Good quotes on the impossibility of “ensuring” security and achieving zero risk

I blogged about Arbitrator Surdykowski’s decision in Providence Health when it was released in 2011 for its ratio – employers are entitled to more than a bare medical certification when an employee is absent from work.

I had occasion to use the case in a matter I argued yesterday, and was pleasantly surprised to re-read what Arbitrator Surdykowski said about data security and the impossibility of “ensuring” data security. The union had made an argument for minimizing the collection of health information that rested on data security risk, to which Mr. Surdykowski replied:

I agree with the Union’s assertion that there is always a possibility that private and confidential medical information may be inadvertently released or used inappropriately. Try as they might, it is impossible for anyone to absolutely guarantee information security. All that anyone can do in that respect is the best they can. There is nothing before me that suggests the extent to which the inadvertent (or intentional) release or misuse of confidential information occurs, either generally or at the workplaces operated by this Employer. More specifically, there is no indication of how often it happens, if at all, or that best efforts are demonstrably “not good enough”.

In a perfect world, the security and proper use of confidential private medical (or other) information could and would be guaranteed. But to be perfect the world would have to be populated by perfect human beings.

This is a nice quote to bring forward in this blog, of course, because it’s always good to remind ourselves (and others) that the mere happening of a security incident doesn’t mean fault!

It’s a hard point to argue when hindsight bears heavily on a decision-maker, but it is indisputable. I once defended an employer in a charge that followed a rather serious industrial accident in which an employee at a truck dealership was run over by a tractor. The Court of Appeal held that the tractor wasn’t a “vehicle” for the purposes of the Occupational Health and Safety Act and entered an acquittal. In examining the context for this finding, Justice Cronk made the same point as Arbitrator Surdykowski:

That said, consideration of the protective purposes of the legislative scheme is not the only consideration when attempting to ascertain the scope of s. 56 of the Regulation. The Act seeks to achieve “a reasonable level of protection” (emphasis added) for workers in the workplace. For obvious reasons, neither the Act nor the Regulation mandate or seek to achieve the impossible — entirely risk-free work environments.

Every security incident is an opportunity to tell a story about pre-incident due diligence that highlights this basic truth. (If your defence rests on our horrendously vague privacy law, you’re in trouble, I say.) It’s also a reason to hold our tongues and not judge organizations who are victimized, at least before learning ALL the facts. Security incidents are complex. Data security is hard.

Case Report – Investigator to suspect duty of care recognized by SCC

On October 4th, a 6-3 majority of the Supreme Court of Canada held that an investigating police officer owes a private law duty of care to the suspect under investigation. This is a duty of care case and not directly about information and privacy. There are, however, a couple of points of significance to readers of this blog.

First, investigations obviously involve the collection of personal information, and the new duty will inform such collections. Unlike section 8 of the Canadian Charter of Rights and Freedoms, which only operates to restrict the collection of information, the new duty could conceivably require its collection. In fact, in this case one of the allegations was that the police breached their duty of care by failing to re-investigate after receiving exculpatory evidence after charges were laid. Based on the majority’s reasoning, there is no reason why a private investigator or a member of a company’s audit or security staff would not be found to be subject to an analogous duty quite apart from any factors related to the underlying relationship between the investigator’s principal and her suspect.

Second, this is the first time the Supreme Court of Canada has commented on the important Jane Doe duty to warn case, which was relied upon by the majority (of five judges) at the Court of Appeal in recognizing the new duty. Writing for the majority of the Supreme Court, McLachlin C.J.C. said that Jane Doe was not analogous and noted that there is significant debate over the content and the scope of its ratio. For the minority, Charron J. went further and explained:

Hence, the trial judge in Jane Doe held that where the police are aware of a specific threat to a specific group of individuals, the police have a duty to inform those individuals of the specific threat in question so that they may take steps to protect themselves from harm. As Moldaver J. (as he then was) said, speaking for the Divisional Court in confirming that the action could proceed to trial, “[w]hile the police owe certain duties to the public at large, they cannot be expected to owe a private law duty of care to every member of society who might be at risk”: Jane Doe v. Metropolitan Toronto (Municipality) Commissioners of Police (1990), 72 D.L.R. (4th) 580, at p. 584. Hence, Jane Doe cannot be read to stand for the wide proposition that the police owe a general duty of care to all potential victims of crime. Such an interpretation would ignore the fact that there must be more than mere foreseeability of harm before a duty of care will arise; there must also be sufficient proximity between the parties and the absence of policy considerations negating the existence of any prima facie duty of care.

Hill v. Hamilton-Wentworth Regional Police, 2007 SCC 41.