“Stolen” solicitor-client communications to be returned

On January 11th, the Ontario Superior Court of Justice ordered solicitor-client communications to be returned to the exclusive possession of a defendant to a constructive dismissal action and denied the plaintiff a declaration that privilege had been waived based on an alleged “reckless” disclosure.

The plaintiff obtained the communications through her husband, who took them from her employer when he was given access to the employer’s computer to conduct some maintenance.

The Court’s privilege waiver denial is not surprising given the privilege waiver doctrine offers relatively strong protection for solicitor-client communications. Justice Arell also suggested that the administration of justice would be brought into disrepute if stolen communications were to be used in support of an action. This is a more novel idea, though it was expressed in obiter.

Pottruff v. Don Berry Holdings Inc., 2012 ONSC 311 (CanLII).

Privacy tort recognized by Ontario Court of Appeal

The Ontario Court of Appeal issued a very important decision today that recognizes an “intrusion upon seclusion” tort.

Under Ontario law it is now clear that individuals can sue for breach of privacy based on proof of:

  1. an intentional unauthorized intrusion;
  2. which is an intrusion upon private affairs or concerns (i.e., that breaches a reasonable expectation of privacy); and
  3. that is made in circumstances that are highly offensive to the reasonable person.

If these elements are proven, harms that justify the award of moral damages will be presumed. Such damages will be awarded “to mark the wrong that has been done” in an amount that does not ordinarily exceed $20,000, with an amount being set based on:

  1. the nature, incidence and occasion of the defendant’s wrongful act;
  2. the effect of the wrong on the plaintiff‟s health, welfare, social, business or financial position;
  3. any relationship, whether domestic or otherwise, between the parties;
  4. any distress, annoyance or embarrassment suffered by the plaintiff arising from the wrong; and
  5. the conduct of the parties, both before and after the wrong, including any apology or offer of amends made by the defendant.

The Court stressed that valid claims for intrusion upon seclusion will only arise “for deliberate and significant invasions of privacy” and also said that the law will develop affirmative defenses based on countervailing claims for the protection of freedom of expression and freedom of the press.

Jones v. Tsige, 2012 ONCA 32.

Acceptable use policies – answers to ten common employer questions

I’ve been doing substantial work on employer acceptable use policies lately and would like to publish a draft Q&A for feedback.

If you have feedback please comment or send me an e-mail.

Dan

1. What should employers do today to ensure their acceptable use policies effectively manage the implications of personal use?

In light of recent developments, employers should ensure that their acceptable use policies (1) articulate all the purposes for which management may access and use information stored on its system and (2) make clear that engaging in personal use is a choice employees make that involves the sacrifice of personal privacy.

2. What are the most common purposes for employer access?

Consider the following list: (a) to engage in technical maintenance, repair and management; (b) to meet a legal requirement to produce records, including by engaging in e-discovery; (c) to ensure continuity of work processes (e.g., employee departs, employee gets sick, work stoppage occurs); (d) to improve business processes and manage productivity; and (e) to prevent misconduct and ensure compliance with the law.

3. How should employers describe the scope of application of an acceptable use policy?

Acceptable use policies usually apply to “users” (employees and others) and a “system” or “network.” To effectively manage employee privacy expectations, policies should make clear that devices (laptops, handhelds…) that are company owned and issued for work purposes are part of the system or network even though they may periodically be used as stand alone devices.

4. Should employers have controls that limit access to information created by employees even though they don’t want to acknowledge that employees can expect privacy in their personal use?

Access controls are an important part of corporate information security. Rules that control who can access information created by employees (e.g., in an e-mail account or stored in a space reserved for an employee on a hard drive) are, first and foremost, for the company’s benefit. Access controls should be clearly framed as being created for the company’s benefit and not for the purpose of protecting employee privacy.

5. How should passwords be addressed in an acceptable use policy?

Password sharing should be prohibited by policy. Employees should have a positive duty to keep passwords reasonably secure. An acceptable use policy should also make clear that the primary purpose of a password is to ensure that people who use the company system can be reliably identified. Conversely, an acceptable use policy should make clear that the purpose of a password is not to preclude employer access.

6. Does access to forensic information raise special issues?

Yes. Acceptable use policies often advise employees that their use of a work system may generate information about system use that cannot readily be seen – e.g., information stored in log files and “deleted” information. It is a good practice to use an acceptable use policy to warn employees that this kind of information exists and may be accessed and used by an employer in the course of an investigation (or otherwise).

7. How should an employer address the use of personal devices on its network?

Ensuring work information stays on company owned devices has always been the safest policy, though cost and user pressures are causing a large number of organizations to open up to a “bring your own device” policy. Employers who accept “BYOD” should use technical and legal means to ensure adequate network security and adequate control of corporate information stored on employee-owned devices. For example, employers may require employees to agree to remotely manage their own devices as a condition of use and with an understanding that they will sacrifice a good degree of personal privacy.

8. Should an acceptable use policy govern the use of social media?

Only indirectly. An acceptable use policy governs the use of a corporate network. A social media policy governs the publication of information on the internet from any computer at any time. In managing social media risks, employers should stress that publications made from home are not necessarily “private” or beyond reproach, so putting internet publication rules in an acceptable use policy sends a counter-productive message.

9. Should employers utilize annual acknowledgements?

Annual acknowledgements are not a strict requirement for enforcing the terms of an acceptable use policy but are helpful. The basic requirement is to give notice of all applicable terms in a manner that allows knowledge to be readily inferred in the event of a dispute. “Login script” with appropriate warning language is also common and helpful. Nowadays, a good login script will say something like, “If you need a confidential means of sending and receiving personal communications and storing personal files you should use a personal device unconnected to our system.”

10. Are there special concerns for public sector employers?

Most public sector employers in Canada are bound by the Canadian Charter of Rights and Freedoms and by freedom of information legislation. Many have workforces that are predominantly unionized. The guidance to public sector employers on their acceptable use policies is no different than to employers in general, but the need to manage expectations that employees may derive from personal use is particularly strong for public sector employers given the legal context in which they operate.

B.C. court awards nominal damages for privacy breach

The British Columbia Supreme Court awarded nominal damages for a privacy breach on November 23rd of last year.

The plaintiffs advanced the claim under the British Columbia Privacy Act. The Court awarded $100 to a defendant’s estranged mother because the defendant read and made a copy of her will after finding it while searching for her own documents. It also awarded a company operated by the estranged mother $50 because the defendant read and made a copy of a business letter and showed it to others. (The parties agreed that a corporation could sue for breach of privacy under the statute.)

The Court also held that the defendant’s brother, who had merely viewed a copy of the business letter, did not breach the Act.

Fillion v. Fillion, 2011 BCSC 1593 (CanLII).

E-mails sent to in house counsel for “simultaneous review” not privileged

Master Short of the Ontario Superior Court of Justice issued a decision on December 21st in which he held that e-mails merely copied to in house counsel were not subject to solicitor-client privilege. Here is the principle Master Short endorsed:

If the document was prepared for purposes of simultaneous review by legal and non-legal personnel, it cannot be said that the primary purpose of the document is to secure legal advice.

The idea that a communication for “simultaneous review” by legal and non-legal personnel is not privileged seems too broad and should be understood based on the facts in this case, which involved a standing order to copy in house counsel on all correspondence related to a business conflict (with significant legal ramifications) so counsel would be “in the loop.” If a communication goes “to” counsel and “to” another business official in the context of an ongoing advisory relationship pertaining to a matter, the inference about the purpose of the communication is significantly different than if counsel is merely copied. Barring other facts, the communication ought to be privileged.

Humberplex v. TransCanada Pipelines, 2011 ONSC 4815 (CanLII).

FCA says successful candidates’ employment history not accessible under ATIA

The Federal Court of Appeal has just published a decision it issued back in September in which it held that information submitted by successful applicants in federal public service job competitions is not accessible under the Access to Information Act.

Records containing the personal information of others are generally not accessible to the public under the ATIA. The issue in this case was whether information about candidates’ experience in other federal public service positions is accessible because such information is excluded from the definition of personal information based on section 3(j) of the Privacy Act. Section 3(j) deems that personal information does not include:

information about an individual who is or was an officer or employee of a government institution that relates to the position or functions of the individual including (i) the fact that the individual is or was an officer or employee of the government institution, (ii) the title, business address and telephone number of the individual, (iii) the classification, salary range and responsibilities of the position held by the individual, (iv) the name of the individual on a document prepared by the individual in the course of employment, and (v) the personal opinions or views of the individual given in the course of employment

The Court held that section 3(j) applies to information about a federal public service position and that (in the context) employment history information and educational history information submitted by candidates is more about a person than about a position. The Court described the information as being “an individual’s personal assets” in the context.

Mr. Nault has filed an application for leave to appeal to the Supreme Court of Canada.

Hat tip to AMiNA.

Nault v. Canada (Public Works and Government Services), 2011 FCA 263.

BCCA dismisses appeal of successful claim for privacy breach

On December 12th the Court of Appeal for British Columbia dismissed an appeal of a November 2010 award of damages for defamation and breach of privacy.

The $40,000 award was based partly on a number of publications made by an ex-husband about his ex-wife that the British Columbia Supreme Court held were defamatory and unjustified. The Supreme Court also upheld a privacy claim based on the ex-husband’s use of e-mail communications he obtained from an old home computer and distributed for the purpose of scandalizing his ex-wife.

The Court of Appeal dismissed the appellant’s procedural grounds for appeal without comment on the merits.

Nesbitt v. Neufeld, 2011 BCCA 529 (CanLII).

Federal Court protects CJC’s “fact finder” report

On December 13th, the Federal Court held that a report prepared by Professor Martin Friedland to the chair of a judicial conduct committee was subject to solicitor-client privilege and therefore not to be filed in a judicial review of the chair’s decision to dismiss a complaint.

Although Professor Friedland was retained under Canadian Judicial Council policy to make “further inquires” into a judicial conduct complaint – a fact-finding role in its essence – the Court held that his communication to the chair was best considered to be legal advice given Friedland’s status as a lawyer and the legal context for his communication. It said:

I agree with counsel for the CJC that for an investigator to be able to “attempt to clarify the allegations against the judge and gather evidence which, if established, would support or refute those allegations”, to quote from the Complaint Policy, he or she must know the legal elements of the specific allegations and of the notions of “judicial misconduct” and “incapacity” more broadly. In the case at bar, for example, Mr. Slansky alleged in his 16-page letter, bias, abuse of office, improper motive and knowingly acting contrary to the law. For the investigator to determine whether there is evidence that would support these allegations, he or she must be able to determine the materiality of the evidence. This is fundamentally a legal exercise, as it requires an assessment of whether there is a probative connection between the facts to be proved and the facts in issue as determined by the substantive law. Relevance and materiality are determined by the trier of law in a court proceeding, whereas the weight to be given to that evidence is for the trier of fact (Bryant, Lederman and Fuesrt, The Law of Evidence in Canada, pp 56-58, ss 2.49-2.50). Once again, it was essential for the investigator to be well versed in the principles of substantive law and evidence, to be in a position to assess whether the examples provided by Mr. Slansky in support of his complaint, amount to mere errors of law that are better left to an appeal court or whether they do raise, when considered in isolation or as a whole, the sort of concerns put forward by Mr. Slansky…

In light of the foregoing, therefore, I agree with CJC that counsel could only gather and examine relevant facts and present his or her findings and analysis through a legal framework or analysis. There is no doubt in my mind that Professor Friedland was retained by the CJC in his professional capacity as a lawyer, with the intention of providing assistance through his legal knowledge and analysis.

The Court also held that privilege applied to the entire report, making clear that the common law generally does not contemplate the severance and partial disclosure of a privileged communication. The Court also held that Professor Friedland’s report was subject to public interest privilege given the special need to encourage full and frank participation in the investigation process.

Slansky v. Canada (Attorney General), 2011 FC 1467.

Ontario Commissioner Issues Significant Order on Custody or Control of University Records

On November 7th, the Information and Privacy Commissioner/Ontario issued a very significant order for Ontario universities. It held that the IPC has exclusive jurisdiction to decide whether a record is in the custody or control of a university in the context of an access request and created a principle-based framework to assess whether records possessed by faculty members are in the custody or control of a university.

The matter relates to a very broad access request that was made to the University of Ottawa immediately after universities came under FIPPA in 2006. The University made a broad collection request of faculty members that led to a grievance by the University’s faculty association (AUPO) that Arbitrator Philip Chodos upheld in 2008. Arbitrator Chodos held that the University violated its faculty agreement by sending the collection request. In May 2009, Arbitrator Chodos issued a second order in which he endorsed a proposal by the association that suggested only a limited number of faculty records were under the custody or control of the University. After this decision, the University denied the request with reference to the Chodos award and on the basis that it had no responsive records. The requester appealed to the IPC.

Adjudicator Smith of the IPC made two important findings.

First, Adjudicator Smith held that the IPC has exclusive jurisdiction to decide whether a record is in the custody or control of a university in the context of an access request. She said:

Applying the two-part test in Weber, it is clear that the legislature intended that issues arising from requests and appeals under the Act be determined by the head, and on appeal, by the Commissioner, and not by a labour arbitrator. Considering the governing legislation (that is, the Act) as applied to the dispute in the relevant factual matrix, as outlined in the foregoing analysis, and bearing in mind that the arbitrator’s authority only arises under the collective agreement, an instrument that is not determinative of the issue of custody or control, I find that, in the context of an access- to-information request made under the Act, the Commissioner has the exclusive jurisdiction to determine this issue.

Second, Adjudicator Smith created a principle-based framework to assess whether records possessed by faculty members are in the custody or control of a university. She said:

Accordingly, I conclude that the arbitral awards are not determinative with respect to the custody or control of records that may be responsive in this case. Rather, the determination is to be made based in the principles enunciated in this order. The significant conclusions I have reached in this regard are:

1. records or portions of records in the possession of an APUO member that relate to personal matters or activities that are wholly unrelated to the university’s mandate, are not in the university’s custody or control;

2. records relating to teaching or research are likely to be impacted by academic freedom, and would only be in the university’s custody and/or control if they would be accessible to it by custom or practice, taking academic freedom into account;

3. administrative records are prima facie in the university’s custody and control, but would not be if they are unavailable to the university by custom or practice, taking academic freedom into account.

Based on these findings, Adjudicator Smith ordered the University to request that association members produce responsive records that are in the University’s custody or control, taking into account the three stipulated criteria. She also suggested that the University require faculty members to create “lists or indices of records or portions of records for which the question of custody or control may be in dispute, including a brief explanation of why a record or records would not be in the university’s custody or control.”

This is complicated and requires further thought. One question I have is whether the recognition of academic freedom in the second “custody or control criterion” is likely to satisfy the faculty association and dissuade it from pursuing judicial review. Another is about the potential effect of the exclusive jurisdiction finding. What if a faculty member takes a position on custody or control and refuses to produce a record for processing? Under the IPC’s approach that dispute will seemingly raise an issue about custody or control under FIPPA, but how can it not arise out of the collective agreement? We might look to a labour arbitrator response to this question in time. And why does a university’s right of access – a right arising out of employment – have anything to do with the FIPPA custody or control standard anyway? Finally, this illustrates the high costs of mixed-use information systems. Consider the extreme cost of the indexing exercise proposed by Adjudicator Smith, all borne out of a need to protect academic freedom and faculty confidentiality because information of different kinds is intermingled on a single system. Is it really the case that academic freedom cannot coexist with a university right of access that’s necessary for a legitimate purpose?

University of Ottawa – Order PO-3009-F (November 7, 2011).

Information About Landlords not Personal Information

On September 30th the Ontario Superior Court of Justice held that certain information about residential landlords was not their personal information in the circumstances.

The issue arose in an application that challenged a municipal by-law requiring landlords to obtain licenses for residential rental units. The by-law required landlords to submit information in support of a license (including name, telephone number and address information). The by-law also required a copy of an issued license (which included similar information) to be posted. The applicants argued that the by-law conflicted with the Municipal Freedom of Information and Protection of Privacy Act.

The Court held that MFIPPA’s privacy protection part was not engaged because the information at issue was information that identifies an individual in a business capacity rather than personal information. Justice Leitch explained:

In my view, landlords who lease Rental Units are engaged in business whether or not the landlord is an individual leasing a Rental Unit in his own home or a corporate landlord leasing units in a large apartment building. Both landlords are operating a business. As a result, I am satisfied that the Licensing By-law does not conflict with the provisions of the MFIPPA which protects personal information because the information requested comes within the exclusion set out in s. 2(2.1) of MFIPPA. It is contact information that identifies the individual in a business capacity.

It appears this was the same finding reached by the Information and Privacy Commissioner/Ontario in a previously decided privacy investigation report that dealt with the by-law. The IPC intervened and argued that the Court should not re-decide the issue or, alternatively, adopt the IPC’s finding. The Court rejected the IPC’s argument because of the IPC’s limited jurisdiction to hear and decide privacy complaints.

London Property Management Association v. City of London, 2011 ONSC 4710 (CanLII).