Archive for October 2009
Cloud Computing – 2009 Ontario Access and Privacy Workshop
I presented to a great audience of access and privacy professionals today at the 2009 Ontario Access and Privacy Workshop. My slides are below.
To give this presentation I had to answer for myself whether outsourcing to the cloud is the same as any other data processing outsourcing. I settled on, “not quite” and argued outsourcing to the cloud is different because (1) it will usually be a cross-border outsourcing, which comes with a special set of considerations (especially for government) and (2) the cloud service provider’s business model may not be flexible enough to allow for it to meet an organization’s need to satisfy specific data security requirements.
I’m not a cloud basher. I’ve argued here that one of the legal concerns about outsourcing to the cloud is poorly founded and also have concerns that the cross-border data transfer issue is a bugaboo. However, outsourcing to the cloud does seem to be a bit of a different game than entering a one-to-one business relationship with a “normal” data processor. Just some thoughts, which I’d invite comment on below.
Dan
Two significant Ontario FOI cases from 2009
I’ve been preparing a case digest for an upcoming universities conference we’re hosting and summarized these two Ontario FOI cases, both of significance.
April 9th – IPC finds personal e-mails under City’s custody or control
In this order, the IPC held that the City of Ottawa was in custody or control of e-mails its solicitor sent and received in his personal capacity, as a board member of a local Children’s Aid Society. Though acknowledging that the e-mails had nothing to do with City business, it held:
- The City was in physical possession of the records, which were stored on its e-mail server.
- The City had the authority to regulate the use of the e-mail system upon which the records were kept even though personal e-mails were excluded from the definition of “business record” under the City’s retention by-law.
- The City reserved a right to monitor its system for unauthorized use.
The factual basis for this decision is not unique, so it has broad significance for FIPPA and MFIPPA institutions.
The City has filed an application for judicial review.
Order MO-2408, 2009 CanLII 16569 (ON I.P.C.).
August 21st – IPC orders municipality to sue third-party record holder
The IPC issued a compliance order that required a municipality to take “all steps necessary,” including legal action, to obtain records that it decided earlier were under the municipality’s custody or control.
The request was for a model and input data that was in the custody of a third-party consultant who was retained by the municipality to evaluate a proposed landfill site. There was no formal retainer, and after analyzing the IPC’s traditional “custody or control” factors, in May 2009 the IPC ordered the municipality to “issue a written direction to Jagger Hims to provide the County with the records responsive to the appellant’s request.” The municipality did exactly what the IPC ordered, but the third-party did not cooperate and deliver up the records at issue.
The IPC re-initiated its proceeding. Its compliance order was based in part on a finding that the municipality had a “potent legal basis” for causing the third-party to turn over the records.
Cloud Computing Presentation at ONAP 2009
I’m honoured to have been invited to present at this year’s Ontario Access and Privacy Workshop on October 26th and 27th in Toronto. The agenda looks great, and if you’re in the Ontario provincial or municipal public sector or in the Ontario broader public sector I’d encourage you to check out the conference site and consider attending. I’ll be speaking on privacy and cloud computing, here’s the abstract:
Cloud computing holds many opportunities as a model for business computing, yet it is also associated with a number of legal issues that have caught the public eye and invite close scrutiny. Join Dan Michaluk from Hicks Morley in taking a focussed look at these issues. Dan will lead a discussion with a view to helping government administrators develop a strong ability to manage legal issues in assessing, planning for and implementing cloud computing projects. Issues such as:
- Good, bad and ugly cloud computing models
- Applicable regulation and its impact on cross-border transfers
- Laying the groundwork for outsourcing – the importance of due diligence
- The negotiation and the contract
- The Lakehead University and City of Los Angeles outsourcing projects as case studies
I’ve been out here on a Nova Scotian holiday for the last couple weeks reading up on the issue. I posted this piece over at Slaw as a kind of warm-up, but still have some thinking to do, so if you have thoughts or resources please do send them my way. See you there!
Dan
Case Report – Court finds warrantless search for ISP subscriber info unreasonable, admits evidence
On October 2nd, Pringle J. of the Ontario Court of Justice held that the police violated section 8 of the Charter by obtaining the identity of an individual suspected of possessing and sharing child pornography by making a simple letter request to an ISP. She also admitted the evidence despite the Charter breach, and in doing so made some significant comments about the impact of terms of service on internet user privacy.
There have been a number of recent Canadian cases about whether the police can investigate internet crime by asking an ISP to reveal the identity of the individual linked to an IP address that is associated with unlawful and anonymous activity. The cases turn on whether this investigatory tactic violates a reasonable expectation of privacy. Two factors have featured strongly in the analysis: (1) the nature of the information obtained by the police and (2) the contractual terms between the individual and ISP.
Unlike some other judges who have decided the issue, Justice Pringle held that the nature of the information obtained by a police request to an ISP does go to an individual’s biographical core. She explained that this tactic allows the police to obtain the identity of an otherwise anonymous internet user and not simply an ISP subscriber’s name and address:
Once the police accessed Mr. Cuttell’s name and address, they were able to link his identity to a wealth of intensely personal information. Linking his name to the shared folder under his IP address, police learned a great deal about Douglas Cuttell and his lifestyle: namely in this case, his interest in adult pornography, obscenity and child pornography, which were all revealed by his choice of shared files.
Pringle J.’s treatment of the contract is even more significant. Like other judges before her, she held that a contract between the ISP subscriber and ISP can negate an otherwise reasonable expectation of privacy. In the case before Pringle J., however, the Crown did not prove the specific contract entered into between the defendant and his ISP and therefore failed to negate what Pringle J. called a “premise of confidentiality” regarding one’s ability to engage in anonymous internet use. Her judgement suggests that reliance on ISPs alone does not negate an otherwise reasonable expectation of privacy in anonymous internet use, but the specific terms of service an individual agrees to may change this.
Ultimately, ISP terms of service did have a significant influence on the outcome in this case even though the Crown failed to prove the defendant’s specific contract. Pringle J. decided to admit the impugned evidence despite the proven Charter breach, in part, because ISPs often put customers on notice that they will make disclosures to law enforcement. She said:
I also take into account that while the privacy of subscriber information is important and can provide a critical link to personal information, a subscriber name and address does not have a great deal of intrinsic privacy on its own. As the Crown pointed out, Mr. Cuttell’s name was publicly available on Canada411, and his shared folder was also publicly available to anyone wanting to share child pornography. Many Internet Service Providers appear to contract out of their obligation of confidentiality with subscribers in similar circumstances, and accordingly it would be difficult to argue that there is a high expectation of privacy in this information: see Grant at para. 77.
In conclusion, Pringle J. said that the practice of contracting for disclosure is “unfortunate,” but also suggested that the courts will often be powerless to grant a Charter remedy in the face of such private action.
Thanks to David Fraser for breaking the news of this case. For his related opinion piece on Slaw, click here.
Case Report – Arbitrator says exhausting less intrusive means is not required to engage in workplace surveillance
On August 31st, Arbitrator Watters held that video surveillance evidence taken from a hidden camera installed in a long-term care facility resident’s room was admissible in a termination arbitration.
Many labour arbitrators will balance employer and employee interests in determining whether to admit surveillance evidence. This case is notable because the parties engaged in a dispute about whether the reasonableness test used to effect this balance includes a “no less intrusive means” component. Arbitrator Watters held that it does not – the test is a reasonable grounds/reasonable means test, though consideration of other options may support the grounds for surveillance.
The National Automobile, Aerospace, Transportation and General Workers Union of Canada (CAW-Canada), Local 127 and The Municipality of Chatham-Kent (Riverview Gardens) (Re), [2009] O.L.A.A. No. 424 (Watters).

