Tag Archives: pipeda

Two presentations all about information

5 Apr

Here are two recent presentations that may be relevant to you – one on finding internet evidence that I presented last Saturday at our firm’s PD day and another from a few days earlier on privacy, data security and CASL compliance at financial services firms. If you work in management and something catches your eye that raises questions do get in touch.

 

SCC says PIPEDA does not constrain a court’s procedural power

19 Nov

The Supreme Court of Canada decided the case of RBC v Trang this week. It held that the Personal Information Protection and Electronic Documents Act does not limit the procedural powers of a court. If a court, based on analysis that is not at all governed by PIPEDA, decides that an order to disclose personal information is warranted, it may issue the order. The order may be complied with notwithstanding PIPEDA.

Here is the ratio in Trang:

As a result of s. 7(3) , PIPEDA does not diminish the powers courts have to make orders, and does not interfere with rules of court relating to the production of records. In addition, PIPEDA does not interfere with disclosure that is for the purpose of collecting a debt owed by the individual to an organization, or disclosure that is required by law. In other words, the intention behind s. 7(3) is to ensure that legally required disclosures are not affected by PIPEDA.

All is right in the world again after the Ontario courts got quite twisted up on a very fundamental question about PIPEDA’s impact on the civil justice system.

The Court also held that debtors implicitly consent to the disclosure of mortgage status information (current balance) to judgement creditors who are seeking to recover a debt. This creates an opportunity for banks to assist judgement creditors without requiring them to obtain a court order. (Might the Court have had the burden of pro forma motions in mind?)

More generally, the Court supported a very flexible, fully-contextual implicit consent standard. This arguably erodes privacy protection and invites uncertainty, but also allows for just and sensible outcomes despite a consent rule in PIPEDA that is otherwise quite strict. Of course, this will feed the current dialogue about whether consent is a meaningful principle by which to govern the protection of personal privacy.

Royal Bank of Canada v. Trang, 2016 SCC 50 (CanLII).

Cybersecurity and data loss (short presentation)

8 Nov

Here’s a 10 minute presentation I gave to the firm yesterday that puts some trends in context and addresses recent breach notification amendments.

CORRECTION. I made a point in this presentation that the Bill 119 amendments to PHIPA remove a requirement to notify of unauthorized “access” – a positive add given the statute does not include a harms-related threshold for notification. Section 1(2) of the Bill, I have now noticed, amends the definition of  “use” as follows: “The definition of ‘use’ in section 2 of the Act is amended by striking out ‘means to handle or deal with the information” and substituting ‘means to view, handle or otherwise deal with the information.’ The removal of “access” from the breach notification provision will therefore not invite a change.

The internet as a corporate security resource

22 Mar

Here’s a presentation I gave to a federally-regulated employer last week on use of internet-based information for security and other related purposes. Enjoy!

Court dismisses application for information about business partner’s employees

15 Apr

On April 2nd, the Ontario Superior Court of Justice dismissed an application for the disclosure of detailed employee payroll information from an employer to its partner in a joint venture.

The partner was partially responsible for the employer’s wage bill and relied on its right to inspect records under the joint venture agreement. The employer argued that, despite the agreement, it could not disclose employee personal information without violating PIPEDA. As an alternative, the employer offered to have an audit conducted and share the results. The partner felt this was insufficient.

Justice Perell held that he had no power to make an order that would relieve the parties from the PIPEDA consent requirement, stating “s. 7(3)(c) of PIPEDA does not provide a free-standing jurisdiction to grant exemptions.” He dismissed the application without prejudice to the filing of a new application based on the “activation” of another PIPEDA exemption.

Mountain Province Diamonds Inc v De Beers Canada Inc, 2014 ONSC 2026 (CanLII).

OPC issues important decision for federally-regulated employers on access to “mixed personal information”

1 Jan

Federally-regulated employers should pay heed to OPC report of findings 2013-004, issued in July 2013. It contains the most detailed guidance on how to administer requests for access to personal information about employees that is received from other employees in confidence – information sometimes called “mixed personal information.”

The OPC adopts the case-by-case balancing of interests approach endorsed by the Federal Court of Appeal in a Privacy Act case called Pirrie: “In determining the right to have access to this information under PIPEDA, the interests of the individuals concerned should be balanced against each other along with the public interest for and against disclosure.”

This test does not support a “bright line,” so the OPC guidance is welcome. It uses 2013-004 to distinguish between two scenarios:

  • The OPC held that notes containing peer feedback that an employer received in conducting a routine performance feedback process were exempt from the right of access. It helped that the employer had provided the complainant with a high-level summary of feedback and helped that the complainant himself had expressly promised to his peers that their feedback would be given anonymously.
  • The OPC distinguished its prior treatment of information gathered in an internal investigation from witnesses when the investigation led to the complainant’s dismissal from employment. The OPC affirmed the complainant’s right of access in this scenario, but specified that the complainant required access to her personal information “as part of her efforts to be re-instated in her position,” which suggests that the complainant had either commenced litigation or that litigation was reasonably contemplated. The OPC also noted, “there were no formal assurance made that the information the investigation participants provided would be kept confidential.”

This gives federally-regulated employers some indication of the OPC’s perspective on a common and significant access issue, though the analysis invited by the Pirrie test is very contextual and outcomes will differ based on a wide range of potentially relevant facts. While the OPC’s decision on access to information gathered from witnesses in an internal investigation might be of some concern to employers, employers cannot provide witnesses with an absolute promise of confidentiality given witness statements may be producible in litigation. If the OPC decision merely suggests that witness statements are likely to be accessible under PIPEDA when litigation is reasonably contemplated it will be rather harmless in its impact.

Bank provides former employee with insufficient access to his personal information, 2013 CanLII 71855 (PCC).

Ontario court says PIPEDA does not apply to LawPro

29 Sep

On August 28th, the Ontario Superior Court of Justice held that LawPro (who insures Ontario lawyers) was entitled to report various allegations made against an insured to the Law Society of Upper Canada.

LawPro made the report after the insured was sued and before it denied him coverage.  The Court held that LawPro wrongly denied coverage but dismissed the insured’s breach of confidence and privacy claim.

The Court held that LawPro did not breach PIPEDA because it is not engaged in commercial activity. It explained:

Counsel for LawPro submits, correctly in my view, that the providing of mandatory professional liability insurance to the province’s lawyers is not a commercial activity within the meaning of section 4(1)(a) of PIPEDA. Although LawPro is designed to conduct itself in a financially viable manner, its principal shareholder is the Law Society – a regulatory body – and its mandate entails “a commitment to working with the bar in the public interest over the long term”. LawPro, Our Story: 15 Years of Making a Difference (Lawyers Professional Indemnity Company, 2010), online: http://www.practicepro.ca/LawPROmag/15Anniversary Booklet.pdf, at p. 4. That mandate takes LawPro outside of the type of activities to which PIPEDA applies.

The Court also held that LawPro acted properly in making the report notwithstanding the insured’s argument that his communications with LawPro were made to a solicitor in his and LawPro’s common interest and were therefore subject to solicitor-client privilege. The Court held that LawPro had a duty to report that superseded solicitor-client privilege.

(Is there really such a duty? I question whether the decision merely suggests that LawPro was entitled, as a matter of public interest, to report.)

Cusack v The Lawyers’ Professional Indemnity Co., 2013 ONSC 5511 (CanLII).