All About Information

Entries categorized as ‘Health privacy’

Virginia Tech - Information graphic and a personal thought

September 9, 2007

I’ve taken a deeper look at Chapter 4 of the report of the Virginia Tech Review Panel and created this graphic, which compartmentalizes the various pieces of information about Cho Seung Hui that were known by groups inside and outside the university. As outlined in text in the state report, the graphic illustrates that the Virginia Tech Police Department, Virginia Tech Residence Life and the various teachers who worked most closely with Cho had potentially relevant information about Cho that was not shared with Virginia Tech’s multidisciplinary Care Team (which had formal responsibility for threat assessment). It also illustrates that Cho’s high school had information that might have been of assistance to Virginia Tech, but was not shared when he registered or in the course of his studies.

Barring any significant developments, this is probably the last I’ll blog about Virginia Tech. Before moving on, however, I do feel compelled to share a personal thought. This is a blog, after all. You see, I’ve been a very responsible lawyer in blogging about this issue and have kept things nice and objective. I’ve purposely chosen not to use the word “tragedy” because I thought it unhelpful and obfuscatory.

Chapter 4, however, got to me. Perhaps it’s because I’m a new father and the Chapter starts with a story about Cho having a heart problem as an infant and his corrective medical procedure leading, at age three, to the start of severe emotional problems. It also touched me that, through the great efforts of his parents and his public school educators, Cho seemed to be managing his difficulties pretty well up until university. Then it all rapidly spiraled downwards to the terrible ending. Though he’s ultimately responsible for an atrocious act, I’m sad for Cho as I’m sad for his parents and his victims.

All of which underlies the essence of this issue. When privacy is balanced against security it rarely seems a fair fight. Privacy is well understood as a fundamental human right, yet security tends to be cast as just another intangible concept, and worse, one associated with institutional or governmental rather than human interests. I don’t believe that it’s always fair to characterize security interests this way. Security can be as much about helping troubled individuals as about preventing harm to others. I’m engaged by the Virginia Tech case because it demonstrates this well. Perhaps tragedy is a helpful word after all.

Categories: Campus and school security · Collection, use and disclosure · Health privacy · Human rights law · Universities and Colleges

Some comments on the Virginia Tech state report

September 6, 2007

As promised, here are some comments on the privacy-related aspects of the Virginia Tech state report. I’ve split this post into a part on legal issues and a part on policy issues.

Legal Issues - With no golden rule, strong policy should guide

Not all risks can be effectively mitigated by detailed policy, but given the need for decentralized decision-making about the sharing of information and the apparent inaccessibility of privacy legislation to laypersons, the student-at-risk/catastrophic violence challenge is clearly one that should be addressed through the promulgation of good policy.

Here’s a key quote from the report:

The widespread perception is that information privacy laws make it difficult to respond effectively to troubled students. This perception is only partly correct. Privacy laws can block some attempts to share information, but even more often may cause holders of such information to default to the nondisclosure option—even when laws permit the option to disclose. Sometimes this is done out of ignorance of the law, and sometimes intentionally because it serves the purposes of the individual or organization to hide behind the privacy law. A narrow interpretation of the law is the least risky course, notwithstanding the harm that may be done to others if information is not shared.

Following this theme, the report runs through a number of disclosures in the Virginia Tech case that could have been made, were not, but would have been permitted under applicable state and federal privacy laws.

Similar to the situation in Ontario (where I practice), in Virginia there’s no single “golden rule” or simplifying model to help teachers, administrators and student volunteers figure out what information can be shared about a student at risk, with whom and under what circumstances. Rather, there are a number of different rules - disclosure “exceptions” to be slightly more precise. These exceptions apply indirectly to the scenarios that commonly confront individuals in university and college communities.

In Ontario, for example, when teachers learn of disturbing behavior in the course of teaching, the legality of reporting that behavior to a case management team is ordinarily governed by the “need to know” rule or exception - i.e. the report is lawful if “necessary and proper in the discharge of the institution’s functions.” While this language may allow a lawyer to interpret whether a disclosure is permissible based on a set of facts, without specific guidance on what to do when a student demonstrates objectively threatening behavior, how’s a teacher to know whether reporting the behavior is permissible?

Post-secondary educational institutions must have systems in place that encourage the exercise of sound judgement and due diligence. Enabling the reporting of information about certain student behaviors through policy so these systems can function on complete and valid information is critical to their effectiveness.

Policy Issues - Parental disclosures and safe harbour provisions

I’d like to identify two good policy issues raised by the report, one for consideration by schools and another for consideration by government.

Issue 1: Should post-secondary educational institutions pursue a policy of sharing information about adult students at risk with their parents?

Consistent with the United States Department of Education’s philosophy on parental involvement, the state report clearly favours information sharing with parents:

During his formative years, Cho’s parents worked with Fairfax County school officials, counselors, and outside mental health professionals to respond to episodes of unusual behavior. Cho’s parents told the panel that had they been aware of his behavioral problems and the concerns of Virginia Tech police and educators about these problems, they would again have become involved in seeking treatment.

I’m not sure what Canadian post-secondary institutions will want to do with this. Is it reasonable to assume that all parental relationships will be supportive? How will institutions know if there is a benefit to the disclosure? If the decision to share information with parents is discretionary, what factors should inform the exercise of discretion? To what extent should schools rely on a disclosure to parents as a complete discharge of their duty of care (assuming such a duty exists)?

Issue 2: Should governments enact new exemptions to allow for disclosures made in a good faith belief that they are necessary for protecting health and safety?

The state report recommends this type of “safe harbour” exemption as a means of cutting through the confusion about how existing and general privacy exemptions apply to the health and safety problem illustrated by Virginia Tech. It states:

Laws protecting good-faith disclosure for health, safety, and welfare can help combat any bias toward nondisclosure.

The current health and safety exemptions in Ontario’s public sector privacy and health privacy statutes are objective standards that are based on a “serious harm” threshold. Short of this relatively high threshold, disclosures are only permitted under other more general exemptions like the “need to know” exemption noted above (which applies only to internal disclosures) or the similarly-obscure “consistent purpose” or “law enforcement” exemptions. Would acceptance of the safe harbour proposal lead to an appropriate clarification of the law? Is it important that privacy legislation be made accessible to laypeople? Will this type of amendment harm the integrity of the legislation?

***

I’m just scratching the surface with these comments, but hope they provoke some good thought amongst those who are interested in this subject. It’s a sad one, but I like the privacy-related ideas that have been raised following the shootings because they are simple, compelling and important. Look for more posts on campus security and privacy in the future.

Categories: Campus and school security · Collection, use and disclosure · Health privacy · Universities and Colleges

The Hicks Post - Data breach low hanging fruit

August 27, 2007

Paul Broad and I posted our fall edition of the Hicks Morley Information and Privacy Post today. It’s available here. In addition to some brief commentary on “data breach low hanging fruit,” we’ve included summaries of cases that we’ve reviewed since publishing our spring edition. The top draws in our current edition:

  • The Divisional Court’s FOI decision on the anonymization of databases and whether replacing a unique identifier (that is also personal information) creates a new record
  • The Ontario Court of Appeal’s finding that the public interest override in Ontario’s FOI legislation is unconstitutional and its reading-in remedy
  • A decision by labour arbitrator Paula Knopf on a challenge to an employer’s short term disability administration practices
  • The latest Ontario decision in the recent flare-up in drug testing litigation, a decision by labour arbitrator Jane Devlin
  • A June 27th American e-discovery case that illustrates how not to manage a complex e-discovery project

Please check out the Post. Hope you enjoy!

Categories: Data breaches · E-discovery · Employee privacy · FOI and open government · Health privacy

Medical information management for employers

August 10, 2007

I gained a penchant for diagrams during my foray into the business world, and I make no apologies for it!

I’d like to build this post around the diagram below, which illustrates a very common model by which employers manage medical information - i.e., one in which the employer seeks information from an employee’s treating physician through its own medical adviser.

[Diagram: meds2.jpg - the employer / employee / treating physician / medical adviser model, showing relationships “A”, “B” and “C” discussed below]

The point I’d like to make is that role definition is key to effective medical information management. When there is confusion about the players’ roles and responsibilities (especially vis-à-vis confidential medical information) the management process tends to break down.

Relationship “A” is the employment relationship. In most cases employers cannot obtain employee medical information without express written consent, but employees have a duty to consent to the release of medical information when it is reasonably necessary to the administration of the employment relationship. Employers typically need medical information for four purposes: (1) to determine the validity of an absence, (2) to determine eligibility for an income protection benefit, (3) to develop accommodation plans and proposals and (4) to ensure that employees can safely return to work.

In Ontario, section 49 of the Personal Health Information Protection Act requires employers to use and disclose medical information for only those purposes specified in the written medical release (ordinarily, the four noted above) and, essentially, share information internally on a need to know basis.

Relationship “B” is the treatment relationship. An employee’s treating physician has a professional and legal duty to act in the employee’s best interests. This does not mean that a physician must let a patient dictate his or her opinion. To the contrary, abdicating professional judgment in this manner is a breach of a physician’s duty. In this regard, the Ontario Medical Association has helped physicians reconcile employee and employer interests by advising them of the health-related benefits of a safe and early return to work.

Treating physicians also have a professional and legal duty to maintain patient confidentiality. They are subject to the full range of “health information custodian” rules in PHIPA, and may only release medical information to employers based on written consent.

Relationship “C” is either an employment or contractual relationship. Employers often retain the services of medical professionals to act on their behalf. These professionals typically (1) take custody of medical information received pursuant to a release and share it with management as permitted by the medical release and on a need to know basis, (2) evaluate and make objective recommendations to the employer about the sufficiency of information provided and (where it is sufficient) about eligibility for paid or unpaid leave, accommodation plans and return-to-work and (3) act as the employer’s liaison (and advocate) with the treating physician.

The medical adviser does not have independent legal or professional duties to the employee. He or she acts as the employer and shares the employer’s section 49 duty. Does he or she nonetheless play an important role in medical confidentiality? Yes. The medical adviser role helps create a confidentiality screen. By taking immediate custody of the medical information on behalf of the employer, he or she is the means by which the “need to know” rule is given effect. This is a difficult role, and sometimes out of a sense that he or she has an independent duty of confidentiality to the employee, the medical adviser takes a position at odds with the employer. This type of conflict can generally be avoided by establishing reasonable and PHIPA-compliant policy to guide the internal distribution of medical information received pursuant to a medical release.

The advisory model described above is common, but there are other models by which employers seek and obtain medical information they need to make employment-related decisions. In the Ontario Bar Association’s latest Eye on Privacy, I wrote an article called “Understanding Church and State - The Occupational Health and Safety Department and PHIPA,” in which I elaborated on Relationship “C” and briefly discussed how the legal duties change when an employer actually provides health care to its employees. I missed an opportunity to draw diagrams in that article, but if you’re interested in this topic you may nonetheless find them helpful.

Categories: Employee privacy · Health privacy · Records management