Social Media Use by Teachers and Students: OCT Recommends Limits

The Ontario College of Teachers has recently issued a professional advisory recommending strict limits on interactions between teachers and students through social media.  The advisory emphasizes that teachers are professionals, who are held to high standards of conduct, in both their professional and private lives.  Since inappropriate electronic communications with students – including those outside of school hours and unrelated to school matters – can lead to teacher discipline, and even criminal charges, the OCT recommends that teachers take certain precautions in their electronic communications, particularly through social media.  Among other guidelines, the advisory recommends that teachers:

  • not be “friends” with students on Facebook, refrain from “following” students on Twitter, and otherwise avoid personal connections with students on social media;
  • notify parents before using social media for classroom purposes; and
  • use appropriate privacy settings when using social media, to ensure that students may not access personal or inappropriate postings.

The recommendations are not surprising, given the high standards of conduct expected of teachers, and the perils teachers may face from inappropriate use of electronic media – as illustrated by the recent Ontario Court of Appeal decision in R. v. Cole.

Although specific to the educational context, the OCT’s professional advisory reflects the importance of addressing the impact which social media, and electronic media in general, can have in various settings.  Employers should consider whether the dynamics of their workplace justify guidelines or policies on the appropriate use by employees of social media, for example, in their interactions with each other or with customers, suppliers or other parties.

A link to the OCT’s professional advisory is here, and a related CBC article is here.

Employee Privacy Expectations and Employer Systems – Two Options

There has been lots of talk about employee privacy and employer work systems since the Ontario Court of Appeal’s March 22nd judgement in R. v. Cole. Here is, for example, some commentary that Michael Power posted yesterday on his privacy blog, Dot Indicia.

I wrote an article entitled Employer Access to Employee E-mails in Canada that was published in the September 2009 issue of the Canadian Privacy Law Review. Here is my own position on what employers need to do, a position reinforced by the Cole decision:

The tension demonstrated in the above noted cases is likely to take some time to be resolved. The uncertainty alone, however, is good reason for employers to re-think their approach to managing employee computer use. It is less clear what to do.

One approach is to give employees clearer notice. If more permissive rules on personal use are the basis for changed expectations, employers may work harder to ensure employees are making informed choices about the sacrifice of privacy associated with personal use. Under this approach, computer use policies need not change much at all; the solution lies more in their implementation and, more specifically, in communication measures such as periodic acknowledgements, log-in notices and the like.

While the “clearer notice” approach is appealing in its simplicity, it is also somewhat risky given the relationship between permissive personal use rules and acceptable workplace privacy norms. For one, managers sensitive to the type of “private” content generated by personal use might resist and send inconsistent messages about policy. This practical risk is well-illustrated by a much-discussed case in which a California court held that a public employer violated several employees’ privacy rights by auditing their text messages. This outcome was based on a finding that a supervisor had implemented an informal process of allowing employees to pay for “overage” charges as a means of avoiding text message audits. But even if managers can be suitably controlled, a court or labour arbitrator may still reject a policy that permits personal use and relies strictly on notice. Personal use and zero privacy don’t sit well together, so a clear “no privacy” notice might not always convince an adjudicator that an expectation of privacy is unreasonable.

The more cautious employer will implement a new form of computer use policy that reserves the right to meet all legitimate purposes identified above, but also includes privacy controls to ensure that use of more sensitive types of information on its system (e.g. the content of e-mails and information revealing of keystrokes) is based on reasonable necessity. I am not suggesting that management fetter its rights in a manner that sacrifices management interests. If an employer, for example, feels that investigations based on “reasonable suspicion” instead of “reasonable grounds” are justified, then it should promulgate policy that contemplates investigations based on a reasonable suspicion. Likewise, if an employer feels that routine and/or random audits are justified, it should promulgate a policy that contemplates routine and/or random audits. In some circumstances — where employment privacy legislation applies for example — proof of business justification might be required, but an employer faced with a policy challenge should be well-positioned to argue that the chosen approach is measured and moderate compared to the traditional type of policy that has met with arbitral and court approval.

Here is a link to the full article. Reprint courtesy of LexisNexis.

Sask C.A. Opines on Elements of Statutory Privacy Tort

On March 15th, a majority the Saskatchewan Court of Appeal affirmed a decision not to strike a pleading that was based on the Saskatchewan Privacy Act.

The case is about a Saskatchewan Power Corporation customer service representative who accessed account information for personal reasons. The account holder sued and the defendants, in response, moved to strike. The defendants argued that the plaintiff did not plead facts necessary to establish that the information at issue was of a quality protected by the Act. The ratio of the majority decision (written by Justice Ottenbreit) is summarized in the following paragraph:

The wording of the Act arguably does not require that a claim alleging a breach of privacy respecting information must necessarily plead that the information accessed is confidential or reveals intimate details of the lifestyle and personal choices of the plaintiff. This is not to say that the Act does not make the accessing of such information actionable and that certain Charter concepts of privacy and Charter analysis would not be apt in a particular case. To what extent Charter concepts and a Charter approach would be helpful remains to be determined. What is clear is that the Charter concept of reasonable expectation of privacy and its corollary concepts are arguably not congruent with the “privacy” or an “expectation of privacy”, the violation of which is actionable under the Act. Based on an examination of the Act, pleadings in terms of Charter concepts of reasonable expectation of privacy are arguably not therefore essential to a claim under the Act. The argument of SPC that the pleading is deficient because it lacks sufficient facts which would allege a violation of an expectation of privacy identical or very similar to the Charter concept fails.

Justice Ottenbreit said that it was enough for the plaintiff to plead that the individual defendant accessed her employer’s records “to obtain information about [the plaintiff’s] activities” for her own purposes.

Justice Smith dissented. She held that, at a minimum, a plaintiff claiming breach of an informational privacy right based on the Saskatchewan Privacy Act must plead facts to establish that the information at issue is “personal and confidential.”

Bigstone v. St. Pierre, 2011 SKCA 34 (CanLII).

Majority of Alberta CA Slaps OIPC on Driver’s License Case

On March 28th, a majority of the Alberta Court of Appeal held that the OIPC erred in finding that receiving and recording driver’s license and license plate numbers for security-related purposes is a breach of Alberta PIPA. This is a significant and business-friendly judgement on how to interpret private sector privacy legislation. It also demonstrates a wide gap in values between our privacy commissioners and some members of the judiciary.

Justice Slatter wrote for the majority, with a concurrence by Justice Berger. Justice Slatter held that the OIPC erred in finding that license plate numbers are personal information and erred in finding that that Leon’s failed to comply with the standard for collecting personal information under Alberta PIPA by recording the driver’s license and license plate numbers of individuals who picked up furniture.

Notwithstanding that Leon’s used license plate numbers as a backup means of identifying individuals, Justice Slatter held that license plate numbers are not an individual’s personal information because license plate number are only information “about” or “related to” a vehicle. He said, “The Act is designed to regulate and protect information that is uniquely connected to one person.” He also interpreted the meaning of personal information in light of the normative “reasonable expectation of privacy” concept, noting that there is no reasonable expectation of privacy in a license plate number because it is displayed openly in public.

Regarding whether the recording of driver’s license and license plate numbers is justifiable under the standard for collection in Alberta PIPA, Justice Slatter held that the OPIC’s finding was improperly influenced by a belief that the Alberta PIPA makes privacy rights paramount to an organization’s need to collect information. He held that this was inconsistent with the purpose provision of Alberta PIPA, which expressly recognizes the need of organizations to collect personal information for purposes that are reasonable. In light of this recognized need, Justice Slatter stressed that the standard for collecting personal information under Alberta PIPA is not a strict necessity standard. He referred to a “reasonable necessity” requirement given section 7(2) of Alberta PIPA requires that a mandatory collection of personal information must be limited to “what is necessary to provide [a] product or service,” but Justice Slatter makes clear that the overall reasonableness of a collection should be the focus of the inquiry. This led him to state, “As long as fraud is a meaningful risk in the business, and the policies adopted have a meaningful effect on preventing or detecting fraud, those policies would be considered ‘appropriate in the circumstances’ by reasonable people.”

Justice Conrad wrote a lengthy and detailed dissent. She disagreed with the majority on whether license plate numbers are personal information and on whether the recording of driver’s license and license plate numbers is justifiable for security-related purposes.

Regarding the personal information issue, Justice Conrad relied heavily on Justice LaForest’s dissenting judgement in Dagg v. Canada and the Ontario Court of Appeal’s judgement in Ontario v. Pascoe. In Dagg, Justice LaForest argued that “the information about an identifiable individual” condition in the definition of personal information should be construed broadly. In Pascoe, the Ontario Court of Appeal held that information is about an identifiable individual if it is about and individual who can be identified when the information is combined with information from “sources otherwise available.” Justice Conrad also held that the reasonable expectation of privacy concept should not be applied in assessing whether information is protected under statute as “personal information.”

On the justification for collection issue, Justice Conrad stressed the governing reasonableness standard of review, though she did expressly disagree with the majority’s suggestion that necessity is not part of the standard for collection under Alberta PIPA.

The Court’s discussion of both these issues, especially the personal information issue, is very significant, but the context is also notable. The Alberta OPIC has had a tough go in the Alberta Courts lately, most recently having a decision quashed for reasonable apprehension of bias. It certainly did not go out on a limb here given its position against the recording of driver’s license numbers is shared (at least) by the federal and Ontario commissioners, yet it lost on the reasonableness standard of review in a manner that must feel like a good slap. Look for an appeal.

Leon’s Furniture Limited v. Alberta (Information and Privacy Commissioner), 2011 ABCA 94 (CanLII).

No Invasion of Privacy Tort in Ontario

The Ontario Superior Court of Justice issued a significant judgment today in which Justice Whitaker held that Ontario law does not recognize a common law invasion of privacy tort. More specifically, he held that he was bound by the Court of Appeal’s 2005 judgment in Euteneier v. Lee, in which the Court commented that there is no “free standing” right to privacy in assessing a privacy-related claim by a police detainee that was based in negligence, assault, civil conspiracy and the Charter. Justice Whitaker said:

While it is certainly the case that in Euteneier, the plaintiff was not suing on the basis of an intentional tort, the extent to which privacy rights are enforceable at law was squarely before the court for the purposes of determining the content of the duty of care owed by the police to the plaintiff while in custody. In my view, the inescapable conclusion, put quite plainly by the Court of Appeal in paragraph 63 of that decision, is that “there is no ‘free standing’ right to… privacy… at common law.”

Justice Whitaker departed from the Court’s well-known decision in Somwar v. McDonald’s Restaurants of Canada. Justice Stinson decided Somwar shortly after the Court of Appeal decided Euteneier and did not consider it in finding (on a summary judgment motion) that it is not settled law in Ontario that there is no tort of invasion of privacy.

Alex Cameron acted for the defendant.

Jones v. Tsige, 2011 ONSC 1475.

The Far Reach of the CRA

When employers provide employee benefits, they are required to include the value of the taxable benefits in the income of employees.  If an employer does not properly report the taxable benefit, the Canada Revenue Agency (“CRA”) has considerable power to require employers to disclose the names and related information of the taxpayers who enjoyed the taxable benefit.  As discussed in Minister of National Revenue v. Lordco Parts Ltd., this also applies if a business provides taxable benefits to its customers.

Following an audit of Lordco, the CRA noted that Lordco established an incentive program, which included a bi-annual cruise for its customers who had earned rebates based on the volume of their purchases of Lordco products.  The customers could purchase tickets for the cruise using the rebates.  Corporate customers nominated individuals to attend the cruise as representatives.  Only 30% of the cruise related to business activities.

According to the CRA, Lordco was required to report the benefits enjoyed by the individual attendees.  When Lordco failed to complete such reporting, the CRA issued a “named requirement” requiring Lordco to provide a list of the individuals who attend the cruise.  Lordco refused to provide any names, addresses or registration forms, on the basis that the information related to unnamed third party individuals.  The CRA applied, without notice , for an order of the Federal Court requiring Lordco to produce “information and documents relating to certain persons whose identities are unknown to the Minister”, being the individual representatives of customers of Lordco.

The Federal Court granted the order, recognizing that obtaining information relevant to the tax liability of some specific person(s) whose tax liability is under review is a purpose related to the administration or enforcement of the Income Tax Act (“ITA”) and does not violate any rights of taxpayers under section 8 of the Charter of Rights and Freedoms (the Supreme Court of Canada has previously stated that taxpayers do not have a high expectation of privacy in relation to documents concerning tax matters).

The CRA is permitted to request third party information related to unknown persons with the authorization of a judge.  Two conditions must be met for an order to be made: (i) the individual or group is ascertainable; and (ii) the production is necessary to verify compliance with the ITA.  Finding both conditions met in this case, the Federal Court ordered that the CRA was authorized to impose a requirement to produce the information regarding the customers who went on the cruise, failing which Lordco could be subject to fines under the ITA up to $25,000 or both fine and imprisonment up to 12 months.

This is a reminder of how far the CRA’s reach can be extended when it comes to obtaining information for the purpose of identifying tax payers and ensuring compliance with the ITA.  Employers and businesses are not able to refuse production on the sole basis that the information pertains to unidentified third parties (e.g., representatives of corporate customers) when the CRA is attempting to verify compliance with the ITA.

Express Confidentiality Order Okay Protection for Customer Personal Information

On March 11th, the British Columbia Supreme Court ordered two directors of a plaintiff corporation to sign a confidentiality agreement as a means of protecting customer information. The defendant had proposed a more costly masking procedure.

The dispute was about an online retail business. The plaintiff claimed damages for failure to account for profits and for the return of two customer databases. The databases themselves were themselves relevant to either one or both claims. The defendant, in custody of the databases, proposed a masking procedure to be paid for by the plaintiff to protect against the disclosure of customer personal information, including customer addresses, e-mail addresses and credit card numbers.

Armstrong J. held that privacy concerns of non-parties should be addressed in determining the scope of documentary discovery, but stressed the court’s discretion and the presumed efficacy of the implied undertaking. In the circumstances, he held that a masking order was not warranted.

Animal Welfare International Inc. v. WS International Media Ltd., 2011 BCSC 299.

IMAPS 2011 – The Sedona Canada Panel on Privacy and E-Discovery

Alex Cameron and I presented on e-discovery and privacy today at “IMAPS 2011” on behalf of the Sedona Canada working group. The Information Management Access Privacy Symposium is a fantastic annual event hosted by the Office of the Chief Information and Privacy Officer of Ontario. It was an honor to present.

Alex and I were one talking head short of an honest “panel,” but nonetheless had some good back-and-forth in delivering a presentation that is meant to provide a general overview of the privacy and e-discovery topic, with a focus on law and practice applicable to the Ontario public sector. Slides below.

There is such a thing as “too much information”….

In the United States, the Federal Rules of Appellate Procedure limit appellate briefs to 14,000 words.  The Seventh Circuit Court of Appeals recently faced a case where one of the parties had submitted an 18,000 word brief.  The court issued an order to show cause why the brief should not be “stricken and/or sanctions imposed for failing to comply with Rule 32 and making a false representation to the court.”  The court heard argument that the error was inadvertent.  The court rejected that argument.  In a decision written by Justice Posner, this stern warning was issued:

The flagrancy of the violation in this case might well justify the dismissal of the appeal: let this be a warning. But in addition it is plain from the briefs that the appeal has no merit. To allow time for the appellants to file a compliant brief and the appellees to file a revised brief in response, and to reschedule oral argument, would merely delay the inevitable.  The motion to file an oversized brief is denied and the judgment of the district court summarily AFFIRMED.

A link to the decision,  is here.