IPC upholds university vaccination policy

On April 5th, the Information and Privacy Commissioner/Ontario affirmed a University of Guelph requirement that students in residence for the 2021/2022 academic year be fully vaccinated.

The IPC has jurisdiction to consider whether a public body’s collection of personal information is “necessary” to a lawfully authorized activity based on the Freedom of Information and Protection of Personal Privacy Act. The necessity test has been endorsed by the Court of Appeal for Ontario as strict. Where personal information would merely be helpful to the activity, it is not “necessary” within the meaning of FIPPA. Similarly, where the purpose can be accomplished another way, a public body is obliged to chose the other route.

The IPC’s affirmation of the University’s policy (and its collection of personal information) rested heavily on a letter the University had received from the Wellington-Dufferin-Guelph Health Unit in July 2021. It said:

I am writing to recommend in the strongest possible terms that the University of Guelph require a full (two-dose) course of COVID-19 vaccines for all students living in residence during the 2021-22 school year. Additionally, the University should continue to recommend strongly that all other students, faculty and staff receive both doses of the vaccine.

Students beginning or returning to their studies this fall are looking forward to a safe and relational post-secondary experience. Adding this significant layer of protection will help create a more normal fall on campus. Strong vaccination rates across the University are an important part of student physical and mental well-being, and should contribute peace of mind to all Gryphons.

The IPC affirmation is significant not only because it supports a vaccine mandate based on the strict FIPPA necessity standard, but also because of its adoption of this letter and its reasoning. While mandates must certainly be based on science that establishes that vaccination reduces the risk of exposure, the privacy commissioners, labour arbitrators and judges who will continue to be called upon to evaluate mandates must recognize that they are also based on a need for stability and mental well-being.

We thought we were though the pandemic, and are now in Wave Six. Will there be a Wave Seven? And although the province is trying to give us the stability we all crave by committing to laissez faire policy, why should our public bodies be precluded from adopting stable, medium-term policy that prioritizes safety?

University of Guelph (Re), 2022 CanLII 25559 (ON IPC).

GSB addresses use of surveillance footage

In a decision first released last September, the Grievance Settlement Board partly upheld a grievance that challenged the use of video surveillance footage in Ontario correctional facilities.

It has become standard to establish the purpose of workplace video surveillance as supportive of safety and security and to proscribe the use of surveillance technology as a replacement for supervision. In principle this distinction makes sense, though in practice it is unclear and has led to disputes.

In this case, the GSB affirmed the employer’s use of video footage to address misconduct discovered incidentally during a legitimate surveillance footage review that was occasioned by a security incident. Vice-Chair Anderson said:

The evidence as to why the surveillance camera was placed in the central control module was scant.  The ISPPM indicates “audio and video technology are tools to enhance safety and security”.  Sgt Essery’s evidence suggests that was the purpose for the camera in the central control module. It is clear the duties of the officers in the control module are reasonably necessary to the safety and security of inmates, staff and property in the building.  I infer the ability, if necessary, to observe central control module officers in the performance of those duties has a safety and security function.  The camera is also used to observe the hallway next to the central control module through which inmates pass, in particular when they are being escorted to or from the segregation units.  There is no dispute that this has a safety and security function.  There is no evidence that the camera was placed in the central control module for any other purposes.  I conclude its placement was done in good faith for purposes permitted by Appendix COR10.

The GSB also recognized that the employer could justify the use surveillance video to spot check compliance with a procedure because the spot check and procedure were both to uphold safety and security – the primary purpose of video surveillance. In the circumstances, however, the GSB held that the employer had not proven a sufficient need for such spot checks.

The practical lesson for employers is to be wary of vague and unbounded promises to refrain from using video surveillance. The matter is one of nuance.

Ontario Public Service Employees Union (Union) v Ontario (Solicitor General), 2021 CanLII 95740 (ON GSB).

Where’s that workplace surveillance bill? More thoughts pending its release

It’s Friday at 4:20pm and I don’t see an Ontario workplace surveillance bill yet, so here are a couple more thoughts – one positive, one negative and one neutral.

Positive – Organizations ought to employ “information technology asset management” – a process for governing their network hardware and software. Those organizations with strong asset management practices will have little difficulty identifying how employees are “monitored.” For those who are weak asset managers, the new bill is an invitation to improvement and rooting out unmanaged applications.

Negative – As I said yesterday, the devil will be in the detail, and the scope of the “monitoring” that is regulated will be key. Monitoring must be defined in a way that does not affect non-routine processes – i.e., audits and investigations. Those raise a different kind of privacy concern, and a notification requirement shouldn’t frustrate an organization’s ability to investigate.

Neutral – Organizations typically keep security controls confidential to protect against behavior we call “threat shifting” – the shifting of tactics to circumvent existing, known controls. I’m doubtful the type of disclosure the bill will require will create a security risk, but it’s an issue to consider when we see the text.

Bring on the bill!

A call to modernize public sector privacy statutes without inviting litigation

The wave of public sector reform is coming, so it’s time to start thinking and talking about they best way achieve strong privacy protection in the Ontario public sector. I had the honour of participating the University of Toronto’s Privacy Day celebration yesterday, including by sitting on a panel and giving the short prepared remark below. I’m all for privacy protection and modernization, but the implementation of administrative monetary penalties in the Ontario public sector (like now in Quebec) would fundamentally change the relationship between the Ontario public sector and its regulator and not serve the public or education sectors well.

Ontario occupational health record law in deep need of correction

Here is the paper I submitted in participating on a panel at the LSO’s Human Rights Summit last week. The title speaks to the content, which is about the wart that is the Divisional Court finding in Hooper v. College of Nurses of Ontario. Time for Hooper to go.

Privacy and the pandemic

I spoke today at the Schedule 2 Employers’ Group virtual speakers series about privacy and the pandemic. It was a good chance to describe all of the ways we use information to manage the risk of workplace exposure to COVID-19. We looked closely at the major information flows – screening, location tracking, exposure notification – and I even did a little riff on defense in depth. Slides below for your viewing pleasure.

The union right of access to information

I’ve done a fair deal of enjoyable work on matters relating to a union’s right of access to information – be it under labour law, health and safety law (via union member participation in the health and safety internal responsibility system) or via freedom of information law. Today I had the pleasure of co-presenting to the International Municipal Lawyers Association on the labour law right of access with my colleague from the City of Vaughan, Meghan Ferguson.

Our presentation was about how the labour law right has fared against employee privacy claims. In short, it has fared very well, and arguably better in Ontario than in British Columbia.

I don’t believe the dialogue between labour and management is over yet, however, especially as unions push for greater access at the same time privacy sensitivities are on the rise. The advent of made-in-Ontario privacy legislation could be an impetus for a change, not because it is likely to provide employees with statutory privacy rights as much as because the new legislation could apply directly to unions. So stay tuned, and in the interim please enjoy the slides below.

Arbitrator declines to find a privacy violation for inquiry made of employee’s second employer

As the gig economy rises, work for more than one employer is becoming more common, and work across multiple employers has been common in the health care sector for some time. What, then, is an employer to do if its employee has taken sick leave but may be working for their other employer? Can the employer simply ask the other employer if the employee is at work?

There are some discipline cases in which unions have not challenged such questioning and others in which employers have asked for employee consent to make the inquiry. Last July, Arbitrator Brian Sheehan of Ontario entertained and dismissed what I believe to be the first privacy breach allegation on point, though he did so in quite a qualified manner.

The employer’s inquiry was apparently based on a mere suspicion. Mr. Sheehan explained, “For Ms. Valentin, the grievor’s relatively significant level of absenteeism, in addition to Ms. Valentin’s perception that there was a pattern of the grievor being absent from work on days before or after her scheduled days off was suspicious.”

To aggravate the situation, when the employer called the other workplace it received the information it was seeking plus some editorial – that the grievor’s “attitude stinks.”

Mr. Sheehan nonetheless declined to find a privacy breach. He said:

As to the Union’s privacy argument, factually, I do not find that claim  particularly compelling. Based on the Employer’s understanding of the facts as of September 2014, it had, in my view, a reasonable basis to investigate the grievor’s work history at Villa Leonardo.  The Union’s primary complaint was that the Employer should have initially sought to obtain the information from the grievor.  On this point, while as previously noted the grievor was fairly forthcoming with respect to her work history at Villa Leonardo, she was in fact mistaken as to her work history in relation to some of the days in question. At the same time, the Employer arguably should have followed the approach in the Province of Alberta, supra, case and sought the grievor’s consent to obtain the relevant documentation from Villa Leonardo.

At the end the day, however, the extent of the nature of the invasion of the grievor’s privacy relates to the Employer asking a third party the work history pertaining to the grievor. Seeking such information is definitively on the lower end of the spectrum of the privacy interests of an individual that warrant protection, and that interest is far removed from the surreptitious electronic surveillance that was in dispute in the cited Domain Forest Products, supra, and Ebco Metal Finishing Ltd., supra, cases. In this regard, any breach of the grievor’s privacy interest was, in my view, de minimis in nature; such that, I am not inclined to issue any sort of declaration or sanction.

This is best understood as a discouragement to employers, without an actual finding based on an application of the de minimis non curat lex principle: the law will not concern itself with trifles.

No arbitrator is bound to follow another arbitrator, but employers can take some comfort in this award. If they have a reason not to ask for consent (and are prepared to articulate it if challenged) they may decide to unilaterally seek information from another employer about whether an employee was or was not at work during a period of time. The risk of liability is low.

Toronto (City) v Canadian Union of Public Employees, Local 79, 2019 CanLII 78856 (ON LA).

Arbitrator orders $3,000 in privacy damages

On April 27th, Arbitrator Knopf ordered that $3,000 in damages be paid to a grievor for breach of privacy and harassment because:

  • the grievor’s personnel file contained an inexplicable notation that the grievor advised his supervisor that he injured his penis while cooking nude at home; and
  • the employer contacted the grievor’s doctor to confirm the doctor’s signature without justification and without consent.

Ms. Knopf said that these claims were “serious enough to warrant damages, buy they were not profoundly damaging to [the grievor’s] reputation or harmful to his privacy, nor did they have a negative impact on his benefit claims, status in the workplace or reputation in general.”

York (Regional Municipality) v Canadian Union of Public Employees, Local 905, 2017 CanLII 56454 (ON LA).

Arbitrator orders $25,000 in damages for privacy breach

Arbitrator Stout’s April 28th decision has received ample coverage, but I’d like this site to be a relatively complete repository of privacy damages awards. Mr. Stout ordered an employer to pay $25,000 in general damages after a supervisor disclosed an employee’s visual disability to three other employees after learning of the disability in a prior arbitration proceeding. The supervisor apologized orally and in writing, which presumably mitigated the breach. He did not testify, however, and Mr. Stout inferred that the disclosure was undertaken as retaliation for the outcome of the prior arbitration, a significant aggravating factor. The grievor also suffered distress that required him to undergo medical treatment and the employer “did very little” to remedy the breach in its response (e.g., discipline on the supervisor).

Canadian Pacific Railway Company v Teamsters Canada Rail Conference, 2016 CanLII 25247 (ON LA).