In a decision from last May that just came to my attention, Arbitrator Stout ruled that a hospital’s policy that required all current employees to undertake vulnerable sector criminal record checks violated its nurses collective agreement.
Although British Columbia legislation supports periodic checks on vulnerable sector employees, the hospital’s policy was first of its kind in the Ontario hospital sector. Ontario employer’s have had difficulty justifying such checks. Arbitrator Picher’s comment about the distinction between pre-employment and in-employment checks in City of Ottawa is both authoritative and restrictive.
The person who presents himself or herself at the door of a business or other institution to be hired does so as a stranger. At that point the employer knows little or nothing about the person who is no more than a job applicant. In my view, the same cannot be said of an individual who has, for a significant period of time, been an employee under the supervision of management. The employment relationship presupposes a degree of ongoing, and arguably increasing, familiarity with the qualities and personality of the individual employee. The employer, through its managers and supervisors, is not without reasonable means to make an ongoing assessment of the fitness of the individual for continued employment, including such factors as his or her moral rectitude, to the extent that it can be determined from job performance, relationships with supervisors and other employees, and such other information as may incidentally come to the attention of the employer through the normal social exchanges that are common to most workplaces. On the whole, therefore, the extraordinary waiver of privacy which may be justified when a stranger is hired is substantially less compelling as applied to an employee with many months, or indeed many years, of service.
Mr. Picher did state that in-employment checks can be used for employees exercising “particularly sensitive functions.”
In this case, Arbitrator Stout held that the employer had not proven a “current problem” or “real risk.” Arbitrator Stout was also significantly influenced by the structural problem with vulnerable sector checks – i.e. they return sensitive “non-conviction information” for which employers generally have no need.
Rouge Valley Health System v Ontario Nurses’ Association, 2015 CanLII 24422 (ON LA).
Here’s a 10 minute presentation I gave to the firm yesterday that puts some trends in context and addresses recent breach notification amendments.
CORRECTION. I made a point in this presentation that the Bill 119 amendments to PHIPA remove a requirement to notify of unauthorized “access” – a positive add given the statute does not include a harms-related threshold for notification. Section 1(2) of the Bill, I have now noticed, amends the definition of “use” as follows: “The definition of ‘use’ in section 2 of the Act is amended by striking out ‘means to handle or deal with the information” and substituting ‘means to view, handle or otherwise deal with the information.’ The removal of “access” from the breach notification provision will therefore not invite a change.
Here’s a slide deck (including speaking notes) for a presentation I did today at LegalTech Toronto.
I aimed for something practical on the art of breach response by speaking to these ten tips:
- Initiate response ASAP
- Don’t rest on assumptions
- Keep the ball moving
- Don’t rush
- Obtain objective input
- Obtain technical input
- Take a broad view of notification
- Put yourself in their shoes
- Demonstrate commitment to doing better
On February 24th the Grievance Settlement Board (Ontario) held that an employer should provide a grievor with three days’ paid vacation as a remedy for the consequences of an (admitted) security breach. The breach apparently allowed other employees to read incident reports involving the grievor, who alleged this caused him psychological distress. The GSB made its finding after conducting an informal med-arb process.
Ontario Public Service Employees Union (Grievor) v Ontario (Liquor Control Board of Ontario), 2015 CanLII 14198 (ON GSB).
On March 15th, the Grievance Settlement Board (Ontario) dismissed a grievance against the government for one employee’s intentional “snooping” into another employee’s employment insurance file.
Intentional unauthorized access to personal information by a trusted agent is a somewhat common scenario that has not yet been addressed by labour arbitrators. While arbitrators have taken jurisdiction over privacy grievances on a number of bases, privacy grievances have typically addressed intentional employer action – e.g. the administration of a drug test or the installation of a surveillance camera. This case raises an issue about an employer’s obligation to secure employee personal information and its liability for intentional access by another person. Can a reasonable safeguards duty arise inferentially out of the terms of a collective agreement? Is there some other source of jurisdiction for such claims? It is not clear.
The GSB ultimately finds jurisdiction in the Municipal Freedom of Information and Protection of Privacy Act, which it finds is an “employment-related statute” that can be the basis of arbitral jurisdiction. This is unfortunate because MFIPPA, in general, excludes employment-related records (and hence employees). There are now a handful of arbitral decisions that neglect to consider and apply the (very important) exclusion.
Having found jurisdiction rooted in MFIPPA, oddly, the GSB does not consider whether the government (or the Ministry’s head) failed to meet the MFIPPA “reasonable measures to prevent unauthorized access” security standard. Instead, it applied a vicarious liability analysis and dismissed the grievance. I’ll quote the GSB analysis in full:
41 Being guided by the principles set out in Re Bazley, I am of the view that the Employer is not vicariously liable for actions of Ms. X. Simply put, the “wrongful act” was not sufficiently related to conduct authorized by the Employer. Indeed, the accessing of the grievor’s EI file had nothing to do with the work assigned to employees. Employees were able to and indeed did access EI files but only in those instances where it was necessary to assist their clients.
42 The evidence established that the Employer had clear and sufficient policies regarding the protection of private information. Privacy matters were discussed with employees at the point that they were hired and although those policies could have and perhaps should have been formally reviewed more frequently by management, employees were reminded of their obligations frequently by way of a “pop up” upon entering their computers.
43 Further, Ms. Smith, a co-worker of the grievor, who testified for the Union was very forthright in her cross-examination that she knew that she was not to access the private information of anyone for her own interest. Moreover, this intrusion was the first time that she knew of anyone in the workplace doing such a thing. It might well be argued that this reinforces the view that the policy was known and followed in the workplace. Certainly there was no evidence of any other breach.
44 This intrusion was not an abuse of power. It was not an instance where someone with power over the grievor utilized their authority to carry out the wrong. It was a coworker — indeed I am of the view that it was the action of a rogue employee who, for her own purposes accessed the grievor’s EI file. It was not an action that could be seen to “further the Employer’s aims.” Indeed this activity was done without the sanction or knowledge of the Employer. I accept the Employer’s evidence that it knew nothing of the intrusion until being told by a coworker of the grievor and upon learning took immediate action to investigate and manage the issue and the Ms. X who received a significant suspension.
45 Finally, it must be recalled that this Board dismissed the grievor’s allegations that the Employer and her coworkers were bullying and harassing her in a separate decision. Accordingly it seems to me that it cannot be said that the intrusion into her EI records by Ms. X was “related to friction, confrontation or intimacy inherent in the employer’s enterprise.”
Whether an organization is vicariously liable for an employee’s intentional unauthorized access to personal information is a very significant legal issue. This analysis will receive significant attention.
Ontario and OPSEU, Re, 2015 CarswellOnt 3885.
Today, the Office of the Information and Privacy Commissioner for British Columbia held that the District of Saanich breached the British Columbia Freedom of Information and Protection of Privacy Act by installing endpoint monitoring software on employee workstations.
The District’s plan was not well conceived – apparently arising out of a plan to shore up IT security because the District’s new mayor was “experienced in the area of IT.”
The District installed a product called Spector 360 – a product billed as a “comprehensive user activity monitoring solution.” This is software that enables the collection of detailed data from “endpoints” on a network. It is not intrusion detection software or software that helps analyze events across a network (which the OPIC noted is in use at other British Columbia municipalities).
The District enabled the software on 13 workstations of “high profile users” to capture a full range of endpoint data, including screenshots captured at 30 second intervals and data about all keystrokes made. The purported purpose of this implementation was to support incident response, a purpose the OIPC suggested could only support an inadequate, reactive IT security strategy.
The OIPC held that the District collected personal information without the authorization it required under FIPPA and failed to notify employees as required by FIPPA. I’ll save on the details because the OIPC’s application of FIPPA is fairly routine. I will note that the OIPC’s position is balanced and seems to adequately respect institutions’ need to access system information for IT security purposes. It acknowledges, for example, that some limited data collection from endpoints is justifiable to support incident response. Not surprisingly, the OIPC does not endorse taking screen shots or collecting keystroke data.
Investigation Report F15-01, 2015 BCIPC No. 15.
Here’s a presentation my partner Ian Dick and I gave today to an audience of in-house counsel. It’s about the why’s and how’s of breach response planning. The wonderful Karen Gordon of Squeaky Wheel Communications also presented on communicating a data breach, and her slides are attached.
Yesterday the Information & Privacy Commissioner/Ontario issued a paper called “Detecting and Deterring Unauthorized Access to Personal Health Information.” The paper adjusts and augments the detailed guidance on hospital data security the IPC provided in December when it issued HO-013.
In issuing HO-013 the IPC articulated numerous requirements in near checklist form. The IPC adds new requirements in Detecting and Deterring. Hospitals that are currently using HO-013 to conduct a gap analysis should now refer to Detecting and Deterring.
One exception to the augmentation is the IPC’s handing of “search controls” – controls that rest on limiting the search functionality of patient record systems. The IPC has backed off noticeably from HO-013 in Detecting and Deterring, which states:
With respect to search controls, it is important to note that open-ended search functionality may facilitate unauthorized access to personal health information in electronic information systems. For example, in the privacy breach involving the use and disclosure of personal health information for the purpose of selling or marketing RESPs, agents of the hospital were able to obtain lists of women who had recently given birth by performing open-ended searches of a patient index. To prevent this, custodians should ensure that the amount of personal health information that is displayed as a result of a search query is limited, while still enabling agents to carry out their employment, contractual or other duties. Open-ended searches for individuals should be prohibited by the search functionality and search capabilities of electronic information systems containing personal health information. Ideally, electronic information systems should be configured to ensure that search criteria return only one record of personal health information. If that is not feasible, then electronic information systems should be configured so that no more than five records of personal health information are displayed as a result of a search query.
The withdrawal makes sense. Search controls can put patient safety at risk, yet even rigid search controls are a questionable deterrent to intentional unauthorized access. Are bad actors really more likely to engage in unauthorized access because information is easy to find?
Hospitals should beware of the distinction between prescriptions that are recommendatory and prescriptions the IPC has the power to enforce. This is most important in considering the heavily-augmented breach response section of Deterring and Detecting. The IPC, for example, returns to an accountability-related idea it has pressed since making order HO-010 in 2010 by suggesting that hospitals should provide affected individuals with the name of “the agent that caused the privacy breach” in a breach notification letter. The IPC has the power to enforce breach response requirements that are derived from section 12 of PHIPA. A number of the prescriptions it makes on breach response (not necessarily the one I have identified above) have a tenuous connection to section 12 and can reasonably be viewed as recommendatory.
On December 16th the Information and Privacy Commissioner/Ontario issued its 13th order under the Personal Health Information Protection Act. It contains very detailed prescriptions pertaining to the PHIPA data security standard in section 12. The standard is contextual – i.e., the standard of care is always based on all the “circumstances.” However, given Ontario hospitals face similar foreseeable risks, hospitals should pay very close heed to the prescriptions in HO-013.
I’ll spare you a description of the background and get to the point. Here is a bulleted summary of the data security prescriptions in HO-13. Rather than describe each in detail I will give you very short (synthesized) descriptions and page references.
- Ensure that patient information systems support audits and investigations of system misuse. Collect reliable data on all access, copying, disclosure, modification and disposal of patient records. Retain data for a reasonable period of time. Pages 23 to 29.
- Conduct periodic audits for patient information system misuse: “Audits are essential technical safeguards for electronic information systems.” Conduct random audits on all system activity. Run a special audit program for “high profile” patients. Pages 32 to 34.
- Ensure that patient information systems feature reasonable search controls. Search controls should limit the ability of agents to perform “open-ended” searches. Pages 29 to 32.
- Ensure that patient information systems feature a login notice that appears on its own screen and requires express acknowledgement. Page 22.
- Conduct regular and comprehensive privacy training pursuant to a privacy training program policy. Require pre-authorization training and annual re-training. Training materials should be detailed and contain certain information prescribed in HO-013. Pages 34 to 36.
- Communicate regularly about privacy compliance and compliance duties pursuant to a privacy awareness program policy. Page 36.
- Administer a “pledge of confidentiality” that contains certain information prescribed in HO-013. Require agents to sign pre-authorization and annually. Pages 37 and 38.
- Maintain and administer a privacy breach management policy that meets particular requirements specified in HO-013. Pages 40 and 41.
Most hospitals will already have data security programs that feature many of the elements in the list above. Regardless, there are detailed requirements in HO-013 (not included in the summary above) that invite hospitals to conduct a broad gap analysis. Some gaps are likely to be closed easily and others may require the investment of additional ongoing resources – e.g., gaps with respect to training and communication programming. The most problematic prescriptions in HO-013 are those related to the modification of patient information systems. The prescriptions regarding search controls, for example, seem problematic and may create system usability (search) problems. The responding hospital did raise concerns about usability that the IPC dismissed.
Order HO-013 (IPC Ontario).
I’m mid way through the Canadian Institute for the Administration of Justice “Privacy in the Age of Information” conference in St. John’s Newfoundland. It’s been a great conference so far, with quality presentations on tough administration of justice like issues like cyberbullying, the right to be forgotten and state surveillance.
My contribution was on the workplace privacy panel with Paul MacDonald of Cox & Palmer (as moderator), Emma Phillips of Sack Mitchell and Melanie Beuckert of the Court of Appeal of Manitoba. I started with a short “management perspectives” address and then Emma and I debated a variety issues, including computer access and monitoring, off-duty conduct and the exclusion of surveillance evidence at labour arbitration. Melanie played the “straight person” role wonderfully. It was fun, and I advanced my thinking about these issues significantly.
In preparation I worked up the speaking notes below, which capture some of the ideas I contributed to the discussion.