All About Information

A legal blog about the law of information – By Toronto, Ontario lawyer Dan Michaluk

Archive for the ‘Cross-border transfers’ Category

Case Report – Arbitrator dismisses faculty association challenge to e-mail outsourcing

On May 11th, Arbitrator Joseph Carrier dismissed a grievance that claimed a university violated faculty members’ right to privacy by outsourcing its e-mail system to Google.

The association relied on a collective agreement provision that required the university to provide a “computer connection” and another by which the university agreed, “that members have the right to privacy in their personal and professional communications and files, whether on paper or in electronic form.”

Mr. Carrier held that the promise to provide a “computer connection” was not a promise to provide members with e-mail service. He also held that, having provided e-mail service, the university did not breach its privacy-related undertaking by outsourcing to Google. His conclusion on the privacy claim rested on a finding that e-mail communications are inherently insecure. He said:

It is doubtful, and, indeed, there was no evidence offered to demonstrate that such comprehensive e-mail privacy is technologically achievable. It is beyond credulity that the University or indeed the faculty would have intended such a broad and impractical meaning. How could the University reasonably fulfil such an obligation and, for instance, ensure that no third party would seek out or otherwise gain access to a faculty member’s personal files let alone his or her professional communications? It is my view that the provision as worded has a much narrower meaning. It is not an undertaking to protect members’ privacy from all manner of intrusion by third parties; rather, it is an acknowledgement that those rights exist and, at best, an undertaking by the University itself not to subvert or undermine those rights. If it was intended as an absolute guaranty of privacy from all sources, the language used ought to have been much clearer than exists in this provision. It would have to say, for instance, “the University warrants that it will protect the e-mail privacy of faculty from all manner of surveillance, intrusion and/or interception”. Indeed, as Mr. Bickford argued, privacy rights insofar as they exist in law are never absolute. Canadian courts may and do endorse subpoenas which probe into confidential information held by, for instance, banks and similar institutions. It would be surprising if the University could even begin to insulate its faculty from such intrusion.

Professors Schulhofer and Geist gave expert evidence in the matter.

Lakehead University (Board of Governors) v. Lakehead University Faculty Association, 2009 CanLII 24632 (ON L.A.)

Written by Dan Michaluk

May 21, 2009 at 10:00 pm

OPC releases “Guidelines for Processing Personal Data Across Borders”

On January 27th, the federal Privacy Commissioner released a document entitled “Guidelines for Processing Personal Data Across Borders.” The guidelines reflect the OPC’s pragmatic approach to the issue, but seem to put slightly greater emphasis than in prior commentary on the need for organizations to examine local and political factors in their due diligence process:

In the case of outsourcing to another jurisdiction, PIPEDA does not require a measure by measure comparison by organizations of foreign laws with Canadian laws. But it does require organizations to take into consideration all of the elements surrounding the transaction. The result may well be that some transfers are unwise because of the uncertain nature of the foreign regime or that in some cases information is so sensitive that it should not be sent to any foreign jurisdiction.

The Guideline is available here.

Written by Dan Michaluk

January 29, 2009 at 1:25 pm

Case Report – Federal OPC dismisses complaint about cross-border personal information transfer

On August 7th, the Office of the Federal Privacy Commissioner of Canada issued a report dismissing a PIPEDA outsourcing complaint filed by Philippa Lawson of the Canadian Internet Policy and Public Interest Clinic.

The report echoes the position the OPC established in Case Summary 313 and Case Summary 333 – that is, that the transfer of personal information into the United States does not necessarily breach the safeguarding requirement in PIPEDA because it exposes the information to the dictates of United States law, but that notification is required given the principle of openness. The OPC does give a little more detail on the required standard of notification in this report than it has done in the past:

Finally, organizations that outsource the processing of personal information must provide sufficient notice with respect to the existence of service-provider arrangements, including notice that any foreign-based service provider may be required by the applicable laws of that country to disclose personal information in the custody of such service provider to the country’s government or agencies. In this respect, CanWest respected its obligation by reliably informing its subscribers, new and existing, of its arrangement with a new U.S.-based e-mail provider and of the potential impact on confidentiality of subscriber information. Consequently, Principle 4.1.3 was not contravened.

The report has been posted on CIPPIC’s website. Hat tip to Michael Geist.

Written by Dan Michaluk

August 21, 2008 at 12:02 am

Case Report – B.C. Commissioner speaks on public sector “necessary collection” standard

On June 26th, the Information and Privacy Commissioner of British Columbia held that a school board met the “necessary collection” standard in the British Columbia Freedom of Information and Protection of Privacy Act in its use of an online assessment tool for teacher recruiting. He also held that the Board had complied with the FIPPA security standard and the Act’s requirement for storing and accessing personal information outside of Canada (as the assessment was administered by a third party with databases located in Nebraska).

The “necessity” ruling is broad in its analysis. The Commissioner held that the meaning of necessity depends on the context:

At the same time, I am not prepared to accept, as the Complainants contend, that in all cases personal information should be found to be “necessary” only where it would be impossible to operate a program or carry on an activity without the personal information.  There may be cases where personal information is “necessary” even where it is not indispensable in this sense.  The assessment of whether personal information is “necessary” will be conducted in a searching and rigorous way.  In assessing whether personal information is “necessary”, one considers the sensitivity of the personal information, the particular purpose for the collection and the amount of personal information collected, assessed in light of the purpose for collection.  In addition to FIPPA’s privacy protection objective is also relevant in assessing necessity noting that this statutory objective is consistent with the internationally recognized principle of limited collection.

On this standard, he held the Board’s collection of personal information was necessary.  Although the Board had successfully recruited teachers for years before implementing the new assessment process, he accepted evidence that the new process was efficacious in identifying the best teachers and allowed the Board to more rapidly screen a large number of candidates.

The USA Patriot Act part of Commissioner Loukidelis’s award is more fact-specific, but also demonstrates a pragmatic approach.  Although he held that the Board was compliant, the Commissioner did recommend that the service provider take steps to replace identifying information with unique numerical identifiers for the purposes of permanently storing data. 

Note that the collection standard in the British Columbia Act is essentially the same as is included in Ontario’s public sector privacy legislation. The Ontario standard was recently considered by the Ontario Court of Appeal for the first time in the Cash Converters Canada Inc. v. Oshawa (City) decision, released on July 4th. The Court adopted the standard endorsed by the Ontario Commissioner, which is arguably more rigid and restrictive than the one described above.

Order F07-10 (B.C.I.P.C.).

Written by Dan Michaluk

August 11, 2007 at 3:53 pm