
Why do I have to agree to your Privacy Notice? And other curiosities

There are a number of curious features to the Privacy Notice splash page for Canada’s new online tool for making access to information (ATIP) requests.

The online tool is certainly a welcome development and nothing in this post is meant to detract from that important effort. However, there are a number of issues raised by the Privacy Notice accompanying the tool that are worth considering and debating when considering how to structure and implement privacy notices.

1. Transparency

The online tool contains a “Privacy Notice” on the first page that is more than 530 words long. That doesn’t include all of the information that the reader is directed to by way of hyperlinks or references.

Personally, I don’t think 530 words even when combined with hyperlinks is excessive, although it should be borne in mind that this is for a single tool on a single portal!

What is curious is that the Privacy Notice is not the totality of the privacy terms. There are also “Terms and Conditions” in the footer of the webpage. However, there is no indication in the Privacy Notice that those Terms and Conditions might also contain a “privacy notice”, which is different from and contains additional information regarding information collected by users of the website.

So here’s the question – should all privacy information be in one place? If you split it up, should you be sure to cross-reference it? Would anyone be misled into thinking the Privacy Notice was all there is, given its prominence?

2. Express Consent

Another interesting feature is that the user must also expressly click wrap his or her agreement to the front page Privacy Notice by checking a box that states:

I have read, understood and agree with the above Privacy Notice.

Why must the user expressly agree to the Privacy Notice?

This is not a feature of the paper form, nor is it a feature of the Terms and Conditions, which also contains a “privacy notice”.

What does the express agreement to some, but not all, of the “privacy terms” accomplish? Does the “express consent” feature of the Privacy Notice splash page give a user the false sense that this is all there is?

3. Details

Another interesting feature of the Privacy Notice is that the Privacy Notice leaves the user to figure out his or her legal rights. The Privacy Notice is plainly worded, but much of the detail is in the hyperlinks or in clauses that are external to the Privacy Notice. Of course, the Privacy Notice is not governed by the federal Personal Information Protection and Electronic Documents Act and so we aren’t really comparing apples to apples if we are comparing the Privacy Notice to what you might find in the private sector. However, the following examples are worth considering:

  • Retention. The user is told that personal information “will be kept for the period of time identified in standard Personal Information Bank PSU 901 (Access to Information and Privacy).” The hyperlink isn’t particularly illuminating. If the user accesses it, the user will be told:

For information about the length of time that specific types of common administrative records are maintained by a federal government institution, including the final disposition of those records, please contact the institution’s Access to Information and Privacy Coordinator.

  • Disclosure. The user is told that information “may be shared with other organizations only in accordance with paragraph 8(2) of the Privacy Act.” A hyperlink elsewhere in the Privacy Notice takes the user to the whole of the Privacy Act. From there, the user is on his or her own. That would be like a private sector entity saying: “We disclose your information in accordance with s.7(3) of PIPEDA – here’s a link to the Act – figure it out.”

That’s not to say that the Privacy Notice isn’t an improvement over the paper form. The paper form does not even disclose to the user the handling practices of the user’s personal information once the form is submitted. All the paper form states is:

The personal information provided on this form is protected under the provisions of the Access to Information Act and the Privacy Act.

Is this disclosure adequate? Are private sector organizations just over-complicating matters?

4. Security

There is one last interesting feature of the Privacy Notice. Apparently, if “you are concerned about the confidentiality of information, including your personal information, in transit, you should consider sending it directly to a government institution by secure means.” The recommendation? Mail. This seems to be an odd thing to say, given that the portal to make the online request is supposed to be a secure portal with 128-bit encryption.

Thoughts?

The Power of “Why” in the Exercise of Discretion to Disclose

Asking “why” is a powerful deterrent to over collection and, as a recent Alberta case demonstrates, can be a powerful check on “over disclosure”.

In Order F2013-12, the issue for the Office of the Information and Privacy Commissioner of Alberta was whether the entirety of an accident report created from information collected from the driver of one vehicle should be automatically and routinely disclosed by the police to the other driver involved in the accident.

The form established by the Registrar for the accident report collects the driver’s name, address, date of birth, gender, home phone number, work phone number, and operator’s license.

The case for disclosure looked strong:

  • The Alberta Traffic Safety Act requires drivers who are involved in an accident to complete an accident report with the police.
  • The form of accident report is prescribed by the Registrar of Motor Vehicles.
  • The police are required to collect the accident report.
  • If requested, a driver is required to disclose to the police or anyone sustaining loss or injury, the driver’s name, address, operator’s licence, name and address of the registered owner of the vehicle, licence plate of the vehicle, and the financial responsibility card issued in respect of the vehicle.
  • The police are permitted to provide the Registrar with a copy of the accident report.
  • The police are permitted to release information in the accident report to a person if the person may be liable to pay damages.

The Freedom of Information and Protection of Privacy Act permitted disclosure of personal information for a purpose in accordance with a law that authorizes or requires disclosure, but only to the extent necessary to carry out the purpose in a reasonable manner.

The Adjudicator agreed that in theory disclosure of an accident report was authorized by law. However, the disclosure provision was permissive – that is, the police had discretion to exercise.

So, why did the police exercise the discretion to disclose the entirety of the report? The Adjudicator didn’t receive a good answer. It seems it was the practice of the police to do so. But the drivers in this case had not asked for each other’s information. Even had they done so, the Traffic Safety Act did not require disclosure of the drivers’ birth dates or telephone numbers. Moreover, no party requested a copy of the accident report.

The disclosure was gratuitous in order that the drivers need not ask for copies of the report and in order to ensure that the drivers meet their obligations to one another. In the result, the Adjudicator ordered the police to cease disclosing more information than was necessary for that more limited purpose – such as name, address and operator’s licence.

A Personal Email Records Management and Privacy Problem

The use of personal email for business is a significant problem for records retention and privacy programs.

On March 18, 2013, the British Columbia Information and Privacy Commissioner (OIPBC) announced an investigation into the use of personal email accounts by public servants in that province. Although the investigation is taking place in a public sector context, the investigation is also relevant for organizations in the private sector.

Records Management Obligations

Communications taking place outside of the organization’s email records management system may not be captured in compliance with the organization’s records management system. The OIPBC reminds public servants in Guidelines on the Use of Personal Email Accounts for Public Business (released on March 18, 2013) that personal email may still be subject to the British Columbia Freedom of Information and Protection of Privacy Act (FIPPA).

FIPPA applies to records in the custody or control of a public body. A record will be under the control of the organization if (a) the record relates to a departmental matter and (b) the government institution could reasonably expect to obtain a copy of the record upon request. The OIPBC’s general rule is that “any email that an employee sends or receives as part of her or his employment duties will be a record under the public body’s control, even if a personal account is used.” These records may, therefore, be subject to access to information requests even though the organization does not have possession of the email record.

This isn’t just a public sector problem. For example, subsection 23(1) of the British Columbia Personal Information Protection Act (“PIPA”), which applies to private sector organizations in British Columbia, provides that an organization must provide an individual with the individual’s personal information under the control of the organization. There is no obvious reason why the meaning of “control” in PIPA should be narrower than in FIPPA.

Information Security Obligations

The OIPBC also expressed concern regarding the security of personal email in the Guidelines. This issue applies equally to the public and private sectors. Depending on the service used by the employees and whether copies of the email are downloaded to unencrypted devices, the email may be stored in an insecure environment.

Private organizations should be aware that section 34 of PIPA requires the organization to protect personal information in its custody or under its control by making reasonable security arrangements to prevent unauthorized access, collection, use, disclosure, copying, modification or disposal or similar risks. Organizations may be faulted for turning a blind eye to the practice of employees using personal email systems that do not provide for adequate security. In assessing the risk, organizations should consider whether they would have breach notification responsibilities in the event an employee’s personal email was compromised and that email contained personal information collected by or on behalf of the organization.

Even leaving aside the possibility of a breach, organizations should consider whether employees transmitting personal information outside of the administrative, technical and physical security controls established by the organization would violate representations made by the organization in its public privacy policies.

 

Enough Already: Encrypt those Portable Devices

The U.S. Federal Trade Commission (FTC) announced on Data Privacy Day (January 28) that it had reached a settlement with a cord blood bank in respect of the loss of nearly 300,000 customers’ personal information. The lost data included contact information, social security numbers, credit and debit card account numbers, drivers’ licences, banking information, and medical information. The information had been stored on unencrypted backup tapes, an external hard drive and a laptop that were stolen from a backpack left in an employee’s car for several days.

In the statement of allegations, the FTC alleged that the blood bank misrepresented that it maintained reasonable and appropriate practices to protect consumers’ personal information from unauthorized access. The proposed settlement involves an order prohibiting future misrepresentations and requiring the cord blood bank “to establish and maintain a comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of personal information collected from or about customers.” The proposed settlement also requires the organization to submit to independent privacy assessments for a period of 20 years.

Although the FTC settlement concerns an incident in December 2010, the use of unencrypted portable storage devices to transport personal information appears to continue to be an all too common phenomenon. In Canada, there has been a string of cases in which government custodians have lost control of unencrypted storage devices containing personal information.

The FTC settlement is a cautionary tale. Many organizations assert that they take appropriate administrative, technological and physical security precautions regarding the protection of personal information. If the risk of loss of data is not a sufficient reason to stop the practice of using unencrypted portable storage devices, the FTC settlement is a reminder that there is the potential for prosecution or liability for misrepresentation in using a manifestly unsafe data transfer method.

The FTC settlement is equally instructive for Canadian organizations. Even though, to date, the approach of the FTC in relying on consumer protection provisions regarding unfair trade practices and misrepresentations has not taken root in Canada, Canadian organizations may wish to consider that Canadian common law and consumer protection legislation also prohibit misrepresentations and unfair and deceptive practices – quite apart from compliance with privacy legislation.

Data Anonymization: UK Code and a New “Anonymisation Network”

On November 20, 2012, the UK’s Information Commissioner’s Office (ICO) issued the Code of Practice on data anonymization, entitled “Anonymisation: managing data protection risk.” I discussed the draft Code and consultation in a previous post.

In addition, the ICO has announced an “Anonymisation Network” (www.ukanon.net – not yet up and running) to host detailed case studies and illustrations of good practice.

The Code is developed within the framework of the Data Protection Act, 1998 (UK), and, therefore, should not be considered to be directly applicable outside the UK. However, the case studies and discussion of data anonymization techniques are useful reading for all organizations considering the conversion of data sets to an anonymized form.

Some highlights from the ICO’s discussion of data anonymization are:

  • If an organization converts personal data into an anonymized form, the resulting anonymized data will not constitute personal information. This will continue to be the case even though the organization may be able to de-anonymize the information.
  • A difficult technical issue for organizations will be whether the anonymized data could be combined with information by a third party to re-identify the individual. The ICO’s position, based on judicial precedent, is that the risk of identification must be greater than remote and reasonably likely in order for the data to be considered to be personal data for the purpose of data protection legislation.
  • In assessing the risk of re-identification, the ICO recommends using the “motivated intruder” test. In other words, would a person who starts without any prior knowledge but who wishes to identify an individual be able to access resources and investigative techniques to de-anonymize the data? The motivated intruder is not, however, assumed to resort to criminality or have specialist equipment or skills.
  • Data that is from low sensitivity sources with a low risk of re-identification may be published by the organization as part of a commitment to open government. However, the ICO recommends that data from highly sensitive sources with a significant risk of re-identification should be made available under limited use restrictions in order to control through contractual terms the use to be made of the data.
  • The ICO takes the position that in most cases anonymization does not require an individual’s consent under the Data Protection Act, 1998. However, organizations should address the possibility of anonymizing data through disclosure in privacy policies. By contrast, if an organization collects personal data through re-identification, the organization must have the individual’s knowledge and consent.

A summary document prepared by the ICO is available here.

Sex, E-mail & Privacy – You Have Privacy Rights For As Long As No One Is Interested

On November 15, 2012, the Sexual Orientation and Gender Identity Conference (SOGIC) of the Ontario Bar Association (OBA) held a seminar on “Sexual Orientation & Gender Identity: Managing Personal Privacy and Reputational Risks in an Online Era”. I was invited to participate as a speaker.

One of my (tongue-in-cheek) messages at the event was that you only have privacy rights for as long as no one is interested in what you are doing. It might be 45 years since the late Rt. Hon. Pierre Trudeau said that the State has no business in the bedrooms of the nation, but the continual parade of sex scandals demonstrates the State and the public still consider what happens between consenting adults to be very interesting and worthy of opinion. Just open any North American daily newspaper this past week.

Certainly, there are numerous criminal and civil protections for privacy in Canada that Canadians and members of the LGBTQ community can rely on for privacy protections depending on the nature of the breach.  These include public and private sector privacy legislation, Criminal Code provisions (interception of private communications, harassing phone calls, spreading false messages and hate speech), the new tort of intrusion upon seclusion, statutory invasion of privacy torts (in some provinces), appropriation of personality, libel and defamation, nuisance and breach of confidence.

However, these remedies all have significant limitations. Private sector privacy legislation has no teeth when dealing with a non-commercial blogger. All of the court-based remedies require seeking vindication in a public forum. For defamation, the facts and photos might be embarrassing but if the defendant can prove they are true or part of responsible journalism or a qualified privilege defence applies, the subject of the facts and photos has no remedy. Even when privacy rights are vindicated, any monetary remedy is relatively small and the publicity and the digitized record of the event giving rise to the intrusion of privacy is likely, at least at the present time, to continue on with a life of its own unless publication of the intrusion was relatively contained and the operators of the site are willing to take the material down.

My colleagues on the panel were very thought-provoking. Here are some of my “take-aways” for further thinking and discussion:

  • There is a gap in privacy protection for employees and job candidates (other than in British Columbia, Alberta and Quebec, public sector employees, and employees of federal undertakings). We are principally relying on Human Rights legislation for moral suasion.
  • There is a gap in privacy protection with respect to electoral information gathered by political parties and information collected by elected officials. Can this be justified on the basis of promoting our democratic system of government? Or, do elected officials lose credibility when dealing with private sector privacy mistakes when they have exempted themselves from an obligation to protect the privacy of their constituents?
  • We need to have a serious conversation about the “right to be forgotten”. A right of minors might be a useful starting point. Should an indiscreet photo or a story posted by a minor’s friend when the minor is 16 have an unlimited shelf-life on the Internet, or does this impinge too far on freedom of expression?
  • The time may soon be ripe to recognize a tort of publication of embarrassing private facts based on the U.S. and New Zealand tort. What will it look like? How do we protect robust freedom of expression and at the same time provide individuals with protection from becoming the subject of targeted shaming by groups who do not share the same values as the target?
  • Will the limit of $20,000 for general damages for the tort of intrusion upon seclusion be exceeded in the short-term? Or, will plaintiffs be able to demonstrate successfully to the court that the breach of privacy caused specific economic harm?
  • Is the term “privacy” confusing the issue (except to privacy advocates)? Is the main issue systematic and unwelcome private-sector and public-sector surveillance? In other words, a question of control? Is a necessary ingredient of a free society, in the digital age, one in which individuals have protection from the unauthorized use of information that is public in a nominal sense?

Thank you SOGIC for putting on this timely seminar.

Cyber Security Progress Has Been Slow, says Canada’s Auditor General

Cyber security month continues in Canada with the release of the Auditor General’s Fall 2012 Report. Chapter 3 evaluates the federal government’s progress on protecting Canadian critical infrastructure against cyber threats. As the Auditor General noted, the federal government is uniquely positioned to protect Canadians because of its access to foreign intelligence and other information sources that are not available to other stakeholders.

What is the Auditor General’s assessment? The federal government has been stating its commitment to address cyber security threats to critical infrastructure since 2001. However, “[d]espite several past strategies and funding, […] progress in achieving these commitments has been slow.” It appears that the government’s focus has been on policy development (and, perhaps, redevelopment) rather than monitoring threats and building sectoral partnerships.

For example, the federal government announced the creation of the Canadian Cyber Incident Response Centre (CCIRC) in 2005 to serve as a national readiness and response team for cyber threats. The CCIRC still does not operate 24 hours a day, 7 days a week and there are no plans for it to do so. Instead, it operates Monday to Friday, from 8 a.m. to 4 p.m. Eastern Time. The government plans to extend the operational hours, but not provide 24/7 coverage. Cyber threats or attacks outside of those hours are reported to the Government Operations Centre, which then pages an employee at CCIRC.

There are concerns that the CCIRC is not included early enough when incidents do occur. In part, this is because it is not the initial point of contact for sectoral incidents; however, there also appears to be interdepartmental confusion. For example, CCIRC was not notified of an attack on government systems until more than a week after the intrusion was discovered.

Given that critical infrastructure is owned by the private sector or managed through provincial, territorial or municipal governments, partnerships with the federal government on national cyber security are critical. However, with the exception of the energy and utilities sector network managed by Natural Resources Canada, partnerships within other sectors are only now starting to be developed and do not yet provide complete coverage.

Public Safety Canada has, for the most part, agreed with the Auditor General’s recommendations.

 

R U Preserving UR Text Messages?

A 2011 report for the Pew Research Center’s Internet and American Life Project found that Americans between the ages of 18 and 24 exchanged on average nearly 110 text messages (109.5) on a normal day, with a median user exchanging approximately 50 text messages a month. Even those in an older age group – 30 to 49 – were texting in significant numbers at an average of 27 texts per day.

Text messages are not confined to personal use, although that is likely still the most pervasive use of text messaging. Close-knit team members may use text messages to convey brief information or simply to prompt a call or attention to email. Text messages may also be used more nefariously as a means to communicate information in an attempt to avoid detection by an employer, particularly when sent and received from employee-owned mobile phones.

In the public sector environment, there may be a duty to produce text messages in response to access to information requests if those text messages are under the “control” of a public institution subject to access to information legislation. Access to information legislation typically defines “records” broadly in a technologically neutral way. The issue, however, is whether text messages are under the “control” of the institution. The answer is straightforward with respect to employer-owned mobile devices. However, the answer is more complex when dealing with employee-owned devices. The Supreme Court of Canada has endorsed an understanding of “control” that would include some power of direction over the record. Whether a policy on employee text messaging would be sufficient to establish control is uncertain.

In response to the possibility that records are falling outside of the access to information system, the Information Commissioner of Canada recently initiated an investigation into the use of text messages and similar forms of communication in the Federal public sector. The Commissioner noted that there is no government-wide policy on text messaging. Her investigation appears, however, to be limited to government-issued wireless devices.

In the private sector, the issue is equally complex. Leaving aside privacy issues relating to non-work-related texts on employer-owned devices, it is impractical for an employer to control the use of text messaging on personal devices. What is clear, however, is that inappropriate use of text messaging may pose a significant record-keeping and compliance challenge for organizations. My colleagues have posted about harassment complaints involving text messages sent and perhaps not sent. More broadly, however, text messages pose challenges for managing communications regarding matters that may be highly regulated or potentially litigious. If a regulatory investigation is commenced or litigation reasonably anticipated, the organization may need to take steps to direct employees to preserve relevant text messages.

There is no easy answer to the issue of text messages. However, like Canada’s Information Commissioner, it may be time to consider whether your organization’s policy and employee training is up to the challenge.

 

Cyber Security: A fourth pillar of Open Government

October is Cyber Security Awareness Month.

Canada’s Auditor-General is expected to release a report on Canada’s Cyber Security Strategy. The report is expected to be an important assessment of Canada’s preparedness for further cybersecurity attacks.

In the meantime, and perhaps pre-emptively, the Government of Canada announced on October 17, 2012, an investment of CAD$155 million over five years to improve the detection of, and response to, continually evolving cyber threats to government systems and services.

A portion of the funding will be invested in the Canadian Cyber Incident Response Centre (CCIRC). The purpose of the funding for CCIRC will be to:

  • Improve incident response across Canada, and enhance the ability of government and its partners to maintain awareness of the cyber environment; and
  • Strengthen analytical capability to improve mitigation advice and incident response.

Cybersecurity is not formally a part of Canada’s Open Government strategy. However, the security of electronic government information and digital government services is critical to the success and effectiveness of that strategy and should be considered a “fourth pillar”. The other pillars of the Open Government strategy are:

  • Open Data: Offering government data in useful formats for the use of the private sector and non-governmental organizations.
  • Open Information: Proactively releasing information to Canadians rather than waiting for access to information requests.
  • Open Dialogue: Using web-based technologies to engage with Canadians on government policies and priorities.

 

Modernizing ATIA 2012: The Open Dialogue Consultation Begins

The Office of the Information Commissioner of Canada (OIC) has commenced a public consultation regarding the modernization of the Access to Information Act (Canada). The consultation period commenced on September 28, 2012 and will continue until December 21, 2012.

Individuals and organizations interested in participating in the public consultation may do so electronically. The OIC has dedicated webpages to submit feedback. The General Questions tab provides space for an online forum regarding five themes:

Right of Access. The OIC asks whether only persons who are citizens or physically present in Canada should be able to obtain government held records.

Coverage of the Act. The OIC asks what criteria should determine whether a federal entity that spends taxpayer money or performs public functions is or is not subject to access to information legislation.

Limitation on the Right of Access. The OIC asks whether the categorical approach to certain exemptions from disclosure should be eliminated and replaced with a case by case approach requiring the federal institution to establish that injury, harm or prejudice would result. The OIC also asks what role the public interest should play.

Cabinet Confidences. The OIC asks whether Cabinet deliberative secrecy should continue to be invoked to prevent disclosure of records that directly inform Cabinet decisions. If the exclusion is to be maintained, the OIC asks on what basis and whether the Commissioner should be able to review those documents.

Awareness and Education. The OIC notes that the Commissioner has no education and awareness mandate and asks whether this should change.

In addition to the General Questions, the OIC has prepared specific, more detailed questions to which it invites submissions.

As the OIC states, “[a]ccess to information underpins many of our most cherished rights and freedoms such as the freedom of expression, the freedom of the press and the right to vote.” It is to be hoped that Commissioner Legault is successful in sparking an organized discussion on reform.

 

Reforming Canada’s Access to Information Laws & Practice

It’s “Right to Know” week in Canada. It is off to an interesting start. Canada’s Information Commissioner, Suzanne Legault, announced in her Annual Report that she will be engaging in a public dialogue as she prepares to make recommendations to Parliament to revise Canada’s access to information laws (even as the budget for her office has been slashed).

The federal Access to Information Act is 30 years old. Nova Scotia and New Brunswick can claim bragging rights to the oldest access to information legislation in Canada, dating from 1977 and 1978 respectively. In most jurisdictions in Canada, there have been no major revisions to access to information laws (1) to account for the volumes of electronic data, public-private partnerships, and Crown and shared governance corporations that have burgeoned in the decades that have followed or (2) to account for the opportunities that information technologies present for sharing that data with citizens.

However, governments across Canada are increasingly embracing the concept of “Open Government”. Open Government is an initiative to leverage information collected by governments by making it available to citizens and businesses in a proactive way. At the federal level, Open Government involves three main “streams”: (1) Disclosing information in readily useable formats (Open Data); (2) Proactively releasing information (Open Information); and (3) Engaging Canadians directly in policy development through Web 2.0 technologies (Open Dialogue).

British Columbia may be the furthest ahead in embracing Open Government. British Columbia is already proactively releasing information that is commonly requested. In addition, British Columbia has committed to releasing the results of individual access to information requests. However, it has been a bumpy ride, with allegations by the B.C. Freedom of Information and Privacy Association that British Columbia is failing to electronically post about 67% of completed access requests.

Meanwhile, in Ontario, the Information and Privacy Commissioner, Dr. Ann Cavoukian, held a conference last week regarding Open Data. Key to the Ontario Commissioner’s initiative are her “Access by Design” principles. These principles are to inform new government initiatives so that information is “pushed out” to the public more proactively to avoid the overburdened and inefficient access to information process.

Could we be seeing some traction for reform?

The Right to Have a Non-Conviction Police Record Forgotten?

One of the hot topics in privacy policy at the moment is the question of whether there should be a right to be forgotten. Should, for example, an indiscretion captured in a photo and shared via social media be purged?

The Canadian Civil Liberties Association (CCLA) has weighed into the debate by tackling a specific and pressing issue: the retention and disclosure of non-conviction records in police background checks. The CCLA’s recent report is provocatively titled “Presumption of Guilt?”

The CCLA notes that most people who interact with police will never be convicted of a crime. These people may be victims of crime, be witnesses, or be targets of an investigation or a “person of interest”. In some cases, a person simply has an undiagnosed or untreated mental health need and law enforcement officers are first responders. Records of these interactions may be created in each of these cases. In addition, of course, records will be created in situations where the police lay charges that are subsequently withdrawn or individuals are acquitted of an offence.

In the case of adults, these varied “non-conviction” records are not subject to legal requirements for destruction. The CCLA comments that the Criminal Records Act provides for removal of records of absolute and conditional discharges from RCMP databases within relatively short time frames. However, there is no requirement with respect to other types of non-conviction records. Moreover, the CCLA concludes in its Alberta investigation that records of absolute and conditional discharges of adults as well as other non-conviction records of adults may continue to be maintained in provincial databases for lengthy periods of time and possibly indefinitely. (There are greater restrictions on the retention of youth criminal records.)

The CCLA is calling for reform given the increasing use of criminal background checks in employment. The CCLA is concerned that these records may be misleading without sufficient context and be unfair to the subject of the records who may not be in a position to refuse to disclose those records.  To address these concerns, the CCLA has outlined seven recommendations which are reproduced below:

1.  Non-conviction records should be regularly reviewed and destroyed in the overwhelming majority of cases.

2.  Non-conviction records should be retained for inclusion in a police background check only in exceptional cases where police believe that doing so is necessary to reduce immediate public safety threats. The decision to treat a case as an exceptional one should be done at the time that the non-conviction record is created; i.e., immediately after the charge is dismissed, withdrawn or otherwise resolved by way of a non-conviction.

3.  Where the government requests that a decision be made whether to retain a non-conviction record, the affected individual should be notified and provided with a right to make submissions.

4.  If it is decided that retention is appropriate in a given case, the affected individual should have a right of appeal in front of an independent adjudicator.

5.  Where non-conviction records are retained, they should be disclosed only in relation to certain employment or volunteer positions.

6.  Proper monitoring mechanisms regarding the use and impact of all forms of police background checks should be put in place, including adequate data collection and public reporting.

7.  Provincial human rights legislation should protect individuals from unwarranted discrimination on the basis of non-conviction disposition records.

 In the meantime, employers should be cautious in their use of background checks to ensure that they are adhering to their legal obligations.  For more information regarding the law related to the use of background checks in employment, readers might consider checking out “The HR Manager’s Guide to Background Checks and Pre-Employment Testing” authored by Adrian Miedema (FMC lawyer) and Christina Hall.

All About Drones – The Ontario IPC Speaks

Ontario’s Information and Privacy Commissioner (IPC) is a prolific author of timely and interesting commentary on pressing privacy issues. Earlier this month, the IPC released a new paper on “drones” or unmanned aerial vehicles (UAVs) entitled “Privacy and Drones: Unmanned Aerial Vehicles”.

The privacy issues relating to drones differ from typical video surveillance. Typically, video surveillance involves mounted cameras that record activities in a single location or that must be moved on the ground from location to location. By contrast, drone technology permits users to gather information from unique vantage points in the air and offers greater dynamic-gathering capability. Drones have become increasingly powerful, with the ability to capture sharper video images at greater distances and with infrared and thermal imaging capability. As the IPC notes, the combination of UAV technology and facial recognition programs means that drones could be used to continuously track individuals when “in public” and when “in private”.

UAV technology is deployed not only for military and law enforcement purposes, but also in many civilian applications. As the IPC notes, drones operate in such diverse applications as atmospheric research, mineral exploration, survey and inspection of remotely installed equipment (e.g. pipelines), and emergency monitoring.

The IPC is calling for greater public debate and consultation in Canada. In particular, the IPC would like public debate regarding the necessity of any proposed UAV program and the policies required to ensure that the program is acceptable to Canadians. The IPC’s view is that the use of drones by the state (including law enforcement) should require a warrant if it will involve “sustained surreptitious surveillance”.

Beyond debate, the IPC has suggested that in most applications, it may be appropriate to employ anonymous video analytics software. This software, loaded on the device, processes the video feed to detect facial patterns in data being recorded by UAVs. The technology can be deployed to screen video feeds in real time and permanently obscure images that resemble faces.

In addition, the IPC advocates federal amendments to Transport Canada aviation regulations to require drone operators to obtain a special flight operations certificate that would involve a privacy protection program.

 

Website Not Required to Deal with Every Person’s Particular Situation

Canada’s Federal Court of Appeal released an interesting decision on the obligations of individuals using on-line resources to determine their eligibility for government programs.  The upshot – a reasonably diligent individual must ask questions about his or her own particular situation and cannot simply stop with broad statements on a website.

The claimant quit his job to move to a new city where his wife had accepted employment. The claimant looked at a government website and concluded that he was not eligible for employment insurance (EI) benefits. The claimant was wrong in coming to this conclusion but did not find out about his error until it was too late for him to apply for benefits. He sought administrative relief on the basis that he had good cause for the delay in applying for benefits. The basis for his position was that “the principal message initially conveyed to the reader of the website was that only those who lose employment through no fault of their own are eligible, and he did not regard voluntarily leaving his job as ‘losing’ his employment.”

Initially his application was refused.  However, he was successful before the Board of Referees. The Board held that it was reasonable for the claimant to rely on the website (not least because of the claimant’s information technology background and previous experience as a claimant of EI benefits).  This decision was reversed on appeal to an Umpire.  The Umpire found that if the website was too complex or confusing, then a reasonable claimant would make further inquiries. The claimant appealed to the Federal Court of Appeal.

The court agreed that the Umpire overturned the Board’s decision on the wrong basis.  The Board never found (and the claimant did not argue) that the website was too complex or confusing.  On the contrary, the Board found (and the claimant argued) that the main message of the website was clear.  The allegation was that the main message of the website was that the claimant was not eligible.

However, the court also concluded that the Board was incorrect about whether the claimant could rely on that message.  The court held as follows with respect to the duties of an individual looking at websites for information:

[13] [...] A reasonable person who relies on the website for information must do more thorough research than [the claimant] apparently undertook. A reasonable person would not have been so misled by its initial general statements about eligibility as to be deterred from looking for more specific information relevant to his or her situation. The statements early in the website that EI is for those who lose employment through no fault of their own are general enough to include those who are no longer employed because they voluntarily quit their job with just cause.

[14] In my view, the website contained enough information to have alerted a reasonable person in [the claimant's] position to wonder whether he or she might be eligible for benefits and to contact the Commission to find out or to make an application for benefits. The question is not whether a particular claimant found the information clear and unambiguous, and decided that further search of the website was pointless, but whether a reasonable person would have so regarded it. It is not alleged that the website contained erroneous material.

[15] Since the website does not purport to deal with the specifics of every person’s particular situation, claimants cannot reasonably treat information on it as if it were personally provided to them by an agent in response to an inquiry about their eligibility on given facts. That it can now take several days to speak with a Commission agent by telephone does not justify [the claimant's] delay.

 

Canada – U.S. Security Perimeter Privacy Principles

As Canadians were getting ready to head off for a long weekend, Canada and the U.S. released a Statement of Privacy Principles intended to govern sharing of information between the two countries in connection with the Canada-U.S. Security Perimeter agreement.

Canada and the U.S. have expressly declared that the Statement of Privacy Principles is non-binding and does not create any rights or obligations under domestic or international law.  Accordingly, its utility appears to be limited to a guiding statement of intentions.

There are twelve principles. Three are particularly worth noting:

  • Permission for Onward Transfers to Third Countries. Information shared by Canada with the United States (or by the United States with Canada) may be shared with third countries.  For example, data shared by Canada with the U.S. may be shared with a third country if onward sharing would be consistent with the domestic law of the United States and any sharing conforms to international agreements and arrangements between the United States and third countries.  If there are no applicable international agreements, the originating country (in our example, Canada) is supposed to be notified of the information transfer.
  • Redress.  Canada and the United States are supposed to provide for remedies where a person’s privacy has been infringed by international sharing or where there has been a violation of data protection rules with respect to that individual.
  • Individual Access and Rectification.  Canada and the United States are supposed to provide individuals with access to personal information as well as the ability to seek rectification and/or expungement of their personal information.  If access is to be limited, the country restricting access is supposed to provide specific grounds consistent with domestic law.

Data Anonymization Consultation in the UK: Facilitating Big Data

The UK Information Commissioner’s Office (ICO) has released a draft Code of Practice on Data Anonymisation.  The UK ICO will be conducting a consultation on the draft Code until August 23, 2012.

The UK ICO states that the Data Protection Act (UK) should not be a barrier to prevent the anonymization of personal data.  Moreover, once data is anonymized, the UK ICO states that the data can be disclosed to others without being subject to the Data Protection Act.  This remains true, even if the disclosing organization retains the ability to re-identify the data.

The UK ICO’s interpretation of the Data Protection Act is that data that has been properly anonymized can be deployed for new uses without the consent of the individual from whom the data was initially collected.  The exemption from the need to obtain consent is subject to a number of provisos:

  • the anonymization must be effective (the UK ICO recommends a privacy impact assessment);
  • the purpose for which the anonymization takes place is legitimate (and any ethical approvals have been obtained);
  • there are no detrimental effects on particular individuals;
  • the organization’s privacy policy or some other form of notification explains the anonymization process; and
  • there is a system for collecting individuals’ objections (even though consent is not required).

In assessing the effectiveness of anonymization, the UK ICO states that organizations must consider whether a motivated intruder could re-identify the individual using the data set.  An organization must consider whether information that has purportedly been anonymized could be combined with other information to identify an individual.  If so, then this would be a disclosure of personal information.  The UK ICO suggests that organizations disclosing anonymized data will want to assess the disclosure risk “in the round”.  In other words, all organizations disclosing part of the data set should consider whether another organization (or, the public) could identify the information from the information being disclosed.

Importantly, the UK ICO distinguishes identification from an educated guess.  In order for there to be a re-identification issue creating a risk of disclosure, the data set must be capable of being used for more than establishing a probability that an individual has the characteristics attributed by the data set.

One of the most helpful aspects of the draft Code of Practice is its thoughtful examples of anonymization techniques, which will help organizations understand the privacy principles in action.

 

Big Data – Ontario Privacy Commissioner & IBM Fellow Outlines Framework

Ontario’s Information and Privacy Commissioner, Ann Cavoukian, and IBM Fellow, Jeff Jonas, have released a very interesting paper entitled “Privacy by Design in the Age of Big Data”.

“Big Data” is the buzz word used to describe the latest frontier in data analysis. In very simple terms, we are producing huge quantities of structured and unstructured data through our electronic activities. Organizations are now able to “crunch” extremely large data sets involving dispersed data from various aspects of those digital footprints that we leave behind through our activities. Moreover, the increased sophistication of technologists in developing algorithms and the increasing processing power of technology mean that the analysis of extremely large data sets may take place almost in real time, thereby permitting organizations to act or react to opportunities as they present themselves.

The size of the data sets, the combining of data about individuals from multiple sources or interactions, and the risk of inadvertent disclosure or unauthorized access create significant privacy risks. However, there is also a significant risk that a lack of understanding by the public and legislatures or a significant privacy breach at this critical stage of development of Big Data analysis could produce a knee-jerk legislative or policy reaction. We only need to recall how justified and unjustified fear of “Big Brother” databases has entrenched privacy legislation that has historically prevented sharing of information across government departments and agencies.

Ontario’s Information and Privacy Commissioner, Dr. Cavoukian, and IBM Fellow, Mr. Jonas, demonstrate that privacy and “Big Data” can co-exist. We can have the benefits of both. Their paper outlines seven technical principles employed in Mr. Jonas’ “next generation” systems, which balance the utility of Big Data with privacy principles by embedding those principles in a very sophisticated way into the systems employed by the technology. Of course, the technology itself is not the complete answer to privacy issues. The point is that by embedding privacy principles into the technology, the technology will not frustrate an organization’s adherence to privacy principles.

For example, accountability and transparency are embedded into the feature of “full attribution” — that is, all data can be traced back to its source and changes accounted for in real time.  However, by using sophisticated technologies to de-identify data on transfer, the data sets will be anonymous when placed into the Big Data database used for deployment of the Big Data analytics.

If you are interested in “Big Data”, be sure to join me, Nathalie Des Rosiers (General Counsel, Canadian Civil Liberties Association) and Colin McKay (Manager, Global Public Policy, Google Canada) at the Canadian Institute’s Forum on Privacy Law and Compliance (September 20-21, 2012) where we will be presenting on this topic.

“Ever Vigilant” Ontario Information and Privacy Commissioner Releases Annual Report

On June 4, 2012, the Information and Privacy Commissioner of Ontario (“IPC”) released her 2011 Annual Report. The theme of the report, “Ever Vigilant”, was chosen because, according to the IPC’s press release, the reintroduction of “lawful access” legislation (discussed in my previous posts here, here and here) “represented one of the most invasive threats to our privacy and freedom” that the IPC has encountered and represents what she is calling “Surveillance by Design.”

Here are some highlights relating to access to government-held information from the Annual Report and accompanying material.

  • A record number (45,159) of access to government-held information requests were filed in Ontario in 2011 (up 16% year over year).
  • A record number of appeals (1,214) were issued regarding government responses to those access to government-held information requests.
  • The dramatic increases in public demand for government-held information reflect the role of the Internet and accompanying technologies and provide the opportunity for greater civic participation, but require proactive rather than reactive approaches to information disclosure.
  • The IPC has developed 7 “Access by Design” principles to guide government and public sector organizations in re-thinking access to government-held information.
  • The IPC calls on the Government of Ontario to develop an “Open Data” portal by the end of 2012.  The IPC is setting an example by making raw statistics available along with its report.

 

Personal and Professional Email: Access to Information Requests

When a government employee uses workplace email to send and receive personal email, are those emails subject to disclosure under access to information laws?

What about when a government employee uses a personal email account to send and receive emails relating to government business?

Two recent cases – one in Alberta and one in Ontario – answer the first question in the negative.

A recent case in England answers the second question in the affirmative – and a similar result might be expected in Canada based on recent Supreme Court of Canada jurisprudence.

1. Personal email may not be in the custody or control of the public authority

In City of Ottawa v. Ontario, the information requester sought production of communications between an employee of the City and an organization where the employee volunteered. Subsection 4(1) of the Municipal Freedom of Information and Protection of Privacy Act (“MFIPPA”) provides that a requester is entitled to access to a record if it is in the custody or under the control of the City, unless an exemption applies or the request for access is frivolous or vexatious.

The employee used his work email address to receive emails related to his volunteer work.  This was permitted by the City.  However, the City reserved the right to monitor email without notice.  All email was property of the City, but employees were not required to retain personal email under any record-keeping policy.

Initially, the adjudicator concluded that the email was in the custody or control of the City.  After all, the City had physical possession of the emails on its server and had the authority to regulate them.  On judicial review, however, the Ontario Divisional Court concluded that the documents were not in the custody or control of the City.  In order to be in the custody or control of the City, two criteria must be satisfied.  The City must be entitled to obtain a copy of the emails and the emails had to concern a City matter.  However, if personal email was sufficiently intermingled with email relating to City matters, then it would have to be produced.

In University of Alberta v. Alberta (Information and Privacy Commissioner), the requester sought access to emails between an academic at the University and a government grant agency relating to the review of a grant application.  Like the Ontario case, the adjudicator had taken a straight-forward approach: the emails passed through the University’s servers and the University had some right to deal with the emails; therefore, the University must have had custody or control.

The Alberta Court of Queen’s Bench rejected the adjudicator’s approach and adopted the Ontario Divisional Court’s interpretation of the meaning of “custody or control”.  Analogizing the emails to the situation of paper records, the court held that employees may keep private items at an employer’s place of work but that does not bring them within the meaning of custody or control for the purpose of access to information legislation.  The emails in this case were only remotely related to the University’s business and need not be disclosed.

2. Personal email may be producible under access to information requests if related to government business

In order to understand the next two cases, a bit of legislative background is required.  The scope of the Freedom of Information Act 2000 (UK) is somewhat different from federal Canadian access to information legislation.  In the UK, it seems that there is no specific exemption from production for records in a Minister’s Office.  Under the federal Access to Information Act (Canada), the Minister’s Office is not a government institution that is subject to the Act.

In a recent UK decision of the Information Commissioner’s Office (FS50422276), the issue was whether emails sent from the Secretary of Education’s personal email address to two special advisors were subject to production under the UK Act. One of the emails was characterized by the Information Commissioner’s Office as “essentially an action plan and a list of key events or issues in the work of the department for the month of January 2011.” This characterization was “supported by the fact that much of what was discussed in the email subsequently resulted in official departmental announcements.”

The Information Commissioner’s Office concluded that the fact that the email was sent from the Secretary of Education’s personal email address was not determinative of the requirement to produce the email (although this practice was frowned upon for record-keeping purposes). The relevant question was whether the majority of the email had to do with the business of the department. In analysing this question, it would be relevant to consider who the sender and recipients were and their roles, if any, within the civil service or the party machine, as well as the substance of the email and how it was used.

Last year, the Supreme Court of Canada considered whether records held by Minister’s Offices were required to be disclosed under the federal Access to Information Act. The fact that a Minister’s Office was not a governmental institution for the purposes of the federal Access to Information Act did not preclude documents held there from being in the “control” of the department and, therefore, producible. The court held that consideration had to be given as to whether the record related to a departmental matter and, if so, whether there are factors that suggest that the government institution could reasonably expect to obtain a copy of the record. The court held that some of the factors to consider include the substance of the record, the circumstances in which it was created and the legal relationship between the government institution and the record holder.

Cloud Computing and the Public Sector in British Columbia

The British Columbia Information and Privacy Commissioner (“IPC”) has released guidelines on cloud computing. The guidelines apply to the public sector bodies to which British Columbia’s Freedom of Information and Protection of Privacy Act (“FIPPA”) applies.

Paragraph 30.1(a) of FIPPA restricts the ability of public bodies in British Columbia to transfer data outside of Canada.  Subject to limited exceptions, public bodies in British Columbia are permitted to store personal information outside of Canada only with consent of the individual with respect to whom the information relates. The consent must be provided in writing and specify to whom the personal information may be disclosed.

The British Columbia IPC recognizes that some vendors are offering cloud computing services that store information solely within Canada. However, the IPC cautions that public bodies must make inquiries to determine whether they can rely on these representations. In addition, the IPC states that public bodies must consider whether there are reasonable security measures, such as:

  • corporate policies, procedures and standards with respect to security and privacy;
  • controls regarding access by authorized users;
  • infrastructure security, including layered security controls and patch management;
  • encrypted transmission and storage of personal information;
  • contractual safeguards for the information to prevent unauthorized use, to require mandatory breach reporting and to permit audits.