Editor:
Abiodun O. Lewis

Introduction

A Privacy Impact Assessment (PIA) is intended to provide a thorough analysis of how a client’s project may impact an individual’s privacy. Projects warranting a PIA include new information systems or programs, or changes to an organization’s existing information handling practices – which may affect how privacy is protected. PIAs identify a project’s existing and potential risks to privacy, and recommend how these risks can be addressed. A typical PIA also discusses a project’s data flows, privacy safeguards, technical architecture, and compliance with privacy laws.

PIAs are often written, and then reviewed, by interdisciplinary teams including privacy consultants, lawyers, security specialists, policy specialists, IT developers, business users, risk managers, and hopefully, representatives of the individuals whose privacy stands to be affected by a specific project. These representatives include an organization’s privacy officer, customer service or complaints division, ombudsperson, or ethics representative. The involvement of these “data subject advocates” is important because PIAs tend to be performed, or outsourced, by organizations and not by the actual individuals whose privacy may be impacted by the project.

This article discusses the circumstances in which legislation in several Canadian jurisdictions and the US requires organizations to perform PIAs. Then, it discusses how the increasing popularity of PIAs can be attributed partly to factors other than legal requirements, such as government policies. Finally, the article concludes with a discussion of how PIAs have evolved, and speculates on the future direction of PIAs.

Ontario

Ontario’s Personal Health Information Protection Act, 2004 (PHIPA) regulates the privacy of health information in the province. According to the PHIPA Regulation (section 6(2)), a “health information network provider” is an organization which provides services to multiple health information custodians (defined at PHIPA section 3(1)), in order to enable the health information custodians to share personal health information with one another. For example, the Ontario Telemedicine Network (OTN) acts as a health information network provider when it enables physicians (i.e. who are health information custodians) to share patient information with other physicians at remote sites via OTN’s teleconferencing technology.

The PHIPA Regulation (section 6(3)5) requires each health information network provider to conduct a PIA, and to share the results of the PIA with health information custodians who rely on the health information network provider’s services (e.g. OTN would conduct a PIA and share a summary of the PIA with the physicians and hospitals who use OTN’s services). The PHIPA Regulation does not require health information custodians to perform a PIA; however, the Office of the Information and Privacy Commissioner/Ontario (IPC/Ontario) recommends that health information custodians perform PIAs in certain cases. (See section “PIA Policies and Best Practices” below for more information)

Alberta

Alberta’s Health Information Act (HIA) regulates the privacy of health information in the province and establishes what are arguably the most rigorous legislated PIA requirements in Canada. The HIA establishes the role of “custodian” which includes a range of organizations and individuals who provide health care to patients or facilitate health care (e.g. hospitals, health boards and authorities, and health care professionals; see HIA section 1(1)). As per section 64 of the HIA, when a custodian implements administrative practices or information systems which interact with individually identifying “health information” (defined at HIA section 1(1)(k)), the custodian must first perform a PIA and submit the PIA for review and comment to the Office of the Information and Privacy Commissioner/Alberta (IPC/Alberta).

While the IPC/Alberta reviews and comments on the PIA, it does not provide actual “approval” of the PIA; the same approach applies regarding the references below to the IPC/Alberta reviewing a PIA. The PIA requirement would apply, for example, when a regional health authority planned to implement “tele-homecare” information technology to permit patients to electronically send medical information to their health care providers. The HIA also imposes PIA requirements with respect to “data matching”, the practice of combining information found in two or more databases that results in combined information, which identifies individual patients (defined at HIA section 1(1)g). Data matching is used in medical research and health system management. Before engaging in data matching, a custodian must first perform a PIA and submit the PIA to the IPC/Alberta for review and comment. The PIA must describe how the custodian will collect patient information for use in the data matching, and how the custodian will use and disclose the resulting combined information (HIA section 71).

Under the HIA, Alberta Health and Wellness (Alberta Health) can order custodians to share patients’ health information with it so that Alberta Health may use the information for particular purposes such as planning, resource allocation and health system management (HIA section 46(1)). However, before ordering custodians to share patient information, Alberta Health must first perform a PIA and submit it to the IPC/Alberta for review and comment. Alberta Health must consider the IPC/Alberta’s comments regarding the PIA before issuing the order for custodians to share patient information with Alberta Health (HIA section 46(5)).

The Health Information Amendment Act, 2009 (HIA Amendment Act) will expand the contexts in which Alberta Health must perform PIAs. The HIA Amendment Act (previously Bill 52) received royal assent on June 4, 2009, but had not come into force at the time of writing. One of the changes the HIA Amendment Act makes to the HIA is that it defines the Alberta electronic health record (EHR), a shared electronic repository of health information which will permit custodians to share patients’ health information with one another (HIA Amendment Act section 20, to become HIA section 56.1(a)).

The Act empowers Alberta Health to direct health care providers to share patients’ health information with the EHR in order for other health care providers and certain other entities to access the information (HIA Amendment Act section 20, to become HIA section 56.3(2)). However, before issuing a directive to share patients’ information with the EHR, Alberta Health must first perform a PIA describing how sharing patients’ information via the EHR may affect patient privacy, and must submit the PIA to the IPC/Alberta for review and comment. Alberta Health must consider the IPC/Alberta’s response to the PIA (HIA Amendment Act section 20, to become HIA section 56.3(3)).

British Columbia

British Columbia’s Freedom of Information and Protection of Privacy Act (FIPPA) establishes privacy responsibilities for the BC government and its agencies. Before a government ministry implements new legislation, systems, or initiatives, the ministry must perform a PIA to determine whether the new legislation, systems, or initiatives comply with the ministry’s privacy responsibilities under FIPPA. The ministry must follow any rules established by the Minister of Labour and Citizens' Services (Minister of Labour) on how to perform the PIA (FIPPA sections 69(1)(c), and 69(5)). Also, the Minister of Labour must issue a report listing the PIAs that each BC government ministry has conducted (FIPPA section 69(3)(c)). The Act does not appear to indicate how frequently the Minister of Labour must publish the report.

FIPPA also imposes PIA requirements on the BC Ministry of Health Services (BC Health) with respect to “health information banks.” The E-Health (Personal Health Information Access and Protection of Privacy) Act (E-Health Act) permits BC Health to establish “health information banks,” which are shared electronic repositories of health information that contain information regarding multiple patients, and which may be accessed by multiple health care providers (E-Health Act section 3(1)). For example, BC Health could establish a health information bank to collect lab test results for patients across the province to be used by health care providers for patient care purposes. FIPPA establishes privacy rules with respect to health information banks, and requires BC Health to perform a PIA regarding the proposed activities of any health information bank it establishes (FIPPA section 69.1(5)(a)).

Also, a health information bank may enter into an agreement to provide an organization with patients’ information stored in the bank, so that the organization may use the information to perform research or health system planning (E-Health sections 14 – 15, and 19). Before a health information bank enters into an agreement to provide patient information to an organization, the health information bank must perform a PIA to evaluate how providing the information may impact patient privacy (FIPPA section 69.1(5)(b)).

Newfoundland and Labrador

The Newfoundland and Labrador Centre for Health Information Act (Centre for Health Act) governs the activities of the Newfoundland and Labrador Centre for Health Information (Centre). The Centre develops health information systems which facilitate the provision of health care, including the province’s health information network, and also supports research, health system management, and policy development.

The Regulation under the Centre for Health Act establishes privacy responsibilities for the Centre. Specifically, the Regulation requires the Centre to perform a PIA before implementing a health information system which permits the storage and disclosure of patients’ information. Upon completing the PIA, the Centre must prepare privacy impact statements as required to explain how developments with the information system may impact patient privacy, and must make the privacy impact statements available to the public upon request (Centre for Health Act Regulation section 7).

United States

The US federal E-Government Act was enacted in 2002 to enhance the management and delivery of electronic information and services by the US government to the public (Library of Congress). For example, the E-Government Act (section 3602) establishes the Office of Electronic Government which is responsible for activities such as posting government forms online and collecting completed forms from the public. The E-Government Act also establishes privacy responsibilities for government agencies that use information technology.

Before a government agency develops information systems which interact with individuals’ information, the agency must first perform a PIA regarding the system, ensure that the agency’s Chief Information Officer reviews the PIA, and provide the public with the results of the PIA (section 208). For example, an agency must perform a PIA (and the follow-up steps described above) before implementing an information system which will be used to compile individuals’ contact information (section 208).

PIA Policies and Best Practices

There are many circumstances in which performing a PIA is not a statutory requirement, but is an important matter of policy or industry best practice. For example, in its PIA Guidelines for PHIPA, the IPC/Ontario recommends that even organizations that are not legally required to perform a PIA should still do so with respect to the organization’s existing or proposed information systems which interact with patient information (section 1.2). Similarly, in the US, at least one author recommends performing PIAs to help ensure that organizations satisfy their responsibilities under the new Health Information Technology for Economic and Clinical Health Act (HITECH Act), which is part of the US government’s economic stimulus legislation that promotes the adoption of health information technology (Nahra).

Furthermore, governments in some jurisdictions have implemented rules requiring government departments to perform PIAs in certain contexts. For example, the Government of Ontario’s internal PIA guidelines require that a provincial ministry perform a PIA to determine how a proposed information system or project will impact individuals’ privacy before the project may proceed (this requirement does not apply to information systems or projects which will not interact with personal information). Similarly, the federal government’s internal PIA guidelines require that a federal department perform a PIA when developing a new program or service. The department must share the PIA with the Office of the Privacy Commissioner of Canada early on in the project’s development, and must share the results of the PIA with the public.

Finally, performing a PIA may be required as a condition of project funding. Canada Health Infoway (Infoway) is a federal agency which funds electronic health record projects and requires projects to complete a PIA as a condition of funding.

Evolution of PIAs

Policy requirements to perform PIAs in the public sector have resulted in a growing number of PIAs being conducted over the past decade, with PIAs evolving from strict “legal compliance assessments” to broader documents including descriptions of a project’s business requirements, data flows, policy implications, and technical architecture. These additional components require input from multiple subject matter experts and stakeholders, this being especially true for large scale projects that are regional, national, or even international in scope.

As PIAs have started to include a broader range of information, PIAs sometimes provide stakeholders with their first opportunity to learn about certain aspects of their projects. Such aspects might include a complete list of the project’s data elements, the business requirements of the project’s partners, or the privacy concerns of the organization’s customers. In this sense, PIAs can be valuable, internal education tools.

The growing breadth of PIAs also means that PIAs can be lengthy and difficult to understand, especially for the public (when PIAs are publicly available). In some cases, PIAs have evolved from “overly legal” documents to “overly technical” ones. As such, while PIAs have developed into “privacy measurement tools” with broad utility for project stakeholders, using simpler language and approaches to PIAs would make PIAs more valuable to the average public reader.

Furthermore, when an organization produces multiple PIAs for its various projects, the PIAs are often starkly different from each other in terms of scope, methodology, and language. This article has already outlined the rules of the road as to when PIAs must be performed. However, project stakeholders and the public would benefit from consistent “rules of the road” as to how PIAs are performed and how to respond to PIA findings. Public and private stakeholders will receive greater value from PIAs that are designed around increased simplicity, consistency of PIA methodologies and findings, and greater availability of PIAs to the public.
 

*Kevin Rodkin and Michelle Gordon are privacy lawyers at Anzen Consulting Inc.
 

1. Open Courts, Access to Court Records, and Privacy

The impact of recent advances in technology on privacy in relation to the publication of judicial decisions and access to court documents provides a useful way of understanding the underlying issues raised by openness on the one hand and privacy on the other. For courts, openness is essential to the proper administration of justice. Openness historically meant that members of the public could, with limited exceptions, access courtrooms and view the proceedings. Decisions were “obscurely” available, as were the records of the proceedings, since the difficulties associated with obtaining the records meant that true access was attenuated. Thus, while there was technical “openness”, there was also “practical obscurity”. With the advent of technology, powerful search engines and publicly available court and tribunal decisions on sites like CANLII, “openness” has taken on a new meaning. Given technology, together with the wide availability of this information, many individuals no longer have “practical obscurity” when they are involved in the justice system.

As a consequence, the Canadian Judicial Council approved the “Use of Personal Information in Judgments and Recommended Protocol” in March, 2005. In it, while recommending that decisions be made available on the internet, the Protocol also suggests restraint in publication of sensitive personal information and identifying information in certain instances. The Protocol recommends that certain personal data identifiers, such as social insurance numbers, dates of birth, bank accounts and credit card numbers not be included in decisions. Moreover, it suggested that consideration should be given to not including identifying information where dissemination of that information “could harm innocent persons or subvert the course of justice.”

In February, 2009, the Supreme Court of Canada issued a “Policy for Access to Supreme Court of Canada Court Records”, which, among other things, deals with the inclusion of personal information within court records, access to records and judgments. The Policy defines “personal data identifiers” as “personal information that, when combined together or combined with the name of an individual, would enable the direct identification of the individual and pose a serious threat to the individual’s personal security” , and “personal information” as “information about an identifiable individual” including the age of the individual, any identifying numbers or biometric information, but excludes the name of an individual and the name and address of his or her lawyer or agent.

The Policy goes on to state that “[p]ersonal information, including personal data identifiers, shall not be included in a court record unless it is required for the disposition of the case.” Under paragraph 5.2, the parties are obliged to “[limit] the disclosure of personal data identifiers and personal information to what is necessary for the disposition of the case and advise the Court whether there are personal data identifiers that “could pose a serious threat to the individual’s personal security (e.g., identity theft, stalking and harassment).” It is noted that the parties may be required to file a redacted version of a document or court record that omits these personal identifiers.

Further changes to Ontario’s Rules of Civil Procedure, coming into force on January 1, 2010 may, in perhaps more subtle ways, impact on personal information that may be available in litigation. Rule 1.04 of the Regulation is amended to introduce the concept of proportionality to civil litigation. The Rule states that “the court shall make orders and give directions that are proportionate to the importance and complexity of the issues, and to the amount involved, in the proceeding.”

In respect of document discovery, Rule 30.02 indicates that the scope will change from information “relating to any matter in issue” to “relevant to any matter in issue” [emphasis added]. As well, Rule 29.2, in applying the proportionality Rule to the discovery process, indicates that when “making a determination as to whether a party or other person must answer a question or produce a document, the court shall consider whether … (c) requiring the party or other person to answer the question or produce the document would cause him or her undue prejudice”.

2. Open Justice, Access to Tribunal Records, and Privacy

Adjudicative tribunals are not in a dissimilar position to courts in trying to balance openness with the desire to mitigate the impact of technology on privacy. The British Columbia Information and Privacy Commissioner, David Loukidelis, addressed this issue in a speech made at the “2nd Annual New Directions in Administrative Law.” In the slides entitled “One Information and Privacy Commissioner’s Perspective on Privacy and Administrative Tribunals,” the Commissioner suggested that tribunals ought to consider fair information practices in handling the personal information relevant to the proceedings. For example, he suggested that tribunals ought to collect only personal information which is necessary to the proceedings and limit access to that information internally to staff who need it to do their job. As well, the personal information should be kept securely and subject to a retention schedule. As to the decisions themselves, the Commissioner recommended that they contain only the personal information that is required in the circumstances and that tribunals consider making publicly available an edited version that does not contain identifiers, while making the unedited version available to the parties.

In August, 2009, the British Columbia Information and Privacy Commissioner and the Ministry of Attorney General for the Province of British Columbia issued a joint consultation paper entitled “Access and Privacy Issues: a Guide for Tribunals”. The paper explains the differences as between courts and tribunals in relation to openness and, given that the constitutional duties applicable to courts would not apply to tribunals, notes that “administrative tribunals are obliged to engage in a finer balancing of these competing interests.” The Guide also deals with the collection of personal information by tribunals, providing access to documents and publishing decisions. In these instances the Guide urges tribunals to establish policies and procedures that take into consideration “privacy principles when collecting, using and disclosing personal information.” In light of the implications of the electronic age for documentation and decisions issued by tribunals, the paper states that “privacy concerns have been identified about the potential for data-mining, identity theft, stalking, and other misuses by powerful search tools that can access and extract personal information from those decisions and documents.”

Saskatchewan’s Information and Privacy Commissioner expressed a similar sentiment in Investigation Report 2005-001. Commissioner Gary Dickson ruled that the Automobile Injury Appeal Commission was not required to publish its decisions on its website without the consent of the applicant. In applying Saskatchewan’s FIPPA, the Commissioner ruled that the disclosure of the personal information was a breach of the Act. The Commissioner recommended anonymizing or severing the names of the parties before posting a decision on the internet.

The CanLII website reflects the uneven practice in relation to identifying individuals in decisions issued and made public by tribunals. The Consent and Capacity Board and the Ontario Workplace Safety and Insurance Appeals Tribunal both anonymize the identities of individuals who were parties to the proceedings, while the Ontario Labour Relations Board, the Grievance Settlement Board and the Public Service Grievance Settlement Board do not.

3. The Application of Ontario’s Access and Privacy Legislation to Adjudicative Tribunals

A. Disclosure of Personal Information
There have been a number of decisions made under Ontario’s Freedom of Information and Protection of Privacy Act (FIPPA) and its municipal counterpart, MFIPPA in relation to administrative tribunals dealing with both the right of access and privacy. In the main, absent any other statutory provisions to the contrary, FIPPA and MFIPPA will apply in this context in much the same way as they apply to records of non-tribunal institutions. However, the implications for tribunals are different.

The Information and Privacy Commissioner/Ontario (“IPC”) decisions relating to the authority under FIPPA or MFIPPA to disclose personal information may affect the tribunal’s ability to make information, including its decisions, available to the general public and thus impact on how open its processes may be. Order PO-2511, involving the Ontario Rental Housing Tribunal provides a case in point. This Order set out the history of the previous decisions of the IPC in relation to this tribunal. For example, it noted that in Orders PO-2109 and PO-2265, the IPC suggested that the tribunal cease the practice of disclosing customized reports of its decisions containing the names and unit numbers of tenants. The IPC found that there was no authority for the disclosures by contract under FIPPA and MFIPPA since the information was not subject to the exception to the exemption for personal information dealing with personal information maintained “specifically” for the purpose of making the information publicly available. Subsequently, in Order PO-2372 the IPC found that the disclosure of tenants’ names and unit numbers would be an unjustified invasion of privacy under subsection 21(1)(f) of FIPPA and subsection 14(1)(f) of MFIPPA.

With this background, in PO-2511, the IPC dealt with a request for a particular decision of the Ontario Rental Housing Tribunal. The IPC upheld the Tribunal’s decision to provide a copy of the order to the requester with the tenant’s name and address severed. The IPC ruled as well that the financial information in the Tribunal’s decision could remain since it could not be traced to an individual once the tenant’s name and address were severed. In a Postscript, the IPC urged the Tribunal to adopt “the practice of many administrative tribunals, including this office, of drafting its Orders in a manner which removes personal information and identifiers to better facilitate the public’s access to its body of case law.”

Following on its earlier decisions concerning the severing of records relating to the proceedings of the Ontario Rental Housing Tribunal, the IPC noted that in Order PO-2265, the openness of the proceedings and the application of the Statutory Powers Procedure Act (SPPA) did not mean that personal information should be disclosed in light of FIPPA. There, the IPC stated:

While the SPPA addresses public scrutiny considerations in the context of hearings, in my view, it does not necessarily follow that personal information must be accessible outside the context of these proceedings in order to ensure that the Tribunal is operating in an open and transparent manner.

The accessibility of ‘personal information’ is governed by the Act. I do not accept the appellant’s position that providing access to the tenant names and unit numbers of apartments subject to various Tribunal applications is either necessary in order to meet public scrutiny concerns or effective in subjecting the Tribunal’s activities to public scrutiny, as required by section 21(2)(a) [of FIPPA, 14(2)(a) of MFIPPA].

Accordingly, I find that section 21(2)(a) is not a relevant factor as it relates to the disclosure of tenant names and apartment unit numbers contained in the records.

In addition, in Order PO-2511, the IPC found that the compelling public interest override in section 23 of FIPPA and section 16 of MFIPPA did not apply to authorize disclosure of the personal information contained in the tribunal’s decision. The IPC considered the provisions of the SPPA that provide for open oral hearings and access to written material in relation to written hearings. It concluded that the fact that a hearing may have been held in public did not mean that a decision emanating from such an oral hearing must contain the same personal information; personal information may not be confidential in the hearing and may be withheld in recorded form.

B. Other Implications of the Application of FIPPA and MFIPPA
The IPC has made rulings specific to the tribunal context. For example, in relation to a tribunal member’s notes, the IPC has ruled that they will be in the “custody or under the control” of the tribunal where they are held by the tribunal and integrated with the records of the proceedings. If such records are in the “custody or under the control” of the tribunal, then they are governed by FIPPA or MFIPPA.

In Order P-1132, the IPC found that an Ontario Labour Relations Board panel member’s notes were not in the custody (or control) of the Board. According to the representations of the Board, panel members are independent of the government, the parties, the Chair and each other. Decision-making is unregulated by the Board and the Board places no constraint on the ability of the adjudicators to decide cases freely. The panel member’s notes were never located at the Board’s premises and were in the panel member's personal possession; the Board took no steps to regulate these records. The IPC noted, however, that if copies of the notes had been “physically located in the Board's files or in any other records management system over which the Board had administrative control,” it would have found that the records were in the custody of the Board. In finding that there was no “control” over the records, the IPC noted that the Board did not regulate the use of these records, and took no steps to exert control over them.

In its earlier and seminal decision on a board member’s notes, Order P-396, the IPC held that the issue of whether a tribunal member’s notes are in the custody or under the control of a tribunal is based on the facts of each case since the legislation does not exclude such records from the Act, as it does in respect of judges’ notes. It stated as follows:

The notes which are the subject matter of this appeal are currently located outside the Board premises and are in the Board member's personal possession. The Board does not regulate the use of the notes, and has taken no steps to exert control over them. They were created by the Board member for her own personal use and, according to the Board's representations, which have been adopted by the Board member, she never allowed any other person to see, read, or use the notes for any purpose.

The IPC went on to say that:

However, if the records had been contained in the appellant's appeal file or in any other record keeping system over which the Board had administrative control, in my view, they would properly have been considered in the custody or control of the Board, and governed by the provisions of the Act.

In my view, notes created by tribunal members are not, per se, excluded from the scope of the Act; to do so would require a legislative amendment. The determinative issue is whether particular notes are in the custody or under the control of an institution, based on the circumstances of a particular appeal.

C. Section 64 of FIPPA and section 51 of MFIPPA

This provision states as follows:

(1) This Act does not impose any limitation on the information otherwise available by law to a party to litigation.
(2) This Act does not affect the power of a court or a tribunal to compel a witness to testify or compel the production of a document.

As a result of this section, exemptions under FIPPA and MFIPPA do not act as a shield to prevent information, including personal information, from being available in litigation when it otherwise would be. These provisions apply equally to civil as well as criminal litigation. The IPC has interpreted “information otherwise available by law” in subsections 64(1) of FIPPA and 51(1) of MFIPPA to include the rules of natural justice and the requirements of the SPPA. For example, institutions involved in criminal prosecutions are required by the Charter of Rights and Freedoms to, in general, disclose relevant information to the accused in order to enable full answer and defence.
 

*Priscilla Platt is a Counsel at Heenan Blaikie LLP.
 

In May 2009, the Office of the Privacy Commissioner of Canada (“OPC”) published, on its internet site, a document entitled Guidance on Covert Video Surveillance in the Private Sector (the Guidelines).

Not since the days of George Radwanski has the OPC created the kind of controversy with respect to investigations as we see now. With these Guidelines, the OPC has:

• interfered with an insurer’s right and duty to defend;
• cast aside the best evidence rule and proposed the altering of evidence;
• imposed unreasonable costs on defendants; and
• espoused, as law, unreasonable expectations of privacy in public places.

The controversy is primarily based on two assertions found in the OPC’s Guidelines:

1. covert video surveillance is a tool of last resort for organizations in the private sector, and
2. if covert surveillance is undertaken, the images of all third parties to the investigation must be removed or pixilated from the recording at the earliest opportunity.

Investigators are reporting to their associations that insurers are already raising concerns about the need to comply with the new OPC Guidelines. As a result, the Canadian Association of Private Investigators (“CAPI”) and the Council of Private Investigators – Ontario (“CPIO”), along with the Canadian Association of Special Investigation Units (“CASIU”), have commissioned this article.

We submit that OPC’s Guidelines are vague, open to interpretation, and without legal authority to require strict compliance. With this article, we provide insurers with the background on the OPC Guidelines, and some recommendations on handling investigations going forward.

History of the Guidelines

The federal sector privacy law, The Personal Information Protection and Electronic Documents Act (“PIPEDA”), was passed into law in 2001 and came into effect with respect to provincially regulated industries in 2004. In 2004, CAPI and the CPIO, along with the Canadian Independent Adjusters’ Association (“CIAA”) and CASIU, successfully applied to Industry Canada and obtained for the private investigation and insurance industries the designation of “investigative bodies” pursuant to the regulations of PIPEDA.

Since 2004, the OPC has been relatively quiet with respect to the issue of covert surveillance as it applies to the insurance industry. A few findings under PIPEDA have been made by the OPC with respect to the use of covert surveillance, but most of these pertain to workplace settings. For the most part, investigations in the insurance industry have continued unimpeded by the OPC.

More recently, the OPC has been creeping towards regulating surveillance generally in the Canadian marketplace. First, the OPC released guidelines for the use of overt surveillance in public places by the public sector (the police). Thereafter the OPC released guidelines on the use of overt surveillance in public places by the private sector. Now the OPC is foraging in the arena of covert surveillance in the private sector.

The OPC’s covert surveillance policy agenda started in February 2008, with a staff member from the OPC giving a speech at the national Canadian Life and Health Insurance Association (“CLHIA”) conference. In that speech the OPC stated, among other things, that it viewed covert surveillance as an investigative tool of last resort, that various PIPEDA-based provisions should appear in vendor agreements, and that pixilation should be used to remove third party images from covert surveillance recordings.

In August 2008, the OPC released a draft finding involving a private investigation agency and an insurer with respect to their collection of the images of a third party during a covert surveillance. The OPC held that the private investigation agency should mask or pixilate any third party image as soon as possible after collection and before disclosure to its insurer client.

In September 2008, the OPC published draft Guidelines on covert surveillance in the private sector. This led to a meeting in the offices of the OPC attended by counsel and members of CAPI, the CPIO, CASIU, the Insurance Bureau of Canada (“IBC”), the Canadian Health Care Anti-Fraud Association (“CHCAA”), and the CLHIA. At that meeting, the OPC provided industry stakeholders with the opportunity to make written submissions by November 2008.

In May 2009, the OPC released Case Summary 2009-07, in which the OPC published its policy on masking the images of third parties collected during a covert surveillance. The Guidelines at issue were released shortly thereafter.

Who Controls the Investigation Process?

The OPC considers covert surveillance an “extremely privacy-invasive” form of technology that may only be used in the most limited of cases, and only as a tool of last resort. In our opinion, the OPC’s view of the use of covert surveillance is fundamentally flawed, and should not be followed.

During the consultation process, it was submitted by industry stakeholders that covert surveillance is a legitimate investigative tool that often needs to precede more overt investigation methods such as interviews. One only has to ask: what is more privacy-invasive - covert surveillance that the subject is not aware of or overt investigations such as questions openly asked of a subject’s neighbours, associates, physicians or accountants?

In addition to a common sense privacy assessment (overt versus covert) is the issue of costs. An insurer who has grounds for suspecting deceit by a subject should not be required to take more expensive and less effective investigative steps prior to conducting covert surveillance, especially when the information obtained by covert surveillance is publicly available.

The effectiveness of an investigation is something the OPC seems to summarily dismiss. If the subject of an investigation and their associates are put on notice that surveillance is contemplated, such as by a request for consent, the behaviour of the target changes, and the investigation (the search for the truth) is frustrated.

As the insurance industry knows, covert surveillance is conducted for the purpose of confirming or invalidating suspicions of deceit to prevent payments on fraudulent based claims. If the covert surveillance does not validate the suspicion, the investigation often ends. If the covert surveillance confirms a suspicion of deceit, other investigative steps to confront the problem can be taken.

The OPC seems to have ignored the fact that prior to its Guidelines, insurers were not in the practice of requesting covert surveillance without careful thought. It is the insurer who is paying for the investigation and who has the experience in conducting investigations to protect its interests. Because the insurer pays, covert surveillance is not taken on a blind whim.

Reasonable Expectation of Privacy

The OPC’s view of what constitutes reasonable expectations of privacy in public places does not appear to be derived from Canadian law. In no case that we are aware of has a court rejected covert surveillance evidence based on the submission of a right to privacy in public places. Rather, the courts have set out the test for the admissibility in detail: see Landolfi v. Fargioni (2006), 79 O.R. (3d) 767 (C.A.) (Landolfi).

As a general rule, in the insurance industry covert surveillance is not conducted in private places. It does not take place in people’s homes. It normally takes place in public places, and for it to be effective the subject must not be aware that it is taking place.

The OPC’s position that covert surveillance has the same psychological effect as overt surveillance, where a person has grounds to believe that he or she is being watched and therefore curtailing his or her behaviour, is simply unfounded. As a general rule, covert surveillance is not brought to a subject’s attention unless the person is involved in deceit. And once deceit is uncovered, it rightfully should make the subject uncomfortable.

Even in matters such as the right to privacy on Facebook, the courts have ruled a right to privacy was minimal and outweighed by a defendant’s right to defend his or her case: Murphy v. Perger, (2007) Carswell Ont 9439 (S.C.J.). Without judicial direction on this fundamental issue stating otherwise, we submit the OPC’s Guidelines need not be followed.

Evidence Tampering and the Pixilation Issue

The Guidelines indicate that “if such personal information is captured, it should be deleted or depersonalized as soon as is practicable.” The phrase “as soon as is practicable” leaves the Guidelines open to interpretation.

As an evidentiary matter, the Guidelines seem to inferentially advocate tampering with evidence before the evidence even hits the hands of the lawyers, let alone the courtroom. The test for admissibility of covert surveillance evidence is that the evidence is relevant and necessary, and reliable in the sense that the video is accurate and a fair representation of the facts, and capable of being verified under oath: see (Landolfi).

In our view, any pixilation to any covert surveillance conducted for investigative purposes should only be considered after a ruling on the reliability of the evidence is made. If covert surveillance video evidence is altered prior to its introduction into evidence, a court may rule the evidence is unreliable, and reject it in its entirety. As was held by the Court in Ferenczy v. MCI Medical Clinics, 2004 CanLII 12555, [2004] O.J. No. 1775 (ON S.C.) (Ferenczy), PIPEDA should not be construed as to interfere with the Court’s search for the truth.

As an investigative matter, deleting and depersonalizing information is arguably not practicable until and unless the significance of that third party images are conclusively determined. Such images may not be conclusively determined until the subject of the investigation is examined as to the identity of the third parties, their significance to the purposes of the investigation is known, and until the admissibility of the evidence is addressed.

There is also the issue of costs. Pixilation costs are influenced by a number of factors, including:

• the quantity of third parties captured in the surveillance of a subject,
• the length of the surveillance recording, and
• the technology used.

In most cases, the costs of pixilation will at least double the cost of surveillance.

In summary, there are sound policy reasons why organizations do not need to rush to delete or depersonalize third party images.

We note that there is no prohibition in the Guidelines against the disclosure of third party images in a covert surveillance from a private investigation company to its client organization. As covert surveillance recordings are not shown to the world at large, there seems to be little reason for the need to alter evidence that may one day be needed at a trial or arbitration, unless ordered to do so by a court.

The OPC Complaint Process and the Rejection of OPC Recommendations

In Finding 2009-07, the OPC made recommendations to a private investigation company and an insurer to use covert surveillance as a tool of last resort and to pixilate third party images it collected. These recommendations were expressly rejected and not implemented by the investigators involved.

Unfortunately, neither the OPC nor the complainant opted to bring an application to the Federal Court to enforce the OPC’s recommendations. This may be because the third party whose image was captured on the surveillance was relevant to the investigation, and hence it was a weak case for the OPC based on the facts, or it may have been because the OPC is not comfortable with testing its own policy in the Courts.

In any event, there seems to be little consequence to non-compliance with the OPC Guidelines other than the inconvenience and cost to responding to a complaint. The OPC does not publish the names of those who are subject to complaints and who do not comply with their recommendations. The OPC does not resolve complaints on a timely basis.

Furthermore, insurers should be aware that complaints of this nature are infrequent, and usually brought by persons with questionable motives. As stated above, the existence of covert surveillance normally is not known to those whose images are collected on it. In Finding 2009-07, the existence of the surveillance only came to light when it was used during a proceeding, and as such the merits to its use were obvious.

The bottom line is that insurers should not be deterred from using covert surveillance to protect their interests simply because of the remote chance it may become the subject of an OPC complaint.

Insurer Challenges to OPC Jurisdiction

In a recent and commendable development, State Farm Insurance (“State Farm”) has brought an application to the Federal Court to obtain a ruling as to whether the OPC has jurisdiction over investigations conducted by the insurance industry. It is State Farm’s position that the OPC did not have the jurisdiction to carry out such an investigation, as information collected by an insurer about a third party claim against an insured person is not information collected, used or disclosed “in the course of commercial activities” within the meaning of section 4 of PIPEDA.

Alternatively or in addition, State Farm’s position is that if investigations for insurers by private investigators does constitute a “commercial activity” within the meaning of PIPEDA, then that legislation is ultra vires (outside the powers of) the Parliament of Canada, as activities carried out for the investigation, defence and/or indemnification of third party claims by liability insurers, including the collection of information about the claim, the disclosure or non-disclosure of such information to the claimant, the assertion of rights of non-disclosure and all related matters are properly within the exclusive legislative competence of the provincial government.

While this case does not address issues such as the right to collect evidence in public places and pixilation of evidence after it is collected, it is an interesting development to test the authority of the OPC to regulate the insurance industry.

Going Forward

If nothing else is taken away from this article, the insurance industry should be alive to the following:

• The OPC fulfils an ombudsman role. The Guidelines are only guidelines – they are not law.

• There appears to be little consequence to non-compliance with the Guidelines – insurance fraud is a serious issue and the OPC does not appear willing to bring an application to the Federal Court to test its policy statements against investigations conducted in the public interest.

• If there is a right to privacy in public places, the right is outweighed by an insurer’s right to know as long as there are grounds for the insurer’s investigation prior to ordering covert surveillance.

• If the masking of third party images needs to take place, it should occur only after the admissibility of the evidence has been ruled upon by a court and before it is shown in a public forum.

• Insurers are encouraged to review the wording of their vendor agreements, particularize the grounds for investigation in their files and in their letters to investigators, and provide in their own privacy policy statements their reasons for conducting covert surveillance and not tampering with their evidence.

*Norman Groot is a litigator with Investigation Counsel Professional Corporation, a law firm that focuses on fraud litigation and investigation law matters. Norman is also counsel to CAPI, the CPIO and CASIU. Mr. Groot may be reached at 416-637-3141 or ngroot@investigationcounsel.com.
 

On Thursday, September 17 the Ontario Bar Association hosted a luncheon with Privacy Commissioner of Canada Jennifer Stoddart. The luncheon was co-sponsored by the privacy and citizenship and immigration law sections of the OBA.

Those in attendance had a valuable opportunity to hear directly from the Commissioner responsible for the Personal Information Protection and Electronic Documents Act and the Privacy Act and one of our country’s most active representatives in international privacy circles. Commissioner Stoddart’s remarks focused on two cases that illustrate the increasingly international dimension of privacy.

The Office of the Privacy Comissioner’s (OPC) recently completed investigation of the prominent social networking site Facebook has received global media attention. Commissioner Stoddart spoke about the investigation and the privacy issues it addressed – for users everywhere, not just in Canada. The Facebook investigation is indeed a convincing illustration of the potential for improvements achieved in one jurisdiction to result in more widespread benefit.

The Accusearch case concerned a US-based online data broker that offered a variety of search services on individual consumers, including Canadians. Beginning with a complaint lodged with the OPC in 2004, the case led to a 2005 Federal Court decision confirming that the OPC’s power to investigate is not limited to entities in Canada, and eventually to a variety of co-operative and collaborative enforcement activities between the OPC and the US Federal Trade Commission (FTC). This included inter-agency assistance with investigations as well as an amicus curiae brief filed by the OPC in an Accusearch appeal of a lower court decision in the enforcement action brought by the FTC. The lower court’s injunction prohibiting Accusearch’s continued trade in consumer profiles without consent was ultimately confirmed on appeal.

Commissioner Stoddart pointed to Accusearch as an example of the opportunities, which are being realized, to enhance privacy through international co-operation.

The privacy law section and all in attendance at the luncheon are indebted to Commissioner Stoddart for her remarks and her continuing openness and commitment to dialogue with our community.

 (Above: Jennifer Stoddart speaking at the OBA Luncheon)

*Laura Davison is Deputy Chief Privacy Officer of Deloitte and Vice-Chair of the OBA Privacy Law Section. Laura can be reached at 416-601-6458 or ldavison@deloitte.ca.
 

Ontario’s Information and Privacy Commissioner Issues Report on Jury Vetting

Ontario’s Information and Privacy Commissioner Ann Cavoukian has directed Crown attorneys to stop collecting personal information of potential jurors beyond what is permitted under the Juries Act and the Criminal Code in relation to criminal conviction eligibility.

The Commissioner, who is proposing a fundamental shift in the way that prospective jurors are screened, has recommended that the Ministry of the Attorney General, through its Provincial Jury Centre (PJC) in London, Ontario, be the only central body to screen jurors who are ineligible for jury duty, based on criminal conviction. According to her, PJC as the single entity already in receipt of the names and personal information of all prospective jurors, is in a better position to implement strict privacy and security measures that can be strongly enforced, thereby providing a consistently high degree of protection for personal information. She noted that the new process addresses the lack of consistency in the “patchwork of practices” presently employed by Crown attorney offices and the police.

These recommendations are contained in a 213-page Order PO-2826 issued by the Commissioner on October 5, 2009 entitled “Excessive Background Checks Conducted on Prospective Jurors: A Special Investigation Report”. The Commissioner’s Office launched a major investigation into whether the privacy rights of prospective jurors were breached when the police, acting on behalf of Crown attorneys, conducted background checks through a variety of means, ranging from accessing confidential databases to informally gathering anecdotal information.

Some of the Commissioner’s key findings are:

• One third, or 18 of the 55 Crown attorney offices in Ontario had received background information about prospective jurors since March 31, 2006 – this practice extended well beyond the four locales previously identified in the media;
 

• All 18 Crown attorney offices had gathered personal information that exceeded the criminal conviction eligibility criteria set out in the Juries Act and Criminal Code – in doing so, they had also failed to comply with applicable privacy legislation; and
 

• There were varying practices regarding the disclosure of this information by Crown attorney offices to defence counsel.

Ms. Cavoukian said police background checks of potential jurors was not a “sweeping epidemic” across Ontario, but in a relatively small number of cases, the violation of jurors’ privacy was a “routine practice”. She also found regrettable that this invasive practice should have been put to a stop 16 years ago.

The Commissioner considered Barrie/Simcoe County office as the worst offender among 18 of 55 provincial Crown attorney offices gathering background information about potential jurors. Other cities included Toronto, Windsor and London, with most vetting occurring in smaller centers.

Attorney General Chris Bentley told reporters that the government will reform the Juries Act to impose better privacy protection and promised that it would result in a new juror screen system.

Frank Addario, President of the Criminal Lawyers’ Association, was reported as saying that the entire jury selection system in Canada needs to be reviewed. Mr. Addario noted that several cases have already been appealed due to the revelation.

More information on the Commissioner’s investigation is available online: click here.

Toronto Hydro’s Privacy Breach under Investigation

Ontario’s Privacy Commissioner and the Toronto Police are investigating a privacy breach of Toronto Hydro’s e-billing system.

The media reported that personal information of about 179,000 Toronto Hydro e-billing accounts might have been accessed including names, addresses, Hydro account numbers, the amount of the last bill and any money owed. The fear is that access to such information could allow a fraudster to contact customers in an attempt to draw out details about banking information or passwords that could lead to identify theft.

Toronto Hydro said that it contacted the police after detecting some unusual activity in its e-billing system.

The news release of July 28, 2009, which announced the Commissioner’s investigation of the matter, said that letters about the breach have already been sent by Toronto Hydro to all its customers.

Commentators have noted that the illegal accessing of some Toronto Hydro e-billing accounts has raised privacy concerns about energy companies’ move to smart grids.

As utilities begin to modernize their networks and embrace communication technologies, privacy scholars have cautioned that the issue of protection of personal information of clients has not received due consideration in the bid to control energy use. For example, the cyber security risk is not lost on the North American Electric Reliability Corporation, which has mandated that big utilities and system operators comply with eight standards related to infrastructure protection.
 

Resolutions of Privacy Commissioners and Ombudspersons

Privacy Commissioners and Ombudspersons from across Canada rose from their meeting on September 10, 2009 in St. John’s, Newfoundland, adopting two resolutions on privacy issues.

They urged MPs, who are considering Bills C-46 and C-47, to use caution as they move to expand the investigative powers available to law enforcement and national security agencies to acquire digital evidence. They also urged that service providers ensure that privacy protection is built into online health record systems.

More information is available online: click here.

Facebook Agrees to Upgrade Privacy Safeguards

Facebook, the global social network, has agreed to work with Privacy Commissioner of Canada Jennifer Stoddart to improve privacy safeguards for its users, especially with respect to third parties who offer the add-on programs such as games and quizzes.

Commissioner Stoddart found that Facebook had failed to adequately respond to allegations about its practices that contravened federal privacy law, following a complaint from the Canadian Internet Policy and Public Interest Clinic. She directed Facebook to limit the personal information it gives to companies that make add-on programs for the site or face potential court action.

She described Facebook’s decision to implement the Privacy Commissioner’s recommendations as a positive step towards bringing Facebook in line with the requirements of Canada’s privacy laws. She said: “These changes mean that the privacy of 200 million Facebook users in Canada and around the world will be far protected.”

For more information, please see the Report of Findings issued by the Office of the Privacy Commissioner of Canada online: click here.

Privacy Commissioners Dialogue Further with Google over its StreetView Application

Privacy Commissioner of Canada Jennifer Stoddart and three provincial counterparts have continued their discussion with Google Inc. over the issue of ensuring that Google StreetView comply with Canada’s private sector privacy legislation.

In the latest round of communication, the Commissioners gave a nod of approval to Google’s proposed retention plan for images collected for its StreetView application.

They wrote: “On the whole, the retention period presented to us appears reasonable, given the business purposes, provided Google is meeting its obligations under Canada’s private-sector privacy legislation. As you know, our concerns in this regard have been outlined in previous correspondence and meetings, and in the document, Captured on Camera – Street-level imaging technology, the Internet and you.” Google is proposing to retain images for a maximum period of one year after publication, after which time, the images will be permanently blurred.

The Commissioners also stressed the need for Google to inform the community of its StreetView activities. They wrote: “We would again highlight the need for knowledge and consent – you must let citizens know that they are going to be photographed, when, why, and how they can have their image removed. We would also encourage you to be sensitive about the areas you choose. We note that in your company’s appearance before the ETHI Committee [House of Commons Standing Committee on Access to Information, Privacy and Ethics], you committed to contacting community organizations prior to the launch of StreetView in Canada to notify them of the blurring capability as well as the process for having images removed, in case they wish to explore that option. We appreciate your undertaking to do so.”

More information on the Commissioners’ letter to Google is available online: click here.

Recent Decisions from the Supreme Court of Canada Say Tainted Evidence Can be Used to Convict an Accused unless the Charter Violation is Blatant

For those who follow judicial developments on privacy interests in criminal law cases, the recent decisions of the Supreme Court of Canada in four cases provided more guidance in the contentious area of tainted evidence.

In R. v. Harrison (Harrison), a case involving cocaine trafficking, the Court excluded evidence on the basis that the police showed a “blatant disregard” for rights of the accused under the Canadian Charter of Rights and Freedoms (the Charter). It noted that “the deprivation of liberty and privacy represented by the unconstitutional detention and search was a significant, although not egregious, intrusion on the accused’s Charter protected interests.

While the Court accepted that “the drugs seized constituted highly reliable evidence tendered on a very serious charge”, it nevertheless decided that the Charter violation warranted the exclusion of the evidence. The Court said: “However, the seriousness of the offence and the reliability of the evidence, while important, do not in this case outweigh the factors pointing to exclusion. To appear to condone wilful and flagrant Charter breaches amounting to a significant incursion on the accused's rights does not enhance, but rather undermines, the long term repute of the administration of justice."

In R. v. Grant (Grant), the Court agreed with the trial court that the gun and marijuana that police seized from the accused could be used as evidence against him, noting that the state conduct being challenged could not be characterized as a severe violation of the accused’s Charter rights.

The Court stated the test it must conduct to determine whether to exclude evidence that is deemed to infringe the Charter is as follows:

When faced with an application for exclusion under s. 24(2), a court must assess and balance the effect of admitting the evidence on society’s confidence in the justice system having regard to: (1) the seriousness of the Charter-infringing state conduct, (2) the impact of the breach on the Charter-protected interests of the accused, and (3) society’s interest in the adjudication of the case on its merits. At the first stage, the court considers the nature of the police conduct that infringed the Charter and led to the discovery of the evidence. The more severe or deliberate the state conduct that led to the Charter violation, the greater the need for the courts to dissociate themselves from that conduct, by excluding evidence linked to that conduct, in order to preserve public confidence in and ensure state adherence to the rule of law. The second stage of the inquiry calls for an evaluation of the extent to which the breach actually undermined the interests protected by the infringed right. The more serious the incursion on these interests, the greater the risk that admission of the evidence would bring the administration of justice into disrepute. At the third stage, a court asks whether the truth seeking function of the criminal trial process would be better served by admission of the evidence or by its exclusion. Factors such as the reliability of the evidence and its importance to the Crown’s case should be considered at this stage. The weighing process and the balancing of these concerns is a matter for the trial judge in each case. Where the trial judge has considered the proper factors, appellate courts should accord considerable deference to his or her ultimate determination. [71 72] [76 77] [79] [86] [127]

In two other cases, R. v. Suberu (Suberu) and R. v. Shepherd (Shepherd), the Court upheld the trial courts’ decisions that permitted the use of tainted evidence against the accused.

Privacy Concerns over Surveillance Balloon at Border

An experimental U.S. surveillance balloon, stationed over the St. Clair River and equipped with a $1 million camera, was launched recently to monitor the international waterway and the Blue Water Bridge, which links Sarnia and Port Huron, Michigan.

On August 1, 2009, the Niagara Falls Review reported that residents in the Niagara area have expressed concerns about possible invasion of their privacy, wondering if the same technology could be brought here to watch sections of the Niagara River and the four international bridges.

The newspaper quoted Canada’s Justice Minister, Rob Nicholson, who is also the Niagara Falls MP as saying: "We always have to be careful with any technology and respect people's privacy. There's no question about that. What they are looking for is drugs, guns and the smuggling of people.” He added that Canada and the United States respect each others borders and territory.

The balloon in Sarnia, owned by the Sierra Nevada Corporation, is shaped like an airplane wing and its camera is sensitive enough, U. S. officials say, to read the name of a ship from a distance of 14 kilometres.

The company is testing it at the St. Clair River international boundary and hopes to sell the technology to U.S. Homeland Security.

Plan to Collect Biometric Data for Temporary Residents

On June 9, 2009, the Toronto Sun reported that the federal government plans to start collecting biometric information for applicants for temporary resident permits as early as 2011, and by 2013, all prospective temporary residents, including those who apply for work permits or study permits, will have to submit fingerprints and photographs.

According to the newspaper, the Immigration Department is embarking on the collection of biometric information because of the increase in identity fraud. Deciding that traditional ways of identifying people are no longer good enough, the Department plans to require fingerprints from 15% of prospective temporary residents by late 2011, increasing to 50% in 2012 and 100%, or about 1.6 million people, in 2013.

Government officials wrote in response to the Toronto Sun’s request: “Current screening tools, which rely on biographic information, are no longer accurate, as documents can be easily stolen or altered resulting in multiple or false identities. In contrast, biometrics can be used to uniquely identify and reliably verify an individual.”

While the Department is starting with fingerprints, it may add facial recognition in the future. Biometric data collected will be stored at a central hub in Canada. Fingerprints will be checked by the RCMP.

Immigration Minister Jason Kenney was reported as saying that Canada trails behind Australia and the United Kingdom in using the technology.

*Abi Lewis is a Counsel at the Ontario Ministry of the Attorney General, Policy Division.