Case Report – Alberta Court of Appeal case discusses qualified privilege and threat reports

Chohan v. Cadsky was decided by the Alberta Court of Appeal on October 16th. The court found that three individuals acted within the scope of a qualified privilege in reporting expressions of concern about a colleague’s mental health and were therefore not liable for defaming the colleague. The Court summarized its finding in the following paragraph:

We dismiss the appeals against Dr. Ohlhauser, Dr. Baker, Dr. Gardener and Capital Health, as we are not persuaded that the trial judge made any reversible error in dismissing those actions. We will address the arguments separately, but commence with the following summary. Dr. Ohlhauser, Dr. Baker, and Dr. Gardener each testified that as a result of expressions of concern from others and/or their personal observations, each had an honest concern about the health of a colleague, and believed that, as a medical professional, he had a duty to either investigate this concern, or inform someone who was in a position to investigate. Each contacted the person he believed appropriate to provide assistance or investigate to ensure that there was no cause for concern. There is no evidence that any one of them contacted individuals who had no interest in knowing and no responsibility to receive the communication because of the position he held in Capital Health. Dr. Block, Dr. Hibbert and Dr. Gardener, the three persons to whom communications were made, each had a responsibility for ensuring that colleagues within their service did not have health issues that might affect patient care or their own well being. These three defendants were not engaged in idle gossip or general discussion in making these communications. In our view, the defence of qualified privilege was designed for exactly such a situation.

The principled aspect of this statement is not surprising, and the application of the qualified privilege defence will always turn on the specific facts. However, given that bona fide reports of potential threats should be encouraged as part of managing workplace (and campus) violence, the case is worth a note.

Chohan v. Cadsky, 2009 ABCA 334.

Workplace Privacy Presentation at the HRPA 20X Annual Conference and Trade Show

On January 27, 2010 I’ll be giving a presentation entitled “Everything You need to Know About Workplace Privacy” at the HRPA’s 20X Annual Conference and Trade Show.

I designed the presentation today around the following topics:

Employee privacy rights – the patchwork quilt
How to run an internet background check
Why and how your acceptable use policy needs to change
Yes, you can transfer that data to the U.S., but…
How to manage the risk of communicable diseases in the workplace

I’m looking forward to the opportunity to touch on these hot issues and have also left lots of time for questions. If you’re an HR professional who’s attending the conference please consider joining my session.

Case Report – BCCA says statutory privilege not a barrier to production

On October 9th, the British Columbia Court of Appeal held that the privilege in section 517(5) of the Canada Elections Act is not a bar to production.

The section deems the fact that a person entered into a compliance agreement and any statement in a compliance agreement that admits responsibility for a violation of the Act to be inadmissible as evidence. The Court held that the provision only deems evidence to be inadmissible and does not bar production. It also held that the information, in the circumstances, was not subject to litigation privilege.

Ontario courts have read the statutory privilege governing an Ontario Student Record similarly. See, for example, the McNeil case.

Lougheed Estate v. Wilson, 2009 BCCA 438.

Couple posts on Slaw.ca of interest

I’ve posted two pieces on privacy over at slaw.ca in the last two weeks. The first is a critique of the federal, B.C. and Alberta privacy commissioner’s H1N1 guidance. The second, from today, is an interview I conducted with Melanie Bueckert, author of the recently published book, “The Law of Employee Monitoring in Canada.” Check them out when you can!

Case Report – RCMP allowed to access flight manifest without a warrant

On November 6th, the Nova Scotia Court of Appeal held that the RCMP did not conduct an unreasonable search by reviewing a WestJet passenger manifest without a warrant and without making a formal request.

The context and the background

The issue of law enforcement’s access to personal information held by business organizations has arisen in a number of recent criminal cases, and it is becoming common for courts to judge the reasonableness of a police search in light of standards set by PIPEDA. PIPEDA restricts regulated organizations from disclosing personal information without consent, but includes the following key exemption:

7(3) For the purposes of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, an organization may disclose personal information without the knowledge and consent of the individual only if the disclosure is…

(c.1) made to a government institution or part of a government institution that has made a request for the information, identified its lawful authority to obtain the information and indicated that

(i) it suspects that the information relates to national security, the defence of Canada or the conduct of international affairs,

(ii) the disclosure is requested for the purpose of enforcing any law of Canada, a province or a foreign jurisdiction, carrying out an investigation relating to the enforcement of any such law or gathering intelligence for the purpose of enforcing any such law, or

(iii) the disclosure is requested for the purpose of administering any law of Canada or a province…

In this case, the RCMP reviewed a passenger manifest from a domestic flight, identified a passenger who had paid by cash shortly before the flight and who only had one piece of luggage and proceeded to search that passenger’s luggage. It found drugs and laid charges.

Trial judge finds Charter breach

In December of last year, Mr. Justice Simon MacDonald of the Nova Scotia Supreme Court held the RCMP breached PIPEDA because it did not make a “request” required by section 7(3)(c.1) given its “cozy” relationship with WestJet:

It might be a fair comment to say the officers had assumed they had permission to look at the manifest from their daily discussions and associations with the staff at Westjet. However, in my mind that is not a satisfactory answer to the problem. There were certain obligations upon the RCMP officers in reviewing the manifest which were legislated under PIPEDA and applied when they went to look at this manifest without a warrant. Mr. Plimmer said Westjet put a protocol on procedures in place for the police to follow in order to see manifests. The police were aware of the procedure they had to follow. I find they didn’t do so in this case, but rather cavalierly walked into Westjet and simply started looking at manifests.

In addition to signaling that the procedural requirements in section 7(3)(c.1) are likely to be read strictly, the trial judgement was notable for its close consideration of WestJet’s privacy policy. The policy said that WestJet might be “required by legal authorities” to disclose personal information without consent, but did not say that WestJet would voluntarily cooperate with law enforcement. MacDonald J. said the policy “seems to emphasize that WestJet would only collect and disclose what is required by law and nothing more.” This weighed in favour of finding the search to be unreasonable and therefore unconstitutional.

MacDonald J. then excluded the evidence based on an application of the Collins test.

Court of Appeal disagrees

The Court of Appeal held that MacDonald J. erred by finding that the RCMP did not have legal authority for the collection of information and by equating a breach of PIPEDA with a breach of the Charter right to be free from unreasonable search and seizure. It then conducted its own contextual expectation of privacy analysis and held that section 8 of the Charter was not engaged in the circumstances. It noted the following in its analysis:

It could not infer a subjective expectation of privacy given the information used by the RCMP was not particularly private – that is, the defendant purchased a ticket from Vancouver to Halifax at the last minute with cash and checked a single bag all in public view.
The place searched was a third-party’s office, not a home or not even a business premises.
Westjet’s privacy policy, with its reference to being “required by authorities” to disclose certain information, was nonetheless a warning to passengers.
Given the exception to the consent rule in section 7(3)(c.1)(ii), PIPEDA does not support an expectation of privacy.
The police tactic was limited, in that the RCMP relied on a drug courier profile and sought only information that fit that profile.
The information collected by the RCMP did not go to the defendant’s “biographical core” of information. The Court said it “amounted to no more than Westjet’s record of Mr. Chehil’s public activities in transacting business with the airline.”
The fact that the passenger record had a space where more sensitive personal information could be entered (e.g. food preferences) did not support an expectation of privacy. The Court said this fact was too theoretical to count.

Thanks to David Fraser for the tip on this important case.

R. v. Chehil, 2009 NSCA 111.

Case Report – Fed Court comments on jurisdiction to receive ATIA applications

On October 13th, the Federal Court had an opportunity to comment on its jurisdiction to receive applications for review under section 41 of the Access to Information Act. It held that the Court’s jurisdiction is based on a “genuine and continuing claim of refusal of access.” This supported a finding that it had no jurisdiction to (a) hear an application about a series of requests that were deemed to be refused but, through a series of events, answered by the time the application was filed and (b) reprimand the responding institution for delay.

Statham v. Canadian Broadcasting Corp., 2009 FC 1028.

Case Report – Court denies ex parte motion to preserve Facebook

On October 29th, Price J. of the Ontario Superior Court of justice denied a motion for an ex parte order for preservation of a plaintiff’s Facebook.

The motion was brought by a defendant to a personal injury claim. It brought its motion ex parte on the basis that the plaintiff would be likely to destroy evidence if notified. It therefore had to meet the three-part test from R.J.R.-MacDonald in order to receive interim relief pending a return to court to deal with the matter of production. The Defendant brought its motion on the strength of several photos it had obtained from non-password protected Facebook pages. These showed the plaintiff after the date of the accident doing things that were arguably consistent with her claim for damages in respect of a significantly curtailed lifestyle – i.e. the pictures showed her sitting and reclining on a floor. Neither these photographs nor any other records from the plaintiff’s Facebook were disclosed in her Affidavit of Documents.

The Court held that the defendant had not adduced any evidence that allowed it to conclude that the plaintiff’s Facebook was likely to contain relevant information and that it would not infer from the nature of the Facebook service that the plaintiff’s Facebook was likely to contain such information. On the inference, Price J.’s decision ought to be viewed to be in conflict with the Court’s prior decisions in Leduc v. Roman and Wice v. Dominion General Insurance Company of Canada. Price J. says:

I do not regard the mere nature of Facebook as a social networking platform or the fact that the Plaintiff possesses a Facebook account as evidence that it contains information relevant to her claim or that she has omitted relevant documents from her Affidavit of Documents. The photographs that the Defendant has obtained from the Plaintff’s account in the present case do not appear, on their face, to be relevant.

Price J. did grant leave to cross-examine the plaintiff on her Affidavit of Documents. He forgave the defendant for not doing so at the plaintiff’s examination for discovery “because Facebook is a relatively recent phenomenon” but specified that the defendant would pay the costs of the examination should it prove fruitless.

Finally, in addressing the balance of convenience, Price J. made the following statement about the balance of convenience:

The Plaintiff has set her Facebook privacy settings to private and has restricted its content to 67 “friends.” She has not created her profile for the purpose of sharing it with the general public. Unless the Defendant establishes a legal entitlement to such information, the Plaintiff’s privacy interest in the information in her profile should be respected.

The concept (reflected in this paragraph) that an expectation of privacy can be maintained despite a limited disclosure of information is supported by privacy advocates, but is not often accepted by courts.

Schuster v. Royal & Sun Alliance Insurance Company of Canada, 2009 CanLII 58971 (S.C.J.).

Information Roundup – 1 November 2009

Here are some links you may find interesting!

Think ARMA’s Generally Accepted Recordkeeping Principles are useful http://www.arma.org/garp/
Judge critical of defendant for setting up “straw person” to attack it with Facebook pics: http://bit.ly/oOJcH
RT @pensionlawyer I’m quoted in Benefits Canada Across Borders re US-style DC litigation http://tinyurl.com/yenllmq [Nice Rachel!]
RT @slaw_dot_ca Right to know week wrapup >> Slaw http://bit.ly/1aw8T6
RT @slaw_dot_ca The debate about warrantless access to ISP customer information >> Slaw http://bit.ly/15Sd9C
RT @thetrialwarrior A Procedural Tsunami: The Fundamental Change in the Role of Experts in the Ont Civil Justice System http://bit.ly/1Riigt
RT @Pr1vacy RT @jimwhitman http://bit.ly/14LQjl Understanding the anxious mind [NYT. Fascinating!]
The evolution of e-privacy: http://bit.ly/4pevIj Quoted in today’s Montreal Gazette on workplace e-mail privacy.
RT @slaw_dot_ca Cloud computing and the legal significance of terms of service >> Slaw http://bit.ly/26TomY
RT @thetrialwarrior (via @WayneMarr) [HBS] Should You Accept That Assignment? http://tinyurl.com/yj96zg3 [Need to hear this every so often!]
Florida State releases docs in fraud case: http://bit.ly/219AgW
RT @privacylawyer Canadian Government declines proposed reforms to access and privacy laws http://bit.ly/2NjloZ #privacy #foi #legal
Commented on “Privacy and video surveillance on campus” http://bit.ly/guk3z
RT @eMichaelPower new PIPA amendments require notice if service provider is outside of Canada. #privacy
RT @sectorprivate Are College E-mail Addresses on the Way Out? http://bit.ly/11Cgrm
RT @complexd Wortzman Nickle Law Firm Launches Canadian E-Discovery Blog – http://kuex.us/3075 [Welcome Susans!]
RT @slaw_dot_ca Metadata as Record http://bit.ly/3HeWE8
Drew Gilpin Faust: Leadership Without a Secret Code: http://bit.ly/2KI6Cf [Good one!]

You may have noticed that I’ve slowed down posting. This is not because I’ve tired of the blog, but because of my new commitment to Slaw.ca and my new expanded family. Both new commitments are very rewarding, especially new life with Hugs and Pens (below). Please keep coming back.

See ya!

Dan

Cloud Computing – 2009 Ontario Access and Privacy Worksop

I presented to a great audience of access and privacy professionals today at the 2009 Ontario Access and Privacy Workshop. My slides are below.

To give this presentation I had to answer for myself whether outsourcing to the cloud is the same as any other data processing outsourcing. I settled on, “not quite” and argued outsourcing to the cloud is different because (1) it will usually be a cross-border outsourcing, which comes with a special set of considerations (especially for government) and (2) the cloud service provider’s business model may not be flexible enough to allow for it to meet an organization’s need to satisfy specific data security requirements.

I’m not a cloud basher. I’ve argued here that one of the legal concerns about outsourcing to the cloud is poorly founded and also have have concerns that the cross-border data transfer issue is a bugaboo. However, outsourcing to the cloud does seem to be a bit of a different game then entering a one-to-one business relationship with a “normal” data processor. Just some thoughts, which I’d invite comment on below.

Dan

Two significant Ontario FOI cases from 2009

I’ve been preparing a case digest for an upcoming universities conference we’re hosting and summarized these two Ontario FOI cases, both of significance.

April 9th – IPC finds personal e-mails under City’s custody or control

In this order, the IPC held that the City of Ottawa was in custody or control of e-mails its solicitor sent and received in his personal capacity, as a board member of a local Children’s Aid Society. Though acknowledging that the e-mails had nothing to do with City business, it held:

The City was in physical possessions of the records, which were stored on its e-mail server.
The City had the authority to regulate the use of the e-mail system upon the records were kept even though personal e-mails were excluded from the definition of “business record” under the City’s retention by-law.
The City reserved a right to monitor its system for unauthorized use.

The factual basis for this decision is not unique, so it has broad significance for FIPPA and MFIPPA institutions.

The City has filed an application for judicial review.

Order MO-2408, 2009 CanLII 16569 (ON I.P.C.).

August 21st – IPC orders municipality to sue third-party record holder

The IPC issued a compliance order that required a municipality to take “all steps necessary,” including legal action, to obtain records that it decided earlier were under the municipality’s custody or control.

The request was for a model and input data that was in the custody of a third-party consultant who was retained by the municipality to evaluate a proposed landfill site. There was no formal retainer, and after an analyzing the IPC’s traditional “custody or control” factors, in May 2009 the IPC ordered the municipality to “issue a written direction to Jagger Hims to provide the County with the records responsive to the appellant’s request.” The municipality did exactly what the IPC ordered, but the third-party did not cooperate and deliver up the records at issue.

The IPC re-initiated its proceeding. Its compliance order was based in part on a finding that the municipality had a “potent legal basis” for causing the third-party to turn over the records.

Order MO-2449, 2009 CanLII 47235 (ON I.P.C.).