All About Information

Last Thursday and Friday I attended and spoke at the Canadian Association of University Business Officers workshop on Emergency Preparedness. Perhaps it was the inspirational kickoff by M. Richard Fillion of Dawson College, but it felt like a very special event and it was a pleasure to collaborate with a group of experienced administrators who are obviously committed to tackling a tough challenge.

I spoke on the legal perspective on managing on-campus violence, with a focus on the need for information sharing. Dr. Philip Klassen of the Centre for Addiction and Mental Health’s Law and Mental Health Program and Dr. Phil Wood, Dean of Students McMaster University, gave great presentations on the same subject from their own perspectives. Dr. Wood has also blogged about the event here.

Here is the full text of my speech, entitled “A Legal Perspective On Managing the Threat of On-Campus Violence.” I’ve linked to the various references that came up in the speech and the following Q&A below. I hope these are of use to the attendees and others.

• The Virginia Tech Review Panel Report. I particularly recommend Chapter 4.
• United States Secret Service and United States Department of Education, Implications for the Prevention of School Attacks in the United States. This stresses the efficacy and importance of threat assessment systems.
• Robert Bickel and Peter Lake, The Rights and Responsibilities of the Modern University. An important book on universities’ duty of care.
• IPC/Ontario, Privacy and Video Surveillance in Mass Transit Systems: A Special Investigation Report. This has a significant statement on special constables and the meaning of “law enforcement” in FIPPA.
• United States Department of Education, Family Educational Rights and Privacy Act (Proposed Amendments).
• Re Hamilton Health Sciences and Ontario Nurses Association, 91 C.L.A.S. 228 (Surdykowski). This recent case is about the collection of medical information through standardized forms for the purposes of short-term disability benefit administration. The collection of medical information for individual risk assessment and accommodation purposes is a different matter, but there are ideas in here that are significant and restrictive. I raised it in questioning whether employers should consider bargaining for some clarity on their right to collect. My earlier blog post on this case is here and I have blogged on medical information management here.
• Young v. Bella, 2006 SCC 3. This case illustrates the potential liability that can be mitigated by formal threat assessment systems.

There was a really good comment after the speech from Mike from Queen’s University, who thought the my use of the term “care team” was inappropriate given the role the university is really playing and the sensitivity about taking on an overt caregiver role. I completely agree, and from now on will work the term “assessment team” or “CUBIT” - for Comprehensive Behavioral and Threat Assessment Team - into my language. Thanks!

Last November 26th, the Alberta Court of Queen’s Bench dismissed a judicial review application which sought to quash an arbitrator’s endorsement of a site-access testing policy brought in by an Alberta construction site owner.

Petro Canada implemented a site access drug and alcohol testing rule at an Oil Sands construction site in 2004. It required Bantrel (the employer) to apply the policy to its employees who were already on site. The drug test to be conducted was not a “current impairment test,” but it gave employees two months’ notice so they could refrain from drug use and pass a test. Most or all of the employer’s available work was on the Petro Canada site, so employees who refused or failed the test were laid off with or without accommodation as appropriate.

In March 2007, an arbitration board chaired by Arbitrator Phyllis Smith held the employer had implemented a reasonable work rule. She reasoned that an employer that imposes a work rule based on a third-party requirement must still demonstrate that it is reasonable to enforce the third-party requirement. Despite this, she held that testing was reasonable in all the circumstances. Even though the employer was not testing for current impairment she held that site access testing implemented on two months’ notice was a reasonable risk management tactic:

The design of the policy insofar as it applied to current employees was such that it would only detect, through non-negative test results, the most significant risks to the workplace, namely persons who were either unwilling to or unable to give up drug use for any time at all.

Risk management was justifiable, she held, based on the nature of the work (undoubtedly safety sensitive) and based on general evidence of work-related drug use in the Alberta construction industry and general evidence supporting efficacy of testing over supervisory monitoring. Ms. Smith expressly held that the employer need not prove that it has a drug and alcohol problem to justify risk management testing (as opposed to current impairment testing).

Ms. Smith also held the employer had not violated the Alberta Human Rights, Citizenship and Multiculturalism Act. Although her analysis is not particularly probing, she appears to have held that site access testing is a BFOR based on the same general evidence supporting its reasonableness. She did note that employees were accommodated, with treatment where appropriate.

The Alberta Court of Queen’s Bench upheld both of these parts of Ms. Smith’s award as reasonable.

While notable, this case demonstrates a markedly different balancing of interests than displayed in recent Ontario arbitration awards, a point noted by Ms. Smith and again by the Court. It is also partly explained by Petro Canada’s broader, risk management purpose - a purpose given weight based on evidence of a broad challenge relating to drug use in the Alberta construction industry and a uniform adoption of site access testing by construction site owners. In Ontario, and perhaps elsewhere, site access drug testing should still be approached with substantial caution.

United Association of Journeymen and Apprentices of the Plumbing and Pipefitting Industry of the United States and Canada, Local 488 v. Bantrel Constructors Co., 2007 ABQB 721.

On October 5th of last year, Ontario Arbitrator Surdykowsky made some broad statements in upholding a grievance which challenged a standard medical information form administered for the purpose of adjudicating short term disability benefits.

The form was administered by the employer’s third-party adjudicator in all applications for STD benefits. It included a consent to collect information from any “party” involved in treatment and requested, among other information, primary and secondary diagnoses, medical history, information on tests and investigations performed and specific information on program of treatment.

Mr. Surdykowsky held that the standard for eligibility in the employer’s STD plans (there were two different ones at issue) did not justify collection of this information for the purpose of adjudication. One plan, for example, simply specified that employees must submit a satisfactory medical certificate showing an inability to perform regular job duties. Mr. Surdykowsky held that the employer was limited to asking for a certificate focused directly on the eligibility requirement unless there was an objectively reasonable basis for doubting the accuracy or truth of the health care provider’s certification.

Mr. Sudykowsky also engaged in a very principled analysis of an employer’s right to medical information. He held that employee privacy rights cannot be outweighed by expediency or efficiency, so even though the collection of further and more detailed medical information may be justified as an absence becomes prolonged and attendance management and accommodation processes become engaged, such information should not be routinely collected at the beginning of an absence on a form that is administered strictly for the purpose of determining benefit eligibility. And while recognizing that broader requests for medical information up front may actually reduce conflict given that health professionals are not “always entirely objective,” Mr. Surdykowski held that employee privacy rights weigh against a departure from a strict necessity requirement.

As part of his broad analysis, Mr. Surdykowski also endorsed the following general principles (in my words):

• A union can bargain the scope of a medical information request form on behalf of its members. An individual may chose not to consent but may be denied benefits. An employer does not act coercively by informing an employee of the potential negative repercussions of failing to consent to disclosure of all information on the form.
• When collecting information for the purpose of adjudicating short term disability benefits or approving a short term medical leave, employers are normally restricted to collecting a certification of disability, the general nature of the illness or injury (which is different from diagnostic information), that the employee has and is following a treatment plan (but not the plan itself), the expected return to work date, and what work the employee can or cannot do.
• Medical consents should generally authorize disclosure from a specific health care provider. They should not authorize contact between the employer or its agent and the health care provider in a manner that cuts the employee out of the “medical information loop” and, more generally, should not authorize the disclosure of information generated course of future care.

While this is a decision based on specific and relatively restrictive collective agreement language, Mr. Surdykowski’s fully-reasoned decision (which is based on 20 days of hearing) may be authoritative and conflicts with fairly standard employer practices. Unionized employers should consider it and reflect upon their short term disability or sick leave administration practices, their medical consent forms and their collective agreement and benefit plan language.

Importantly, the Surdykowski award is only about the information an employer may request for the purpose of adjudicating short term disability benefits. Although he comments peripherally on employers’ need for information in the accommodation process, to the extent an employer has a need for more fulsome information to provide accommodation or to develop a plan for safely returning an employee to work, it may be justified in seeking further and more detailed medical information. Based on the reasoning in the Surdykowski award, such requests should be tailored as much as possible to meet the need in any given case.

Re Hamilton Health Sciences and Ontario Nurses Association, 91 C.L.A.S. 228 (Surdykowski).

This is the title of the forward to our just-published Hicks Morley Information and Privacy Post. If you follow this blog you’ll be familiar with most of the content, which we aggregate, edit down to size and index for convenience in order to create The Post. Please download a copy here.

This edition contains some of my favorites and most notables since August, including:

• The Prince Edward Island decision -HZPC Americas Corp. - on conversion claims and intangible property
• The Cheskes adoption disclosure decision, in which the Ontario Superior Court of Justice said that consensual disclosure is a principle of fundamental justice
• A pair of decisions by the British Columbia IPC on the collection of personal information - the School District No. 75 decision on the psychometric profiling of employment candidates and the University of British Columbia decision on investigations into employee computer misuse
• The Ontario Divisional Court’s holding in Kitchenam that the deemed undertaking rule protects against disclosure

We hope you enjoy!

On August 20th, the Alberta Office of the Information and Privacy Commissioner dismissed a complaint in which an employee alleged an invasion of privacy because his employer reported his medical restrictions to the Alberta Infrastructure and Transportation’s Driver Fitness and Monitoring Branch.

The employee, who was required to drive as part of his job, submitted a letter from his psychologist in support of a leave request. The letter indicated he was unsafe to drive and included detailed information about his mental condition. The employer granted the leave and asked the psychologist whether he had reported the employee’s restriction to the province. When the doctor declined to answer the employer’s request for information, the employer reported the restriction itself and included a copy of the psychologist’s letter. The province ended up placing several monitoring conditions on the employee’s license.

In deciding that the report complied with both the Alberta Personal Information Protection Act and the Alberta Freedom of Information and Protection of Privacy Act, the IPC made several findings of technical significance. For example, it read the exception in section 20(c) of PIPA broadly in finding the employer’s non-consensual disclosure was permissible. Of broader significance, however, are the IPC’s obiter comments on the employer’s collection of diagnostic information. While implying that diagnostic information may sometimes be needed by an employer or insurer to support decision-making, it endorsed the use of medical advisers as playing a role in protecting employee privacy:

Diagnostic information should only be provided directly to the employer’s group insurer who is responsible for evaluating an employee’s eligibility for any benefits where applicable. An exception to this practice would be organizations with in-house health units staffed by qualified medical practitioners, who may reasonably receive this information provided it is kept in strict confidence. These units manage workplace injuries, accidents and safety which are governed by workers’ compensation and occupational health and safety requirements. In such cases, collection of diagnostic information by an employer may be reasonable.

It is true that employer medical advisers play an important role in employee privacy. By taking custody of medical information on behalf of employers, they are the means by which employers ensure proper, limited use of the information. For more about an adviser’s role and some thoughts on reconciling this role with the adviser’s contractual duty to the employer, see my earlier post, Medical information management for employers.

Investigation Report P2007-IR-005 F2007-IR-004 (20 August 2007, Alberta I.P.C.).

Although there have been previous cases that have recognized the common law tort of invasion of privacy in Ontario and a few recent cases in which Ontario courts have made strong statements in refusing to strike claims based on the tort, the confines of the tort have not yet been clearly articulated. On September 21st, Deputy Judge Criger issued a small claims court judgement in which she articulated a form of test that balances an individual’s expectation of privacy in personal information against any countervailing interests in the information’s collection use and disclosure. Here is her six-part test:

1. Is the information acquired, collected, disclosed or published of a kind that a reasonable person would consider private?
2. Has the Plaintiff consented to acquisition or collection of the information?
3. If not, has the information been acquired or collected for a legal process or public interest reason? If so, what is that reason?
4. Has the Plaintiff consented to disclosure or publication of the information?
5. If not, has the information been disclosed or published for a legal process or public interest reason? If so, what is that reason?
6. Is the legal process or public interest reason put forward for acquisition, collection, disclosure or publication one that a reasonable person would consider outweighs the interest of the individual in keeping the information private?

The case is about a plaintiff who told his aunt that he was HIV positive in confidence and the aunt’s subsequent disclosure of this information to his mother. Deputy Judge Criger held that the plaintiff had established a breach but did not prove his damages.

Caltagirone v. Scozzari-Cloutier, [2007] O.J. No. 4003 (Ont. S.C.J.) (QL).

The Vancouver Province reports that the University of British Columbia has asked the British Columbia Supreme Court to review the Information and Privacy Commissioner for British Columbia’s September 24th order that was made in response to its reasonable grounds investigation into employee time theft (my report here).

The Province says material filed in court by the University says the order “denies the university the ability to investigate misconduct.” Indeed, one of the issues raised by the order is the level of scrutiny that is appropriate to apply to how an investigation is conducted when there are clear grounds for conducting it. Those with an interest in security will claim that once there are grounds for an investigation, an investigator needs sufficient flexibility to conduct a thorough investigation even if it involves “fishing.” Although it may be explained by the context - perhaps the IPC is only saying something about the stakes at play in a time theft investigation - the IPC’s order conflicts with this view. Thanks to Michael Geist for posting on this.

On October 5th, the Ontario Superior Court of Justice held that a police service unlawfully disclosed information about and individual’s withdrawn criminal charges in the course of conducting background checks.

The applicant, a social services worker, was charged with four counts of sexual assault and four counts of sexual exploitation. At trial, the charges were withdrawn and the applicant entered a peace bond. The applicant was later denied a license for a group home, denied employment and terminated from employment, assumingly based on information provided in criminal background checks. In response, he brought an application seeking an order to have information about the withdrawn charges expunged from police records.

The Court held that the police were authorized to collect and retain information about withdrawn charges and rejected the applicant’s (potentially disruptive) argument that retention of the records violated various Charter provisions. It did, however, hold that the applicant had not given his informed consent to disclosure. There was a dispute about whether the applicant actually signed any consents, but the Court held that the police service’s standard consent form was nonetheless insufficient to support disclosure of information about the withdrawn charges:

In this application, none of the relevant pieces of legislation were attacked and people unfamiliar with the legislation might be forgiven for being surprised at the breadth of information police services are authorized to maintain. I conclude, however, that the maintaining of information that charges have been laid, albeit subsequently withdrawn, is not in any way prohibited by legislation. On the other hand, I see nothing in any legislation which authorizes the release of information reporting that the subject of the inquiry was charged with sexual offences, which were subsequently withdrawn. The release form, which may or may not have been signed by Mr. Tadros, is not sufficiently specific in its terms to encompass this particular eventuality, and Mr. Tadros could be excused for assuming that at the time the application was made for the information, he had no record of any sort and need not be concerned about any adverse effect which might result on his employment prospects. There is a basic unfairness in the dissemination of this type of information as evidenced by the apparent effect it did have on his employment chances.

The breadth of information provided in Ontario criminal background checks has been the subject of significant criticism. For information on the policy-related significance of this judgement see “Criminal Background Checks - Balancing Public Safety, Security and Privacy” by John Swaigen.

Tadros v. Peel Regional Police Service, 2007 CanLII 41902 (ON S.C.).

On September 24th the Office of the Information and Privacy Commissioner for British Columbia held that the University of British Columbia violated the British Columbia Freedom of Information and Protection of Privacy Act by conducting a “reasonable grounds investigation” of an employee’s personal computer use.

The employee, an engineering technician, had a history of productivity problems. Although the University adduced evidence that it was managing the
employee’s performance, the complainant countered with evidence that he used his computer for non-work-related purposes openly and that and that the University tolerated this. The University’s acceptable use policy also allowed for “incidental personal use” within some restrictions.

The University decided to investigate the employee’s computer use after receiving a complaint about the his untimely service. It started by collecting the log file that listed websites visited. This showed a significant number of non-work-related websites, so the University then used software (spyware) to collect data that allowed it to identify the period of time the grievor spent on non-work-related sites. The spyware also captured screen shots in two minute intervals and, as a result, captured the employee’s personal correspondence, his bank account number and other information about his personal finances.

The adjudicator held that the University was not authorized to collect the log file, the more detailed information collected by the spyware and the screenshots. Her decision is significant for three reasons.

First, the adjudicator applied the contextual necessity test recently articulated by Commissioner Loukedelis in Order F07-10 (my report here). In this test, necessity is assessed in the entire context and in light of the privacy-protective purpose of the Act. In discussing this test, the adjudicator held that an employer must not necessarily exhaust all less intrusive means of meeting a legitimate objective to meet the necessity test, but that this is one factor to consider in the analysis.

Second, the adjudicator’s reason for finding that the collection of screen shots was violative rules out the collection of screen shots as an investigatory tool unless the content of the websites is the basis for the investigation - e.g. for pornography investigations. She said:

Information which reveals the complainant’s specific activities on non-work related websites is not, in this case, directly related to UBC’s human resources activities. As UBC notes, this is not a case involving an allegation that an employee accessed inappropriate material on the internet. The specifics of the complainant’s banking transactions, or his personal correspondence, are not relevant to any program or activity of UBC’s. The GESS Report, therefore, has some information that is relevant to managing the complainant’s employment, and some information which is not.

Third, in finding it was not necessary for the University to collect the log data and information about the amount of time the employee spent on non-work-related sites, the adjudicator relied heavily on the University’s permissive approach to personal use. In light of this approach, she held that the next necessary and reasonable step would have been to put the employee on notice of his misconduct rather than conduct surreptitious surveillance.

It is difficult to understand how the surreptitious collection of information about an employee’s internet use can be necessary in the absence of any attempt to question the employee about his activity, especially when the supervisor was aware of that activity and the complainant knew the supervisor was aware of it.

While it would be easy to frame this case as a message to employers about the harms of condoning personal use, there may be more to it than first meets the eye. This is because the foundations of workplace computer use are arguably changing. Not only are the internet applications used in day-to-day living more pervasive, the rise of “Web 2.0″ is starting to blur the line between personal use and business use. One may also argue that employees in some sectors (especially professionals) are spending more and more of their waking day working. So can the reasonable employer afford to do anything but condone personal use? And what does this do to the idea, accepted widely in the existing case law, that an employee should have no expectation of privacy on a work computer system? This case may signal a next wave in workplace monitoring litigation in which some of these questions will be raised and answered.

University of British Columbia (Re), 2007 CanLII 42407 (BC I.P.C.).

On October 4th, a 6-3 majority of the Supreme Court of Canada held that an investigating police officer owes a private law duty of care to the suspect under investigation. This is a duty of care case and not directly about information and privacy. There are, however, a couple of points of significance to readers of this blog.

First, investigations obviously involve the collection of personal information, and the new duty will inform such collections. Unlike section 8 of the Canadian Charter of Rights and Freedoms, which only operates to restrict the collection of information, the new duty could conceivably require its collection. In fact, in this case one of the allegations was that the police breached their duty of care by failing to re-investigate after receiving exculpatory evidence after charges were laid. Based on the majority’s reasoning, there is no reason why a private investigator or a member of a company’s audit or security staff would not be found to be subject to an analogous duty quite apart from any factors related to the underlying relationship between the investigator’s principal and her suspect.

Second, this is the first time the Supreme Court of Canada has commented on the important Jane Doe duty to warn case, which was relied upon by the majority (of five judges) at the Court of Appeal in recognizing the new duty. Writing for the majority of the Supreme Court, McLachlin C.J.C. said that Jane Doe was not analogous and noted that there is significant debate over the content and the scope of its ratio. For the minority, Charron J., went further and explained:

Hence, the trial judge in Jane Doe held that where the police are aware of a specific threat to a specific group of individuals, the police have a duty to inform those individuals of the specific threat in question so that they may take steps to protect themselves from harm. As Moldaver J. (as he then was) said, speaking for the Divisional Court in confirming that the action could proceed to trial, “[w]hile the police owe certain duties to the public at large, they cannot be expected to owe a private law duty of care to every member of society who might be at risk”: Jane Doe v. Metropolitan Toronto (Municipality) Commissioners of Police (1990), 72 D.L.R. (4th) 580, at p. 584. Hence, Jane Doe cannot be read to stand for the wide proposition that the police owe a general duty of care to all potential victims of crime. Such an interpretation would ignore the fact that there must be more than mere foreseeability of harm before a duty of care will arise; there must also be sufficient proximity between the parties and the absence of policy considerations negating the existence of any prima facie duty of care.

Hill v. Hamilton-Wentworth Regional Police, 2007 SCC 41.