Tag Archives: privacy

SCC issues civil production decision stressing discretion and proportionality

17 Oct

Today, a majority of the Supreme Court of Canada affirmed an order that directed the Competition Bureau and the federal Department of Public Prosecutions to produce, for civil discovery purposes, recordings of more than 220,000 private communications that they had obtained pursuant to Criminal Code wiretap authorizations.

Justices LeBel and Wagner wrote a majority judgement with which Chief Justice McLachlin (for the most part) concurred. The majority held that the production order was prohibited by neither the Criminal Code nor the Competition Act and was a proper exercise of discretion.

The discretion to order non-party production, according to the majority, is “great” (para 28), though should be exercised with a view to fulsome disclosure: “relevance is generally interpreted broadly at the exploratory stage of the proceedings” (para 30). Relevant records may be withheld to achieve proportionality and efficiency, but they may not be “unduly” withheld (para 60). In making a non-party production order a judge must consider the “financial and administrative burden” of the order and the impact on non-party privacy (paras 83 and 85).

The majority’s emphasis on balance and proportionality is heavy. It weaves proportionality into the concept of relevance as the concept applies in respect of civil production:

[30] To be relevant, the requested document must relate to the issues between the parties, be useful and be likely to contribute to resolving the issues (Glegg, at para. 23; Arkwright, at p. 2741; Chubb, at p. 762; Westfalia Surge Canada Co.; Autorité des marchés financiers; Fédération des infirmières et infirmiers du Québec).

[31] This relevance requirement ensures that the parties do not conduct “fishing expeditions”. It also ensures that the conduct of the proceedings is not delayed, complicated or even jeopardized by the introduction of evidence that does not assist in establishing the rights being claimed (see Royer and Lavallée, at p. 487; Marseille, at pp. 1 and 21). In this sense, the relevance rule is a procedural balancing rule that ensures the efficiency of the judicial process while facilitating the search for truth.

The majority refers to the 2005 decision in Glegg v Smith & Nephew Inc in which the Supreme Court of Canada espoused similar principles in respect of the production obligations of a party to an action. All the authorities the majority relies on are Quebec authorities, but the majority does not expressly rely on any provision of the Civil Code of Quebec and the principles it applies are broadly applicable.

Justice Abella, in dissent, argued that private communications intercepted by law enforcement are of utmost sensitivity and should be “protected by an almost impermeable legal coating like a privileged communication.” To achieve this purpose, she would have interpreted the Criminal Code to prohibit the production of intercepted private communications in a civil proceeding.

Imperial Oil v Jacques, 2014 SCC 66.


Employer’s Privacy and Confidentiality Policies Upheld by Court

29 Aug

A recent decision of the Supreme Court of British Columbia underscores that courts will view any breach of an employee’s right to privacy and confidentiality in the workplace as a serious infraction.

In Steel v. Coast Capital Savings Credit Union, the plaintiff was employed on the Helpdesk where she had access to confidential information, including personal folders of other employees. The employer had policies in place regarding access to private and confidential information, including a protocol to be followed by Helpdesk employees when they needed to access the personal folders in order to provide technical assistance. The plaintiff was aware of these policies.

When the employer learned the plaintiff, a 20-year service employee, had accessed confidential information contained in a personal folder without following the protocol in place, it terminated her employment on the basis that her actions constituted a severe breach of trust. The Court upheld that termination, finding that as a member of the Helpdesk, the plaintiff was in a position of “great trust” and she worked for an employer (a credit union) that operated in an industry where trust was of “central importance”. It stated:

[27] It was not practicable for Coast to monitor which documents Ms. Steel accessed and for what purpose. The employer had to trust Ms. Steel to obey its policies and to follow the protocols. It had to trust Ms. Steel to only access such documents as part of the performance of her duties and to follow the protocols when she did so. Such trust was fundamental to the employment relationship in relation to Ms. Steel’s position. It was, to use the language of Iacobucci J. in McKinley, “the faith inherent to the work relationship” that was essential to this employment relationship.

The willingness of the Court to uphold the for-cause termination of a 20-year employee for a violation of the employer’s policies sends a strong signal that courts will not hesitate to enforce and apply clearly drafted employer privacy and confidentiality policies in order to protect confidential information.

Steel v. Coast Capital Savings Credit Union, 2013 BCSC 527 (CanLII)

The Far Reach of the CRA

21 Mar

When employers provide employee benefits, they are required to include the value of the taxable benefits in the income of employees.  If an employer does not properly report the taxable benefit, the Canada Revenue Agency (“CRA”) has considerable power to require employers to disclose the names and related information of the taxpayers who enjoyed the taxable benefit.  As discussed in Minister of National Revenue v. Lordco Parts Ltd., this also applies if a business provides taxable benefits to its customers.

Following an audit of Lordco, the CRA noted that Lordco established an incentive program, which included a bi-annual cruise for its customers who had earned rebates based on the volume of their purchases of Lordco products.  The customers could purchase tickets for the cruise using the rebates.  Corporate customers nominated individuals to attend the cruise as representatives.  Only 30% of the cruise related to business activities.

According to the CRA, Lordco was required to report the benefits enjoyed by the individual attendees. When Lordco failed to complete such reporting, the CRA issued a “named requirement” requiring Lordco to provide a list of the individuals who attended the cruise. Lordco refused to provide any names, addresses or registration forms, on the basis that the information related to unnamed third party individuals. The CRA applied, without notice, for an order of the Federal Court requiring Lordco to produce “information and documents relating to certain persons whose identities are unknown to the Minister”, being the individual representatives of customers of Lordco.

The Federal Court granted the order, recognizing that obtaining information relevant to the tax liability of some specific person(s) whose tax liability is under review is a purpose related to the administration or enforcement of the Income Tax Act (“ITA”) and does not violate any rights of taxpayers under section 8 of the Charter of Rights and Freedoms (the Supreme Court of Canada has previously stated that taxpayers do not have a high expectation of privacy in relation to documents concerning tax matters).

The CRA is permitted to request third party information related to unknown persons with the authorization of a judge.  Two conditions must be met for an order to be made: (i) the individual or group is ascertainable; and (ii) the production is necessary to verify compliance with the ITA.  Finding both conditions met in this case, the Federal Court ordered that the CRA was authorized to impose a requirement to produce the information regarding the customers who went on the cruise, failing which Lordco could be subject to fines under the ITA up to $25,000 or both fine and imprisonment up to 12 months.

This is a reminder of how far the CRA’s reach can extend when it comes to obtaining information for the purpose of identifying taxpayers and ensuring compliance with the ITA. Employers and businesses are not able to refuse production on the sole basis that the information pertains to unidentified third parties (e.g., representatives of corporate customers) when the CRA is attempting to verify compliance with the ITA.

Two presentations on privacy, campus and workplace violence and student affairs

1 Dec

Our firm has the pleasure of doing extensive work in the Ontario post-secondary education sector. As part of this business, we ran a conference entitled Students and the Law – Proactive Strategies for Changing Times for a group of university administrators in early November and a similar session again today for college administrators.

I spoke on students at risk and managing on-campus violence together with my colleague Catherine Peters. Catherine covered the impact of Ontario’s pending workplace health and safety legislation (Bill 168) on campus safety programs as well as the (tricky!) interplay between disciplinary and non-disciplinary management. I also dealt with Bill 168 in discussing mandatory and discretionary disclosures of personal information for the purpose of managing risk. The slides are below, and for a copy of my speaking notes click here.

I then did a short “hot issues” in student information and privacy presentation, with a brief note on the tort of invasion of privacy, a fun segment about students who take other students’ pictures and a note about processing the “I want all my e-mails” access to personal information request. The slides are below, and for my speaking notes click here.

Here are some recent and relevant resources that we noted in our discussion:

I’d like to thank Gene Deisinger, who has recently begun duties as Deputy Chief of Police & Director of Threat Management Services at Virginia Tech, for identifying some of these resources. Gene and colleague Marisa Randazzo do an excellent podcast on threat assessment that’s linked from the fourth bullet above.

I hope this material is of use!

Dan

Case Report – Jurisdiction to order production of non-resident data

27 Sep

The Federal Court rejected an application to vacate a production order made under section 231.2 of the Income Tax Act. The order required two Canadian eBay subsidiaries to produce data about specific Canadian eBay users that resided on servers operated by eBay’s American subsidiary in the United States.

The Court dealt only with the issue of whether it had jurisdiction to order production of non-resident data because the parties agreed that the Court should reserve on whether there was a sufficient basis for the order pending resolution of the appeal in Canada (MNR) v. The Greater Montreal Real Estate Board, 2006 FC 1069 (CanLII). On the threshold issue, the Court stated:

In the present case, eBay Canada has access to and uses information respecting PowerSellers. It is not determinative of the issue that the electronic apparatus storing the information which eBay Canada accesses is outside Canada. The information can be summoned up in Canada and for the usual business purposes of eBay Canada. The situation may be different if the information never had been used in Canada.

For commentary by Michael Geist, please click here.

eBay Canada Limited v. Canada (National Revenue), 2007 FC 930 (CanLII).

Data breach response – a multidisciplinary perspective

26 Sep

In some chance timing given the release of the report on the Canadian investigation into the TJX breach, I presented today at a lunch meeting of the Association of Certified Forensic Investigators of Canada together with David Malamed of Grant Thornton. We called the presentation “Data Breach Response: A Multidisciplinary Perspective.”

This is the first presentation David and I have given on a project we started at the beginning of the summer together with Karen Gordon, an expert crisis communicator from Squeaky Wheel Communications. The idea we are promoting is that organizations should be using multi-disciplinary teams to manage breach response and, whether internal or external experts are used, the team should be defined in a formal breach response plan.

I’ve posted a copy of the presentation here.

Case Report – Data breach investigation report released

26 Sep

The Privacy Commissioner of Canada and the Office of the Information and Privacy Commissioner of Alberta have released their joint report into the TJX/Winners data breach. They found that TJX breached the collection, retention and safeguarding rules in both the federal and Alberta commercial privacy statutes.

With respect to TJX’s system for preventing the fraudulent return of goods, the commissioners held that TJX breached both statutes by collecting driver’s license and other provincial ID numbers to identify individuals who returned goods without a receipt. While they accepted the importance of identifying such individuals for purposes of fraud control, they also held that retaining this sensitive data was not necessary and that TJX also did not give adequate notice of the purposes for its collection. The commissioners said:

A driver’s license is proof that an individual is licensed to operate a motor vehicle; it is not an identifier for conducting analysis of shopping-return habits. Although licenses display a unique number that TJX can use for frequency analysis, the actual number is irrelevant to this purpose. TJX requires only a number—any number—that can be consistently linked to an individual (and one that has more longevity and is more accurate than a name and telephone number).

Moreover, a driver’s license number is an extremely valuable piece of data to fraudsters and identity thieves intent on creating false identification with valid information. After drivers’ license identity numbers have been compromised, they are difficult or impossible to change. For this reason, retailers and other organizations should ensure that they are not collecting identity information unless it is necessary for the transaction.

Having made this finding, they accepted TJX’s proposal to create unique identifiers from provincial ID numbers by using cryptographic hashing and approved of a three-year retention period for this information.
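As an added illustration (not code from the report or from TJX) of the remedy the commissioners accepted, the snippet below derives a consistent return-tracking identifier from an ID number with a keyed hash (HMAC-SHA256) rather than a bare hash, so the raw number is never stored and cannot be recovered by enumerating the small ID-number space without the key, and it enforces the three-year retention period. The key value, record layout and sample records are constructed assumptions.

```python
import hashlib
import hmac
from datetime import date, timedelta

# Assumption: in production this key lives in a secret store / HSM, not in source.
# A keyed hash (rather than plain SHA-256) matters because licence numbers have
# low entropy: an unkeyed digest could be reversed by hashing every possible number.
SECRET_KEY = b"constructed-example-key-do-not-reuse"

# Retention period approved by the commissioners for the hashed identifiers.
RETENTION = timedelta(days=3 * 365)


def normalize_id(id_number: str) -> str:
    """Canonicalize formatting so the same licence yields the same identifier."""
    return "".join(ch for ch in id_number.upper() if ch.isalnum())


def pseudonym(id_number: str, key: bytes = SECRET_KEY) -> str:
    """Return a stable, non-reversible identifier for frequency analysis."""
    digest = hmac.new(key, normalize_id(id_number).encode(), hashlib.sha256)
    return digest.hexdigest()


def record_return(store: list, id_number: str, when: date) -> None:
    """Store only the pseudonym and the date; the raw ID number is discarded."""
    store.append({"pid": pseudonym(id_number), "date": when})


def purge_expired(store: list, today: date) -> list:
    """Drop records older than the retention period."""
    return [r for r in store if today - r["date"] <= RETENTION]


def return_counts(store: list) -> dict:
    """Count no-receipt returns per pseudonym (the fraud-control purpose)."""
    counts: dict = {}
    for r in store:
        counts[r["pid"]] = counts.get(r["pid"], 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed sample returns: two by the same licence written differently.
    returns: list = []
    record_return(returns, "A1234-567", date(2007, 9, 1))
    record_return(returns, "a1234 567", date(2007, 9, 20))
    record_return(returns, "B9999-000", date(2003, 1, 5))  # past retention
    live = purge_expired(returns, date(2007, 9, 26))
    print(return_counts(live))
```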

On the collection and retention of payment card information for processing purposes, the commissioners held that TJX’s retention of information for 18 months in accordance with its contractual obligations to financial institutions was reasonable, but were critical of TJX’s practice of retaining the information for longer periods for “troubleshooting” purposes. They reasoned that TJX had not clearly established “troubleshooting” as a primary purpose for collection, nor had it established the need to retain information in order to troubleshoot.

Finally, the commissioners held that TJX did not meet the safeguarding standard in both acts, primarily because it failed to upgrade its wireless encryption protocol within a reasonable period of time. Version 1.1 of the Payment Card Industry Data Security Standard was released in September 2006 and endorsed the “Wi-Fi Protected Access” or “WPA” encryption protocol. The commissioners said that TJX should have been adhering to this standard by “late 2006.” They commented:

TJX relied on a weak encryption protocol and failed to convert to a stronger encryption standard within a reasonable period of time. The breach occurred in July 2005, conversion began in October 2005, and the pilot project was completed in January 2007. We are also aware that the final conversion to a higher level of encryption will be completed soon.

Furthermore, while TJX took the steps to implement a higher level of encryption, there is no indication that it segregated its data so that cardholder data could be held on a secure server while it undertook its conversion to WPA.

TJX had a duty to monitor its systems vigorously. If adequate monitoring of security threats was in place, then TJX should have been aware of an intrusion prior to December 2006.

This comes just days after a settlement was announced in the related class action lawsuit.

Report of an Investigation into the Security, Collection and Retention of Personal Information (26 September 2007, C.P.P. and Alberta O.I.P.C.).