Case Report – Court won’t order disclosure of health professional’s identity

On January 27th, the British Columbia Supreme Court denied a request for an order requiring an online contact lens and eyeglass business to disclose the identity of an eye care professional it employs.

The College sought the identity of the registrant who worked for the respondents (affiliated companies) in the course of an investigation. The College applied to the Court for an order based on the Court’s equitable jurisdiction (a Norwich Pharmacal order), or alternatively, its inherent jurisdiction (in aide of an inferior tribunal).

The Court held that an order should not be made on either basis. This was partly based on a finding that the evidence did not show the unidentified registrant was involved in the matter under investigation. The Court also held that an order would not be appropriate in light of the statutory powers granted to the College. The Court suggested that the College had ample means to identify the registrant without relying on the Court, noting its power to inspect the premises and records of a registrant, the possibility of asking for warrant to search a non-registrant’s premises and the possibility of requiring registrants to file their business address and telephone number.

College of Opticians of British Columbia v. Coastal Contacts Inc., 2010 BCSC 104 (CanLII).

Case Report – Judge says, “You’ve got the hard drives, you review them.”

On January 27th Marrocco J. of the Ontario Superior Court of Justice dismissed a motion for a further and better affidavit because the moving party had previously taken custody of the records that it wanted the respondent to produce.

The moving party had executed an Anton Piller order that apparently gave it unrestricted access to a number of hard drives, and it used the drives to demonstrate deficiencies in the respondent’s production. In dismissing the motion, Marrocco J. said:

Rule 30.03(2) of the Rules of Civil Procedure provides that the affidavit of documents shall list and describe all documents relevant to any matter in issue in the action that are in a party’s “possession control or power…”. In this case, the respondent’s hard drives were seized under an Anton Piller order. They were imaged and the imaged hard drives were made available to the plaintiff. The plaintiff can have access to the imaged hard drives at any time. Therefore, it seems to me that the imaged hard drives are within the power, if not also the possession and control of the plaintiff. Therefore, pursuant to Rule 30.03(2), the plaintiff is obliged to review the documents on the imaged hard drives when preparing its affidavit of documents.

Marrocco J. did note that the respondent had not made any claim of privilege in records contained on the hard drives.

Bell ExpressVu Limited Partnership v. Heeren, 2010 ONSC 665 (CanLII).

Case Report – Appeal Court interprets Alberta PIPA time limit

On January 27th, a majority of the Alberta Court of Appeal held that the time limit for completing an inquiry or giving notification of a time extension in Alberta PIPA is mandatory, but that non-compliance does not necessarily result in a loss of jurisdiction.

Section 50(5) of Alberta PIPA establishes a time limit for completing an inquiry in the following language:

50(5) An inquiry into a matter that is the subject of a written request referred to in section 47 must be completed within 90 days from the day that the written request was received by the Commissioner unless the Commissioner

(a) notifies the person who made the written request, the organization concerned and any other person given a copy of the written request that the Commissioner is extending that period, and

(b) provides an anticipated date for the completion of the review.

The majority, in a judgment written by Watson J., held that the decision to extent (and notify of the same) must be given before the expiration of the 90 day time period and that the time period is mandatory rather than directory. The majority also held, however, that loss of jurisdiction does not flow from non-compliance if there has been (my emphasis):

(a) substantial consistency with the intent of the time rules having regard to the reason for the delay, the responsibility for the delay, any waiver, any unusual complexity in the case, and whether the complaint can be or was resolved in a reasonably timely manner, and

(b) that there was no prejudice to the parties, or, alternatively, that any prejudice to the parties is outweighed by the prejudice to the values to be served by PIPA.

Berger J. dissented. He held that the time limit was directory and also took issue with the Applicant’s failure to raise a timely objection before the Commissioner.

This has obvious practical significance to the Alberta OIPC and Alberta practitioners. (Alberta FIPPA has a similar time limit.) It is also a significant administrative law decision on the mandatory/directory point that only a lawyer could love. Commissioner Work says he will appeal.

Hat tip to David Fraser. For his Slaw post that includes the relevant context, see here.

Alberta Teachers’ Association v. Alberta (Information and Privacy Commissioner), 2010 ABCA 26 (CanLII).

Post-secondary educational institutions, technology and risk mitigation

I’d like to  thank the Association of Canadian Community Colleges for inviting me to speak at its winter symposium on “Technology and Web 2.0 Across Institutions.” I addressed data breaches, employee use of “consumer cloud” services, outsourcing risks and the relationship between Web 2.0 and the duty to maintain a safe and harassment free college environment. My slides are below.

I was able to stay for a good presentation by a Google rep on its enterprise offering, which has a compelling value proposition, especially given its basic license is free to educational institutions. Google is going to cause many educational institutions to work through the security and privacy related issues associated with cloud computing.

Regards!

Dan

Case Report – Court says there’s no right to forensic inspection absent evidence of non-disclosure or omission

On January 19th, Master Sproat of the Ontario Superior Court of Justice held that a plaintiff had provided no basis for an order permitting the forensic inspection of two hard drives. In doing so, he made the following general comment on forensic inspections as a matter of right:

Related to this point was a submission that a party was entitled, as of right, to a forensic obligation of a computer or, alternatively, that because this action involved allegations of political conspiracy, the plaintiff had a stronger entitlement to the relief sought. In my view, there is no entitlement as of right to the investigation sought by the plaintiff absent some evidence of non disclosure or omission and upon a proper consideration of the issue of proportionality now required under the new rules. Furthermore, and the nature of this case does not give this plaintiff a better entitlement than other plaintiffs. All litigants have a right to disclosure of relevant documents, regardless of the nature of the case. I do accept that electronic discovery may have a greater role or be of greater importance in certain cases over others depending on the allegations in the action (for example, if there is a dispute concerning when a key document was prepared), but this is not such a case so far as this court can discern.

The Court also dismissed a request for an order requiring the defendant municipality to conduct a second search for records in the absence of any evidence that its first search was flawed.

Rossi v. Vaughan (City), 2010 ONSC 214 (CanLII).

Case Report – Court lacks jurisdiction to grant access to materials not filed

On December 31st, the Nova Scotia Supreme Court held that it did not have jurisdiction to order access to records that were referenced in a joint sentencing submission but not entered as exhibits.

The CBC applied for an order against the RCMP, who possessed audio and video recordings made in the course of a high profile murder investigation. The CBC relied on section 2(b) of the Canadian Charter of Rights and Freedoms and argued access was necessary to assess the joint sentencing submission. The Court held that, given the records had not been filed in Court, the proper forum for such a request was the Federal Court under the authority of the Access to Information Act.

Canadian Broadcasting Corporation v. Canada (Attorney General), 2009 NSSC 400.

Hot topics in workplace privacy

I’d like to thank the organizers of the Human Resources Professional Association 20X Annual Conference, at which I spoke today. My presentation was entitled, “Everything you need to know about workplace Privacy” – really a “hot topics” presentation, with content on internet background screening, e-mail and communication monitoring, cross-border processing of employee information and the privacy issues related to pandemic planning. The only hot topic I missed was the most recent – criminal background checks in light of the RCMP’s recent policy directive. For more on that, see the article I  published over at Slaw.ca today.

Best regards!

D.

<div style=”width:425px;text-align:left” id=”__ss_3002749″><a style=”font:14px Helvetica,Arial,Sans-serif;display:block;margin:12px 0 3px 0;text-decoration:underline;” href=”http://www.slideshare.net/dannym999/everything-you-needed-to-know-about-workplace-privacy&#8221; title=”Everything You Needed To Know About Workplace Privacy”>Everything You Needed To Know About Workplace Privacy</a><object style=”margin:0px” width=”425″ height=”355″><param name=”movie” value=”http://static.slidesharecdn.com/swf/ssplayer2.swf?doc=everythingyouneededtoknowaboutworkplaceprivacy-100127061646-phpapp01&rel=0&stripped_title=everything-you-needed-to-know-about-workplace-privacy&#8221; /><param name=”allowFullScreen” value=”true”/><param name=”allowScriptAccess” value=”always”/><embed src=”http://static.slidesharecdn.com/swf/ssplayer2.swf?doc=everythingyouneededtoknowaboutworkplaceprivacy-100127061646-phpapp01&rel=0&stripped_title=everything-you-needed-to-know-about-workplace-privacy&#8221; type=”application/x-shockwave-flash” allowscriptaccess=”always” allowfullscreen=”true” width=”425″ height=”355″></embed></object><div style=”font-size:11px;font-family:tahoma,arial;height:26px;padding-top:2px;”>View more <a style=”text-decoration:underline;” href=”http://www.slideshare.net/”>presentations</a&gt; from <a style=”text-decoration:underline;” href=”http://www.slideshare.net/dannym999″>dannym999</a&gt;.</div></div>

Case Report – Arbitrator orders stipulations on use of in-plant video surveillance

Last July, Arbitrator Craven partially upheld a policy grievance that challenged the expansion of an employer’s in-plant video surveillance system. Last December 14th, he issued a remedial order that imposed certain conditions on the employer’s use of video surveillance.

As I explained in this post, last July Arbitrator Craven found that the employer had breached a technological change provision in its collective agreement by not engaging in discussions with the union when it expanded its system. He ordered the employer to meet with the union to engage in discussions.

The parties were not able to reach a resolution, and came back before Arbitrator Craven in December. Following a hearing, he made an order that included the following stipulations:

  1. The Employer shall not use the video surveillance system to monitor employees, in real time or otherwise.
  2. Recordings made by the video surveillance system shall be retained for no longer than six (6) months, except in the circumstances set out in the following paragraph.
  3. When an incident or investigation occurs requiring the retention of video surveillance recordings, the Employer may retain those recordings for as long as is necessary for the purpose of dealing with the specific incident or investigation (including any related legal process or proceeding), but shall not use them for any other purpose.
  4. When the Employer intends to use recordings made by the video surveillance system in any legal process or proceeding which specifically relates to the Union or to a member of the bargaining unit, the Employer shall provide the Union with a copy of the recordings prior to their use in the legal process or proceeding.
  5. When the Employer intends to rely on recordings made by the video surveillance system in support of employee discipline, the Union and the employee concerned shall have the same right to access and view the recordings as if they were documents in the central personnel file as provided for in article 4.03(a) of the Collective Agreement.

Despite the reference in the fifth stipulation, none of these appear to turn on any specific collective agreement language.

Cargill Foods, division of Cargill Ltd. v. United Food and Commercial Workers International Union, Local 633 (Collective Agreement Grievance), [2009] O.L.A.A. No. 633 (Craven) (QL).

The ugly, the bad and the good of cloud computing

I’d like to thank the members of the Information, Management, Privacy and Access Committee of the Ontario Association of School Business Officials, who invited me to address the subject of privacy compliance and cloud computing at their winter workshop today.

Here’s a snippet from my prepared speech (so you can understand the theme). I’ve also put my slides below.

…and that’s the thing. The cloud is a metaphor for the internet, and it’s a very pejorative metaphor if you’re a privacy person. It implies that the party receiving services has a cloudy idea of the computing resources that are being applied to its data.

So it’s this loose control concept that has thus far defined cloud computing that causes privacy and security concerns – and rightly so. Since school boards have a need to control their data because of regulation and other reasons, they need to work with cloud vendors to re-shape the concept if they are to reap the benefits of the cloud.

The presentation included discussion on the Lakehead University Google outsourcing, the 2005 British Columbia “Maximus outsourcing” and the very useful report by the Alberta Commissioner on public sector outsourcing practices.

Case Report – Federal Commissioner dismisses GPS complaint

In a recently published decision that is dated May 27, 2009, the Office of the Privacy Commissioner of Canada dismissed a GPS complaint as not-well founded. The decision is evidence of a developing model for permissible GPS use in the Canadian privacy commission and arbitral jurisprudence.

Decision-makers have recognized that vehicle-based GPS systems entail the collection of non-sensitive personal information. Such systems are therefore ordinarily upheld for common fleet management purposes such as dispatch, scheduling and driver safety. Use of GPS data in support of investigations or exception follow-up also appears to be safe. In this case, for example, the OPC held that it was reasonable for a transit organization (the custodian of the GPS data) to report late arrivals to its contracted driver’s employer. Other requirements include notification and the implementation of reasonable security measures.

The limits? There is an expressed aversion to the use of GPS for routine supervisory purposes; in ordinary circumstances GPS is not a substitute for calling a driver to check on his or her whereabouts. Use of GPS as a tool to manage a documented performance management problem on a time-limited basis might be looked upon more favorably.

The case also raises an notable scenario about PIPEDA application, but I will save my thoughts on this complex subject for another day.

PIPEDA Case Summary #2009-011.