We have just posted all the content for our BLG series “Privacy & Cyber Risks, Trends & Opportunities for Business.” See here for some very good content by our privacy and data security team.
Here is a direct link to our most recent webinar, which I delivered together with my partner Patrice Martin. It was very rewarding to work with and learn from Patrice, a very well established technology industry and transactions lawyer.
Here’s a 10 minute presentation I gave to the firm yesterday that puts some trends in context and addresses recent breach notification amendments.
CORRECTION. I made a point in this presentation that the Bill 119 amendments to PHIPA remove a requirement to notify of unauthorized “access” – a positive add given the statute does not include a harms-related threshold for notification. Section 1(2) of the Bill, I have now noticed, amends the definition of “use” as follows: “The definition of ‘use’ in section 2 of the Act is amended by striking out ‘means to handle or deal with the information” and substituting ‘means to view, handle or otherwise deal with the information.’ The removal of “access” from the breach notification provision will therefore not invite a change.
On March 15th, the Grievance Settlement Board (Ontario) dismissed a grievance against the government for one employee’s intentional “snooping” into another employee’s employment insurance file.
Intentional unauthorized access to personal information by a trusted agent is a somewhat common scenario that has not yet been addressed by labour arbitrators. While arbitrators have taken jurisdiction over privacy grievances on a number of bases, privacy grievances have typically addressed intentional employer action – e.g. the administration of a drug test or the installation of a surveillance camera. This case raises an issue about an employer’s obligation to secure employee personal information and its liability for intentional access by another person. Can a reasonable safeguards duty arise inferentially out of the terms of a collective agreement? Is there some other source of jurisdiction for such claims? It is not clear.
The GSB ultimately finds jurisdiction in the Municipal Freedom of Information and Protection of Privacy Act, which it finds is an “employment-related statute” that can be the basis of arbitral jurisdiction. This is unfortunate because MFIPPA, in general, excludes employment-related records (and hence employees). There are now a handful of arbitral decisions that neglect to consider and apply the (very important) exclusion.
Having found jurisdiction rooted in MFIPPA, oddly, the GSB does not consider whether the government (or the Ministry’s head) failed to meet the MFIPPA “reasonable measures to prevent unauthorized access” security standard. Instead, it applied a vicarious liability analysis and dismissed the grievance. I’ll quote the GSB analysis in full:
41 Being guided by the principles set out in Re Bazley, I am of the view that the Employer is not vicariously liable for actions of Ms. X. Simply put, the “wrongful act” was not sufficiently related to conduct authorized by the Employer. Indeed, the accessing of the grievor’s EI file had nothing to do with the work assigned to employees. Employees were able to and indeed did access EI files but only in those instances where it was necessary to assist their clients.
42 The evidence established that the Employer had clear and sufficient policies regarding the protection of private information. Privacy matters were discussed with employees at the point that they were hired and although those policies could have and perhaps should have been formally reviewed more frequently by management, employees were reminded of their obligations frequently by way of a “pop up” upon entering their computers.
43 Further, Ms. Smith, a co-worker of the grievor, who testified for the Union was very forthright in her cross-examination that she knew that she was not to access the private information of anyone for her own interest. Moreover, this intrusion was the first time that she knew of anyone in the workplace doing such a thing. It might well be argued that this reinforces the view that the policy was known and followed in the workplace. Certainly there was no evidence of any other breach.
44 This intrusion was not an abuse of power. It was not an instance where someone with power over the grievor utilized their authority to carry out the wrong. It was a coworker — indeed I am of the view that it was the action of a rogue employee who, for her own purposes accessed the grievor’s EI file. It was not an action that could be seen to “further the Employer’s aims.” Indeed this activity was done without the sanction or knowledge of the Employer. I accept the Employer’s evidence that it knew nothing of the intrusion until being told by a coworker of the grievor and upon learning took immediate action to investigate and manage the issue and the Ms. X who received a significant suspension.
45 Finally, it must be recalled that this Board dismissed the grievor’s allegations that the Employer and her coworkers were bullying and harassing her in a separate decision. Accordingly it seems to me that it cannot be said that the intrusion into her EI records by Ms. X was “related to friction, confrontation or intimacy inherent in the employer’s enterprise.”
Whether an organization is vicariously liable for an employee’s intentional unauthorized access to personal information is a very significant legal issue. This analysis will receive significant attention.
Today, the Office of the Information and Privacy Commissioner for British Columbia held that the District of Saanich breached the British Columbia Freedom of Information and Protection of Privacy Act by installing endpoint monitoring software on employee workstations.
The District’s plan was not well conceived – apparently arising out of a plan to shore up IT security because the District’s new mayor was “experienced in the area of IT.”
The District installed a product called Spector 360 – a product billed as a “comprehensive user activity monitoring solution.” This is software that enables the collection of detailed data from “endpoints” on a network. It is not intrusion detection software or software that helps analyze events across a network (which the OPIC noted is in use at other British Columbia municipalities).
The District enabled the software on 13 workstations of “high profile users” to capture a full range of endpoint data, including screenshots captured at 30 second intervals and data about all keystrokes made. The purported purpose of this implementation was to support incident response, a purpose the OIPC suggested could only support an inadequate, reactive IT security strategy.
The OIPC held that the District collected personal information without the authorization it required under FIPPA and failed to notify employees as required by FIPPA. I’ll save on the details because the OIPC’s application of FIPPA is fairly routine. I will note that the OIPC’s position is balanced and seems to adequately respect institutions’ need to access system information for IT security purposes. It acknowledges, for example, that some limited data collection from endpoints is justifiable to support incident response. Not surprisingly, the OIPC does not endorse taking screen shots or collecting keystroke data.
I’m mid way through the Canadian Institute for the Administration of Justice “Privacy in the Age of Information” conference in St. John’s Newfoundland. It’s been a great conference so far, with quality presentations on tough administration of justice like issues like cyberbullying, the right to be forgotten and state surveillance.
My contribution was on the workplace privacy panel with Paul MacDonald of Cox & Palmer (as moderator), Emma Phillips of Sack Mitchell and Melanie Beuckert of the Court of Appeal of Manitoba. I started with a short “management perspectives” address and then Emma and I debated a variety issues, including computer access and monitoring, off-duty conduct and the exclusion of surveillance evidence at labour arbitration. Melanie played the “straight person” role wonderfully. It was fun, and I advanced my thinking about these issues significantly.
In preparation I worked up the speaking notes below, which capture some of the ideas I contributed to the discussion.
On April 2nd, the Ontario Superior Court of Justice dismissed an application for the disclosure of detailed employee payroll information from an employer to its partner in a joint venture.
The partner was partially responsible for the employer’s wage bill and relied on its right to inspect records under the joint venture agreement. The employer argued that, despite the agreement, it could not disclose employee personal information without violating PIPEDA. As an alternative, the employer offered to have an audit conducted and share the results. The partner felt this was insufficient.
Justice Perell held that he had no power to make an order that would relieve the parties from the PIPEDA consent requirement, stating “s. 7(3)(c) of PIPEDA does not provide a free-standing jurisdiction to grant exemptions.” He dismissed the application without prejudice to the filing of a new application based on the “activation” of another PIPEDA exemption.
Arbitrator Brent held that the University of Windsor did not violate its faculty collective agreement or the Ontario Freedom of Information and Protection of Privacy Act by publishing teaching evaluation scores on a secure network for access by students and other members of the university community.
She made three findings. First, she held that the change in practice did not breach a frozen practices provision in the collective agreement because the publication condition (freedom from publication, as was argued) was not fundamental to the employment relationship. Second, she held that the express collective agreement restriction on disclosure of faculty personal information did not apply because the information disclosed was not “personal information” under the collective agreement. In reaching this finding, she relied on permissive collective agreement language that referred to the use of teacher evaluation data to construe the term “personal information.” Finally, she held that FIPPA did not apply based on its employment-related records exclusion and the fact that the data was used in the University’s promotion, tenure and renewal process. In rejecting the Association’s argument that student use of the data brought the records under the auspices of the Act, she said:
To argue that it ceases to become a “labour relations” or “employment-related” matter once it is made available to the students would in my view have the effect of excluding SET from FIPPA when it is used for employment related purposes but then including it when it is used to provide information to students. Such a result would be contrary to the Court of Appeal’s decision that once it is determined that FIPPA does not apply to certain material, then that material is exempt from FIPPA for ever.