Tuesday, May 14, 2013

Bill 65 Creates New Corporate Privacy Right by Greg

Last month, I wrote about the Sask Party's choice to redefine "privacy" to apply to corporations under Saskatchewan's securities legislation:

Until now, privacy has been recognized under Canadian law as being an individual right. As Justice La Forest wrote, "An expression of an individual's unique personality or personhood, privacy is grounded on physical and moral autonomy - the freedom to engage in one's own thoughts, actions and decisions..." These core concepts - an individual's unique personality, physical and moral autonomy, and freedom related to personal thoughts and actions - have no place whatsoever in discussing corporate interests.
...
(A) redefinition of privacy to benefit corporations would have consequences that might prove antithetical to a libertarian viewpoint. If a right intended to protect individuals from corporate and state intrusion gets turned on its head, there's no telling what individual interests might end up being annihilated in the name of corporate privacy - from negative reviews to whistleblowing to basic consumer and investor disclosure requirements.

Well, Bill 65 has now been passed without any change to the bill's new declaration of a corporate privacy right. So what will that mean for the interpretation of Saskatchewan law?

It's true - as argued by the Wall government - that the protection of personal information under the Freedom of Information and Protection of Privacy Act isn't directly changed by the wording of securities legislation. But that's largely because FOIP - rather than relying on the term "privacy" as its basis for protecting information - is instead highly specific in its definition of "personal information".

In contrast, the Privacy Act is deliberately broad in addressing breaches of privacy held by a "person" - a term which by law includes a corporation. And the Wall government's choice to declare the existence of corporate privacy under securities legislation will allow corporations to argue that there's some legislative intent to create a cone of silence around corporate activity - meaning that there's now additional risk of a tort claim against anybody who publishes internal documents which a corporation wishes to suppress, or monitors corporate activity without the corporation's agreement. 

Again, the problem could have been avoided by simply mirroring the wording of FOIP and other statutes which protect genuinely confidential information and trade secrets without decreeing that all corporate activity is presumptively hidden from public view. But the Sask Party has instead chosen to completely rewrite the existing meaning of "privacy" to extend it to corporate interests. And we can only guess what fallout that will produce in the years to come.

[A more opininated version of this post can be found at Accidental Deliberations.]

This blog consists of general legal information only, and does not constitute the provision of legal advice to any person or organization. Please contact me at gfingas@grj.ca if you require legal advice related to privacy issues.

Thursday, September 13, 2012

Workplace Internet Use by Greg

Adam Hunter's CBC report features my brief comment on how web surfing at work can serve as grounds for discipline or dismissal. But I'll expand somewhat on the factors which may affect an employer's ability to rely on personal web use to take action against an employee.

First, there's the employer's policy (assuming an employer has one - though the lack of a specific policy don't necessarily rule out discipline or dismissal if an employee's online activity is serious enough to provide just cause on its own even without a warning).

Where a policy is in place, the factors to take into consideration are the wording of the policy itself, whether it's brought to the affected employee's attention, and how stringently the policy is enforced in general - as courts and arbitrators alike will generally be hesitant to find grounds for dismissal in behaviour that's accepted from other employees.

Second, there's the legislation governing the employer. At the moment, there's no specific legislation governing the collection and use of personal information by provincially-regulated private employers in Saskatchewan. But federally-regulated and public-sector employers are subject to legislation limiting what they can collect and use - meaning that they'll need to point to some valid purpose in looking at an employee's personal activity.

Finally, there's the question of whether or not the workplace is unionized. If so, and if terms surrounding online activity have not been collectively bargained with the union, then the employer will normally have to exercise its authority to review employee computer use and impose associated discipline in a reasonable manner.

Again, the sure way to avoid discipline for personal use of work equipment is to avoid mixing the two. But that may not be possible for reasons beyond an employee's control - for example, if a work contact begins a personal conversation through a work e-mail account. And clear guidelines as to what content is permitted and what will give rise to discipline can help both employers and employees to know in advance what's appropriate at work.

This blog consists of general legal information only, and does not constitute the provision of legal advice to any person or organization. Please contact me at gfingas@grj.ca if you require legal advice related to employee use of computer equipment or related privacy issues.

Friday, April 27, 2012

Law Reform Commission of Saskatchewan Recommendations on the Privacy Act by Greg

The Law Reform Commission of Saskatchewan has released a report on the future of the Privacy Act, featuring four general recommendations.

First, the Commission concluded that the general tort of breach of privacy created by the Privacy Act should have a role to play in protecting privacy notwithstanding other means available to pursue the same end. In particular, the Commission compared the Privacy Act to more comprehensive "code" legislation as follows at p. 16:

The comprehensive code approach of legislation like The Freedom of Information and Protection of Privacy Act is desirable, but may lack the flexibility to deal with unexpected and novel circumstances. The Privacy Act may remain useful to fill gaps in the legislation.

Gaps are apt to exist for several reasons. Not all threats to privacy are likely to attract the kind of attention legislators have given to information gathering. New issues can be expected to arise more rapidly than legislators can react. As the British Columbia Law Institute observes:

Without a general civil remedy for violation of privacy, conduct that does not involve the misuse of personal information and that does not reach the level of criminality, but which is still offensively invasive, might not be subject to any legal sanction.

Second, the Commission proposed two noteworthy amendments to the elements of the tort of breach of privacy, both addressing the standard of knowledge of the defendant. Rather than requiring that a breach itself be "wilful", the Commission proposed that the cause of action include proof that the defendant (1) knew or ought to have known that the breach constituted a non-trivial violation of the privacy of the plaintiff; and (2) did not honestly and reasonably believe that some legal justification or excuse existed for the breach.

In effect, these amendments would allow for some liability in cases where evidence about the defendant's actual knowledge and intent is nonexistent or entirely neutral: in such a case the "ought to have known" standard under the first branch could apply, while the absence of an evidentiary basis to establish an honest and reasonable belief would allow the claim to succeed under the second. However, I do wonder whether the combination is more complicated than necessary - and in particular, whether actual or imputed knowledge that a breach is non-trivial should form a separate element of the tort.

Third, the Commission recommended a specific provision to the effect that activities in a public setting may nonetheless enjoy a reasonable expectation of privacy. This would serve as a useful clarification of the types of privacy interests intended to be covered, as past cases have offered conflicting conclusions as to what privacy interest (if any) exists outdoors or on common or public property.

Finally, the Commission proposed two additional listed examples of breaches of privacy. While these may serve to modernize the legislation, though, I wonder whether there could be any dispute that unauthorized access to or surveillance of a computer would already be captured by the general provision in section 2.

We should find out in the relatively near future whether the recommendations are met with some action to update the Privacy Act, and I'll be interested to see whether a set of amendments can spur the type of case-law evolution expected when the Privacy Act and its counterpart legislation elsewhere was passed decades ago.

This blog consists of general legal information only, and does not constitute the provision of legal advice to any person or organization. Please contact me at gfingas@grj.ca if you require legal advice related to a breach of privacy.

Saturday, January 21, 2012

Contrasting Intrusion upon Seclusion and Breach of Privacy by Greg

The Ontario Court of Appeal's landmark decision in Jones v. Tsige, 2012 ONCA 32 establishes a common-law tort of "intrusion upon seclusion" covering some of the territory associated with tort actions for breach of privacy. But while Sharpe J.A. refers extensively to the statutory torts which exist in several provinces including Saskatchewan, there are some key differences between the new common-law tort and the standards applicable to Privacy Act claims to date. Indeed, the Ontario Court of Appeal expressly followed principles set out in U.S. tort law rather than those from Canadian provincial statutes - but in so doing, it raised the question of whether courts interpreting provincial privacy statutes will do the same.

Sharpe J.A. set out the elements of the new tort at para. 71 of Jones v. Tsige:

The key features of this cause of action are, first, that the defendant’s conduct must be intentional, within which I would include reckless; second that the defendant must have invaded, without lawful justification, the plaintiff’s private affairs or concerns; and third, that a reasonable person would regard the invasion as highly offensive causing distress, humiliation or anguish.

Compare the third element in particular to Saskatchewan's Privacy Act, which on its face establishes no obligation on the part of a plaintiff to meet the standard of demonstrating that the defendant's action was "highly offensive". Instead, an action may be brought based on any breach of privacy which is "wilful and without claim of right" (s. 2), including a list of specific actions (s. 3); the obligation then lies on the defendant to prove the application of a defence (s. 4).

The elements of the tort of breach of privacy as defined to date were set out by Ottenbreit J.A. in Bigstone v. St. Pierre, 2011 SKCA 34 at para. 34:

At this stage of the development of the jurisprudence respecting the Act, a claim must contain allegations so that, at a minimum, the following is clear:

1.  the action is pursuant to the Act;

2. there is an act or actions which are claimed to be a violation of privacy which comes within the arguable scope of the Act;

3.  the privacy is that of a person;

4.  the type of privacy interest violated is generally identifiable; and

5.  the violation is wilful and without claim of right.

But to what extent will this standard - acknowledged by Ottenbreit J.A. to represent only an early stage of the development of the law under provincial Privacy Acts - continue to apply in the wake of Jones v. Tsige?

One plausible interpretation would suggest that the more onerous test which must be met by a plaintiff under the common-law tort set out by Sharpe J.A. is justifiable in the absence of legislative action to provide greater privacy protection. However, it may also be argued that the goal of legislators in establishing statutory torts was to allow courts to determine the precise contours of actionable breaches of privacy; indeed, Sharpe J.A. noted precisely this intention at para. 54 of Jones v. Tsige. Defendants facing claims for breach of privacy under statute may thus be expected to argue that the element of offensiveness should be imported into the definition of the statutory tort - and it remains to be seen whether the elements of the common-law tort set out in Jones v. Tsige and the statutory causes of action under provincial statutes will eventually intersect.

Meanwhile, Sharpe J.A. did make clear at para. 82-84 and 87 of Jones v. Tsige that the assessment of damages under the new tort of intrusion upon seclusion will be based on the principles set out in existing Privacy Acts and associated cases. As a result, practitioners in provinces with statutory torts will have reason to keep a close eye on case developments in intrusion upon seclusion.

For more on Jones v. Tsige, see further posts from Barry Sookman, Dan Michaluk, Mark Hayes and Omar Ha-Redeye.

This blog consists of general legal information only, and does not constitute the provision of legal advice to any person or organization. Please contact me at gfingas@grj.ca if you require legal advice related to a breach of privacy.

Friday, July 22, 2011

OIPC's Albert Park Clinic Report - Breaking New Ground Under HIPA by Greg

Information and Privacy Commissioner Dickson's Investigation Report H-2011-001 has received ample media attention over the past few days in its thorough review of mismanagement of personal health information at the Albert Park Family Medical Centre. But while much of the report involves documenting and identifying obvious violations of a trustee's obligations under the Health Information Protection Act and reiterating basic advice as to the types of policies and procedures required to protect personal health information, a few of Commissioner Dickson's observations break some new ground in the interpretation of HIPA.

To start with, Commission Dickson considered the nature of trusteeship under HIPA, particularly in assessing whether Dr. Teik Im Ooi could escape responsibility for management of personal health information by her "managing partner". Commissioner Dickson concluded at para. 65 that notwithstanding her apparent deference to the decisions of her partner, Dr. Ooi remained fully responsible for HIPA compliance as a trustee:

As a partner, if she chose to defer to her partner in terms of patient records and related decisions as she apparently has done, she is nonetheless liable for the consequences of bad decisions made by her former business partner.

Commissioner Dickson went on to note at para. 78 that on taking sole trustee of records containing personal health information, Dr. Ooi was responsible for the management of those records over their full life cycle - including for decisions about off-site storage made by others:

In the circumstances of APFMC, Dr. Ooi had a responsibility to learn of any arrangements made by her present and former partners with respect to off-site storage of patient records and to initiate any action required to ensure compliance with HIPA.

Among the failings identified by Commissioner Dickson was a lack of any system to identify or index large volumes of patient records. Commissioner Dickson held at para. 180 that such indexing is required for a trustee to comply with its obligation under section 17(2)(a) to keep personal health information in a form which is "retrievable, readable and useable for the purpose for which it was collected".

Commissioner Dickson also reviewed the application of HIPA section 18 respecting information management service providers. Commissioner Dickson concluded that the IMSP title applied to numerous parties, including not only the pharmacist tasked with finding storage space for APFMC's records, but also the landlord who provided the space and even Dr. Ooi's own children and their friends who were paid to review, cull and move files.

This finding may have been primarily intended to ensure that Dr. Ooi's use and disclosure of personal health information received scrutiny under section 18(1). However, it also serves to impose potential liability on the IMSPs themselves under section 18(3) - highlighting the danger that even a party which would not see itself as likely to hold any obligations under HIPA might itself become liable through the mistakes of a trustee.

Finally, Commissioner Dickson recommended that the Minister of Justice consider commencing a prosecution under HIPA - which would represent a new step in Saskatchewan. In a future post, I'll deal with the ramifications of that step in more detail.

This blog consists of general legal information only, and does not constitute the provision of legal advice to any person or organization. Please feel free to contact me at gfingas@grj.ca if you require legal advice related to privacy or access to information.