What’s significant about the Loblaw report

I finally got around to reading the @PrivacyPrivee report of findings on Loblaw’s manner of authenticating those eligible for a gift card. The most significant (or at least enlightening) thing about the report is that the OPC held that residential address, date of birth, telephone number and e-mail address were, together, “sensitive.” It did so in assessing the adequacy of the contractual measures Loblaw used in retaining a service provider for processing purposes. It said:

1. The contract also provided guarantees of confidentiality and security of personal information, and included a list of specific safeguard requirements, such as: (i) implementing measures to protect against compromise of its systems, networks and data files; (ii) encryption of personal information in transit and at rest; (iii) maintaining technical safeguards through patches, etc.; (iv) logging and alerts to monitor systems access; (v) limiting access to those who need it; (vi) training and supervision of employees to ensure compliance with security requirements; (vii) detailed incident response and notification requirements; (viii) Loblaw’s pre-approval of any third parties to whom JND wishes to share personal information, as well as a requirement for JND to ensure contractual protections that are at a minimum equivalent to those provided for by its contract with Loblaw; and (ix) to submit to oversight, monitoring, and audit by Loblaw of the security measures in place.
2. As outlined above, the additional IDs requested by the Program Administrator were collected through a secure channel (if online) or by mail, verified and then destroyed.
3. In our view, given the limited, albeit sensitive, information that was shared with the Program Administrator, as well as the limited purposes and duration for which that information would be used, Loblaw’s detailed contractual requirements were sufficient to ensure a level of protection that was comparable to that which would be required under the Act. Therefore, in our view, Loblaw did not contravene Principle 4.1.3 of Schedule 1 of the Act.

Residential address, date of birth, telephone number and e-mail address make up a set of basic personal information. In analyzing it, one must recall the “contact information” that the Ontario Superior Court of Justice said was not “private” enough to found a class action claim in Broutzas.

Don’t be misled, though. The OPC made its finding because Loblaw was engaged in authentication, and collected a data set precisely geared to that purpose. The potential harm – identity theft – was therefore real, supporting a finding that the data set as a whole was sensitive. Context matters in privacy and data security. Organizations should therefore guard carefully the data they use to identify their customers.

Federal Court says firearm serial numbers not personal information

On October 9th, Justice McHaffie of the Federal Court held that firearm serial numbers, on their own, are not personal information. His ratio is nicely stated in paragraphs 1 and 2, as follows:

Information that relates to an object rather than a person, such as the firearm serial numbers at issue in this case, is not by itself generally considered personal information since it is not information about an identifiable individual. However, such information may still be personal information exempt from disclosure under the Access to Information Act, RSC 1985, c A-1 [ATIA] if there is a serious possibility that the information could be used to identify an individual, either on its own or when combined with other available information.

The assessment of whether information could be used to identify an individual is necessarily fact-driven and context-specific. The other available information relevant to the inquiry will depend on the nature of the information being considered for release. It will include information that is generally publicly available. Depending on the circumstances, it may also include information available to only a segment of the public. However, it will not typically include information that is only in the hands of government, given the purposes of both the ATIA and the personal information exemption.

This is not a bright line test, though Justice McHaffie did say that the threshold should be more privacy protective than if the “otherwise available information” requirement was limited to publicly available information or even information available to “an informed and knowledgeable member of the public.”

Canada (Information Commissioner) v Canada (Public Safety and Emergency Preparedness), 2019 FC 1279 (CanLII).

SCC issues civil production decision stressing discretion and proportionality

Today, a majority of the Supreme Court of Canada affirmed an order that directed the Competition Bureau and the federal Department of Public Prosecutions to produce, for civil discovery purposes, recordings of more than 220,000 private communications that they had obtained pursuant to Criminal Code wiretap authorizations.

Justices LeBel and Wagner wrote a majority judgement with which Chief Justice McLachlin (for the most part) concurred. The majority held that the production order was neither prohibited by the Criminal Code nor the Competition Act and was a proper exercise of discretion.

The discretion to order non-party production, according to the majority, is “great” (para 28), though should be exercised with a view to fulsome disclosure: “relevance is generally interpreted broadly at the exploratory stage of the proceedings” (para 30). Relevant records may be withheld to achieve proportionality and efficiency, but they may not be “unduly” withheld (para 60). In making a non-party production order a judge must consider the “financial and administrative burden” of the order and the impact on non-party privacy (paras 83 and 85).

The majority’s emphasis on balance and proportionality is heavy. It weaves proportionality into the concept of relevance as the concept applies in respect of civil production:

[30] To be relevant, the requested document must relate to the issues between the parties, be useful and be likely to contribute to resolving the issues (Glegg, at para. 23; Arkwright, at p. 2741; Chubb, at p. 762; Westfalia Surge Canada Co.; Autorité des marchés financiers; Fédération des infirmières et infirmiers du Québec).

[31] This relevance requirement ensures that the parties do not conduct “fishing expeditions”. It also ensures that the conduct of the proceedings is not delayed, complicated or even jeopardized by the introduction of evidence that does not assist in establishing the rights being claimed (see Royer and Lavallée, at p. 487; Marseille, at pp. 1 and 21). In this sense, the relevance rule is a procedural balancing rule that ensures the efficiency of the judicial process while facilitating the search for truth.

The majority refers to the 2005 decision in Glegg v Smith & Nephew Inc in which the Supreme Court of Canada espoused similar principles in respect of the production obligations of a party to an action. All the authorities the majority relies on are Quebec authorities, but the majority does not expressly rely on any provision of the Civil Code of Quebec and the principles it applies are broadly applicable.

Justice Abella, in dissent, argued that private communications intercepted by law enforcement are of utmost sensitivity and should be “protected by an almost impermeable legal coating like a privileged communication.” To achieve this purpose, she would have interpreted the Criminal Code to prohibit the production of intercepted private communications in a civil proceeding.

Imperial Oil v Jacques, 2014 SCC 66.

Employer’s Privacy and Confidentiality Policies Upheld by Court

A recent decision of the Supreme Court of British Columbia underscores that courts will view any breach of an employee’s right to privacy and confidentiality in the workplace as a serious infraction.

In Steel v. Coast Capital Savings Credit Union, the plaintiff was employed on the Helpdesk where she had access to confidential information, including personal folders of other employees. The employer had policies in place regarding access to private and confidential information, including a protocol to be followed by Helpdesk employees when they needed to access the personal folders in order to provide technical assistance. The plaintiff was aware of these policies.

When the employer learned the plaintiff, a 20 year service employee, had accessed confidential information contained in a personal folder without following the protocol in place, it terminated her employment on the basis that her actions constituted a severe breach of trust. The Court upheld that termination, finding that as a member of the Helpdesk, the plaintiff was in a position of “great trust” and she worked for an employer (a credit union) that operated in an industry where trust was of “central importance”. It stated:

[27] It was not practicable for Coast to monitor which documents Ms. Steel accessed and for what purpose. The employer had to trust Ms. Steel to obey its policies and to follow the protocols. It had to trust Ms. Steel to only access such documents as part of the performance of her duties and to follow the protocols when she did so. Such trust was fundamental to the employment relationship in relation to Ms. Steel’s position. It was, to use the language of Iacobucci J. in McKinley, “the faith inherent to the work relationship” that was essential to this employment relationship.

The willingness of the Court to uphold the for-cause termination of a 20-year employee for a violation of the employer’s policies sends a strong signal that courts will not hesitate to enforce and apply clearly drafted employer privacy and confidentiality policies in order to protect confidential information.

Steel v. Coast Capital Savings Credit Union, 2013 BCSC 527 (CanLII)

The Far Reach of the CRA

When employers provide employee benefits, they are required to include the value of the taxable benefits in the income of employees. If an employer does not properly report the taxable benefit, the Canada Revenue Agency (“CRA”) has considerable power to require employers to disclose the names and related information of the taxpayers who enjoyed the taxable benefit. As discussed in Minister of National Revenue v. Lordco Parts Ltd., this also applies if a business provides taxable benefits to its customers.

Following an audit of Lordco, the CRA noted that Lordco established an incentive program, which included a bi-annual cruise for its customers who had earned rebates based on the volume of their purchases of Lordco products. The customers could purchase tickets for the cruise using the rebates. Corporate customers nominated individuals to attend the cruise as representatives. Only 30% of the cruise related to business activities.

According to the CRA, Lordco was required to report the benefits enjoyed by the individual attendees. When Lordco failed to complete such reporting, the CRA issued a “named requirement” requiring Lordco to provide a list of the individuals who attended the cruise. Lordco refused to provide any names, addresses or registration forms, on the basis that the information related to unnamed third party individuals. The CRA applied, without notice, for an order of the Federal Court requiring Lordco to produce “information and documents relating to certain persons whose identities are unknown to the Minister”, being the individual representatives of customers of Lordco.

The Federal Court granted the order, recognizing that obtaining information relevant to the tax liability of some specific person(s) whose tax liability is under review is a purpose related to the administration or enforcement of the Income Tax Act (“ITA”) and does not violate any rights of taxpayers under section 8 of the Charter of Rights and Freedoms (the Supreme Court of Canada has previously stated that taxpayers do not have a high expectation of privacy in relation to documents concerning tax matters).

The CRA is permitted to request third party information related to unknown persons with the authorization of a judge. Two conditions must be met for an order to be made: (i) the individual or group is ascertainable; and (ii) the production is necessary to verify compliance with the ITA. Finding both conditions met in this case, the Federal Court ordered that the CRA was authorized to impose a requirement to produce the information regarding the customers who went on the cruise, failing which Lordco could be subject to fines under the ITA up to $25,000 or both fine and imprisonment up to 12 months.

This is a reminder of how far the CRA’s reach can be extended when it comes to obtaining information for the purpose of identifying taxpayers and ensuring compliance with the ITA. Employers and businesses are not able to refuse production on the sole basis that the information pertains to unidentified third parties (e.g., representatives of corporate customers) when the CRA is attempting to verify compliance with the ITA.

Two presentations on privacy, campus and workplace violence and student affairs

Our firm has the pleasure of doing extensive work in the Ontario post-secondary education sector. As part of this business, we ran a conference entitled Students and the Law – Proactive Strategies for Changing Times for a group of university administrators in early November and a similar session again today for college administrators.

I spoke on students at risk and managing on-campus violence together with my colleague Catherine Peters. Catherine covered the impact of Ontario’s pending workplace health and safety legislation (Bill 168) on campus safety programs as well as the (tricky!) interplay between disciplinary and non-disciplinary management. I also dealt with Bill 168 in discussing mandatory and discretionary disclosures of personal information for the purpose of managing risk. The slides are below, and for a copy of my speaking notes click here.

I then did a short “hot issues” in student information and privacy presentation, with a brief note on the tort of invasion of privacy, a fun segment about students who take other students’ pictures and a note about processing the “I want all my e-mails” access to personal information request. The slides are below, and for my speaking notes click here.

Here are some recent and relevant resources that we noted in our discussion:

I’d like to thank Gene Deisinger, who has recently begun duties as Deputy Chief of Police & Director of Threat Management Services at Virginia Tech, for identifying some of these resources. Gene and colleague Marisa Randazzo do an excellent podcast on threat assessment that’s linked from the fourth bullet above.

I hope this material is of use!

Dan

Case Report – Jurisdiction to order production of non-resident data

The Federal Court rejected an application to vacate a production order made under section 231.2 of the Income Tax Act. The order required two Canadian eBay subsidiaries to produce data about specific Canadian eBay users that resided on servers operated by eBay’s American subsidiary in the United States.

The Court dealt only with the issue of whether it had jurisdiction to order production of non-resident data because the parties agreed that the Court should reserve on whether there was a sufficient basis for the order pending resolution of the appeal in Canada (MNR) v. The Greater Montreal Real Estate Board, 2006 FC 1069 (CanLII). On the threshold issue, the Court stated:

In the present case, eBay Canada has access to and uses information respecting PowerSellers. It is not determinative of the issue that the electronic apparatus storing the information which eBay Canada accesses is outside Canada. The information can be summoned up in Canada and for the usual business purposes of eBay Canada. The situation may be different if the information never had been used in Canada.

For commentary by Michael Geist, please click here.

eBay Canada Limited v. Canada (National Revenue), 2007 FC 930 (CanLII).