IPC upholds university vaccination policy

On April 5th, the Information and Privacy Commissioner/Ontario affirmed a University of Guelph requirement that students in residence for the 2021/2022 academic year be fully vaccinated.

The IPC has jurisdiction to consider whether a public body’s collection of personal information is “necessary” to a lawfully authorized activity based on the Freedom of Information and Protection of Personal Privacy Act. The necessity test has been endorsed by the Court of Appeal for Ontario as strict. Where personal information would merely be helpful to the activity, it is not “necessary” within the meaning of FIPPA. Similarly, where the purpose can be accomplished another way, a public body is obliged to chose the other route.

The IPC’s affirmation of the University’s policy (and its collection of personal information) rested heavily on a letter the University had received from the Wellington-Dufferin-Guelph Health Unit in July 2021. It said:

I am writing to recommend in the strongest possible terms that the University of Guelph require a full (two-dose) course of COVID-19 vaccines for all students living in residence during the 2021-22 school year. Additionally, the University should continue to recommend strongly that all other students, faculty and staff receive both doses of the vaccine.
Students beginning or returning to their studies this fall are looking forward to a safe and relational post-secondary experience. Adding this significant layer of protection will help create a more normal fall on campus. Strong vaccination rates across the University are an important part of student physical and mental well-being, and should contribute peace of mind to all Gryphons.

The IPC affirmation is significant not only because it supports a vaccine mandate based on the strict FIPPA necessity standard, but also because of its adoption of this letter and its reasoning. While mandates must certainly be based on science that establishes that vaccination reduces the risk of exposure, the privacy commissioners, labour arbitrators and judges who will continue to be called upon to evaluate mandates must recognize that they are also based on a need for stability and mental well-being.

We thought we were though the pandemic, and are now in Wave Six. Will there be a Wave Seven? And although the province is trying to give us the stability we all crave by committing to laissez faire policy, why should our public bodies be precluded from adopting stable, medium-term policy that prioritizes safety?

University of Guelph (Re), 2022 CanLII 25559 (ON IPC).

The union right of access to information

I’ve done a fair deal of enjoyable work on matters relating to a union’s right of access to information – be it under labour law, health and safety law (via union member participation in the health and safety internal responsibility system) or via freedom of information law. Today I had the pleasure of co-presenting to the International Municipal Lawyers Association on the labour law right of access with my colleague from the City of Vaughan, Meghan Ferguson.

Our presentation was about how the labour law right has fared against employee privacy claims. In short, it has fared very well, and arguably better in Ontario than in British Columbia.

I don’t believe the dialogue between labour and management is over yet, however, especially as unions push for greater access at the same time privacy sensitivities are on the rise. The advent of made-in-Ontario privacy legislation could be an impetus for a change, not because it is likely to provide employees with statutory privacy rights as much as because the new legislation could apply directly to unions. So stay tuned, and in the interim please enjoy the slides below.

What’s not to say about Sherman Estate?

We all know that the Supreme Court of Canada decided Sherman Estate v Donavan on June 11th. I just got to it today, and was surprised at its significance to information and privacy law beyond the open courts principle itself. Here is a quick note on its three most salient broader points.

The Court held that records filed in court by estate trustees seeking probate ought not to have been sealed given the presumption of openness that applies to all court proceedings. In doing so, however, it recognized for the first time that privacy alone (whether or not it encourages access to justice) could be “an important public interest” that warrants a departure from the presumption.

Point one – sensitive information is information linked to the biographical core

Most significantly, the Court said that not any privacy interest will qualify. Privacy is such a subjective, difficult and confused concept that many individuals with genuinely felt “sensibilities” must be precluded from claiming that their privacy interest weighs against the openness of a court proceeding. A privacy interest only qualifies as “an important public interest” if the information at stake is “sufficiently sensitive such that it can be said to strike at the biographical core of the individual.”

The biographical core is a concept first articulated in R v Plant in 1993 and has since been criticized by privacy advocates as a concept that limits privacy protection. Yet here it is, front and centre as the limitation on privacy that will now protect the transparency of our justice system. The Court links the biographical core to the protection of human dignity, as it explains in the following paragraph:

Violations of privacy that cause a loss of control over fundamental personal information about oneself are damaging to dignity because they erode one’s ability to present aspects of oneself to others in a selective manner (D. Matheson, “Dignity and Selective Self-Presentation”, in I. Kerr, V. Steeves and C. Lucock, eds., Lessons from the Identity Trail: Anonymity, Privacy and Identity in a Networked Society (2009), 319, at pp. 327‑28; L. M. Austin, “Re-reading Westin” (2019), 20 Theor. Inq. L. 53, at pp. 66‑68; Eltis (2016), at p. 13). Dignity, used in this context, is a social concept that involves presenting core aspects of oneself to others in a considered and controlled manner (see generally Matheson, at pp. 327‑28; Austin, at pp. 66‑68). Dignity is eroded where individuals lose control over this core identity‑giving information about themselves, because a highly sensitive aspect of who they are that they did not consciously decide to share is now available to others and may shape how they are seen in public. This was even alluded to by La Forest J., dissenting but not on this point, in Dagg, where he referred to privacy as “[a]n expression of an individual’s unique personality or personhood” (para. 65).

The term “fundamental personal information” used here is sure to be re-used by privacy defence counsel to deal with disputes about sensitivity. And although the Court stressed again and again that its reasoning was made for the open courts context, we need the authority. The concept of sensitivity is as confused as any aspect of privacy law. The Office of the Privacy Commissioner of Canada finds personal information to be sensitive in virtually every one of its reports. It has found home address information sensitive, for example, yet the Ontario Superior Court of Justice held that home address information doesn’t warrant common law privacy protection. Sherman Estate is going to be helpful to those of us who are striving for a clear and predictable boundary to privacy claims.

Point two – the concept of privacy is a mess

The Court has already said that privacy is “somewhat evanescent” (Dagg) and “protean” (Tessling), and has noted that scholars have criticized privacy as being a concept in “theoretical disarray” (Spencer). In Sherman Estate, the Court revisits this criticism and, for the first time, clearly applies it to limit the scope of privacy protection. It says:

Further, recognizing an important interest in privacy generally could prove to be too open‑ended and difficult to apply. Privacy is a complex and contextual concept (Dagg, at para. 67;see also B. McIsaac, K. Klein and S. Brown, The Law of Privacy in Canada (loose‑leaf), vol. 1, at pp. 1‑4;D. J. Solove, “Conceptualizing Privacy” (2002), 90 Cal. L. Rev. 1087, at p. 1090). Indeed, this Court has described the nature of limits of privacy as being in a state of “theoretical disarray” (R. v. Spencer, 2014 SCC 43, [2014] 2 S.C.R. 212, at para. 35). Much turns on the context in which privacy is invoked. I agree with the Toronto Star that a bald recognition of privacy as an important interest in the context of the test for discretionary limits on court openness, as the Trustees advance here, would invite considerable confusion. It would be difficult for courts to measure a serious risk to such an interest because of its multi-faceted nature.

This is another very important paragraph for privacy defence counsel. I have relied on the first chapter of Daniel Solove’s Understanding Privacy more than once in a factum as a means of inviting a conservative response to a novel privacy matter. Now we have clear Supreme Court of Canada authority on point.

Yes I am arguing against privacy protection, but it is because I deeply crave clarity. Organizations are faced all manner of novel and bold privacy claims, the merits of which are too difficult to assess. We need a clearly defined limit to what counts as a privacy interest worthy of legal protection, whatever it is. This is another reason Sherman Estate is good: the first step to healing is to admit you have a problem!

Point three – a step towards unification, and a half step back

This is why it is so disappointing that the Court keeps saying that privacy is in theoretical disarray without taking up the challenge of fixing the problem.

As I’ve explained, it repeatedly tied its reasoning to the open courts context, and although it took the novel step of relying on Charter jurisprudence to help with its delineation, the Court felt it necessary to make clear that a reasonable expectation of privacy protected by section 8 of the Charter is different.

I pause here to note that I refer to cases on s. 8 of the Charter above for the limited purpose of providing insight into types of information that are more or less personal and therefore deserving of public protection. If the impact on dignity as a result of disclosure is to be accurately measured, it is critical that the analysis differentiate between information in this way. Helpfully, one factor in determining whether an applicant’s subjective expectation of privacy is objectively reasonable in the s. 8 jurisprudence focuses on the degree to which information is private (see, e.g., R. v.Marakah, 2017 SCC 59, [2017] 2 S.C.R. 608, at para. 31; Cole, at paras. 44‑46). But while these decisions may assist for this limited purpose, this is not to say that the remainder of the s. 8 analysis has any relevance to the application of the test for discretionary limits on court openness.

Privacy shouldn’t have a different meaning in the open courts context and the Charter context and the common law/civil context. Why should it? It’s a fundamental right is it not? Has all the talk about contextual significance caused us to be too conservative? Lazy, even? Certainly facts can be assessed in their proper context under a unified concept?

We have unified our reading of differently worded anti-discrimination statutes to provide for clear and strong law across the Country given the importance of human rights protection. I fail to see why we are so hesitant to unify our privacy law.

Sherman Estate is therefore a good decision in my eyes, but not great, and there is more work to be done.

Sherman Estate v. Donovan, 2021 SCC 25 (CanLII).

[This is a personal blog, and these are my views alone. They do not reflect the views of my firm or colleagues.]

Cyber Risks and M&A Transactions

We have just posted all the content for our BLG series “Privacy & Cyber Risks, Trends & Opportunities for Business.” See here for some very good content by our privacy and data security team.

Here is a direct link to our most recent webinar, which I delivered together with my partner Patrice Martin. It was very rewarding to work with and learn from Patrice, a very well established technology industry and transactions lawyer.

Enjoy. Learn. Get in touch.

Cybersecurity and data loss (short presentation)

Here’s a 10 minute presentation I gave to the firm yesterday that puts some trends in context and addresses recent breach notification amendments.

CORRECTION. I made a point in this presentation that the Bill 119 amendments to PHIPA remove a requirement to notify of unauthorized “access” – a positive add given the statute does not include a harms-related threshold for notification. Section 1(2) of the Bill, I have now noticed, amends the definition of “use” as follows: “The definition of ‘use’ in section 2 of the Act is amended by striking out ‘means to handle or deal with the information” and substituting ‘means to view, handle or otherwise deal with the information.’ The removal of “access” from the breach notification provision will therefore not invite a change.

Arbitrator dismisses privacy breach grievance based on actions of a snooping employee

On March 15th, the Grievance Settlement Board (Ontario) dismissed a grievance against the government for one employee’s intentional “snooping” into another employee’s employment insurance file.

Intentional unauthorized access to personal information by a trusted agent is a somewhat common scenario that has not yet been addressed by labour arbitrators. While arbitrators have taken jurisdiction over privacy grievances on a number of bases, privacy grievances have typically addressed intentional employer action – e.g. the administration of a drug test or the installation of a surveillance camera. This case raises an issue about an employer’s obligation to secure employee personal information and its liability for intentional access by another person. Can a reasonable safeguards duty arise inferentially out of the terms of a collective agreement? Is there some other source of jurisdiction for such claims? It is not clear.

The GSB ultimately finds jurisdiction in the Municipal Freedom of Information and Protection of Privacy Act, which it finds is an “employment-related statute” that can be the basis of arbitral jurisdiction. This is unfortunate because MFIPPA, in general, excludes employment-related records (and hence employees). There are now a handful of arbitral decisions that neglect to consider and apply the (very important) exclusion.

Having found jurisdiction rooted in MFIPPA, oddly, the GSB does not consider whether the government (or the Ministry’s head) failed to meet the MFIPPA “reasonable measures to prevent unauthorized access” security standard. Instead, it applied a vicarious liability analysis and dismissed the grievance. I’ll quote the GSB analysis in full:

41      Being guided by the principles set out in Re Bazley, I am of the view that the Employer is not vicariously liable for actions of Ms. X. Simply put, the “wrongful act” was not sufficiently related to conduct authorized by the Employer. Indeed, the accessing of the grievor’s EI file had nothing to do with the work assigned to employees. Employees were able to and indeed did access EI files but only in those instances where it was necessary to assist their clients.

42      The evidence established that the Employer had clear and sufficient policies regarding the protection of private information. Privacy matters were discussed with employees at the point that they were hired and although those policies could have and perhaps should have been formally reviewed more frequently by management, employees were reminded of their obligations frequently by way of a “pop up” upon entering their computers.

43      Further, Ms. Smith, a co-worker of the grievor, who testified for the Union was very forthright in her cross-examination that she knew that she was not to access the private information of anyone for her own interest. Moreover, this intrusion was the first time that she knew of anyone in the workplace doing such a thing. It might well be argued that this reinforces the view that the policy was known and followed in the workplace. Certainly there was no evidence of any other breach.

44      This intrusion was not an abuse of power. It was not an instance where someone with power over the grievor utilized their authority to carry out the wrong. It was a coworker — indeed I am of the view that it was the action of a rogue employee who, for her own purposes accessed the grievor’s EI file. It was not an action that could be seen to “further the Employer’s aims.” Indeed this activity was done without the sanction or knowledge of the Employer. I accept the Employer’s evidence that it knew nothing of the intrusion until being told by a coworker of the grievor and upon learning took immediate action to investigate and manage the issue and the Ms. X who received a significant suspension.

45      Finally, it must be recalled that this Board dismissed the grievor’s allegations that the Employer and her coworkers were bullying and harassing her in a separate decision. Accordingly it seems to me that it cannot be said that the intrusion into her EI records by Ms. X was “related to friction, confrontation or intimacy inherent in the employer’s enterprise.”

Whether an organization is vicariously liable for an employee’s intentional unauthorized access to personal information is a very significant legal issue. This analysis will receive significant attention.

Ontario and OPSEU, Re, 2015 CarswellOnt 3885.

BC OIPC addresses network security and endpoint monitoring

Today, the Office of the Information and Privacy Commissioner for British Columbia held that the District of Saanich breached the British Columbia Freedom of Information and Protection of Privacy Act by installing endpoint monitoring software on employee workstations.

The District’s plan was not well conceived – apparently arising out of a plan to shore up IT security because the District’s new mayor was “experienced in the area of IT.”

The District installed a product called Spector 360 – a product billed as a “comprehensive user activity monitoring solution.” This is software that enables the collection of detailed data from “endpoints” on a network. It is not intrusion detection software or software that helps analyze events across a network (which the OPIC noted is in use at other British Columbia municipalities).

The District enabled the software on 13 workstations of “high profile users” to capture a full range of endpoint data, including screenshots captured at 30 second intervals and data about all keystrokes made. The purported purpose of this implementation was to support incident response, a purpose the OIPC suggested could only support an inadequate, reactive IT security strategy.

The OIPC held that the District collected personal information without the authorization it required under FIPPA and failed to notify employees as required by FIPPA. I’ll save on the details because the OIPC’s application of FIPPA is fairly routine. I will note that the OIPC’s position is balanced and seems to adequately respect institutions’ need to access system information for IT security purposes. It acknowledges, for example, that some limited data collection from endpoints is justifiable to support incident response. Not surprisingly, the OIPC does not endorse taking screen shots or collecting keystroke data.

Investigation Report F15-01, 2015 BCIPC No. 15.

Workplace privacy panel at the #CIAJ “Privacy in the Age of Information” conference

I’m mid way through the Canadian Institute for the Administration of Justice “Privacy in the Age of Information” conference in St. John’s Newfoundland. It’s been a great conference so far, with quality presentations on tough administration of justice like issues like cyberbullying, the right to be forgotten and state surveillance.

My contribution was on the workplace privacy panel with Paul MacDonald of Cox & Palmer (as moderator), Emma Phillips of Sack Mitchell and Melanie Beuckert of the Court of Appeal of Manitoba. I started with a short “management perspectives” address and then Emma and I debated a variety issues, including computer access and monitoring, off-duty conduct and the exclusion of surveillance evidence at labour arbitration. Melanie played the “straight person” role wonderfully. It was fun, and I advanced my thinking about these issues significantly.

In preparation I worked up the speaking notes below, which capture some of the ideas I contributed to the discussion.

Court dismisses application for information about business partner’s employees

On April 2nd, the Ontario Superior Court of Justice dismissed an application for the disclosure of detailed employee payroll information from an employer to its partner in a joint venture.

The partner was partially responsible for the employer’s wage bill and relied on its right to inspect records under the joint venture agreement. The employer argued that, despite the agreement, it could not disclose employee personal information without violating PIPEDA. As an alternative, the employer offered to have an audit conducted and share the results. The partner felt this was insufficient.

Justice Perell held that he had no power to make an order that would relieve the parties from the PIPEDA consent requirement, stating “s. 7(3)(c) of PIPEDA does not provide a free-standing jurisdiction to grant exemptions.” He dismissed the application without prejudice to the filing of a new application based on the “activation” of another PIPEDA exemption.

Mountain Province Diamonds Inc v De Beers Canada Inc, 2014 ONSC 2026 (CanLII).