Here are two recent presentations that may be relevant to you – one on finding internet evidence that I presented last Saturday at our firm’s PD day and another from a few days earlier on privacy, data security and CASL compliance at financial services firms. If you work in management and something catches your eye that raises questions do get in touch.
Here’s a 10-minute presentation I gave to the firm yesterday that puts some trends in context and addresses recent breach notification amendments.
CORRECTION. I made a point in this presentation that the Bill 119 amendments to PHIPA remove a requirement to notify of unauthorized “access” – a positive add given the statute does not include a harms-related threshold for notification. Section 1(2) of the Bill, I have now noticed, amends the definition of “use” as follows: “The definition of ‘use’ in section 2 of the Act is amended by striking out ‘means to handle or deal with the information’ and substituting ‘means to view, handle or otherwise deal with the information.’” The removal of “access” from the breach notification provision will therefore not invite a change.
On April 2nd, the Ontario Superior Court of Justice dismissed an application for the disclosure of detailed employee payroll information from an employer to its partner in a joint venture.
The partner was partially responsible for the employer’s wage bill and relied on its right to inspect records under the joint venture agreement. The employer argued that, despite the agreement, it could not disclose employee personal information without violating PIPEDA. As an alternative, the employer offered to have an audit conducted and share the results. The partner felt this was insufficient.
Justice Perell held that he had no power to make an order that would relieve the parties from the PIPEDA consent requirement, stating “s. 7(3)(c) of PIPEDA does not provide a free-standing jurisdiction to grant exemptions.” He dismissed the application without prejudice to the filing of a new application based on the “activation” of another PIPEDA exemption.
Mountain Province Diamonds Inc v De Beers Canada Inc, 2014 ONSC 2026 (CanLII).
Federally-regulated employers should pay heed to OPC report of findings 2013-004, issued in July 2013. It contains the most detailed guidance on how to administer requests for access to personal information about employees that is received from other employees in confidence – information sometimes called “mixed personal information.”
The OPC adopts the case-by-case balancing of interests approach endorsed by the Federal Court of Appeal in a Privacy Act case called Pirrie: “In determining the right to have access to this information under PIPEDA, the interests of the individuals concerned should be balanced against each other along with the public interest for and against disclosure.”
This test does not support a “bright line,” so the OPC guidance is welcome. It uses 2013-004 to distinguish between two scenarios:
- The OPC held that notes containing peer feedback that an employer received in conducting a routine performance feedback process were exempt from the right of access. It helped that the employer had provided the complainant with a high-level summary of feedback and helped that the complainant himself had expressly promised to his peers that their feedback would be given anonymously.
- The OPC distinguished its prior treatment of information gathered in an internal investigation from witnesses when the investigation led to the complainant’s dismissal from employment. The OPC affirmed the complainant’s right of access in this scenario, but specified that the complainant required access to her personal information “as part of her efforts to be re-instated in her position,” which suggests that the complainant had either commenced litigation or that litigation was reasonably contemplated. The OPC also noted, “there were no formal assurance made that the information the investigation participants provided would be kept confidential.”
This gives federally-regulated employers some indication of the OPC’s perspective on a common and significant access issue, though the analysis invited by the Pirrie test is very contextual and outcomes will differ based on a wide range of potentially relevant facts. While the OPC’s decision on access to information gathered from witnesses in an internal investigation might be of some concern to employers, employers cannot provide witnesses with an absolute promise of confidentiality given witness statements may be producible in litigation. If the OPC decision merely suggests that witness statements are likely to be accessible under PIPEDA when litigation is reasonably contemplated, it will be rather harmless in its impact.
Bank provides former employee with insufficient access to his personal information, 2013 CanLII 71855 (PCC).
On August 28th, the Ontario Superior Court of Justice held that LawPro (who insures Ontario lawyers) was entitled to report various allegations made against an insured to the Law Society of Upper Canada.
LawPro made the report after the insured was sued and before it denied him coverage. The Court held that LawPro wrongly denied coverage but dismissed the insured’s breach of confidence and privacy claim.
The Court held that LawPro did not breach PIPEDA because it is not engaged in commercial activity. It explained:
Counsel for LawPro submits, correctly in my view, that the providing of mandatory professional liability insurance to the province’s lawyers is not a commercial activity within the meaning of section 4(1)(a) of PIPEDA. Although LawPro is designed to conduct itself in a financially viable manner, its principal shareholder is the Law Society – a regulatory body – and its mandate entails “a commitment to working with the bar in the public interest over the long term”. LawPro, Our Story: 15 Years of Making a Difference (Lawyers Professional Indemnity Company, 2010), online: http://www.practicepro.ca/LawPROmag/15Anniversary Booklet.pdf, at p. 4. That mandate takes LawPro outside of the type of activities to which PIPEDA applies.
The Court also held that LawPro acted properly in making the report notwithstanding the insured’s argument that his communications with LawPro were made to a solicitor in his and LawPro’s common interest and were therefore subject to solicitor-client privilege. The Court held that LawPro had a duty to report that superseded solicitor-client privilege.
(Is there really such a duty? I question whether the decision merely suggests that LawPro was entitled, as a matter of public interest, to report.)
Cusack v The Lawyers’ Professional Indemnity Co., 2013 ONSC 5511 (CanLII).