Municipality breaches privacy statute by communicating via Facebook

Last September 27th, the Newfoundland and Labrador OIPC held that a municipality breached the Newfoundland Access to Information and Protection of Privacy Act because an employee, in the course of her duties, identified the Facebook accounts of two members of the public and messaged them through her own Facebook account.

The OIPC held that this use of Facebook led the municipality to engage in an improper use of personal information and breach its safeguarding duty. One problem, according to the OIPC, was the use of a means of communication not governed at all by the municipality:

Facebook is a social media website that is accessible from any computer or device which is capable of accessing the internet. In this sense, the use of Facebook by the Town employee may be akin to the removal of personal information from the Town office. This is further exacerbated by the use of the employee’s own personal account to engage in this communication. From this perspective, the information must be protected in the same manner as used by other public bodies which allow for the removal of personal information from their facilities.

The OIPC made clear, however, that communicating personal information through a Facebook account in a public body’s name is also inappropriate. It said:

For the various security and identification issues outlined above, there is no way to ensure that personal information is properly protected on these websites. If an individual requests that communications with a public body be carried out in this manner, the public body must first satisfy itself that the identity of the Facebook account holder is confirmed, and furthermore that express consent be obtained from the individual acknowledging that the privacy of the communication cannot be guaranteed.

The OIPC gives little reasoning about why communicating through a Facebook account in a public body’s name is less secure than communicating through other kinds of corporate email services, but the concept of channelling communications that include personal information through a consumer service like Facebook (which is neither designed as an email service nor targeted at business) raises obvious concerns.

Report P-2012-001 (27 November 2012, OIPC Newfoundland).

Case Report – Another e-FOI case out of Alberta

On January 14th, the Alberta Court of Queen’s Bench quashed part of an OIPC order about the reasonableness of a search for electronically stored records.

The Court quashed an order requiring the University of Alberta to restore and search e-mail server backup tapes. It held the OIPC erred by making this order without considering the restriction on the obligation to create records that require an institution to use more than its normal “computer hardware and software and technical expertise” or cause “unreasonable interference” with its operation. As in Edmonton Police Services from last year, the Court seemed to assume that restoring compressed e-mails from a backup tape involves “creating” a record.

The Court also upheld the OIPC’s order to search again. In doing so, it affirmed an OIPC finding that it was unreasonable to search for “complaints” related to the requester by only searching e-mails of the two administrators who invited feedback and not the department members from whom feedback was solicited. The Court commented that a search of the recipients’ e-mails only was insufficient given the (unresolved) potential for deletion of e-mails:

The University, on the other hand, insists it was reasonable to restrict the scope of the search to just those two persons because they were the people who would have been aware of the complaints and would have received them. While the Chair and Associate Chair were the most likely recipients of complaints, it was reasonable to consider whether others might have responsive records, including the senders of any complaints. This was particularly so given the University’s evidence that the Chair and Associate Chair had no standard practice in regards to retention and deletion of records, gave no evidence as to whether they had deleted any email, and gave no evidence that they did not recall receiving any written complaints.

The Court also affirmed an order requiring the University to apply broader search terms in searching again on the basis that a keyword search based on the requester’s first or last name only was unreasonable.

Hat tip to Linda MacKay-Panos at ABlawg. See here for Linda’s summary.

University of Alberta v. Alberta (Information and Privacy Commissioner), 2010 ABQB 89 (CanLII).

Case Report – Privilege in e-mails waived based on uncontested waiver claim

On September 3rd, the Ontario Superior Court of Justice dismissed a motion to disqualify counsel who received allegedly privileged e-mails and used them to amend its pleadings. It held that the privilege holder had waived privilege either knowingly or through the reckless conduct of its counsel.

The privilege dispute arose in the context of a wrongful dismissal claim and a counter-claim brought against a departing plaintiff. The plaintiff had communicated with his legal counsel by e-mail on his former employer’s system. The employer’s American counsel retrieved the e-mails and turned them over to its Canadian counsel, who produced twelve suspect e-mails to the plaintiff in September 2007 along with 135 other documents. The next day, the employer’s counsel wrote a one page letter to the plaintiff’s counsel to deal with a number of production issues and expressly took the position that privilege in the e-mails had been waived.

The plaintiff objected to the production in May 2009. This was after its counsel had responded to all points in the one page letter except the privilege issue and had sought a further and better affidavit of documents. It was also after the defendant retained new counsel who assumed the plaintiff had accepted its privilege waiver position and sought to amend its pleadings to refer to the solicitor-client communications in November 2007.

On these facts, Master Glustein held that the plaintiff had waived privilege. He also held that he would not have otherwise disqualified the defendant’s newly-retained counsel, who he said was blameless in proceeding with its understanding that privilege had been waived. Master Glustein did not consider whether the plaintiff waived privilege in her communications by using her employer’s e-mail system, but did comment:

I also find no “blame” in CPL going through Eisses and Fava’s emails at the outset. Even if the Emails are privileged, CPL’s counsel (Miller and Blakes) believed that the Emails were not privileged because they were the employer’s documents, and that as such, Eisses waived privilege. In any event, CPL and Blakes did the right thing by immediately and explicitly advising Colson, at the outset of the production process, that CPL had produced solicitor-client communications on which CPL claimed Eisses waived privilege.

This obiter statement is of some interest given the frequency with which employers find themselves in custody of their former employees’ solicitor-client communications. The case is otherwise driven by its facts.

Eisses v. CPL Systems Canada Inc., 2009 CanLII 45440 (ON S.C.).

Employer access to employee e-mails in Canada

I presented at an OBA privacy conference back in early June but held off posting a short paper I wrote for it entitled, “Employer access to employee e-mails in Canada.” The paper argues that there are signs that the traditional “no expectation of privacy” approach to addressing employer access to employees’ stored communications is waning, leaving employers with a choice between giving clearer notice to employees or, alternatively, implementing purpose-based controls to protect employee privacy.

This is a hot topic north and south of the border, and was so even before the Superior Court of New Jersey Appellate Division issued its much discussed decision in Stengart v. Loving Care Agency on June 26th.

Stengart is about whether privilege is waived in solicitor-client communications that are stored on an employer’s system. Our own leading case on this issue is Daniel Potter, which suggests that privileged communications made by employees on employer systems deserve greater protection than other “private” employee communications. Despite this distinction, the reasoning in Stengart is very broad, very pro-privacy and is further reason for employers to pay heed to the issues I raise in my paper.

For a copy of the full paper, please click here. And please feel free to contact me or comment below with your feedback and ideas.

Information Roundup – 5 July 2009

Here are my recent links of note from June 22nd.

If you’re interested in the law relating to corporate e-mail systems, be sure to check out Stengart v. Loving Care Agency Inc., linked through the fifth bullet below. It’s a New Jersey case about whether an employee waived privilege in solicitor-client communications by sending them through a personal internet-based e-mail account on a work computer. The e-mails were recovered by the employer, who claimed it could use them in post-employment litigation with the employee. The Court makes some extremely strong statements against employer control over “personal” communications on work systems – some of the strongest I’ve read.

I find the reasoning in Stengart troubling, but am withholding an opinion pending further thought. What’s immediately remarkable to me, however, is how value-laden these e-mail judgements are. Try reading the Alberta Court of Appeal’s recent Poliquin decision and Stengart back-to-back and you’ll see what I mean. This is not good in my view. As a management side advisor and advocate I’m not inclined to promote the enactment of privacy legislation, but if we are going to have enforceable privacy rights, enacting good and balanced privacy legislation might be a way to make such rights understandable. Without predictability, policy-making will be difficult and litigation of reasonable positions might be prohibited by risks that cannot be controlled. These thoughts to be continued at a later date.

On a personal note, Seanna and I are new parents of Penelope Green Robinson. She was born two days ago and is very healthy. “Green” is from Joni Mitchell’s song “Little Green” – a lovely (though sad) song about a mother’s love for child. Here’s a pic of PG and her brother Bug, who has been very welcoming. As for me, I’m feeling very grateful for my family and for the wonders of life.

See ya!

Dan

Case Report – Strong words on employers’ interest in controlling employee computer use by the Alberta C.A.

The Alberta Court of Appeal’s June 22nd judgement in Poliquin v. Devon Canada Corporation is not a privacy judgement, but contains some very strong dicta supporting employers’ interest in controlling employee use of their computer systems.

The case is about an employer that terminated a long-service supervisor for, among other things, sending and receiving pornographic and racist e-mails. In holding the employee’s wrongful dismissal claim ought to be dismissed summarily, the Court of Appeal made the following remarks:

It is important to situate a document like the Code of Conduct in the larger workplace context. Employers have the right to set the ethical, professional and operational standards for their workplaces. Doing so not only falls within an employer’s management rights, it also constitutes an integral component of corporate good governance. The workplace is not an employee’s home; and employees have no reasonable expectation of privacy in their workplace computers. It therefore follows that while employers may permit employees limited personal use of workplace computers, the employer is entitled to restrict the terms and conditions on which that use may be permitted. Devon did just that. Employees are permitted to use Devon’s equipment “for limited personal use”, but such use must be in compliance with the Code of Conduct: App. Key Evidence, Vol. 1, A83. The Code of Conduct expressly provides that prohibited use of e-mail includes “[s]ending…pornographic, obscene, inappropriate or other objectionable messages or attachments via e-mail to anyone”: App. Key Evidence, Vol. 1, A83. Further, harassment is defined under the Code of Conduct as including “[v]isual conduct such as pornographic or derogatory…e-mails…”: App. Key Evidence, Vol. 1, A80.

Employers have good reason to be concerned about the misuse of their equipment and resources in order to access, receive and disseminate pornographic or racist material. The potential for harm to an organization flowing from this kind of misconduct is great. It can easily poison a work environment, thereby denying equal employment opportunities to others: Backman v. Maritime Paper Products Ltd., 2008 NBQB 219 (CanLII), 2008 NBQB 219, 67 C.C.E.L. (3d) 261 at paras. 9-11. Since work is an essential aspect of an individual’s personal life, an employer owes obligations to all employees in its organization. It cannot turn a blind eye to discrimination or harassment in its workplace: Menagh v. Hamilton (City), [2005] O.T.C. 898 at paras. 46 & 287 (S.C.J.), aff’d 2007 ONCA 244 (CanLII), 2007 ONCA 244. As the Ontario Court of Appeal recognized in Gonsalves v. Catholic Church Extension Society of Canada 1998 CanLII 7152 (ON C.A.), (1998), 164 D.L.R. (4th) 339 at para. 10, 39 C.C.E.L. (2d) 104, an employer “has a duty to all the employees both to end the [sexual harassment] and to alleviate its impact upon the employment environment.” See also Tellier v. Bank of Montreal (1987), 17 C.C.E.L. 1 at 12 (Ont. Dist. Ct.), where the Court recognized that an employer has “a heavy responsibility to protect its employees.”

If an employer fails to act, it faces a significant risk of actions by employees who are subjected to discrimination or harassment – and properly so: see for example Robichaud v. Canada (Treasury Board), 1987 CanLII 73 (S.C.C.), [1987] 2 S.C.R. 84, 40 D.L.R. (4th) 577; Janzen v. Platy Enterprises Ltd., 1989 CanLII 97 (S.C.C.), [1989] 1 S.C.R. 1252, 59 D.L.R. (4th) 352; Bannister v. General Motors of Canada Ltd. 1998 CanLII 7151 (ON C.A.), (1998), 164 D.L.R. (4th) 325 at para. 20, 39 C.C.E.L. (2d) 91 (Ont. C.A.); and Tellier at p. 12. Therefore, employers are fully justified in taking proactive steps, including the adoption of codes of conduct, to curtail and prevent improper conduct.

There are other negative consequences an employer may suffer when an employee misuses its equipment and resources for pornographic or racist purposes. The reputation of an employer in the business and wider community can be seriously compromised when even one employee engages in this kind of behaviour, particularly where that employee holds a senior supervisory position. It can also adversely impact on the work – and work ethic – of the employee in question given the very real risk that the misuse will occur in whole or in part on the employer’s time. And then there is the threat to a company’s information technology systems. Computer operating systems can be infected with worms and viruses introduced through inappropriate accessing of pornographic and racist websites or through receiving tainted material downloaded from these websites. In addition to these concerns, this kind of misconduct increases the risk that other ethical and professional boundaries will, by reason of the employer’s perceived tolerance of the original misconduct, be more readily crossed, not only by the affected employee, but by others within the organization, or even perhaps outside it (like suppliers to a company).

In summary, an employee’s misuse of a workplace computer for pornographic or racist purposes negatively affects an employer’s professional, ethical and operational integrity. Employers are not required to tolerate the misuse of their computers and Internet access any more than they are required to put up with serious incidents of dishonesty by employees. When an employee steals money from an employer, the theft and resulting damage is at least confined to that employee. But where dissemination of pornographic or racist material using the employer’s computer or Internet access is concerned and especially where the employee’s e-mail address includes the employer’s identity, this is not necessarily so. In the information technology world today, e-mail can be disseminated to many inside and outside an organization with the click of a mouse. Accordingly, the harm done may well be far more serious and pervasive. This reality substantially increases the risks to employers flowing from the misuse of their equipment and Internet access for improper purposes. For these reasons, an employer is entitled not only to prohibit use of its equipment and systems for pornographic or racist purposes but also to monitor an employee’s use of the employer’s equipment and resources to ensure compliance.

Please forgive the lengthy quote, but it is a fairly powerful excerpt and handy to us management lawyers.

For Michael Fitzgibbon’s excellent discussion of Poliquin and the availability of summary judgement in wrongful dismissal cases, see here.

Poliquin v. Devon Canada Corp., 2009 ABCA 216.

Today’s “e-mail law” presentation

I was at the Osgoode PDP Electronic Evidence seminar today. There were great presentations all around, and I’ve included my notes at this Twitter feed. I was very honoured to co-present with John Gregory, whose knowledge of electronic evidence issues is deep. Our presentation is really about the law of e-mail, with a mix of content on access to e-mail on corporate systems, e-mail production and e-mail admissibility and weight. Here are the slides.

We also provided a handout with case citations and a summary sheet on the CGSB Standard on Electronic Records as Documentary Evidence.

I hope this is useful!

When employees use business systems to communicate with their lawyers

I just read Universal Sales, Limited v. Edinburgh Assurance Co. Ltd., a November 2008 judgement of the Federal Court that deals with inadvertent disclosure of solicitor-client communications.

The case is about a transcript of a telephone conversation containing solicitor-client communications that was inadvertently produced to an opponent in litigation. The judgement has a nice summary of the law on inadvertent disclosure of privileged information:

As the Plaintiffs point out, the mere physical loss of custody of a privileged document does not automatically end privilege, especially in the context of modern litigation where large quantities of documents, such as the electronic production of a CD in this case, are exchanged between counsel and accidental disclosure is bound to occur from time to time.

In cases of inadvertent disclosure, the waiver question turns more on the conduct of the privilege holder after it discovers its disclosure and also on any special prejudice that might be faced by the recipient (e.g. by bona fide reliance that does not conflict with any professional duty to immediately seal the communication).

I found Universal Sales in preparing to make some comments on whether employees waive privilege when they communicate with their solicitors on employer e-mail systems at today’s Osgoode PDP program on electronic evidence. The question is whether the waiver is intentional as opposed to inadvertent and will turn on the facts. The most authoritative Canadian case on the issue is the Daniel Potter decision by Mr. Justice Scanlan of the Nova Scotia Supreme Court.

Scanlan J. found that the CEO of a company had not waived privilege by sending solicitor-client communications through his employer’s computer system. He did consider argument based on the employee privacy cases (see my last post), but held that solicitor-client communications deserve special treatment. He also noted, however, that Mr. Potter was CEO and had “day to day executive control over policies which may have threatened his expectation of privacy.”

My view on the issue is (1) that Daniel Potter does not close the debate, (2) that Canadian courts will demand very special facts to find waiver because they are staunch defenders of solicitor-client privilege and (3) that the occasions when it makes tactical sense to engage in a dispute over the waiver issue are likely rare.

Looking forward to speaking to this later this morning. I’ll live blog the event at #oseev and @michaluk_live.

See ya!