All About Information

Last Thursday and Friday I attended and spoke at the Canadian Association of University Business Officers workshop on Emergency Preparedness. Perhaps it was the inspirational kickoff by M. Richard Fillion of Dawson College, but it felt like a very special event and it was a pleasure to collaborate with a group of experienced administrators who are obviously committed to tackling a tough challenge.

I spoke on the legal perspective on managing on-campus violence, with a focus on the need for information sharing. Dr. Philip Klassen of the Centre for Addiction and Mental Health’s Law and Mental Health Program and Dr. Phil Wood, Dean of Students McMaster University, gave great presentations on the same subject from their own perspectives. Dr. Wood has also blogged about the event here.

Here is the full text of my speech, entitled “A Legal Perspective On Managing the Threat of On-Campus Violence.” I’ve linked to the various references that came up in the speech and the following Q&A below. I hope these are of use to the attendees and others.

• The Virginia Tech Review Panel Report. I particularly recommend Chapter 4.
• United States Secret Service and United States Department of Education, Implications for the Prevention of School Attacks in the United States. This stresses the efficacy and importance of threat assessment systems.
• Robert Bickel and Peter Lake, The Rights and Responsibilities of the Modern University. An important book on universities’ duty of care.
• IPC/Ontario, Privacy and Video Surveillance in Mass Transit Systems: A Special Investigation Report. This has a significant statement on special constables and the meaning of “law enforcement” in FIPPA.
• United States Department of Education, Family Educational Rights and Privacy Act (Proposed Amendments).
• Re Hamilton Health Sciences and Ontario Nurses Association, 91 C.L.A.S. 228 (Surdykowski). This recent case is about the collection of medical information through standardized forms for the purposes of short-term disability benefit administration. The collection of medical information for individual risk assessment and accommodation purposes is a different matter, but there are ideas in here that are significant and restrictive. I raised it in questioning whether employers should consider bargaining for some clarity on their right to collect. My earlier blog post on this case is here and I have blogged on medical information management here.
• Young v. Bella, 2006 SCC 3. This case illustrates the potential liability that can be mitigated by formal threat assessment systems.

There was a really good comment after the speech from Mike from Queen’s University, who thought the my use of the term “care team” was inappropriate given the role the university is really playing and the sensitivity about taking on an overt caregiver role. I completely agree, and from now on will work the term “assessment team” or “CUBIT” - for Comprehensive Behavioral and Threat Assessment Team - into my language. Thanks!

On January 21st, Master MacLeod of the Ontario Superior Court of Justice issued an order which allowed the parties to a complex e-discovery to proceed. He cited the Sedona Canada Principles and issued a limited order after considering the potential costs and the impact on individual privacy rights that would be associated with a definitive order for more fulsome production.

In litigating a class action claiming product liability damages caused by a heart valve, the plaintiffs brought a motion to challenge the defendants’ production of (1) two clinical trials databases which included adverse events data, (2) questionnaires used to collect adverse event data and (3) a data entry database associated with the adverse events databases. The two clinical trials databases were maintained by the University of Pittsburgh (a non-party) pursuant to a research agreement. Likewise, the questionnaires were held by clinicians thoughout the world pursuant to research agreements. The defendants’ legal rights to the data entry database (called “POP”) were less clear, a significant complication given the University’s residence in a foreign jurisdiction.

There was no dispute that 28 “freezes” of the adverse events databases (representing data stores at a point in time) included highly relevant information, but the plaintiffs claimed that the defendants’ production effort was too slow and that the defendants’ manner of production did not allow them to assess the data’s validity. One of the defendants’ key objections: the University had redacted patient initials and birth-dates from the production. The University did not adduce evidence on the motion, but the defendants argued on the University’s behalf that it would be exposed to liability and a potential breach of U. S. federal or state privacy legislation if it provided the data in unredacted form. The defendants also raised the costs the University was bearing and would additionally bear if further, more fulsome production was to be ordered.

Master MacLeod considered the competing demands and said that the production “solution” should meet four criteria. He said:

• The data produced to the plaintiffs must be substantially the same data as that which has been reviewed by the defendants’ own experts. If not then the plaintiff and defendant experts are being asked to draw conclusions based on different information.
• The forensic continuity of the data must be demonstrable such that any issues about authenticity or accuracy can be readily answered.
• The process of redaction must not leave the data less meaningful or useful. While the exact birth-dates and initials of the patients may not be necessary to analysis of data, it will for example be critical that data attributable to specific patients can still be tracked and where there are associated slides or tissue samples or other medical records produced in the litigation this can be matched to the data in the same way as previous to the redaction.
• The process of redaction must not unduly delay production.

Master MacLeod held that the current manner of production did not meet the criteria. In particular, he took exception to the fact that the defendants’ experts were apparently working with original and unredacted data, which he said could put the plaintiffs at a disadvantage. The defendants’ use of unredacted information may also have led him to conclude that patient privacy, while warranting protection, may ultimately need to yield to “the imperative of justice.”

Master MacLeod’s order was limited in that it merely established a process and criteria to allow the e-discovery to proceed. The key part of the order, for example, read:

In the event the data cannot be produced in redacted form in a timely fashion or if the redactions can be shown to compromise the integrity of the data or if the redacted data is significantly different than the data available to the defence experts, the plaintiff expert is to be given access to complete and accurate copies of the 28 data freezes as well as a current set of data.

There are other aspects of the order that are of significance. For example, Master MacLeod reasoned that the POP database (being potentially controlled by a non-resident) was analogous to deleted or residual electronically stored information as that term is used in Sedona Canada Principle 6. He said, “Only if [the plaintiffs] cannot answer the questions accurately and there remain important unexplained anomalies in the AVERT data should it be necessary to consider production of the POP database.”

For more on the Sedona Conference’s Sedona Canada Principles and for a summary of Master MacLeod’s 2006 order in this same case, see the LexUM E-Discovery Canada website.

Andersen v. St. Jude Medical Inc., [2008] O.J. No. 430 (QL) (S.C.J.).

On February 1, the Federal Court of Appeal ordered a matter back to the Privacy Commissioner so that she could determine what parts of notes taken by a doctor in the course of providing an independent medical examination were the examination subject’s personal information.

The dispute arose under PIPEDA, and was about access to information in notes taken by a doctor in the course of providing an IME. The most significant part of the decision is the Court’s response to the doctor’s argument that the information in his working notes was not the subject’s personal information. The Court said:

Mr. Rousseau has a right of access to the information he gave the doctor, and to the final opinion of the doctor in the form of the report to the insurer. In accordance with Principle 4.9.1. of Schedule I to the PIPED Act, this enables Mr. Rousseau to correct any mistakes in the information he gave the doctor or which the doctor noted, as well as any mistakes in the doctor’s reasoned final opinion about his medical condition. But the process of getting to that final opinion from the initial personal information of Mr. Rousseau belongs to the doctor.

This Court, in Canada (Information Commissioner) v. Canada (Minister of Citizenship and Immigration) [in a decision under the Access to Information Act], has recognized that “the same information can be “personal” to more than one individual” (at para. 15). It may well be, in the end, that some information in the notes will be personal to both Mr. Rousseau and Dr. Wyndowe. A balancing exercise similar to that proposed in our ruling in Canada (Information Commissioner) would then need to be performed.

I believe this is the first time that a court has considered the matter of access to “mixed” personal information under PIPEDA. Mixed personal information is personal information about more than one person, and can be difficult to deal with in an access request. It is often created in the course of investigations where a person who is interviewed gives an opinion or recounts facts about another.

The Court did not mention section 9(1) of PIPEDA, which reads, “Despite clause 4.9 of Schedule 1, an organization shall not give an individual access to personal information if doing so would likely reveal personal information about a third party.” It also mentioned the issue of “work product” information earlier in the award, but did not address whether the doctor’s working notes were likely to speak about him in his professional rather than personal capacity and, hence, be work product rather than personal information. Given these limitations, the award speaks more about things to come than lay down any authority on the meaning of personal information.

Other parts of the award are interesting if not notable. For example, I believe it contains the most detailed discussion by a court about the meaning of “in the course of commercial activity,” the key trigger language for the application of the Act.

Wyndowe v. Rousseau, 2008 FCA 89 (CanLII).

On October 5th of last year, Ontario Arbitrator Surdykowsky made some broad statements in upholding a grievance which challenged a standard medical information form administered for the purpose of adjudicating short term disability benefits.

The form was administered by the employer’s third-party adjudicator in all applications for STD benefits. It included a consent to collect information from any “party” involved in treatment and requested, among other information, primary and secondary diagnoses, medical history, information on tests and investigations performed and specific information on program of treatment.

Mr. Surdykowsky held that the standard for eligibility in the employer’s STD plans (there were two different ones at issue) did not justify collection of this information for the purpose of adjudication. One plan, for example, simply specified that employees must submit a satisfactory medical certificate showing an inability to perform regular job duties. Mr. Surdykowsky held that the employer was limited to asking for a certificate focused directly on the eligibility requirement unless there was an objectively reasonable basis for doubting the accuracy or truth of the health care provider’s certification.

Mr. Sudykowsky also engaged in a very principled analysis of an employer’s right to medical information. He held that employee privacy rights cannot be outweighed by expediency or efficiency, so even though the collection of further and more detailed medical information may be justified as an absence becomes prolonged and attendance management and accommodation processes become engaged, such information should not be routinely collected at the beginning of an absence on a form that is administered strictly for the purpose of determining benefit eligibility. And while recognizing that broader requests for medical information up front may actually reduce conflict given that health professionals are not “always entirely objective,” Mr. Surdykowski held that employee privacy rights weigh against a departure from a strict necessity requirement.

As part of his broad analysis, Mr. Surdykowski also endorsed the following general principles (in my words):

• A union can bargain the scope of a medical information request form on behalf of its members. An individual may chose not to consent but may be denied benefits. An employer does not act coercively by informing an employee of the potential negative repercussions of failing to consent to disclosure of all information on the form.
• When collecting information for the purpose of adjudicating short term disability benefits or approving a short term medical leave, employers are normally restricted to collecting a certification of disability, the general nature of the illness or injury (which is different from diagnostic information), that the employee has and is following a treatment plan (but not the plan itself), the expected return to work date, and what work the employee can or cannot do.
• Medical consents should generally authorize disclosure from a specific health care provider. They should not authorize contact between the employer or its agent and the health care provider in a manner that cuts the employee out of the “medical information loop” and, more generally, should not authorize the disclosure of information generated course of future care.

While this is a decision based on specific and relatively restrictive collective agreement language, Mr. Surdykowski’s fully-reasoned decision (which is based on 20 days of hearing) may be authoritative and conflicts with fairly standard employer practices. Unionized employers should consider it and reflect upon their short term disability or sick leave administration practices, their medical consent forms and their collective agreement and benefit plan language.

Importantly, the Surdykowski award is only about the information an employer may request for the purpose of adjudicating short term disability benefits. Although he comments peripherally on employers’ need for information in the accommodation process, to the extent an employer has a need for more fulsome information to provide accommodation or to develop a plan for safely returning an employee to work, it may be justified in seeking further and more detailed medical information. Based on the reasoning in the Surdykowski award, such requests should be tailored as much as possible to meet the need in any given case.

Re Hamilton Health Sciences and Ontario Nurses Association, 91 C.L.A.S. 228 (Surdykowski).

The Ontario IPC and Hewlett-Packard have released a joint-paper entitled, “RFID and Privacy - Guidance for Health-Care Providers.” The report discusses the privacy issues associated with RFID health care applications as grouped into three types:

• those involving tagging things
• those involving tagging things linked to people and
• those involving tagging people.

It identifies the latter two types as being privacy sensitive, with tagging “things linked to people” being more sensitive if the the link is strong, as is the case with tags affixed to individually-prescribed vials of medicine. As with most IPC reports of this type, the authors have generally guarded against making potentially binding statements on specific issues. While the authors note many new applications and comment generally on their potential benefit, the report neither endorses nor denounces any specific application. The most strong statement in the report was made about an application totally unrelated to health care. On the use of contactless identification cards for employee identification purposes, the authors said:

RFID-embedded (“contactless”) Identification cards are a special category of health care RFID use. Here we must distinguish between employee identification (and access) cards (whether “smart” or not), and patient identification cards. Employee Identification cards are increasingly being equipped with RFID technologies in order to identify and authenticate the bearer and facilitate access to physical spaces and other (e.g. computer) resources, as well as for process control and audit purposes. Dual or multi-purpose employee identity cards can serve differing functions at different times, according to context. Such a multi-purpose card and the data it contains, if not properly controlled, invites over-identification for some functions, function creep, and unwanted employee profiling.

While making this strong statement on employee identification, the report said that an RFID patient identification program may be acceptable where it…

…responds to a defined problem or issue in a limited, proportional and effective manner, and is deployed in a way that minimizes privacy and security risks, at least as effectively as any alternative solution.

I sense the two pull quotes above were the subject of considerable discussion. And while employers in Ontario should take heed of the report’s warning, the IPC has a very limited jurisdiction to enforce employee privacy rights in Ontario, even on behalf of employees who work at hospitals.

I spoke at our annual pension and benefit conference this morning on the role of the company medical advisor and data breach due diligence. The latter issue is as topical as ever, and I was happy to drive home the message that managing the personal habits and attitudes of employees is critical to a complete due diligence program. I’ve posted a copy of my slides here.

On August 20th, the Alberta Office of the Information and Privacy Commissioner dismissed a complaint in which an employee alleged an invasion of privacy because his employer reported his medical restrictions to the Alberta Infrastructure and Transportation’s Driver Fitness and Monitoring Branch.

The employee, who was required to drive as part of his job, submitted a letter from his psychologist in support of a leave request. The letter indicated he was unsafe to drive and included detailed information about his mental condition. The employer granted the leave and asked the psychologist whether he had reported the employee’s restriction to the province. When the doctor declined to answer the employer’s request for information, the employer reported the restriction itself and included a copy of the psychologist’s letter. The province ended up placing several monitoring conditions on the employee’s license.

In deciding that the report complied with both the Alberta Personal Information Protection Act and the Alberta Freedom of Information and Protection of Privacy Act, the IPC made several findings of technical significance. For example, it read the exception in section 20(c) of PIPA broadly in finding the employer’s non-consensual disclosure was permissible. Of broader significance, however, are the IPC’s obiter comments on the employer’s collection of diagnostic information. While implying that diagnostic information may sometimes be needed by an employer or insurer to support decision-making, it endorsed the use of medical advisers as playing a role in protecting employee privacy:

Diagnostic information should only be provided directly to the employer’s group insurer who is responsible for evaluating an employee’s eligibility for any benefits where applicable. An exception to this practice would be organizations with in-house health units staffed by qualified medical practitioners, who may reasonably receive this information provided it is kept in strict confidence. These units manage workplace injuries, accidents and safety which are governed by workers’ compensation and occupational health and safety requirements. In such cases, collection of diagnostic information by an employer may be reasonable.

It is true that employer medical advisers play an important role in employee privacy. By taking custody of medical information on behalf of employers, they are the means by which employers ensure proper, limited use of the information. For more about an adviser’s role and some thoughts on reconciling this role with the adviser’s contractual duty to the employer, see my earlier post, Medical information management for employers.

Investigation Report P2007-IR-005 F2007-IR-004 (20 August 2007, Alberta I.P.C.).

I’ve taken a deeper look at Chapter 4 of the report of the Virginia Tech Review Panel and created this graphic, which compartmentalizes the various pieces of information about Cho Seung Hui that were known by groups inside and outside the university. As outlined in text in the state report, the graphic illustrates that the Virginia Tech Police Department, Virginia Tech Residence Life and the various teachers who worked most closely with Cho had potentially relevant information about Cho that was not shared with Virginia Tech’s multidisciplinary Care Team (which had formal responsibility for threat assessment). It also illustrates that Cho’s high school had information that might have been of assistance to Virginia Tech, but was not shared when he registered or in the course of his studies.

Barring any significant developments, this is probably the last I’ll blog about Virginia Tech. Before moving on, however, I do feel compelled to share a personal thought. This is a blog, after all. You see, I’ve been a very responsible lawyer in blogging about this issue and have kept things nice and objective. I’ve purposely chosen not to use the word “tragedy” because I thought it unhelpful and obfuscatory.

Chapter 4, however, got to me. Perhaps it’s because I’m a new father and the Chapter starts with a story about Cho having a heart problem as an infant and his corrective medical procedure leading, at age three, to the start of severe emotional problems. It also touched me that, through the great efforts of his parents and his public school educators, Cho seemed to be managing his difficulties pretty well up until university. Then it all rapidly spiraled downwards to the terrible ending. Though he’s ultimately responsible for an atrocious act, I’m sad for Cho as I’m sad for his parents and his victims.

All of which underlies the essence of this issue. When privacy is balanced against security it rarely seems a fair fight. Privacy is well understood as a fundamental human right, yet security tends to be cast as just another intangible concept, and worse, one associated with institutional or governmental rather than human interests. I don’t believe that it’s always fair to characterize security interests this way. Security can be as much about helping troubled individuals as about preventing harm to others. I’m engaged by the Virginia Tech case because it demonstrates this well. Perhaps tragedy is a helpful word after all.

As promised, here are some comments on the privacy-related aspects of the Virginia Tech state report. I’ve split this post into a part on legal issues and a part on policy issues.

Legal Issues - With no golden rule, strong policy should guide

Not all risks can be effectively mitigated by detailed policy, but given the need for decentralized decision-making about the sharing of information and the apparent inaccessibility of privacy legislation to laypersons, the student-at-risk/catastrophic violence challenge is clearly one that should be addressed through the promulgation of good policy.

Here’s a key quote from the report:

The widespread perception is that information privacy laws make it difficult to respond effectively to troubled students. This perception is only partly correct. Privacy laws can block some attempts to share information, but even more often may cause holders of such information to default to the nondisclosure option—even when laws permit the option to disclose. Sometimes this is done out of ignorance of the law, and sometimes intentionally because it serves the purposes of the individual or organization to hide behind the privacy law. A narrow interpretation of the law is the least risky course, notwithstanding the harm that may be done to others if information is not shared.

Following this theme, the report runs through a number of disclosures in the Virginia Tech case that could have been made, were not, but would have been permitted under applicable state and federal privacy laws.

Similar to the situation in Ontario (where I practice), in Virginia there’s no single “golden rule” or simplifying model to help teachers, administrators and student volunteers figure out what information can be shared about a student at risk, with whom and under what circumstances. Rather, there are a number of different rules - disclosure “exceptions” to be slightly more precise. These exceptions apply indirectly to the scenarios that commonly confront individuals in university and college communities.

In Ontario, for example, when teachers learn of disturbing behavior in the course of teaching, the legality of reporting that behavior to a case management team is ordinarily governed by the “need to know” rule or exception - i.e. the report is lawful if “necessary and proper in the discharge of the institution’s functions.” While this language may allow a lawyer to interpret whether a disclosure is permissible based on a set of facts, without specific guidance on what to do when a student demonstrates objectively threatening behavior, how’s a teacher to know whether reporting the behavior is permissible?

Post-secondary educational institutions must have systems in place that encourage the exercise of sound judgement and due diligence. Enabling the reporting of information about certain student behaviors through policy so these systems can function on complete and valid information is critical to their effectiveness.

Policy Issues - Parental disclosures and safe harbour provisions

I’d like to identify two good policy issues raised by the report, one for consideration by schools and another for consideration by government.

Issue 1: Should post-secondary educational institutions pursue a policy of sharing information about adult students at risk with their parents?

Consistent with the United States Department of Education’s philosophy on parental involvement, the state report clearly favours information sharing with parents:

During his formative years, Cho’s parents worked with Fairfax County school officials, counselors, and outside mental health professionals to respond to episodes of unusual behavior. Cho’s parents told the panel that had they been aware of his behavioral problems and the concerns of Virginia Tech police and educators about these problems, they would again have become involved in seeking treatment.

I’m not sure what Canadian post-secondary institutions will want to do with this. Is it reasonable to assume that all parental relationships will be supportive? How will institutions know if there is a benefit to the disclosure? If the decision to share information with parents is discretionary, what factors should inform the exercise of discretion? To what extent should schools rely on a disclosure to parents as a complete discharge of their duty of care (assuming such a duty exists)?

Issue 2: Should governments enact new exemptions to allow for disclosures made in a good faith belief that they are necessary for protecting health and safety?

The state report recommends this type of “safe harbour” exemption as a means of cutting through the confusion about how existing and general privacy exemptions apply to the health and safety problem illustrated by Virginia Tech. It states:

Laws protecting good-faith disclosure for health, safety, and welfare can help combat any bias toward nondisclosure.

The current health and safety exemptions in Ontario’s public sector privacy and health privacy statutes are objective standards that are based on a “serious harm” threshold. Short of this relatively high threshold, disclosures are only permitted under other more general exemptions like the “need to know” exemption noted above (which applies only to internal disclosures) or the similarly-obscure “consistent purpose” or “law enforcement” exemptions. Would acceptance of the safe harbour proposal lead to an appropriate clarification of the law? Is it important that privacy legislation be made accessible to laypeople? Will this type of amendment harm the integrity of the legislation?

***

I’m just scratching the surface with these comments, but hope they provoke some good thought amongst those who are interested in this subject. It’s a sad one, but I like the privacy-related ideas that have been raised following the shootings because they are simple, compelling and important. Look for more posts on campus security and privacy in the future.

Paul Broad and I posted our fall edition of the Hicks Morley Information and Privacy Post today. It’s available here. In addition to some brief commentary on “data breach low hanging fruit,” we’ve included summaries of cases that we’ve reviewed since publishing our spring edition. The top draws in our current edition:

• The Divisional Court’s FOI decision on the annonymization of databases and whether replacing a unique identifier (that is also personal information) creates a new record
• The Ontario Court of Appeal’s finding that the public interest override in Ontario’s FOI legislation is unconstitutional and its reading-in remedy
• A decision by labour arbitrator Paula Knopf on a challenge to an employer’s short term disability administration practices
• The latest Ontario decision in the recent flare-up in drug testing litigation, a decision by labour arbitrator Jane Devlin
• A June 27th American e-discovery case that illustrates how not to manage a complex e-discovery project

Please check out the Post. Hope you enjoy!