “Province slammed for secret criminal checks on labour inspectors.”

The Divisional Court has now held that the GSB erred in finding that an inspector’s criminal record should not be the subject of first party disclosure pursuant to McNeil. It explained:

A comparison of the role of the investigator in an OHSA prosecution with that of a police officer in prosecutions under the Criminal Code or Controlled Drug and Substances Act does not provide a sufficient basis upon which to differentiate the inspector from the police officer. Though the powers of police officers are broader, the essence of McNeil focuses on the role of police as investigator, accuser and witness. An OHSA inspector has the same role. Furthermore, these regulatory offences can engage severe penal consequences for an accused.

The Crown must exercise its own discretion in deciding what information falls within the parameters of McNeil and what does not, but in the first instance the Crown is obliged to at least obtain the information. Not all police records are relevant to the credibility or reliability of the inspector’s evidence and therefore relevant to the accused’s rights to make full answer and defence. However, there is no reason to think an inspector’s criminal record will have less bearing on the right to make full answer and defence in a regulatory proceeding than a police officer’s record in a criminal prosecution.

I agree with the Crown that McNeil does not just establish a conduit for the disclosure by the police through the Crown’s office; rather it establishes an obligation on the Crown to solicit readily obtainable information, like a CPIC record, or an internal record of misconduct in employment records. The obligation to disclose what is in the “possession and control” of the prosecution is not limited to what it has in its physical possession but also includes readily obtainable information or documents.

This is good news for POA defendants, who will receive the same treatment as criminal defendants based on this reasoning.

The Court also upheld part of the GSB order that imposed certain procedural safeguards to protect inspector privacy. The Court suggested (on a point that doesn’t appear to have been argued) that the GSB jurisdiction to make such a privacy-protective order arose out of its jurisdiction to interpret and apply the Freedom of Information and Protection of Privacy Act. This source of jurisdiction is highly questionable given FIPPA is a records-based statute that has a broad employment-related records exclusion. Indeed, the view that FIPPA does not protect employee privacy is reinforced by the Information and Privacy Commissioner/Ontario’s own position. The IPC has lobbied for elimination of the exclusion so Ontario public sector employees can enjoy statutory privacy rights (see 2004 Annual Report). It also routinely declines jurisdiction over employment-related privacy complaints.

OPSEU v. Ontario, 2012 CarswellOnt 6293, 2012 ONSC 207.

I presented today on the topic of internal investigations and the cloud at the annual Association of Certified Forensic Investigators of Canada fraud conference.

The issue: outsourcing business IT systems to the cloud may impede access to information for audit and investigatory purposes. Data security is front and center in most outsourcings, but audit and investigation capability is also a key concern and is subject to unique requirements. Business owners should recognize that security and audit departments are likely stakeholders in most outsourcing projects and support the best possible needs analysis and requirements definition process.

Here are my slides:

 

Here are some related resources, including some data security resources that came up in discussion.

• J. Cheng, “IBM’s Siri ban highlights companies’ privacy, trade secret challenges”
• Digital Forensics Laboratories, “Digital investigations in the Cloud”
• T. Harbert, “E-discovery in the Cloud? Not so easy”
• W. Manning, “Investigating in the Clouds” (good, but password required)
• Hogan Lovells, “A Global Reality: Governmental Access to Data in the Cloud”
• K. Ruan et al, “Cloud forensics: An overview”
• A. Savvas, “Cloud providers cave into more flexible contracts”
• T. Trappler, “In the Cloud, Your Data Can Get Caught Up in Legal Actions”
• K. Zetter, “FBI Uses ‘Sledgehammer’ to Seize E-Mail Server in Search for Bomb Threat Evidence”

Finally, here’s a link to my comment on the recent Calgary Police Service case, which I used as an intro to a segment on handling an evidence trail that leads to an employee’s personal cloud-based account.

I hope this content helps you approach a pressing issue for internal investigators.

Employers who are regulated by privacy legislation need to reckon with privacy commissioner oversight in conducting searches of their work systems for evidence of misconduct. This is the clear lesson from the recent and much-discussed Calgary Police Service order of the Alberta OIPC that dealt with the service’s unauthorized access to an employee’s personal e-mail account.

The facts are simple. The service embarked on an internal sexual misconduct investigation that included a review of an employee’s work e-mail account. It conducted a search for the word “password” as a matter of protocol because the sending and receiving of passwords through e-mail is indicative of a number of common IT security problems. The service found a message to an outsider containing the employee’s password to her personal e-mail account, a communication the service said “seemed odd.” Given the employee had also sent “snippets” of confidential service records to others internally, the service accessed the personal account on a theory that the employee was leaking confidential information through the personal e-mail account. It happened to find evidence of work-related sexual misconduct and used it to discipline the employee. The employee later complained to the OIPC under Alberta’s public sector privacy legislation.

The OIPC was not impressed with the service’s professed basis for using the password to access the employee’s personal account, particularly given the investigator had no mandate to determine whether the employee had committed a breach of confidence. It upheld the employee’s complaint.

The result is no surprise. Taking a step in an investigation as intrusive as gaining unauthorized access to a personal e-mail account based significantly on the discovery of a communication that “seemed odd” is problematic. The record shows that the service was clearly on a fishing expedition, and despite the OIPC’s finding, its approach still signals respect for management’s right to investigate. The OIPC says, for example, “It might be policy for IT to check for data leakage whenever a Public Body employee is being investigated for inappropriate email or computer use, but this cannot extend, without cause, to an employee’s personal email account.”

The simple lesson from the case for employers who are subject to employment privacy regulation – far from all employers – is to develop and implement controls to structure the process of searching work systems for evidence of misconduct. Who authorizes a search? What’s the scope? What routine searches should be conducted? What should the investigator do if he or she finds evidence of wrongdoing that is out of scope? Who is responsible for securing evidence and how? Organizations should have clear answers to these questions before embarking on an IT search.

Order F2012-07 (April 30, 2012).