All About Information

I spoke at our Toronto client conference on Monday on two topics. The first was on a topic we called, “The limits of the application game: why employee privacy matters.” It’s on our “patchwork” of employment privacy regulation and the state of the privacy tort. I wrote a paper that should be available for public consumption later, at which point I’ll link to it from here. I also spoke on “The perils of online communication” together with my colleague Mark Mason. We laid out the relevant legal issues, made some policy prescriptions and also discussed some of tactical considerations in responding harmful employee and student communication. I don’t have a full set of notes to publish, but here’s one idea we expressed on the dangers of over-reaching:

You’ll also likely send a cease and desist letter directly to the individual. Here’s the word of warning. Before you send a cease and desist you have to reckon with the risk of a backlash. There’s a community of people who use the internet who value it as a free speech medium. If you send an aggressive letter that targets communication that is lawful, you risk a severe backlash from that community. You could find your cease and desist letter posted online, you could be blogged about and you could have your minor communication issue become magnified 1,000 times over. And that’s not even an exaggeration!

So you have to create a cease and desist that is both firm on the law and demonstrative of a reasonable and measured approach – it has to be consistent with how your organization presents itself to the public so you can be proud of it and stand behind it to the very end. If you don’t have a solid legal claim that supports this approach and you still need to take action, send a different letter. Use a carrot and not a stick. Tell the person you’d be glad to discuss their concern or collaborate in some way but that they have to take down their communication first. It’s not as strong, and you have to be wary of setting a pay-out precedent, but with some creative thinking you may find an out without suffering a backlash because you over-reached. You shouldn’t be intimidated by the masses, but understand that its hard to bluff them with a bogus claim.

Finally, my colleague Catherine Peters and I published a follow-up on managing student violence in response to the recent Kajouji suicide case. It’s available here.

The Ontario and British Columbia Privacy Commissioners issued a joint statement today in which they commit to issuing a joint publication aimed at clarifying the role that privacy laws play in managing health and safety risks. Mr. Loukidelis says, “Individual cases can be fuzzy, but if someone uses common sense and in good faith discloses information, my office is not going to come down on them.” The focus of this positive initiative seems broader than campus safety, but the statement does mention Virginia Tech and the recent suicide at Carleton University. For my coverage of this issue, see here.

The Ottawa Citizen published an article today called “Lessons to learn” on the student-university duty of care as a follow-up to the Nadia Kajouji suicide at Carleton University.  Pauline Tam does a very good job of going deep into some of the complexities, and even received some input from American expert Peter Lake.  I’m also quoted on the duty of care issue and the limits of privacy law.  

As Anne Cavoukian has recently written in response to some commentary on the Carleton suicide, privacy law is not absolute. From how I was quoted it’s not exactly clear what the precise standard for disclosure is and, in fact, there are two standards for “health and safety” disclosures under Ontario law.  Under FIPPA - which governs personal information a university or college manages in its ordinary administration - there is a “compelling circumstances” standard. Under PHIPA - which governs health care relationships, including health care services provided by universities and colleges - the standard is higher, essentially a “serious and imminent” harm standard.  

One of the things that has been lost in some of the recent commentary is that there are two different standards, the latter standard creating a special and important “zone of privacy” within which a health care relationship is situated.  There’s very good reason for this. After all, we want students at risk and others who need care to seek treatment, and a strong guarantee of confidentiality is a necessary, indeed fundamental, part of making treatment accessible.  Outside of health care (think of information known by a residence don, faculty members or members of the administration) the standard for disclosing information to prevent harm should be taken seriously, but is lower and should be lower.  

I’ve spoken and written recently about the need for objective threat assessment procedures to balance the duty to provide a safe campus environment against the duty to protect individual privacy.  For more on my view see this post here and its attachments.

On April 25th, the Supreme Court of Canada released two decisions involving Charter challenges to sniffer dog searches. Very briefly, R. v. Kang-Brown was about the search of an individual traveller’s luggage at a bus station based on a police officer’s observation of suspicious behavior. R. v. A.M. was about a routine sniffer dog search at a public school. In both cases, the Court found a violation of section 8 of the Charter and held that the evidence found should be excluded.

The two cases are primarily about about the legal rules for police use of sniffer dogs and, to some extent, “snooping technologies” that facilitate scanning for crimes outside of a targeted investigation.

On the key issue, the Court split 4-4, with Bastarache J. writing a swing judgement on his own. Lebel J. (with Fish, Abella and Charron JJ. on this point) held that the police have no common law authority to use sniffer dogs outside of an investigation based on reasonable and probable cause. Binnie J. (with McLachlin C.J. and Deschamps and Rothstein JJ. on this point) held that the police possess a common law power to search using sniffer dogs on the basis of a Charter compliant standard of “reasonable suspicion.” Bastarache J. held that the police posses a common law power to search using drug sniffer dogs on the basis of a Charter compliant standard of “generalized suspicion.” Bastarache J. also endorses the reasonable suspicion standard, so it appears the police may continue to use sniffer dogs without statutory enactment based on the reasonable suspicion standard.

Police powers and Charter constraints - reasonable suspicion standard prevails

On the main issue, A.M. is a better example of what was at stake. Binnie J. characterizes the sniffer dog search in A.M. as one used in a “routine criminal investigation.” Calling what happened in A.M. an “investigation” seems a slight misnomer because there was really no crime under investigation at all. The sniffer dog search was used by the police in A.M. as a type of surveillance tactic, with its purpose rooted in keeping the peace and preventing crime. “Routine criminal inspection” might be a more accurate description of how sniffer dogs were used in A.M., though the word “inspection” is ordinarily used to describe regulatory rather than police activity.

This was the problem. In fact, a concern about the use of search powers for keeping the peace (as opposed to investigating crime) arguably drives Lebel J.’s judgement. In both cases, he held that the police only have a common law power to engage in a search that is based on reasonable and probable cause. Although he does not reject the permissibility of search powers for purposes that will naturally involve less targeted suspicions, he says that such policing powers ought to based in statute, not the common law.

Binnie J. held that a requirement for reasonable and probable cause would render a longstanding law enforcement tool unusable, so the Court ought to recognize the power and subject the reasonable suspicion standard to Charter scrutiny. In Kang-Brown, he said:

… the “leave it to Parliament” approach ducks a practical and immediate problem facing law enforcement. Sniffer dogs have been in common use by police forces in Canada for the last 30 years or more. If the police have lawful authority to use sniffer dogs only when they already have reasonable grounds to believe contraband is present, sniffer dogs would be superfluous and unnecessary, i.e. because ex hypothesi the police already have the grounds to obtain a search warrant and would not require the confirmatory evidence of a dog.

He held sniffer dog searches are Charter compliant when they meet the reasonable suspicion standard, characterizing a search with a well-trained and accurate dog as relatively unintrusive.

While Binnie J. states in Kang-Brown that the reasonable suspicion standard contemplates a suspicion “in relation to one or more members of a group of people closely linked in proximity to the crime,” in both cases Bastarache J. endorses a standard that is de-linked from individuals - the generalized suspicion standard. He says this standard is justifiable in environments such as public terminals and schools where there is a reduced expectation of privacy. In Kang-Brown, he explains:

In my view, it is, in some circumstances, appropriate for police to conduct random searches using sniffer dogs on the basis of generalized suspicion. Allowing this type of search recognizes the important role sniffer dogs can play not only in detecting crime but also in preventing and deterring crime. Given the accuracy and efficiency of sniffer-dog searches, it is reasonable to conclude that their known presence, or potential presence, at particular locations would have a significant preventative effect. Allowing random searches in certain situations also has the benefit of avoiding inappropriate profiling and reducing any embarrassment which may be associated with a targeted search. I agree with the finding in Simmons that there is no stigma attached “to being one of the thousands of travellers who are daily routinely checked” at border crossings (p. 517), and believe that that lack of stigma results in large part from the random nature of the search process.

School searches

A.M. was not resolved in a manner that significantly alters or speaks to the law regarding searches conducted by school boards themselves. When police search schools using sniffer dogs or conduct similar premises searches, it is now clear they must meet the reasonable suspicion standard. When school officials physically search individual students, based on the Supreme Court of Canada’s 1998 decision in M.R.M., they must meet a similar relaxed standard (which Binnie J. interestingly characterizes as the reasonable suspicion standard, though that term was not used in M.R.M.). Whether school boards (acting on their own and not through the police) can engage in routine searches of school premises is not yet clear.

A.M. does not speak to a school board’s own power to search school premises because it was clear that the search under review was initiated by the police. Despite this, Deschamps J. (with Rothstein J. on this point) held that the search in question did not affect a reasonable expectation of privacy such that it engaged a section 8 right to be free from unreasonable search. She stressed the difficult challenge school boards face in maintaining safety and order, that the search was supported by policy that was known to students and parents and the relatively unintrusive nature of a sniffer dog search. The other judges’ position seems to be represented by Binnie J., who rejects Deschamps J.’s argument by stating that it fails to recognize the difference between a school board exercising its authority to maintain a safe and orderly school environment and a police search. Without endorsing routine school board searches, Binnie J. reinforces the different function of a school board and implicitly leaves open the possibility that properly constructed and executed routine or generalized suspicion searches by school boards may be lawful. School boards should nonetheless be very cautious in embarking upon any such initiatives and should seek legal advice before proceeding.

R. v. Kang-Brown, 2008 SCC 18.

R. v. A.M., 2008 SCC 19.

Still in NC, enjoying better than expcted surf. Here’s what I’ve been into lately.

• Government of British Columbia, “E-Health Statute Increases Patient Access and Privacy.” The BC government has introduced legislation billed as enabling “e-health” systems that ensure patient privacy. Hat tip to Michael Geist.
• Citzen Media Law Project, “Sykes v. Seidel.” Here’s a link to the Citzen Meida Law Project’s legal threats database entry on the Seidel subpoena. Kathleen Seidel publishes a blog called Neurodiversity on autism-related issues, and was subpoenad by plaintiffs in a austism lawsuit after posting a critique of the lawsuit and its handling. Seidel has moved to quash on a number of grounds and apparently has raised “journalists privilege.”
• Associated Press, “Threatening Graffiti Leads College to Cancel Class.” A recent campus threat response news story from the United States. (New York Times)
• Alice Mathias, “Fear and Learning on Campus.” Here is an editorial that was published in the NYT today on the Virginia Tech event’s more subtle impact on campus life. (New York Times)
• James Alan Fox, “Topics in University Security: Lockdown 101.” This editorial, also published today, criticizes emergency planning overreaction.

This is the one year anniversary of the Virginia Tech shooting. I’ve been engaged to advice on managing the privacy issues and the threat of campus violence since then. My perspective is best summarized in the attachment to this post.

Enjoy!

Last Thursday and Friday I attended and spoke at the Canadian Association of University Business Officers workshop on Emergency Preparedness. Perhaps it was the inspirational kickoff by M. Richard Fillion of Dawson College, but it felt like a very special event and it was a pleasure to collaborate with a group of experienced administrators who are obviously committed to tackling a tough challenge.

I spoke on the legal perspective on managing on-campus violence, with a focus on the need for information sharing. Dr. Philip Klassen of the Centre for Addiction and Mental Health’s Law and Mental Health Program and Dr. Phil Wood, Dean of Students McMaster University, gave great presentations on the same subject from their own perspectives. Dr. Wood has also blogged about the event here.

Here is the full text of my speech, entitled “A Legal Perspective On Managing the Threat of On-Campus Violence.” I’ve linked to the various references that came up in the speech and the following Q&A below. I hope these are of use to the attendees and others.

• The Virginia Tech Review Panel Report. I particularly recommend Chapter 4.
• United States Secret Service and United States Department of Education, Implications for the Prevention of School Attacks in the United States. This stresses the efficacy and importance of threat assessment systems.
• Robert Bickel and Peter Lake, The Rights and Responsibilities of the Modern University. An important book on universities’ duty of care.
• IPC/Ontario, Privacy and Video Surveillance in Mass Transit Systems: A Special Investigation Report. This has a significant statement on special constables and the meaning of “law enforcement” in FIPPA.
• United States Department of Education, Family Educational Rights and Privacy Act (Proposed Amendments).
• Re Hamilton Health Sciences and Ontario Nurses Association, 91 C.L.A.S. 228 (Surdykowski). This recent case is about the collection of medical information through standardized forms for the purposes of short-term disability benefit administration. The collection of medical information for individual risk assessment and accommodation purposes is a different matter, but there are ideas in here that are significant and restrictive. I raised it in questioning whether employers should consider bargaining for some clarity on their right to collect. My earlier blog post on this case is here and I have blogged on medical information management here.
• Young v. Bella, 2006 SCC 3. This case illustrates the potential liability that can be mitigated by formal threat assessment systems.

There was a really good comment after the speech from Mike from Queen’s University, who thought the my use of the term “care team” was inappropriate given the role the university is really playing and the sensitivity about taking on an overt caregiver role. I completely agree, and from now on will work the term “assessment team” or “CUBIT” - for Comprehensive Behavioral and Threat Assessment Team - into my language. Thanks!

On February 14th, the Information and Privacy Commissioner/Ontario held that Queen’s University could deny access to records that would reveal the identities of three female complainants whose harassment complaints led the University to issue a trespass notice to an individual who was not a member of the university community. It noted that the requester had engaged in persistent and harassing behaviour towards the complainants, held there was sufficient evidence to conclude that the requester’s motives were not benevolent and applied the exemptions in sections 14(1)(e) and 20(1)(e) of FIPPA. It further held that disclosure would be presumed to be an unjustified invasion of privacy under 21(3)(b) (which protects information compiled as part of an investigation into a possible violation of law) and that that “absurd result principle” did not justify giving the requester access to e-mails he had sent the University in the course of its investigation.

Queen’s University (Re), 2008 CanLII 5953 (ON I.P.C.).

Bill 29, An Act to amend the Occupational Health and Safety Act to protect workers from harassment and violence in the workplace, was introduced by a private member belonging to the NDP on December 13th of last year. It would amend the Occupational Health and Safety Act to require employers to protect workers from harassment and violence in the workplace whether perpetrated by employees, clients or other individuals the employer serves (e.g. students). This represents an expansion of the Ministry of Labour’s current jurisdiction, which has been held to be limited to addressing the threat of physical violence.

Notably, in its current form, the Bill includes number of duties that are triggered when an employer has reason to believe that harassment or violence has occurred or is likely to occur, including specific duties to:

• identify the source of the harassment or violence;
• ensure that further harassment or violence is prevented or stopped;
• where necessary, take steps to remove the source of the harassment or violence from the workplace; and,
• contact law enforcement, where appropriate.

As drafted, the Bill does not require routine threat surveillance as a measure to prevent harassment or violence.

Similar bills have been introduced by NDP members in the past, but this Bill comes shortly after a Coroner’s Jury report into the death of, Lori Dupont, a nurse who was killed by her former boyfriend (also a resident physician) at a hospital in Windsor. The Coroner’s Jury report recommends changes to the Ontario Occupational Health and Safety Act. It also includes recommendations that stress the importance of information sharing, medical/behavioral monitoring, clear chains of command and decisive, risk-based decision making. Here is a copy of the report along with the Ontario Hospital Association’s media release.

I’ve taken a deeper look at Chapter 4 of the report of the Virginia Tech Review Panel and created this graphic, which compartmentalizes the various pieces of information about Cho Seung Hui that were known by groups inside and outside the university. As outlined in text in the state report, the graphic illustrates that the Virginia Tech Police Department, Virginia Tech Residence Life and the various teachers who worked most closely with Cho had potentially relevant information about Cho that was not shared with Virginia Tech’s multidisciplinary Care Team (which had formal responsibility for threat assessment). It also illustrates that Cho’s high school had information that might have been of assistance to Virginia Tech, but was not shared when he registered or in the course of his studies.

Barring any significant developments, this is probably the last I’ll blog about Virginia Tech. Before moving on, however, I do feel compelled to share a personal thought. This is a blog, after all. You see, I’ve been a very responsible lawyer in blogging about this issue and have kept things nice and objective. I’ve purposely chosen not to use the word “tragedy” because I thought it unhelpful and obfuscatory.

Chapter 4, however, got to me. Perhaps it’s because I’m a new father and the Chapter starts with a story about Cho having a heart problem as an infant and his corrective medical procedure leading, at age three, to the start of severe emotional problems. It also touched me that, through the great efforts of his parents and his public school educators, Cho seemed to be managing his difficulties pretty well up until university. Then it all rapidly spiraled downwards to the terrible ending. Though he’s ultimately responsible for an atrocious act, I’m sad for Cho as I’m sad for his parents and his victims.

All of which underlies the essence of this issue. When privacy is balanced against security it rarely seems a fair fight. Privacy is well understood as a fundamental human right, yet security tends to be cast as just another intangible concept, and worse, one associated with institutional or governmental rather than human interests. I don’t believe that it’s always fair to characterize security interests this way. Security can be as much about helping troubled individuals as about preventing harm to others. I’m engaged by the Virginia Tech case because it demonstrates this well. Perhaps tragedy is a helpful word after all.

As promised, here are some comments on the privacy-related aspects of the Virginia Tech state report. I’ve split this post into a part on legal issues and a part on policy issues.

Legal Issues - With no golden rule, strong policy should guide

Not all risks can be effectively mitigated by detailed policy, but given the need for decentralized decision-making about the sharing of information and the apparent inaccessibility of privacy legislation to laypersons, the student-at-risk/catastrophic violence challenge is clearly one that should be addressed through the promulgation of good policy.

Here’s a key quote from the report:

The widespread perception is that information privacy laws make it difficult to respond effectively to troubled students. This perception is only partly correct. Privacy laws can block some attempts to share information, but even more often may cause holders of such information to default to the nondisclosure option—even when laws permit the option to disclose. Sometimes this is done out of ignorance of the law, and sometimes intentionally because it serves the purposes of the individual or organization to hide behind the privacy law. A narrow interpretation of the law is the least risky course, notwithstanding the harm that may be done to others if information is not shared.

Following this theme, the report runs through a number of disclosures in the Virginia Tech case that could have been made, were not, but would have been permitted under applicable state and federal privacy laws.

Similar to the situation in Ontario (where I practice), in Virginia there’s no single “golden rule” or simplifying model to help teachers, administrators and student volunteers figure out what information can be shared about a student at risk, with whom and under what circumstances. Rather, there are a number of different rules - disclosure “exceptions” to be slightly more precise. These exceptions apply indirectly to the scenarios that commonly confront individuals in university and college communities.

In Ontario, for example, when teachers learn of disturbing behavior in the course of teaching, the legality of reporting that behavior to a case management team is ordinarily governed by the “need to know” rule or exception - i.e. the report is lawful if “necessary and proper in the discharge of the institution’s functions.” While this language may allow a lawyer to interpret whether a disclosure is permissible based on a set of facts, without specific guidance on what to do when a student demonstrates objectively threatening behavior, how’s a teacher to know whether reporting the behavior is permissible?

Post-secondary educational institutions must have systems in place that encourage the exercise of sound judgement and due diligence. Enabling the reporting of information about certain student behaviors through policy so these systems can function on complete and valid information is critical to their effectiveness.

Policy Issues - Parental disclosures and safe harbour provisions

I’d like to identify two good policy issues raised by the report, one for consideration by schools and another for consideration by government.

Issue 1: Should post-secondary educational institutions pursue a policy of sharing information about adult students at risk with their parents?

Consistent with the United States Department of Education’s philosophy on parental involvement, the state report clearly favours information sharing with parents:

During his formative years, Cho’s parents worked with Fairfax County school officials, counselors, and outside mental health professionals to respond to episodes of unusual behavior. Cho’s parents told the panel that had they been aware of his behavioral problems and the concerns of Virginia Tech police and educators about these problems, they would again have become involved in seeking treatment.

I’m not sure what Canadian post-secondary institutions will want to do with this. Is it reasonable to assume that all parental relationships will be supportive? How will institutions know if there is a benefit to the disclosure? If the decision to share information with parents is discretionary, what factors should inform the exercise of discretion? To what extent should schools rely on a disclosure to parents as a complete discharge of their duty of care (assuming such a duty exists)?

Issue 2: Should governments enact new exemptions to allow for disclosures made in a good faith belief that they are necessary for protecting health and safety?

The state report recommends this type of “safe harbour” exemption as a means of cutting through the confusion about how existing and general privacy exemptions apply to the health and safety problem illustrated by Virginia Tech. It states:

Laws protecting good-faith disclosure for health, safety, and welfare can help combat any bias toward nondisclosure.

The current health and safety exemptions in Ontario’s public sector privacy and health privacy statutes are objective standards that are based on a “serious harm” threshold. Short of this relatively high threshold, disclosures are only permitted under other more general exemptions like the “need to know” exemption noted above (which applies only to internal disclosures) or the similarly-obscure “consistent purpose” or “law enforcement” exemptions. Would acceptance of the safe harbour proposal lead to an appropriate clarification of the law? Is it important that privacy legislation be made accessible to laypeople? Will this type of amendment harm the integrity of the legislation?

***

I’m just scratching the surface with these comments, but hope they provoke some good thought amongst those who are interested in this subject. It’s a sad one, but I like the privacy-related ideas that have been raised following the shootings because they are simple, compelling and important. Look for more posts on campus security and privacy in the future.