The five ways of a strong privacy officer

It has been a few years since Carswell published its Managing Personal Information text, but this morning I had cause to look up a chapter on information governance that I contributed. I had forgotten about what I had written about the qualities of a privacy officer, but liked what I read and thought I would share it here.

Acting in support of self-policing is not an easy role. With this in mind, here is a list of good behaviors for privacy officers to demonstrate:

  • Flexibility. Privacy officers should understand that few things required by privacy statutes are black and white and should be prepared to accommodate reasonable business risk.
  • Creativity. Privacy officers should be prepared to help line managers think creatively about how to manage around privacy-related constraints in a responsible manner.
  • Benign skepticism. Privacy officers should give others the benefit of the doubt, while also looking diligently for objective evidence of non-compliance.
  • Fairness and consistency. Privacy officers should take an even-handed approach to their duties, treating all departments and employees in a principled and objective manner. They should deal with similar scenarios in similar ways.
  • Empathy. Privacy officers should communicate the rules with a view to helping audience members comply and should be understanding of audience members’ business demands.

Privacy officers should strive to foster and protect their credibility with line management. This involves demonstrating unwavering commitment to the principles underlying their privacy programs, yet a willingness to apply those principles in a manner that invites respect and keeps “doors open.”

Thank you Claudiu Popa for involving me in your book project. For more about Managing Personal Information and to purchase a copy see here.

City Councillor Fined for Leaking Harassment Report

I hadn’t heard about the unprecedented conviction of a city counsellor under the British Columbia Freedom of Information and Protection of Privacy Act until stumbling upon the British Columbia Provincial Court’s May 24th judgement. Councillor Brian Skakun was convicted and fined $750 for disclosing information in contravention of FIPPA. The Court found Skakun leaked a harassment report to a CBC reporter. Notably, it rejected an argument that Skakun’s actions were justified based on a common law whistleblower defence.

R. v. Skakun, 2011 BCPC 98. (conviction)

R. v. Skakun, 2011 BCPC 108. (sentence)

Case report – Full access to hard drives ordered

On August 31, the Alberta Court of Queen’s Bench declared that the plaintiff in a departing employee case was entitled to enforce a default order that allowed it direct access to a number of hard drives it had seized earlier in executing an Anton Piller order.

The plaintiff was granted an Anton Piller order at the outset of litigation. It seized hard drives but did not inspect them.

As the litigation proceeded, a case management judge ordered the defendants to serve and file an affidavit of records by a certain date, failing which the plaintiffs would have direct access to the hard drives (subject to confidentiality terms to be agreed upon or ordered). The parties subsequently consented to a joint confidentiality order.

The Court held that the defendants did not provide an adequate affidavit of records because they did not disclose a number of records related to their involvement in a consortium that had bid successfully for a contract formerly held by the plaintiff and did not disclose all relevant e-mails and deleted files. It also held that the defendants should have produced the passwords, systems files and software necessary to access files in their native format and should have processed the electronic records for export into a litigation support software program.

The Court also rejected the defendants’ justifications. It held that the records pertaining to the consortium would be adequately protected by the implied undertaking rule and the joint confidentiality order. It also held that the defendants had not shown that electronic production (as ordered) would be unduly burdensome. On this point, the Court said:

The unusually high level of disclosure imposed in this case is justified by: the underlying fact that the defendants were employees of the plaintiff when they began working in competition with the plaintiff, the judicial determination that this was an appropriate case in which to issue an Anton Piller order, the size of the claim, which exceeds $50 million, and the great IT expertise of the parties which presupposes that at least some of the work required to provide the required level of disclosure can be done in-house.

Spar Aerospace Limited v. Aerowerks Engineering Inc., 2007 ABQB 543 (CanLII).