All About Information

Entries categorized as ‘Collection, use and disclosure’

Case report - Condonement means employer barred from investigating computer misuse

October 19, 2007 · 1 Comment

On September 24th the Office of the Information and Privacy Commissioner for British Columbia held that the University of British Columbia violated the British Columbia Freedom of Information and Protection of Privacy Act by conducting a “reasonable grounds investigation” of an employee’s personal computer use.

The employee, an engineering technician, had a history of productivity problems. Although the University adduced evidence that it was managing the employee’s performance, the complainant countered with evidence that he used his computer for non-work-related purposes openly and that the University tolerated this. The University’s acceptable use policy also allowed for “incidental personal use” within some restrictions.

The University decided to investigate the employee’s computer use after receiving a complaint about his untimely service. It started by collecting the log file that listed websites visited. This showed a significant number of non-work-related websites, so the University then used software (spyware) to collect data that allowed it to identify the period of time the grievor spent on non-work-related sites. The spyware also captured screen shots at two-minute intervals and, as a result, captured the employee’s personal correspondence, his bank account number and other information about his personal finances.

The adjudicator held that the University was not authorized to collect the log file, the more detailed information collected by the spyware and the screenshots. Her decision is significant for three reasons.

First, the adjudicator applied the contextual necessity test recently articulated by Commissioner Loukidelis in Order F07-10 (my report here). In this test, necessity is assessed in the entire context and in light of the privacy-protective purpose of the Act. In discussing this test, the adjudicator held that an employer need not necessarily exhaust all less intrusive means of meeting a legitimate objective to meet the necessity test, but that this is one factor to consider in the analysis.

Second, the adjudicator’s reason for finding that the collection of screen shots was violative rules out the collection of screen shots as an investigatory tool unless the content of the websites is the basis for the investigation - e.g. for pornography investigations. She said:

Information which reveals the complainant’s specific activities on non-work related websites is not, in this case, directly related to UBC’s human resources activities. As UBC notes, this is not a case involving an allegation that an employee accessed inappropriate material on the internet. The specifics of the complainant’s banking transactions, or his personal correspondence, are not relevant to any program or activity of UBC’s. The GESS Report, therefore, has some information that is relevant to managing the complainant’s employment, and some information which is not.

Third, in finding it was not necessary for the University to collect the log data and information about the amount of time the employee spent on non-work-related sites, the adjudicator relied heavily on the University’s permissive approach to personal use. In light of this approach, she held that the next necessary and reasonable step would have been to put the employee on notice of his misconduct rather than conduct surreptitious surveillance.

It is difficult to understand how the surreptitious collection of information about an employee’s internet use can be necessary in the absence of any attempt to question the employee about his activity, especially when the supervisor was aware of that activity and the complainant knew the supervisor was aware of it.

While it would be easy to frame this case as a message to employers about the harms of condoning personal use, there may be more to it than first meets the eye. This is because the foundations of workplace computer use are arguably changing. Not only are the internet applications used in day-to-day living more pervasive, the rise of “Web 2.0” is starting to blur the line between personal use and business use. One may also argue that employees in some sectors (especially professionals) are spending more and more of their waking day working. So can the reasonable employer afford to do anything but condone personal use? And what does this do to the idea, accepted widely in the existing case law, that an employee should have no expectation of privacy on a work computer system? This case may signal a next wave in workplace monitoring litigation in which some of these questions will be raised and answered.

University of British Columbia (Re), 2007 CanLII 42407 (BC I.P.C.).

Categories: Collection, use and disclosure · Employee privacy

Case Report - Investigator to suspect duty of care recognized by SCC

October 6, 2007 · No Comments

On October 4th, a 6-3 majority of the Supreme Court of Canada held that an investigating police officer owes a private law duty of care to the suspect under investigation. This is a duty of care case and not directly about information and privacy. There are, however, a couple of points of significance to readers of this blog.

First, investigations obviously involve the collection of personal information, and the new duty will inform such collections. Unlike section 8 of the Canadian Charter of Rights and Freedoms, which only operates to restrict the collection of information, the new duty could conceivably require its collection. In fact, in this case one of the allegations was that the police breached their duty of care by failing to re-investigate after receiving exculpatory evidence after charges were laid. Based on the majority’s reasoning, there is no reason why a private investigator or a member of a company’s audit or security staff would not be found to be subject to an analogous duty quite apart from any factors related to the underlying relationship between the investigator’s principal and her suspect.

Second, this is the first time the Supreme Court of Canada has commented on the important Jane Doe duty to warn case, which was relied upon by the majority (of five judges) at the Court of Appeal in recognizing the new duty. Writing for the majority of the Supreme Court, McLachlin C.J.C. said that Jane Doe was not analogous and noted that there is significant debate over the content and the scope of its ratio. For the minority, Charron J. went further and explained:

Hence, the trial judge in Jane Doe held that where the police are aware of a specific threat to a specific group of individuals, the police have a duty to inform those individuals of the specific threat in question so that they may take steps to protect themselves from harm. As Moldaver J. (as he then was) said, speaking for the Divisional Court in confirming that the action could proceed to trial, “[w]hile the police owe certain duties to the public at large, they cannot be expected to owe a private law duty of care to every member of society who might be at risk”: Jane Doe v. Metropolitan Toronto (Municipality) Commissioners of Police (1990), 72 D.L.R. (4th) 580, at p. 584. Hence, Jane Doe cannot be read to stand for the wide proposition that the police owe a general duty of care to all potential victims of crime. Such an interpretation would ignore the fact that there must be more than mere foreseeability of harm before a duty of care will arise; there must also be sufficient proximity between the parties and the absence of policy considerations negating the existence of any prima facie duty of care.

Hill v. Hamilton-Wentworth Regional Police, 2007 SCC 41.

Categories: Collection, use and disclosure · Investigations

Data breach response - a multidisciplinary perspective

September 26, 2007 · No Comments

In some chance timing given the release of the report on the Canadian investigation into the TJX breach, I presented today at a lunch meeting of the Association of Certified Forensic Investigators of Canada together with David Malamed of Grant Thornton. We called the presentation “Data Breach Response: A Multidisciplinary Perspective.”

This is the first presentation David and I have given on a project we started at the beginning of the summer together with Karen Gordon, an expert crisis communicator from Squeaky Wheel Communications. The idea we are promoting is that organizations should be using multi-disciplinary teams to manage breach response and, whether internal or external experts are used, the team should be defined in a formal breach response plan.

I’ve posted a copy of the presentation here.

Categories: Collection, use and disclosure · Data breaches · Records management

Case Report - Data breach investigation report released

September 26, 2007 · No Comments

The Privacy Commissioner of Canada and the Office of the Information and Privacy Commissioner of Alberta have released their joint report into the TJX/Winners data breach. They found that TJX breached the collection, retention and safeguarding rules in both the federal and Alberta commercial privacy statutes.

With respect to TJX’s system for preventing the fraudulent return of goods, the commissioners held that TJX breached both statutes by collecting driver’s license and other provincial ID numbers to identify individuals who returned goods without a receipt. While they accepted the importance of identifying such individuals for purposes of fraud control, they also held that retaining this sensitive data was not necessary and that TJX also did not give adequate notice of the purposes for its collection. The commissioners said:

A driver’s license is proof that an individual is licensed to operate a motor vehicle; it is not an identifier for conducting analysis of shopping-return habits. Although licenses display a unique number that TJX can use for frequency analysis, the actual number is irrelevant to this purpose. TJX requires only a number—any number—that can be consistently linked to an individual (and one that has more longevity and is more accurate than a name and telephone number).

Moreover, a driver’s license number is an extremely valuable piece of data to fraudsters and identity thieves intent on creating false identification with valid information. After drivers’ license identity numbers have been compromised, they are difficult or impossible to change. For this reason, retailers and other organizations should ensure that they are not collecting identity information unless it is necessary for the transaction.

Having made this finding, they accepted TJX’s proposal to create unique identifiers from provincial ID numbers by using cryptographic hashing and approved of a three-year retention period for this information.

On the collection and retention of payment card information for processing purposes, the commissioners held that TJX’s retention of information for 18 months in accordance with its contractual obligations to financial institutions was reasonable, but were critical of TJX’s practice of retaining the information for longer periods for “troubleshooting” purposes. They reasoned that TJX had not clearly established “troubleshooting” as a primary purpose for collection, nor had it established the need to retain information in order to troubleshoot.

Finally, the commissioners held that TJX did not meet the safeguarding standard in both acts, primarily because it failed to upgrade its wireless encryption protocol within a reasonable period of time. Version 1.1 of the Payment Card Industry Data Security Standard was released in September 2006 and endorsed the “Wi-fi Protected Access” or “WPA” encryption protocol. The commissioners said that TJX should have been adhering to this standard by “late 2006.” They commented:

TJX relied on a weak encryption protocol and failed to convert to a stronger encryption standard within a reasonable period of time. The breach occurred in July 2005, conversion began in October 2005, and the pilot project was completed in January 2007. We are also aware that the final conversion to a higher level of encryption will be completed soon.

Furthermore, while TJX took the steps to implement a higher level of encryption, there is no indication that it segregated its data so that cardholder data could be held on a secure server while it undertook its conversion to WPA.

TJX had a duty to monitor its systems vigorously. If adequate monitoring of security threats was in place, then TJX should have been aware of an intrusion prior to December 2006.

This comes just days after a settlement was announced in the related class action lawsuit.

Report of an Investigation into the Security, Collection and Retention of Personal Information (26 September 2007, C.P.P. and Alberta O.I.P.C.).

Categories: Collection, use and disclosure · Data breaches · Records management

Case Report - Publication of teaching evaluation data lawful

September 24, 2007 · No Comments

Arbitrator Brent held that the University of Windsor did not violate its faculty collective agreement or the Ontario Freedom of Information and Protection of Privacy Act by publishing teaching evaluation scores on a secure network for access by students and other members of the university community.

She made three findings. First, she held that the change in practice did not breach a frozen practices provision in the collective agreement because the publication condition (freedom from publication, as was argued) was not fundamental to the employment relationship. Second, she held that the express collective agreement restriction on disclosure of faculty personal information did not apply because the information disclosed was not “personal information” under the collective agreement. In reaching this finding, she relied on permissive collective agreement language that referred to the use of teacher evaluation data to construe the term “personal information.” Finally, she held that FIPPA did not apply based on its employment-related records exclusion and the fact that the data was used in the University’s promotion, tenure and renewal process. In rejecting the Association’s argument that student use of the data brought the records under the auspices of the Act, she said:

To argue that it ceases to become a “labour relations” or “employment-related” matter once it is made available to the students would in my view have the effect of excluding SET from FIPPA when it is used for employment related purposes but then including it when it is used to provide information to students. Such a result would be contrary to the Court of Appeal’s decision that once it is determined that FIPPA does not apply to certain material, then that material is exempt from FIPPA for ever.

University of Windsor and University of Windsor Faculty Association (Re) (19 February 2007, Brent).

Categories: Collection, use and disclosure · Employee privacy · Universities and Colleges

Case Report - Court says consensual disclosure a principle of fundamental justice

September 20, 2007 · No Comments

Yesterday, the Ontario Superior Court of Justice invalidated Ontario’s new adoption disclosure regime, which opened past and future adoption records to searching adult adoptees and birth parents notwithstanding individual consent. The judgement contains a significant discussion of how section 7 of the Canadian Charter of Rights and Freedoms restricts government disclosure of personal information.

The applicants, three adopted persons and a father who was recorded as a birth parent in government records despite some uncertainty about his paternity, objected to the adoption disclosure regime brought in by the province’s Adoption Information Disclosure Act. In short, the Act allowed adult adopted persons to obtain information that could be used to identify their birth parents and allowed birth parents to obtain similar information in respect of their children who had reached 19 years of age. These disclosures could be made without consent, but the regime did feature two protections. Adopted individuals and birth parents could file a “no contact” notice, in which case their searching parents and adoptees would be restricted from contacting them despite receiving information that would allow for contact. Adopted individuals and birth parents could also apply for a non-disclosure order, to be granted in exceptional circumstances to protect against “sexual harm” or “significant physical or emotional harm.”

Mr. Justice Belobaba held that the regime violated the applicants’ section 7 rights. His key factual determination was that the applicants had established a reasonable expectation of privacy in their adoption records based on the history of the adoption regime: “Since 1927, the statutory framework in Ontario has been predicated on confidentiality.” Based on this finding and the principles articulated by the Supreme Court of Canada in R. v. O’Connor, Belobaba J. found that the applicants’ liberty interest was engaged by the prospective disclosure of their identifying information. He then went on to find that the applicants had been deprived of this interest in a manner inconsistent with the following newly-articulated principle of fundamental justice:

Where an individual has a reasonable expectation of privacy in personal and confidential information, that information may not be disclosed to third parties without his or her consent.

Addressing the seeming strictness of this principle, Belobaba J. suggested that governmental interests in disclosure may be partly managed based on the “reasonable expectation of privacy” qualifier, which he characterized as a manageable and predictable legal principle. Beyond this, he suggested that governments should be responsible for justifying non-consensual disclosures under the Charter’s saving provision.

Counsel for the Attorney-General raised some concerns about the need to balance interests in the process of formulating a principle of fundamental justice. It wasn’t clear to me if the submissions on this point were directed at the broadly stated “right to privacy” principle or at the more refined Suggested Principle [as quoted above]. In any event, let me set out my understanding of balancing at the section 7 stage of the analysis.

The balancing of individual and societal interests within section 7 is only relevant when elucidating a particular principle of fundamental justice - and here the relevant interests were balanced using language such as “reasonable expectation of privacy.” Once the principle of fundamental justice has been elucidated, however, it is not within the ambit of section 7 to bring into account further societal interests, such as the rights of the searching adoptee or birth parent or the implications for government record-keeping etc. These considerations will be looked at, if at all, under section 1, where the Crown has the burden of proving that the impugned law is demonstrably justified in a free and democratic society.

On the facts and despite the two protections in the Act, Belobaba J. held that the government had not met its section 1 onus and issued a declaration of invalidity.

Cheskes v. Ontario (Attorney-General) (19 September 2007, Ont. S.C.J.).

Categories: Collection, use and disclosure

Halifax to Toronto in five podcasts all about information

September 17, 2007 · No Comments

We took young Hugo on his first surf trip to Halifax recently, and after enjoying a couple of weeks of beautiful weather and very bad surf, it took me about fifteen and a half hours from the time I dropped him and Seanna off at the Halifax airport to drive to our door in Toronto. (Dad travels with surfboards while mom travels with baby. And yes, I am a type “A” personality.)

Tom Petty’s newest, Highway Companion, pretty much blows my mind, but there’s only so many times I could listen to it (and sing along loudly enough to keep me alert) before seeking relief in the modern equivalent of talk radio. Here are the information-related podcasts that I listened to on the way home, listed in order of appreciation.

  1. “Electronic Evidence,” ABA Book Briefs Podcast (14 August 2007). An interview with Sharon Nelson and John Simek, co-authors of The Electronic Evidence and Discovery Handbook. Includes a good practical discussion on managing forensic experts.
  2. “Attorney-Client Privilege and the Work-Product Doctrine,” ABA Book Briefs Podcast (10 July 2007). An interview with Edna Epstein, author of Attorney-Client Privilege and the Work-Product Doctrine. Good for issue identification. One good one: When an in-house lawyer sues for wrongful dismissal and alleges she was terminated for whistleblowing, in what circumstances will the records containing her advice be producible?
  3. “Negotiating Tip: Negotiating with Email,” Negotiating Tip of the Week (5 May 2007). This podcast series is by Dr. Josh Weiss, Associate Director of the Global Negotiation Project at the Program on Negotiation at Harvard. This one is really about negotiation, but has an outside link to records management. The last of the five tips: don’t negotiate by e-mail unless you have to.
  4. “What Hewlett-Packard’s Spying Scandal Tells Us about the Limitations of Corporate Boards,” Knowledge@Wharton Audio Articles (23 October 2006). Primarily about governance but describes the context for a much-discussed privacy issue.
  5. “Ten Rules for Managing Electronically Stored Information,” Litigation Podcast: Tips and Tactics (29 March 2007). Tips on proactive ESI management.

Categories: Collection, use and disclosure · E-discovery · Law of production · Records management

Ontario IPC makes cease and desist and destruction order

September 13, 2007 · No Comments

As David Fraser reports, the Information and Privacy Commissioner/Ontario has used her order-making powers under the privacy part of Ontario’s public sector privacy legislation for the first time after receiving a privacy complaint about the collection of personal information relating to the sale of second hand goods. For the Commissioner’s news release click here and for a copy of the order, click here.

Categories: Collection, use and disclosure

Case Report - BCCA says implied undertaking rule does not have a necessary disclosure component

September 11, 2007 · No Comments

On September 10th, the British Columbia Court of Appeal dismissed an application for leave to appeal in a novel application for contempt based on an alleged breach of the implied undertaking rule.

The plaintiffs alleged that the Insurance Corporation of British Columbia unnecessarily disclosed obtained information in materials served on third parties in support of a production order. They relied on an ICBC internal policy that recommended (in part) that such information only be disclosed in third-party production motion materials as “absolutely necessary.” The application was dismissed and the Court of Appeal dismissed the application for leave to appeal, holding that the appeal was not prima facie meritorious.

The Court of Appeal quoted the following passage from the application judge’s decision:

It is a matter of judgment to be exercised by counsel what information obtained by parties through the litigation discovery process needs to be disclosed to non parties in furtherance of the litigation in which that information has been obtained.

Any court-imposed constraint on that judgment is antithetical to the underlying rationale of court compelled disclosure, with its necessary intrusion on a litigant’s general right to privacy. That rationale is the need to do justice between the parties.

Implicit in the law and Rules governing disclosure is the proposition that justice between the parties is best assured when disclosure of all relevant evidence from whatever source may be compelled by the court, subject to claims of privilege.

Imposition of constraints on the parties’ use of information obtained through the discovery process in the litigation in which it is obtained, by expanding the scope of the implied undertaking, could inhibit counsel in their investigation of the case and undermine the rationale for court compelled disclosure.

***

The law delineating the scope of the implied undertaking of confidentiality respecting use of information obtained through the litigation discovery process draws a bright line. Use of that information within the litigation is permitted use. Use outside the litigation for an “alien” or “collateral” purpose is not permitted without the consent of the affected party or an order of the court.

That bright line tends to expedite litigation, which is the goal of all recent reforms of civil litigation procedure in various jurisdictions. An obscure line would tend to promote procedural controversy, which is antithetical to that goal. The current bright line sacrifices litigants’ privacy for more procedural certainty. Its ultimate goal is to achieve a just result in the litigation.

The plaintiffs’ applications seek to have the court impose the policy reflected in s. 8.3.2 of the Manual as a constraint on the use of information obtained through the litigation discovery process within the litigation. If the court were to impose that policy by expanding the scope of the implied undertaking of confidentiality to limit use of information obtained through the litigation discovery process within the litigation in which it was obtained, the bright line would become an obscure line. There is no precedent for imposing such a policy. For the reasons stated, I decline to do so.

Jampolsky v. Shattler, 2007 BCCA 439.

Categories: Collection, use and disclosure · Deemed undertaking · Law of production · Privacy and litigation

Virginia Tech - Information graphic and a personal thought

September 9, 2007 · No Comments

I’ve taken a deeper look at Chapter 4 of the report of the Virginia Tech Review Panel and created this graphic, which compartmentalizes the various pieces of information about Cho Seung Hui that were known by groups inside and outside the university. As outlined in text in the state report, the graphic illustrates that the Virginia Tech Police Department, Virginia Tech Residence Life and the various teachers who worked most closely with Cho had potentially relevant information about Cho that was not shared with Virginia Tech’s multidisciplinary Care Team (which had formal responsibility for threat assessment). It also illustrates that Cho’s high school had information that might have been of assistance to Virginia Tech, but was not shared when he registered or in the course of his studies.

Barring any significant developments, this is probably the last I’ll blog about Virginia Tech. Before moving on, however, I do feel compelled to share a personal thought. This is a blog, after all. You see, I’ve been a very responsible lawyer in blogging about this issue and have kept things nice and objective. I’ve purposely chosen not to use the word “tragedy” because I thought it unhelpful and obfuscatory.

Chapter 4, however, got to me. Perhaps it’s because I’m a new father and the Chapter starts with a story about Cho having a heart problem as an infant and his corrective medical procedure leading, at age three, to the start of severe emotional problems. It also touched me that, through the great efforts of his parents and his public school educators, Cho seemed to be managing his difficulties pretty well up until university. Then it all rapidly spiraled downwards to the terrible ending. Though he’s ultimately responsible for an atrocious act, I’m sad for Cho as I’m sad for his parents and his victims.

All of which underlies the essence of this issue. When privacy is balanced against security it rarely seems a fair fight. Privacy is well understood as a fundamental human right, yet security tends to be cast as just another intangible concept, and worse, one associated with institutional or governmental rather than human interests. I don’t believe that it’s always fair to characterize security interests this way. Security can be as much about helping troubled individuals as about preventing harm to others. I’m engaged by the Virginia Tech case because it demonstrates this well. Perhaps tragedy is a helpful word after all.

Categories: Campus and school security · Collection, use and disclosure · Health privacy · Human rights law · Universities and Colleges