People are abuzz about this April 9th order of the Information and Privacy Commissioner/Ontario in which Adjudicator Corban held that e-mails received by a solicitor employed by the City of Ottawa in his personal capacity were under the custody or control of the City and subject to public access.
The IPC rejected the City’s argument, which rested on a by-law that deemed personal e-mails to be transitory and subject to immediate disposal and the permission it had granted employees to use its computer systems for incidental personal use. The IPC said:
I accept that the City has no objection to the “incidental personal use of City assets such as computers” and the creation or receipt of personal e-mails by its employees. However, I am not persuaded that by allowing for personal usage and by addressing the disposal of such e-mails in its Records Retention By-law the City has given up its authority over personal e-mails stored on City servers…
In my view, the fact that the City has explicitly stated that employees are permitted to use the e-mail system for incidental personal use but that personal use of City computers may be monitored for unauthorized use by the City’s Information and Technology staff, supports a conclusion that the City does have the authority to regulate the treatment of those records even if it chooses not to do so.
This order is reminiscent of (though far less sexy than) the Bobbie Malmer case out of Kentucky. It is also consistent with the traditional view on control of information stored on corporate computer systems. Though the application of our commercial sector privacy legislation, PIPEDA, does not hinge on custody or control, the Federal Court recently found that personal e-mails were not subject to PIPEDA in Johnson v. Bell Canada.
I’ll be speaking about employer access to personal e-mails at a couple of upcoming seminars, including the OBA’s Hot Topics in Privacy Law. Access is a different issue than the control issue (an idea touched upon in this order), but is related and also bound up in developing expectations of privacy based on personal use. An extremely engaging issue right now!
[Addendum. Query whether this outcome is consistent with the purpose of freedom of information legislation? Should the concept of “control” be significantly narrower for the purposes of triggering a right of access than in other circumstances (e.g. for litigation or regulatory production requirements)?]
Order MO-2408 (9 April 2009, IPC/Ontario).
On February 18th, the Federal Court dismissed a PIPEDA application that alleged an executive had unlawfully collected personal information by sending an e-mail to members of his firm to inquire about the applicant.
The facts leading to the application are twisted. Martha McCarthy, a prominent family law lawyer in Ontario, had represented the applicant’s wife in a contentious family law dispute. The judgement reports that Ms. McCarthy told her brother, Peter McCarthy, that she had received two threatening phone calls from the applicant. Mr. McCarthy, a Vice-President at J.J. Barnicke, e-mailed the company’s sales force for information. His subject line stated “Mark Waxer” and his e-mail stated, “Does anyone know what firm Mark is with?” Mr. Waxer complained to the federal Privacy Commissioner and subsequently filed his application.
These facts raise a good issue about PIPEDA application, but the Privacy Commissioner took jurisdiction over the complaint and the court application did not address whether the collection at issue was made in the course of J.J. Barnicke’s commercial activity or for Mr. McCarthy’s personal purposes. (Query whether a finding of jurisdiction is consistent with the Federal Court’s recent Johnson v. Bell Canada ruling.)
The Court dismissed the unlawful collection complaint because the applicant had not proven that Mr. McCarthy had actually collected personal information as result of his request. Notably, the Court gave no weight to the applicant’s argument that it should infer that Mr. McCarthy’s inquiry was fruitful from the respondent’s failure to adduce evidence of a thorough search of its computer system (including a search of e-mail archives and back-up tapes). It was satisfied with Mr. McCarthy’s sworn denial, which the applicant did not challenge in cross-examination .
The Court also declined to award damages for breach of PIPEDA’s accountability principle. The Privacy Commissioner had concluded that J.J. Barnicke did not have appropriate privacy policies in place nor did it have a designated privacy officer accountable for compliance as required by the Principles 4.1 and 4.1.4 of Schedule 1 to PIPEDA. The company complied with the Commissioner’s recommendations, and she therefore deemed the complaint to be “well-founded and resolved.” Without re-visiting the question of breach, the Court held that it was not proper to award damages in the circumstances. It held the applicant could not claim damages for the stress of the proceedings themselves and held that the he had not otherwise proven any other humiliation or embarrassment that would warrant a damages award. It noted that the applicant’s aggressive and assertive position throughout the litigation was inconsistent with his damages claim.
Waxer v. J.J. Barnicke Limited, 2009 FC 168 (CanLII).