Volume 8, No. 3 - May/Mai 2008


Editors:
Laura W. Davison
Abiodun O. Lewis

OBA News Editor:
Vickie Rose

ARTICLES

To Notify or Not to Notify

By Pat Flaherty and Jana Stettner
Considerations in the absence of an explicit statutory duty to notify.

When the Government Commits a Privacy Breach or Causes Identity Theft
By Howard R. Fohr
The case for extending statutory breach notification to federal government institutions.

Bill C-27: Identity Theft and Related Misconduct
By Howard Simkevitz
Call for new standards to contend with identity theft.

Privacy and Video Surveillance under FIPPA and MFIPPA
By Priscilla Platt and Adam Kardash
Putting the IPC report in context.

IPC Special Report on TTC Video Surveillance
By Sylvia L. Tint
Drawing conclusions from the IPC report.

Recent Cases Illustrate Polarity of Privacy Rules for Litigants
By Dan Michaluk
Open courts principle at odds with litigants’ right to privacy: need for a middle ground?

Swiping Away Our Privacy
By Nyall Engfield
Decision illustrates application of core privacy principles.

EDITORIAL

From the Editorial Desk
By Abi Lewis

SECTION NEWS

The OBA Karen Spector Memorial Award for Excellence in Privacy Law


Eye on Privacy: The OBA Privacy Law Review is published by the Privacy Law Section of the Ontario Bar Association. The Editors welcome submissions on privacy law matters of interest to our members.

The articles that appear in this publication represent the opinions of the authors. They do not represent or embody any official position of, or statement by, the OBA except where this may be specifically indicated; nor do they attempt to set forth definitive practice standards or to provide legal advice. Precedents and other material contained herein are intended to be used thoughtfully, as nothing in the work relieves readers of their responsibility to consider it in the light of their own professional skill and judgment.

To Notify or Not to Notify

Pat Flaherty and Jana Stettner*


There are a growing number of cases of organizations reporting the loss, mistaken disclosure or theft of personal information collected in the course of commercial activities. Perhaps one of the largest cases of loss of personal information occurred last November, when it was reported that the British government lost two computer disks containing the names, addresses, National Insurance numbers, and in some cases bank account information, of over 40% of the British population.[1] This example, while not in a commercial context, illustrates the potential for large scale loss of sensitive personal information, creating a risk of harm, including identity theft, to affected individuals.

While there is currently no express obligation in the Personal Information Protection and Electronic Documents Act[2] (PIPEDA) for organizations to notify affected individuals or privacy regulators when breaches occur, government and regulators are paying increasing attention to this issue. Other jurisdictions are also paying close attention, with the majority of US states having already adopted legislation with mandatory breach notification requirements, including in some cases large fines for failure to comply.[3] This article will discuss provisions of PIPEDA and Ontario’s Personal Health Information and Protection Act[4] (PHIPA) that are relevant to the issue of notification, the status of the government’s consideration of amendments to PIPEDA to include a mandatory notification requirement, as well as best practices for organizations to follow until such time as any amendments are made.

PIPEDA and PHIPA

While there is no express requirement in PIPEDA for organizations to notify affected individuals or privacy regulators that there has been a privacy breach, this does not preclude the Office of the Privacy Commissioner (OPC) from taking the position that notification is nevertheless required under the mandatory principle in Schedule 1 that personal information be protected by “security safeguards” appropriate to the sensitivity of the information.[5] [6] For example, where affected individuals may be able to take steps to prevent the unauthorized use of information that has been lost, the OPC may take the view that, under the security safeguard principle, the organization is required to notify affected individuals of the breach.

Unlike PIPEDA, section 12 of PHIPA contains an express obligation for health information custodians to report the theft, loss or unauthorized access of personal health information, regardless of the circumstances or risk of harm to individuals. Section 12 requires notification to be made at the first reasonable opportunity, but does not articulate the specific manner by which notification is to be made nor does it require privacy regulators to be notified.

Amendments to PIPEDA

While no specific amendments to PIPEDA have been tabled, the OPC has recommended amendments to make notification of breach to affected individuals mandatory.[7] The government has also been considering this issue.

The House of Commons Standing Committee on Access to Information, Privacy and Ethics (Committee) tabled a report in May of last year which did not recommend the creation of a general duty to notify in all cases, but instead proposed that organizations have a duty to report certain defined breaches to the Commissioner, who would then make the determination of whether affected individuals should be notified.[8]

The government responded to the Committee’s report in October.[9] It supported mandatory notification of individuals and regulators for breaches where there is a “risk of significant harm to individuals”, but did not support a general requirement to provide notification of all breaches. The government also did not support the Committee’s proposal that the Commissioner make the determination of whether affected individuals are to be notified, stating instead that organizations must make this determination on a case by case basis based on an analysis of the risk of harm. In light of the government’s response to the Committee’s report, it seems unlikely that PIPEDA will be amended to require a duty to notify in all cases of breach.

OPC’s Guideline and Best Practices

While PIPEDA itself does not speak directly to the issue of when notification is required, the OPC has published a guideline to assist individuals in determining whether notification is appropriate.[10] The guideline lists factors for organizations to consider and states that if a breach creates a risk of harm to individuals, those individuals should be notified. The guideline further encourages organizations to report material privacy breaches to the appropriate privacy commissioner(s) so that they are better able to respond to public inquiries.

In making the difficult determination of whether to notify affected individuals and regulators, it is useful for organizations to consider the purposes notification is intended to serve. The primary purpose of notifying affected individuals is to enable them to mitigate the risk of harm. Accordingly, whether there is in fact a risk of harm and whether it is possible for the affected individuals to mitigate that risk will be important considerations for organizations in determining whether notification is appropriate.

In cases where individuals are notified, it may also be appropriate to notify the relevant privacy regulators so that they are equipped to deal with any questions or complaints they may receive. The primary purpose of notifying privacy regulators of a breach is for them to identify problems of a more systemic nature in an organization which need to be addressed.

In this respect, the OPC’s guideline, though it does not create a statutory obligation, may be asserted by prospective plaintiffs as creating a standard of care or best practice that could be relevant when determining whether notification should have been made.[11] Finally, while organizations may view risk of harm to reputation or brand as the largest downside of notifying affected individuals of a breach, there may in fact be more harm to reputation if an organization fails to notify and any preventable harm results.

* Pat Flaherty and Jana Stettner are with the Toronto office of the law firm Torys.


[1] British Govt. Loses Data on Almost Half Its Population (21 November 2007), Wall Street Journal.
[2] S.C. 2000, c.5.
[3] PIPEDA Review Discussion Document: Protecting Privacy in an Intrusive World (18 July 2006), Office of the Privacy Commissioner of Canada.
[4] S.O. 2004, c. 3.
[5] See section 4.7 (Principle 7) in Schedule 1 to PIPEDA.
[6] Organizations must also consider whether, aside from any statutory obligations, they have a contractual obligation to notify affected individuals of a breach.
[7] News Release: Privacy Commissioner releases privacy breach guidelines (1 August 2007), Office of the Privacy Commissioner of Canada.
[8] House of Commons, Committee on Access to Information, Privacy and Ethics, Statutory Review of the Personal Information Protection and Electronic Documents Act (PIPEDA), Fourth Report, 1st Session, 39th Parliament, May 2007.
[9] Industry Canada, “Government Response to the Fourth Report of the Standing Committee on Access to Information Privacy and Ethics”, Statutory Review of the Personal Information Protection and Electronic Documents Act (PIPEDA).
[10] Key Steps for Organizations in Responding to Privacy Breaches (28 August 2007), Office of the Privacy Commissioner of Canada
[11] See Somwar v. McDonald’s Restaurants of Canada Ltd., (2006), 79 O.R. (3d) 172 (S.C.J.), which involved a motion to strike out a claim for invasion of privacy as disclosing no reasonable cause of action. Justice Stinson denied the motion to strike holding that the time has come to recognize invasion of privacy as a tort in its own right.


When the Government Commits a Privacy Breach or Causes Identity Theft

No Breach Notification Requirement and No Recourse?

Howard R. Fohr*


Privacy Breach Notification – Is the Federal Government Getting a Free Ride?

The possibility of imposing a statutory privacy breach notification requirement upon private sector companies has been a hot topic of late, as a result of the statutory review of the Personal Information Protection and Electronic Documents Act (PIPEDA)[1] and some high profile privacy breaches.[2] Calls for the imposition of such a legal obligation upon private organizations are not surprising, given concerns about identity theft if personal information falls into the wrong hands. However, what is surprising is the lack of a similar call to impose a statutory breach notification requirement upon a government institution that suffers a privacy breach. Clearly government institutions are not immune from experiencing a privacy breach.[3]

It would seem rather strange to have a small family-owned business held to a higher privacy standard than the federal government, which possesses significantly greater resources. Indeed, while individuals can often choose whether or not to provide their personal information to private sector organizations, in many cases they have no such choice with government institutions, which sometimes have a statutory right to collect very sensitive personal information (e.g., Social Insurance Number and financial information for income taxes; health information, etc.). However, the federal Privacy Act currently imposes no breach notification requirement upon government institutions subject to that statute. The Privacy Commissioner of Canada (“Commissioner”) has stated that “an overhaul of the Privacy Act is absolutely critical”,[4] but it is quite likely that PIPEDA will be amended to impose breach notification requirements upon that small family-owned business before any consideration is even given to drafting similar amendments to the Privacy Act.

Concerns about Identity Theft a Driving Force for Privacy Breach Notification

It has been suggested that there should be a statutory requirement in PIPEDA for private sector organizations to notify those affected by the loss or theft of their personal information “where a high risk of significant harm to individuals or organizations exists”.[5] One of the reasons for notification is to enable the affected individuals to mitigate damages by taking steps to protect themselves, including from the risk of identity theft.[6] In keeping with this “self help” focus, the Commissioner has also published a number of guidance documents on how to prevent identity theft, as well as what can be done if an individual is an identity theft victim.[7]

But what about when it is a government entity that is the cause of identity theft – either through a privacy breach or simply as the result of an overbroad collection of personal information and lax standards regarding publication or disclosure of such data? A recent case of the U.S. Court of Appeals is an interesting example of the latter situation. The decision is undoubtedly rather disappointing for privacy advocates in that country, and instructive for those concerned about how their personal information is handled by government entities in Canada.

Claim of Identity Theft Victim Rejected by Sixth Circuit of the U.S. Court of Appeals

In Lambert v. Hartman (Clerk of the Courts) et al,[8] the Sixth Circuit of the U.S. Court of Appeals rejected a suit of an individual who experienced identity theft as a result of the actions of a government entity. The action certainly seemed to have a sympathetic fact situation. The complainant alleged she had suffered identity theft as a result of the defendants publishing her traffic citation on the Clerk of the Courts’ public website. The scope of the personal information disclosed was rather troubling, as the traffic citation form utilized in the State of Ohio included not just information like name, address and driver’s licence, but also birth date and Social Security Number.

As an initial observation, having the Social Security Number collected for a traffic citation is an example of excessive collection of personal information by a government entity. This privacy issue was then exacerbated by the Clerk of the Courts, who then published traffic citations on a publicly accessible website. Indeed, the website made it possible to search and locate traffic citations with all of the individual’s identifying information that was recorded on the ticket.

About a year after having received a traffic ticket for speeding, Lambert was contacted by two retail stores about suspicious purchases that had been made in her name. It appeared clear that the identity theft she experienced was directly due to the publication of her traffic citation on the Clerk’s website, with fraudsters subsequently harvesting information from that site. Both the website and the fake identification used by the thief contained a driver’s licence number that was incorrect by one digit, and an individual who was ultimately arrested admitted she stole the plaintiff’s identifying information from the Clerk’s website. However, even after the plaintiff called the Clerk’s office to complain, the government entity refused to remove the information from the website, stating that removing the records would require “vast amounts of manpower”.

The plaintiff commenced an action pursuant to 42 U.S.C. § 1983 against both the Clerk of the Courts as well as the Board of County Commissioners. She alleged she had suffered economic damages, including damage to her credit rating and reputation, as a result of her identity being stolen due to the publication of her personal information. Moreover, she claimed that the publication of her traffic citation violated her constitutional right to privacy under the Fourteenth Amendment to the U.S. Constitution, and also sought to certify her complaint as a class action.

However, the U.S. Court of Appeals dismissed the complaint, holding that the defendants’ actions did not infringe any constitutional right to privacy under the Fourteenth Amendment to the U.S. Constitution.[9] While there was U.S. Supreme Court jurisprudence which indicated that, in certain circumstances, the Fourteenth Amendment might provide an informational right to privacy to avoid disclosure of personal matters and provide the individual with control of the nature and extent of information released, Lambert’s situation did not implicate a “fundamental liberty interest”.[10] The court indicated that a constitutional right to informational privacy only arose in “two instances”, namely:

  1. Where the release of personal information could lead to bodily harm (citing Kallstrom v. City of Columbus, 136 F.3d 1055 [6th Cir. 1998]); and
  2. Where the information released was of a personal and humiliating sexual nature (citing Bloch v. Ribar, 156 F.3d 673 [6th Cir. 1998]).

In contrast to the “two instances” that had previously been recognized by the 6th Circuit, Lambert’s claim only identified a risk of “financial harm” rather than the potential or actual harm suffered by the plaintiffs in Kallstrom and Bloch. The court was not inclined to expand the list of constitutionally protected privacy interests beyond the existing cases of protection of physical invasion upon personal security and bodily integrity. While identity theft is a serious personal invasion, it did not rise to the level that required constitutional protection. Lambert’s injuries were “more properly described as financial in nature and not truly liberty interests at all”.

Similar Challenges in Canada?

While the constitutional framework at issue in Lambert is distinguishable from that found in Canada, the decision is an example of how difficult it may be for an identity theft victim to seek recourse where it is a government institution that causes a privacy problem. Indeed, it is by no means clear what the basis of a claim would be against a Canadian government entity that caused an individual to suffer identity theft.

For example, while the federal Privacy Act contemplates the Commissioner receiving and investigating complaints from individuals who allege that a government institution has used or disclosed their personal information otherwise than in accordance with the legislation,[11] the Commissioner is effectively limited to producing a report of findings and “recommendations”.[12] The recourse to the Courts set out by section 41 of the Privacy Act is restricted to allowing an individual “who has been refused access to personal information” by a government institution to seek judicial review of that refusal.[13] As the Commissioner has recently noted, a “section 41 application may not be made in regard to the collection, use or disclosure of a complainant’s personal information by a government institution.”[14] In other words, if a government entity has inappropriately disclosed personal information and this has resulted in identity theft, do not look to section 41 of the Privacy Act to obtain relief from the courts.

Moreover, section 74 of the Privacy Act provides a government institution with certain protections from civil proceedings where personal information has been disclosed in “good faith.” This section states:

Notwithstanding any other Act of Parliament, no civil or criminal proceedings lie against the head of any government institution, or against any person acting on behalf or under the direction of the head of a government institution, and no proceedings lie against the Crown or any government institution, for the disclosure in good faith of any personal information pursuant to this Act, for any consequences that flow from that disclosure, or for the failure to give any notice required under this Act if reasonable care is taken to give the required notice.

Thus, if the federal government was the defendant in an action involving facts similar to Lambert, it is conceivable the plaintiff’s claim for relief might be met with a motion to strike. There was no suggestion in Lambert that either the police, the Clerk of the Courts, or the County were acting in “bad faith”, so section 74 of the Privacy Act might prove to be a formidable hurdle.

Clearly, the statutory recourse available to a citizen who has experienced identity theft as a result of federal government action (or inaction, as the case may be) is rather thin gruel. Private sector companies subject to PIPEDA that experience a privacy breach find themselves in the midst of class action settlement negotiations,[15] but the statutory privacy regime applicable to the federal government may make that a remote possibility where it is the government that has had personal information lost or stolen. While the common law relating to the tort of invasion of privacy is developing,[16] it is nevertheless uncertain whether these developments would sustain an identity theft claim.

So what is a citizen concerned about the privacy of his or her personal information held by a federal government institution to do? Pushing for a breach notification amendment to the federal Privacy Act would be a good start, so that government institutions are obliged to notify affected individuals in the event of a privacy breach that involves their personal information. Then at least “self help” remedies might be available to affected individuals to mitigate potential damages. Admittedly, such an amendment might not be of much assistance in a Lambert-like situation, if a Canadian government institution collected an excessive amount of personal information and had lax publication standards.[17] But a statutory breach notification requirement upon government institutions would be a good start. It would be unfortunate if the attention and resources given to possibly amending PIPEDA to establish a statutory breach notification regime upon private sector entities prevented an equally if not more important amendment being made to the federal Privacy Act.

* Howard R. Fohr is a Commercial Counsel with Research In Motion Limited. The views expressed in this article are solely those of the author.


[1] See Fourth Report of the Standing Committee on Access to Information, Privacy and Ethics (May 2007), as well as the Government Response that was presented to the House of Commons on October 17, 2007.
[2] See for example Privacy Commissioner of Canada, “Report of an Investigation into the Security, Collection and Retention of Personal Information: TJX Companies Inc. /Winners Merchant International L.P.” (September 25, 2007); “Privacy Commissioner launches investigation of CIBC breach of Talvest customers' personal information” (January 18, 2007).
[3] See for example Kenyon Wallace, “Passport applicant finds massive privacy breach”, The Globe and Mail (04/12/07)
[4] Privacy Commissioner of Canada, “Annual Report to Parliament 2006-2007 - Report on the Privacy Act”.
[5] See Government Response, supra. See also Privacy Commissioner of Canada, “Letter in response to Industry Canada's consultation regarding the review of the Personal Information Protection and Electronic Documents Act (PIPEDA)” (January 15, 2008).
[6] Privacy Commissioner of Canada, “Key Steps for Organizations in Responding to Privacy Breaches”.
[7] See Privacy Commissioner of Canada, “Key Issues: Identity Theft”.
[8] 2008 U.S. App.Lexis 4019 (6th Cir.).
[9] In its review of jurisprudence relating to the Fourteenth Amendment, the 6th Circuit considered two earlier cases it had rendered, which were seemingly contradictory. In Kallstrom v. City of Columbus, 136 F.3d 1055 (6th Cir. 1998), the Court of Appeal had held that undercover police officers’ privacy interest in their personnel files was of a constitutional dimension where there was a threat to the personal security, bodily integrity, and possibly the lives of the officers and their family members when the City released such files to lawyers for members of a gang the officers had infiltrated. However, in Barber v. Overton, 496 F.3d 449 (6th Cir. 2007), the same court had held that prison guards challenging the release of their Social Security Numbers by prison officials to inmates had not demonstrated a constitutional violation of their rights to privacy because, inter alia, the threat of retaliation was not apparent enough to warrant constitutional protection.
[10] The Court held that a “reasonable expectation of privacy” standard was not sufficient to ground a constitutional right vis-à-vis the Fourteenth Amendment of the U.S. Constitution.
[11] Privacy Act, R.S.C, 1985, c. P-21, section 29.
[12] Privacy Act, supra, subsection 36(3).
[13] Privacy Act, supra, section 41.
[14] Privacy Commissioner of Canada, “Section 41 of the Privacy Act - Court Review of Refusals to Give Access to Personal Information”, (Fact Sheet issued on April 3, 2008).
[15] See for example Wong v. TJX Companies, Inc., 2008 CanLII 3421 (ON S.C.).
[16] See for example Somwar v. McDonald’s Restaurants of Canada Ltd. (2006), 79 O.R. (3d) 172 (S.C.J.).
[17] Presumably the limitations upon the collection, use and disclosure of personal information set out by sections 4 to 9 of the Privacy Act mitigate this risk.


Bill C-27 - Identity Theft and Related Misconduct

Howard Simkevitz*


Introduction

Criminals use different methods in cyberspace than in real space. The importance of addressing this difference is becoming more pronounced as society’s reliance on information and technology infrastructure increases. As a result, taking into account the use of technology must be integral to sound legislative initiatives. It can no longer be a case of using old laws to adapt to new technology.

Identity theft provides an excellent example of the impact technology has had on crime. Reports of identity theft run rampant in the popular press. Interestingly, however, the Criminal Code[1] does not contain a specific identity theft offence. In fact, most of the provisions attempting to address identity theft are fraud provisions that predate the advent of the Internet, save for offences dealing with credit and debit cards[2] and “[u]nauthorized use of a computer”.[3] This latter section is useful insofar as it can be used to capture fraudulent use of identity information over the Internet. The section states:

Every one who, fraudulently and without colour of right,
(a) obtains, directly or indirectly, any computer service,
(b) by means of an electro-magnetic, acoustic, mechanical or other device, intercepts or causes to be intercepted, directly or indirectly, any function of a computer system,
(c) uses or causes to be used, directly or indirectly, a computer system with intent to commit an offence under paragraph (a) or (b) or an offence under section 430 in relation to data or a computer system, or
(d) uses, possesses, traffics in or permits another person to have access to a computer password that would enable a person to commit an offence under paragraph (a), (b) or (c)…[4]

The effectiveness of the provisions regarding unauthorized use of a computer and fraudulent use of credit or debit cards is limited. For example, although it is illegal to fraudulently use personal information, there is nothing to address the unauthorized collection or possession of, or trafficking in such information. Canada not only lacks a clear definition of the crime (i.e. identity theft), but law enforcement is unable to intervene until, more often than not, it is too late. Seemingly, policy makers have caught on (or have been impelled to catch on) that there is a need to close such legislative gaps.

The Bill

Bill C-27[5] had its second reading on January 30th of this year. Assuming there is no election this spring, it is reasonable to assume the bill will pass through the House of Commons. There are at least two reasons why: 1) the bill has not received any significant opposition in either of its readings thus far; and 2) there seems to be recognition by most members of Parliament that something needs to be done to contend with identity theft.

The general purpose of the bill is to create three new offences:

  1. obtaining or possessing identity information with the intent to use it to commit certain crimes;[6]
  2. trafficking in identity information with knowledge of or recklessness as to its intended use in the commission of such crimes;[7] and
  3. possessing and trafficking in certain government-issued identity documents belonging to another person – expanding the relevant documents from passports to include Social Insurance Numbers, drivers’ licenses, birth certificates, and a number of other identity papers.[8]

Furthermore, and importantly, the bill introduces the concept of restitution for the victim.

Discussion

The bill’s proposed amendments are laudable in three ways. First and foremost, by criminalizing the foregoing, the bill gives law enforcement the ability to intervene at the stage of possession and trafficking – before fraud has actually been committed.

Second, the bill is forward thinking, and tries to anticipate the use of technology and not shy away from it. For example, it does a good job capturing the various technical manifestations of identity, including biometrics, which will undoubtedly be a significant source of identity theft in future years. The anticipatory nature of the bill becomes evident when looking at the very definition of “identity information” in the proposed section 402.1 of the Code:

For the purposes of sections 402.2 and 403, “identity information” means any information — including biological or physiological information — of a type that is commonly used alone or in combination with other information to identify or purport to identify an individual, such as a fingerprint, voice print, retina image, iris image, DNA profile, name, address, date of birth, written signature, electronic signature, digital signature, user name, credit card number, debit card number, financial institution account number, passport number, Social Insurance Number, health insurance number, driver’s licence number or password.[9]

Though more restrictive than the definition of “personal information” in the Personal Information Protection and Electronic Documents Act,[10] the list in section 402.1 is non-exhaustive, so it does leave room for other incarnations of identity information, as technology inevitably evolves.

Third, the bill appears to recognize the power of market forces to assist with regulating the prescribed conduct. As mentioned above, in addition to jail time for fraudulent acts, identity thieves will now be facing the possibility of having to reimburse their victims for costs incurred as a result of the fraud (e.g., the price of rehabilitating identity, replacing cards and documents, and correcting credit history).[11]

This notion of restitution becomes increasingly relevant where the accused is an employee of a company. Although the focus of this article is not one of corporate liability, it is important to note that this concept can be found in the Code. Criminal intent may become attributable to an organization where: (i) the organization benefits, to some degree, from the offence, and (ii) a senior officer is a party or has knowledge of the commission of the offence and fails to take all reasonable steps to prevent or stop its commission.[12] However, such a finding requires a threshold of reasonableness by which criminal intent can be imputed.

The proposed section 402.2 of the bill states:

(1) Everyone commits an offence who knowingly obtains or possesses another person’s identity information in circumstances giving rise to a reasonable inference that the information is intended to be used to commit an indictable offence that includes fraud, deceit or falsehood as an element of the offence.

(2) Everyone commits an offence who transmits, makes available, distributes, sells or offers for sale another person’s identity information, or has it in their possession for any of those purposes, knowing or believing that or being reckless as to whether the information will be used to commit an indictable offence that includes fraud, deceit or falsehood as an element of the offence.[13]

On review, two issues come to the fore: 1) what are the circumstances that would give rise to a “reasonable” inference that the information is intended for fraud, and 2) how is one to determine that a person was “reckless” as to whether it could be used for fraud. It is unclear what would be the appropriate standard(s) for imputing reasonableness and recklessness in the realm of identity theft.

When one talks about identity theft, whether in terms of identity information or, more broadly, personal information, these are distinct privacy-related terms. To date, the only standards available to us are for security — there are no equivalents for privacy. Thus, without clear privacy standards, it may be difficult for companies to mitigate against risk – to assess what is reasonable and what is reckless.

Until a comprehensive set of standards is developed in this area, it may be helpful to look to the following for guidance: i) industry standards and best practices; ii) privacy commissioners and specifically orders they render, which can establish standards;[14] iii) relevant legislation[15] (e.g. privacy acts such as PIPEDA); and iv) jurisprudence in the area.[16]

Conclusion

The bill comes at a time when there is increased support for the notion that something must be done to combat identity theft. However, this bill may not represent the panacea, and stakeholders should recognize that there is a need to develop a comprehensive framework for contending with identity theft.[17] Privacy standards would be an invaluable addition to the mix. Furthermore, public awareness about how individuals and organizations should handle identity information would also go a long way to ensure the bill succeeds.

* Howard Simkevitz is an associate with the Toronto office of the law firm Lang Michener, (416) 360-8600.


[1] R.S.C. 1985, c. C-46 [Code].
[2] Ibid., s. 342.
[3] Section 342.1 (1) of the Code.
[4] Section 342.1 (1); and see the definition of computer system, in s. 342.1(2), which captures Internet activity as follows:
    "computer system" means a device that, or a group of interconnected or related devices one or
     more of which,
    (a) contains computer programs or other data, and    
    (b) pursuant to computer programs, 
        (i) performs logic and control, and
        (ii) may perform any other function;
[5] Bill C-27, An Act to amend the Criminal Code (Identity Theft and Related Misconduct) 2nd Sess., 39th Parl., 2008 [Bill].
[6] Supra, note 5, s. 10.
[7] Ibid., note 6.
[8] Supra, note 5, s. 1.
[9] Supra note 6.
[10] 2000, c. 5 [PIPEDA]. Compare the definition of “Personal information” in PIPEDA which includes any information about an identifiable individual as opposed to that of “identity information” in the Bill which must “identify or purport to identify” an individual.
[11] Supra note 6.
[12] See sections 22.1 and 22.2 of the Code.
[13] Supra note 6 (emphasis added).
[14] See e.g. IPC Order H0-004, in which the Commissioner stated at 18: “[t]o the extent that PHI in identifiable form must be removed in electronic form, it must be encrypted”.
[15] See Canada v. Saskatchewan Wheat Pool [1983] 1 S.C.R. 205, in which the SCC stated that although there was no nominate tort of “statutory breach”, the breach of statute may imply a standard of care.
[16] Although there is a dearth of case law on point in Canada (part of the reason being, of course, that no tort for breach of privacy currently exists), there may be persuasive extra-jurisdictional cases. See for example Randi A.J. (Anonymous) v. Long Island Surgi-Center, No. 2005-04976 (N.Y. Sup. Ct. App. Div. Sept. 25, 2007), in which the court found that the lack of a written privacy plan and sufficient staff training, were, among other factors, sufficient for finding “negligence or recklessness” in the mishandling of personal information.
[17] See for example the Canadian Bankers Association, Identity Theft: A Prevention Policy is Needed.


Privacy and Video Surveillance under FIPPA and MFIPPA

Priscilla Platt and Adam Kardash*


As excerpted from Heenan Blaikie's electronic guide to M/FIPPA, Chapter 20, available at www.accessprivacy.ca

Video surveillance is a controversial activity from a privacy perspective. The IPC has stated in its Guidelines for Using Video Surveillance Cameras in Public Places that institutions governed by FIPPA or MFIPPA that are considering implementing a video surveillance program must balance the benefits of video surveillance to the public against an individual’s right to be free of unwarranted intrusion into his or her life.[1]

FIPPA and MFIPPA include “videotapes” in the definition of the term “record”.[2] If a videotape identifies individuals, it contains “personal information” under FIPPA and MFIPPA. The institution that collects personal information through video surveillance may do so directly, as when it takes the video itself, or indirectly when it obtains the videotape from a third party service provider. In either case, the institution’s collection of the information must be authorized in accordance with subsections 38(2) of FIPPA and 28(2) of MFIPPA.

On March 3, 2008, the IPC issued its landmark report on “Privacy and Video Surveillance in Mass Transit Systems: A Special Investigation Report”.[3] In it, the IPC found that such video surveillance could be authorized under subsection 38(2) of FIPPA or subsection 28(2) of MFIPPA, “for the purposes of law enforcement” or as “necessary to the proper administration of a lawfully authorized activity”. In relation to law enforcement, the IPC considered the role of the TTC Special Constable Services Department in enforcing laws, their powers and jurisdiction and the agreement between the Toronto Police and the TTC Special Constables.

In relation to the necessity condition, the IPC adopted the test approved by the Ontario Court of Appeal in Cash Converters Canada Inc. v. Oshawa (City),[4] that is: the lawful authority must be identified and it must be shown how the collection is “necessary”, not merely helpful, to the achievement of the objective. As well, the justification must be provided for all classes of personal information that are collected.[5] The IPC considered the lawful authority in the City of Toronto Act, 2006, which provides the TTC with the exclusive authority to establish a public transit system and found that the collection of the personal information through video surveillance cameras is necessary to the proper operation of a public transportation system in Toronto. In so concluding, the IPC reviewed studies and incidents, terrorist and otherwise, in mass transit systems world-wide. The IPC accepted that safety and security are essential to the proper functioning of the TTC and that all options, including video surveillance, should be employed. It also determined that the collection of images through video surveillance was not merely helpful, but “necessary” to the proper administration of the subway system.[6]

The Report made 13 recommendations as to privacy enhancing processes that must be in place before such surveillance may be used. Among the recommendations is that the TTC should implement a maximum retention period of 72 hours for video images not used by the TTC. The IPC also recommended that annual audits be undertaken independently to ensure that the recommendations for video surveillance are abided by. The practices intended to enhance privacy include logs that note who had access to the videos, written confidentiality agreements with staff and signs that provide notices of collection. Going forward, as the TTC implements video surveillance, the IPC recommended that the TTC keep abreast of developments of privacy-enhancing technologies, that it try a particular technology developed by researchers at the University of Toronto that uses object-based encryption to obscure video surveillance images (and then allows for decryption by authorized individuals) and that it conduct public consultations on the use of video surveillance.

In its earlier Guidelines for Using Video Surveillance Cameras in Public Places, the IPC recommended consideration of the following, before deciding to use video surveillance:

  • whether other measures of crime deterrence or detection have been considered and rejected as unworkable;
  • whether each video surveillance camera can be justified on the basis of verifiable, specific reports of incidents of crime or significant safety concerns;
  • whether an assessment has been conducted on the effects of video surveillance on personal privacy and ways in which adverse effects can be mitigated;
  • whether consultations have been conducted with relevant stakeholders, including the public; and
  • whether the proposed design of the system attempts to minimize privacy intrusion to that which is absolutely necessary to achieve its lawful goals.[7]

The IPC conducted a privacy review for the City of Peterborough’s video surveillance program. A group of complainants, concerned that the city had not provided adequate signage, contacted the IPC. Primarily located in specific areas (Millennium Park, boathouse, and museum) to prevent vandalism, the video surveillance cameras were not actively monitored. Footage would be viewed only in response to an incident.

The IPC investigated the complaint and made the following recommendations:

  • rooms containing the video surveillance tapes and equipment should be kept locked, with limited access;
  • the city should install proper signs at the locations reviewed, which
    • advise that video surveillance is in use; and
    • provide the title, address and telephone number of a contact person who can respond to questions about the systems;
  • information sheets should be distributed to all video surveillance sites, and some copies should be placed in open view (e.g. on counters), and possibly on the city’s website;
  • the city should address the retention schedules for unused personal information with a view to reducing its video surveillance retention schedule;
  • the city's policy and procedures should establish a retention schedule, including where tapes have been viewed for law enforcement purposes (retention of one year);
  • the city's policy and procedures should provide for the secure disposal of videotapes after expiry of the required retention period;
  • the city's policy should be amended to address the privacy obligations of private contractors or service providers when carrying out duties relating to video surveillance;
  • the policy should state that where a service provider fails to comply with the policy or the Act, it would be considered a breach of contract leading to penalties up to and including contract termination; and
  • the city should incorporate regular audits and annual evaluations into its practices at all sites and revise its written policy accordingly.[8]

In 2002, Justice Gérard LaForest, a former Justice of the Supreme Court of Canada, provided an opinion to the Office of the Privacy Commissioner of Canada regarding the legal implications of the use of video surveillance by the police on public streets. Justice LaForest found that a strong case may be made that, in relation to institutions that are governed by the Charter, “general video surveillance, whether or not recorded, violates section 8 of the [Canadian] Charter [of Rights and Freedoms]”.[9]

In commenting on an individual’s “reasonable expectation of privacy” in public spaces, Justice LaForest stated:

[Comprehensive and continuous video surveillance] permits the police to systematically observe, often at high resolution and across a broad spatial expanse, everyone present within the camera's or cameras' range. This type of video surveillance is equivalent to having individual police officers closely follow, 24 hours a day, every person within a certain geographical space. That would be a police state, not a free society. We may not have a reasonable expectation that the police will never observe our activities in public spaces, either incidentally or as part of a targeted investigation. But surely it is reasonable to expect that they will not always do so.[10]

Justice LaForest stated further that notice itself would not neutralize the privacy breach:

It would make a mockery of the Charter to allow governments to extinguish a legitimate expectation of privacy by simply informing citizens that their movements and activities may be monitored; particularly where the area monitored is a central public space heavily used for commerce, leisure, travel, and social interaction. Whether a person has a subjective expectation of privacy may be a factor in some circumstances. But the fundamental question is whether a reasonable person would consider that the investigative technique so trenches on individual privacy that the state should be required to establish cause before a neutral arbiter.[11]

In Privacy Complaint Report PC-010005-1, the Ontario Provincial Police collected personal information through the application of face recognition technology in order to match the faces of casino patrons to mug shots in the police database.[12] The IPC held that this personal information was collected and used solely for the purposes of law enforcement, specifically section 209 of the Criminal Code, which makes cheating while playing a game or betting an indictable offence.

If an investigation concludes that a person has engaged in illegal activity, the facial scan is retained in the OPP database at that particular casino. If an investigation concludes that an individual is not involved in illegal activity, the facial scan is deleted. The personal information is not used for any other secondary purpose beyond law enforcement. More specifically, access by OPP officers is restricted to those working on casino law enforcement and only for that purpose. Therefore, the IPC concluded that the OPP's collection of personal information was in compliance with subsection 38(2) of FIPPA and subsection 28(2) of MFIPPA.[13]

* Priscilla Platt and Adam Kardash are with the Toronto office of the law firm Heenan Blaikie.


[1] Guidelines for Using Video Surveillance in Public Places, IPC (October, 2001). Notably, in Privacy Complaints MC06-49 and MC06-67, while video surveillance of employees was found to be excluded under MFIPPA, the IPC, in a Postscript, indicated that such surveillance should be done in such a way as to avoid inadvertently collecting the personal information of other individuals.
[2] Subsection 2(1) of FIPPA and MFIPPA.
[3] Privacy Investigation Report MC07-68.
[4] Cash Converters Canada Inc. v. Oshawa (City), 2007 ONCA 502.
[5] As noted at page 21 of the Report.
[6] Report, pages 21-29 inclusive.
[7] Guidelines.
[8] IPC Privacy Review: Video Surveillance Program in Peterborough (December 6, 2004).
[9] Opinion by Justice Gérard La Forest, re: Video Surveillance (April 5, 2002).
[10] Ibid.
[11] Ibid.
[12] Privacy Complaint Report PC-010005-1 (February 26, 2001).
[13] Privacy Complaint Report PC-010005-1 (February 26, 2001). For discussion of the notice requirements for video surveillance systems, see Chapter 21.


IPC Special Report on TTC Video Surveillance

Opening the Floodgates on Public Surveillance?

Sylvia L. Tint *


On March 3, 2008, the IPC issued a special report on increased surveillance proposed by the TTC. The TTC’s plans were approved subject to 13 recommendations to enhance the protection of personal information collected through its video surveillance system.

The TTC planned to equip all of its surface vehicles (buses and streetcars) with new surveillance cameras by the end of 2008, with four cameras per vehicle, making for about 7000 cameras on the TTC’s fleet of surface vehicles. It also plans to increase the number of cameras in the subway system to a total of 2300 by the end of 2011, as well as to install cameras inside subway cars.[1]

At the time of the report, surveillance video was recorded (not actively monitored) on surface vehicles and retained for 15 hours before being overwritten.[2] Subway surveillance was retained for a maximum of seven days, when it was automatically overwritten. Although it is not generally monitored, live remote access could be obtained when necessary in the subway.

The TTC indicated that one of the purposes of video surveillance was safety and security. The complainant argued that the collection of video images of the public was not ‘necessary’, and was being undertaken on the basis of crime prevention and detection despite the fact that there was no evidence that video surveillance significantly reduced the level of crime or threats of terrorist attacks.[3]

In light of this allegation, the IPC reviewed the research on video surveillance and crime and found that no clear conclusion could be drawn as to effectiveness, citing among other things methodological flaws in the studies.[4]

Notwithstanding this finding, the IPC found that video surveillance was ‘necessary’[5] pursuant to s. 28(2) of the Municipal Freedom of Information and Privacy Act.

In light of this conclusion, some may be concerned that we will see a proliferation of video surveillance in outdoor public places. Given the evidence in this case and the Commissioner’s analysis, this is not likely to occur.

The report focussed on whether the video surveillance met the necessity condition of s. 28(2): whether each item of personal information that was to be collected was necessary to properly administer the lawfully authorized activity. The report adopted the approach of the Court of Appeal in Cash Converters Canada Inc. v. Oshawa (City)[6] (which itself adopted the approach of the IPC). The report found that the lawful activity was the ‘operation of a public transit system’[7] and accepted that ‘safety and security are essential to the proper functioning of mass transportation systems’.[8] The Commissioner accepted the evidence of a TTC survey of North American transit agencies that reported ‘very positive outcomes’ with video surveillance[9] and the recommendations of transit security experts as to the use of video surveillance.

As a result, the Commissioner found that the security issues of a mass transit system were easily distinguishable from the security issues of other outdoor public spaces, given the movement of large numbers of people in small spaces.[10]

In light of these conclusions, video surveillance in other public spaces will likely require evidence of ‘special security issues’ specific to the site in order to meet the necessity condition.

In addition, given the IPC view that video surveillance should be as minimally intrusive as possible, municipalities will likely be required to maximize the use of emerging privacy enhancing technologies (PET’s). Notably, one of the IPC recommendations to the TTC was to evaluate a new PET developed by two University of Toronto researchers. The IPC further requires the TTC to keep abreast of emerging technologies and adopt them whenever possible. Not only is the TTC required to investigate and undertake new technologies, the report also specifically provides that ‘[i]t is incumbent upon those who wish to deploy surveillance systems to be aware of and adopt PET’s whenever possible, especially as they become commercially available’.[11]

Finally, the retention periods of any other proposed open area surveillance will also have to be appropriately minimal. The Commissioner recommended that the TTC amend its retention policy for unused images from seven days to 72 hours, based largely on evidence that the police have utilized this policy successfully in Toronto’s theatre district for years.[12]

As a result, it cannot be said that this report gives an automatic green light to increased video surveillance in other public areas, but it does provide some guidance as to appropriate implementation and minimization of intrusions to privacy.

* Sylvia L. Tint practices employment law at Willson Lewis LLP.


[1] Privacy and Video Surveillance in Mass Transit Systems: A Special Investigation Report at page 15.
[2] Ibid., page 16.
[3] Ibid., page 1.
[4] Ibid., pages 7 to 9.
[5] Ibid., page 28.
[6] Cash Converters Canada Inc. v. Oshawa (City).
[7] Supra, note 1 at page 22.
[8] Ibid., note 1 at page 28.
[9] Ibid., page 25.
[10] Ibid., page 28.
[11] Ibid., page 12.
[12] Ibid., page 40.


Recent Cases Illustrate Polarity of Privacy Rules for Litigants

Dan Michaluk*


Clash of interests – a litigant’s right to privacy and the “open courts” principle.

Juman v. Doucette is the Supreme Court of Canada’s most recent significant statement on the undertaking of confidentiality owed by a party to litigation. Issued in January 2008, it is a decision that favours a strict approach to shielding information contained in unfiled discovery transcripts and productions. Once that material is filed in court, however, the open courts principle demands a presumption at odds with individual privacy, which is currently not mitigated by our Ontario rules. This was recently affirmed in Moore v. Bertuzzi, a December 2007 decision of the Ontario Superior Court of Justice.

What’s disclosed in the discovery room stays in the discovery room

In Juman v. Doucette, the Supreme Court of Canada unanimously held that a litigant’s undertaking of confidentiality prohibits a party from making a bona fide report of criminal conduct to law enforcement without seeking court approval.

The underlying action was a negligence claim against a day care and day care worker, which was filed after a child suffered a seizure while under care. The police investigation was ongoing, but the police had not yet laid charges by the time the day care worker’s examination for discovery was scheduled. The day care worker filed a motion to request an express restriction on disclosure of her transcript and the Attorney General brought a competing motion seeking to vary the implied undertaking to allow disclosure of the discovery transcript to the police.

The chambers judge held that both motions were premature, but declared that the A-G and the police were under an obligation not to cause the parties to violate their undertakings without the day care worker’s consent or leave of the court.

The Court of Appeal allowed an appeal of this order. It acknowledged the recognized exception to the undertaking when disclosure is necessary to prevent serious and imminent harm, and then went further to permit the disclosure of suspected crimes to law enforcement without court approval in non-exigent circumstances.

Binnie J., writing for the majority of the Supreme Court of Canada, favoured the chambers judge’s approach. He held that giving litigants a discretion to make bona fide reports to law enforcement was a recipe for conflict:

This difficulty is compounded by the fact that parties to civil litigation are often quick to see the supposed criminality in what their opponents are up to, or at least to appreciate the tactical advantage that threats to go to the police might achieve, and to pose questions to the examinee to lay the basis for such an approach: see 755568 Ontario Ltd., at p. 656. The rules of discovery were not intended to constitute litigants as private attorneys general.

More generally, Binnie J. made a number of statements that favour a high standard for relief from the implied undertaking rule -- a stance he said is justified because examinees are subject to compelled testimony. He said:

An application to modify or relieve against an implied undertaking requires an applicant to demonstrate to the court on a balance of probabilities the existence of a public interest of greater weight than the values the implied undertaking is designed to protect, namely privacy and the efficient conduct of civil litigation … What is important in each case is to recognize that unless an examinee is satisfied that the undertaking will only be modified or varied by the court in exceptional circumstances, the undertaking will not achieve its intended purpose.

In Ontario, a litigant’s privacy interest in discovery transcripts and other unfiled productions is protected by Rule 30.1.01, but the analysis is the same. In fact, Binnie J. considered the limited Ontario jurisprudence in endorsing a rigorous undertaking over the protection of the public interest in the detection and prosecution of crimes.

Privacy protection is relinquished once materials are used in a proceeding

Once discovery transcripts are used as evidence in a proceeding, the presumption flips because of the open courts principle – a principle that demands all court proceedings be open to the public. This was recently affirmed in Moore v. Bertuzzi, where Master Dash rejected a request for an order directing the plaintiffs not to file the entire transcripts of an examination in support of its motion to compel answers to questions refused on discovery.

The discovery dispute arose after hockey player Todd Bertuzzi and a representative of the Vancouver Canucks were examined in a highly publicized action brought by Steve Moore and his family for damages arising out of an alleged on-ice assault by Bertuzzi. Soon after the examinations, the plaintiffs brought a refusals motion and notified the defendants of their intention to file the discovery transcripts in their entirety. In response, the defendants moved for directions. They said that portions of the transcript could be read aloud in open court, but that filing the entire transcript would prejudice the defendant’s right to a fair trial.

Master Dash first held that a party who intends to refer to a transcript of evidence at a hearing is entitled to file the entire transcript, even if filing the entire transcript is not essential to the motion. This is because Rule 30.1.01(05) expressly limits the deemed undertaking rule to evidence filed with the court and Rule 34.18 contemplates the filing of whole transcripts unless the opposing party consents. Since the plaintiffs wanted to file the entire transcripts, Master Dash held that the defendants were essentially requesting a sealing order, which he could only grant upon satisfaction of the Dagenais/Mentuck two-step test. He then rejected the defendants’ argument that their right to a fair trial justified the requested restriction, stating that their case for a restriction based on prejudice to fair trial rights was bald and speculative.

Master Dash’s brief statement on the potential for harm to the discovery process itself is more significant given our comparison with Juman v. Doucette. Although he noted the potential for such harm, he discounted it based on the clear policy of openness favoured by the rules:

I am also concerned with eroding the confidentiality of the discovery process. This is a problem with any discovery transcript that is filed in support of a motion, and yet the rules and cases referred to in this endorsement allow for the transcripts to be filed.

Ought there be a middle ground?

While the importance of the open courts principle is beyond dispute, one may argue that the policy embedded in our rules and recognized in Moore v. Bertuzzi might be replaced with a necessity-based norm. Any move towards electronic filing and access to court materials would also weigh in favour of careful reconsideration of the existing framework.

* Dan Michaluk from Hicks Morley acts as an advocate on behalf of management in a variety of employment and non-employment matters and has a special interest in information and privacy law, (416) 362-1011.


Swiping Away Our Privacy

Alberta’s Privacy Commissioner Prohibits ID-Scanning in Nightclubs

Nyall Engfield*


The use of ID-scanners in bars was the subject of a recent decision by Alberta Privacy Commissioner Frank Work, Q.C. ID-scanners are used to take a digital photograph of a patron’s driver’s license as the patron enters the bar. The scanning is typically made a condition of entry, and patrons are seldom informed as to the storage of their information or its use.

Order P2006-011 required Tantra Nightclub in Calgary (“Tantra”) to stop scanning patron identification and destroy the information it had already collected as a result of this practice.

The facts are straightforward. Upon arrival at the establishment in March 2005, the complainant’s driver’s license was scanned by a Tantra employee without informing him or obtaining his consent. After a conversation with legal counsel at Penny Lane Entertainment, the corporation which owns Tantra, failed to alleviate his concerns, he filed a complaint with the Commissioner in August 2005.

The following five issues were addressed by the Commissioner in the inquiry: (1) did Tantra collect the complainant’s personal information for purposes that are reasonable, and to the extent it is reasonable in accordance with sections 11(1) and 11(2) of the Personal Information Protection Act; (2) did Tantra have the authority to collect the information without consent under section 14; (3) was Tantra required to obtain consent before collection; (4) was Tantra required to provide notice; and (5) had the complainant’s information been protected by reasonable security arrangements under section 34 of the Act?

In determining reasonableness, the Commissioner applied the standard set out in section 2 of the Act: “what a reasonable person would consider appropriate in the circumstances”. Tantra argued that it collected information from its patrons to ensure their “life, liberty and security”, and only as much information as is necessary to achieve this purpose. It submitted the collection was a deterrent to wrongdoers, who would know that they could be easily identified if they were involved in illegal activity. The Commissioner disagreed, finding that Tantra had failed to draw a correlation between violence and patron safety and collecting driver’s license information. He concluded that Tantra lacked a reasonable purpose.

The Commissioner then looked at the issue of consent, and whether Tantra’s collection was permissible without consent under section 14. Since Tantra could not establish a reasonable purpose, in the view of the Commissioner it did not fall under any of the section 14 exceptions. He found the collection was unauthorized, with or without consent.

Next, the Commissioner examined the application of sections 7(1) and (2). He considered whether section 7(1) required Tantra to obtain consent before collection, and whether it had made collection a condition of service contrary to section 7(2). The Commissioner reasoned that, since the collection was unreasonable, it did not matter whether or not the complainant had consented to it as the collection was unauthorized. As to section 7(2), Tantra argued that patrons had a choice: to decline to have their license scanned or enter the bar. The Commissioner found that under section 7(2) an individual cannot be required to consent to a collection of information that is unnecessary for the supply of a product or service, and therefore, by requiring this as a condition of providing its service, Tantra was in contravention of that section of the Act.

The Commissioner then asked whether the organization was required to provide notification before collecting the complainant’s personal information. He noted that, while there was no evidence any notification was in place when Tantra scanned the complainant’s driver’s license in March 2005, by August 2006 a poster had been mounted at the entrance. The poster explained that the practice was intended “to encourage our patrons to behave responsibly and deter those who are seeking to ruin your experience with us, from entering the venue”. The Commissioner found the poster to be deficient and misleading in that it was not clear about the purposes of collecting the information, nor did it set out information retention periods. He determined that since none of the provisions of section 14 applied, and an individual cannot consent to an unreasonable collection, Tantra was required to provide effective notice. It did not do so, and therefore contravened section 13 of the Act.

Lastly, the Commissioner investigated whether the complainant’s information had been protected by reasonable security arrangements under section 34. Although an affidavit had been provided that detailed general computer security arrangements, there was no evidence as to security measures taken to protect the information once it had been downloaded by one of Tantra’s employees, nor was there evidence as to the security measures taken related to the complainant’s information specifically. In the end, the Commissioner was unable to conclude that Tantra had taken reasonable security measures to protect the complainant’s information.

As to remedy, the Commissioner ordered Tantra and its parent company Penny Lane Entertainment Inc. to destroy the information of the complainant and all other patrons and cease its practice of scanning identification.

In order to best advise clients who collect personal information, the Commissioner said organizations should ensure the following:

(1) there is a reasonable purpose for the collection, and one that can be justified with evidence if necessary; and

(2) collection is limited to what is reasonable to meet that purpose.

If these can be demonstrated, then the affected individuals should be informed of, and consent to:

(3) the use for which the information is being collected, and

(4) the retention period, which should also be reasonable.

At all times, the information collected must be kept demonstrably secure by reasonable security arrangements.

If you are representing a client whose personal information has been collected, you should first determine which information has been collected and the purpose it was intended to serve. If the purpose is unreasonable, then an organization is prohibited from collecting personal information in the first place. If the purpose is reasonable, then the collection must be limited to what is reasonable to meet the stated purpose. Even if the purpose of the collection and the amount of information collected are reasonable, an organization still may not collect information unless the individual provides informed consent or the collection falls under one of the exceptions enumerated in section 14.

* Nyall Engfield is a patent lawyer with the Ottawa law firm Andrews Robichaud, and is involved in prosecuting patent applications and patent litigation, with a special interest in privacy law.


From the Editorial Desk

Abi Lewis*


Since the last issue of Eye on Privacy, we’ve kept a watch on the privacy landscape and it’s been busy, if not changing. Whether the privacy landscape is changing may be debatable, and if it is, in what direction?

What is not debatable is that the privacy landscape remains active. Recent pointers may also provide some evidence to those who subscribe to the notion of change. Here are a few.

Police dogs and drug searches

On April 25, 2008, the Supreme Court of Canada delivered judgment in two cases that dealt with whether random drug searches conducted by police using drug-sniffing dogs breached section 8 of the Charter of Rights and Freedoms. The two cases were: R. v. A.M., 2008 SCC 19 and R. v. Kang-Brown, 2008 SCC 18.

The Supreme Court of Canada ruled in a 6-3 decision that the two random searches conducted at St. Patrick’s High School, Sarnia, Ontario and a bus terminal in Calgary, Alberta in 2002 were unlawful because neither was based on “reasonable suspicion”.

In weighing in on the issue of reasonable expectation of privacy, two general principles may be gleaned from the apex court's decisions:

  • A sniff of a backpack or container is to be deemed a “search” for section 8 Charter purposes.
  • Random searches by sniffer dogs are likely not to pass the Charter test unless they are conducted in places such as airports, where visitors are made aware in advance that they enjoy a low expectation of privacy.

The judgments reflected a factionalized court whose members presented starkly differing constitutional visions on the issue of privacy and random drug searches conducted by police using drug-sniffing dogs. Maybe the result is not expected since this is the first time that the Supreme Court of Canada has ruled on the relationship between police sniffer dogs and section 8 of the Charter.

Not surprisingly, the judgments have elicited comments from public commentators and stakeholders including the police, government and school administrators. Examples of reactions to the judgments as reported in the media:

“We’re no longer going to be able to show up and randomly search,” said Tom Stamatakis, Vice-President of the Canadian Police Association.

“What this means for us is we won’t have the ability to bring dogs in at random,” said Paul Wubben, Director of Education for the St. Clair Catholic District School Board in Sarnia.

“We want to continue to enunciate clearly that we are going to continue to use these measures in airports and most places of transit,” said Public Safety Minister Stockwell Day.

“This is a good day for civil liberties. The judgment is a reasonable compromise between law enforcement aspirations to search indiscriminately and the right to privacy,” said Frank Addairo, President of the Criminal Lawyers’ Association.

Obviously, the last word is yet to be heard on the matter.

Ticketmaster and PIPEDA

Privacy Commissioner of Canada, Jennifer Stoddart, who was concerned with Ticketmaster’s privacy practices, has urged companies to adopt high privacy standards in their business.

The Commissioner investigated Ticketmaster’s information collection practices after her office received a complaint alleging that the company’s policies and practices on the collection, disclosure and use of customers’ personal information did not comply with the Personal Information Protection and Electronic Documents Act (PIPEDA). The Information and Privacy Commissioner of Alberta had earlier looked into a similar complaint last year.

Ms. Stoddart was disappointed that “seven years after PIPEDA was enacted, a major online company operating throughout Canada was found to be in violation of the legislation.”

The news release issued by the Commissioner’s office noted that the privacy standards of Ticketmaster have since been brought up to standard.

Health records

Misplaced health records continue to attract media attention, albeit at the municipal level.

The Hamilton Spectator in its issue of April 17, 2008, reported that copies of records of about 10 patients at St. Joseph’s Healthcare were found in a garbage dumpster behind an Etobicoke coffee shop. Dr. David Higgins, Chief of St. Joseph’s Healthcare, told the Spectator: “We take this very seriously…We will take guidance from the (Ontario) privacy commissioner’s office on the most appropriate approach... And we will be reviewing our processes to see if there is any system weakness.”

Also, the Brantford Expositor in its issue of April 17, 2008, reported that the College of Physicians would investigate why patient documents from a doctor’s office at Terrace Hill Medical Clinic were improperly disposed of in garbage bins by the Clinic. The doctor, who found the incident “very disturbing”, would like to take steps to ensure that it never happens again.

DNA and privacy worry

Ontario’s Information and Privacy Commissioner and the Toronto Star seem to agree on one thing: the Toronto Police Chief’s recent idea on how to expand Canada’s National Data Bank raises concerns because of its potential privacy pitfalls. Bill Blair has suggested that DNA samples be collected from anyone who is charged with, not just convicted of, a serious crime.

The Star, in its editorial of April 15, 2008, urged Parliament to proceed in this direction only with great caution. And Dr. Ann Cavoukian, in a letter to the editor published in the Star of April 18, 2008, shared the same view. She wrote: “My office has urged the police to automatically destroy the fingerprints and photos of innocent people arrested but never convicted, with limited success. We would have even greater concerns with the retention of DNA samples of those who were not convicted.”

Public interest trumps cabinet secrecy

Always of interest to privacy practitioners is the other side of the equilibrium, access to information. Recently, the Information Commissioner ordered the British government to release minutes of cabinet meetings at which the decision to invade Iraq was made.

Although the UK Freedom of Information Act provides a qualified exemption for this type of record, the Commissioner found that the public interest in disclosing the cabinet minutes outweighed the public interest in withholding the information.

Anyway, that’s the UK. In Ontario, we do not have a public interest override of the cabinet records exemption in the Freedom of Information and Protection of Privacy Act.

* Abi Lewis, Ministry of Attorney General – Policy Division, (416) 326-2513.  


The OBA Karen Spector Memorial Award for Excellence in Privacy Law


The Karen Spector Memorial Award for Excellence in Privacy Law was established to recognize, honour and celebrate the outstanding achievements of OBA members practising in the area of privacy law in the province of Ontario.

The Award is named for the late Karen Spector, in recognition of her excellence and dedication as a lawyer specializing in the practice of privacy law. Karen was active in the Privacy Law Section of the OBA and sat on the Section Executive. Karen established one of the first legal practices dedicated to privacy law in the province, wrote and spoke widely about privacy law issues, and was an exceptional educator and mentor.

As we prepare to announce this year’s recipient, we would like to profile the distinguished past recipients of the Award.

Priscilla Platt

Priscilla Platt was the first recipient of the Karen Spector Memorial Award for Excellence in Privacy Law. Counsel at Heenan Blaikie, Priscilla has more than 25 years of well-recognized expertise in privacy, access to information and related legal issues both in the public and private sectors. Her experience includes 15 years as Senior Counsel at the Ministry of the Attorney General where she provided advice to the Ontario Government on access and privacy law.

An active member of several professional organizations, Priscilla was a founding member of the Privacy Law Sections of both the CBA and the OBA, and has served as Chair of both Sections. She remains a member of the executive of both the Privacy Law and Public Sector Lawyers Sections of the OBA.

Since 2007, Priscilla has been an adjunct professor of Information Law at the University of Toronto Law School. Priscilla is also co-author of Heenan Blaikie’s electronic guide to FIPPA and MFIPPA.

Jeffrey A. Kaufman

Jeffrey Kaufman is a senior partner and Co-Director of the National Privacy Group of Fasken Martineau DuMoulin LLP. Past Chair and Co-Chair of the OBA Privacy Law Section, Jeff has also co-chaired the Canadian Institute Programs on Privacy Law as well as Insight’s Privacy Health Law Seminar. Jeff frequently lectures on privacy for the OBA and other industry associations, and was a featured speaker at the 2004 Isaac Pitblado Lectures. He was a member of the joint Ontario Privacy Commission/OBA Short Notices Program and the External Editorial Board commenting on the summary of Quebec decisions prepared for the Office of Privacy Commissioner of Canada, and has participated in meetings conducted by the CBA with the Department of Justice, Health Canada and the provincial and federal privacy commissioners. Jeff has authored numerous privacy-related articles and is co-author of the Privacy Law in the Private Sector: An Annotation of the Legislation in Canada, published by Canada Law Book.

Copyright © Ontario Bar Association