BYOD & the Board of Directors — Part Three: Elements of a board information governance policy

This is the third post in a series on BYOD (bring-your-own-device) and the obligations of directors relating to the protection of corporate confidential information. The first post examined the issue from the perspective of the director’s statutory fiduciary duty and duty of care. The second post made the case for a board information governance policy. This post examines the content of a board information governance policy.

The elements of a board information governance policy will vary with the nature of the corporation, the sensitivity of the information, the importance of the information to the corporation, the technical skills of the directors, and the willingness and financial ability of the corporation to invest in technological solutions. The following is a non-exhaustive list of possible topics for inclusion in a policy.

Scope of the Policy

a. Scope of confidential information

A board information governance policy should define the scope of confidential information. At a minimum, this will include all material, non-public information about the corporation and all personal information collected or used by the corporation. However, the corporation may also owe express or implied duties of confidentiality to third parties, such as suppliers, business partners, shareholders and clients, among others. It is desirable to include this type of information under the policy as well.

b. Application of the policy

A board information governance policy should also describe the types of communications and records that are governed by the policy. Does the policy only apply to communications between corporate officers and the directors or to all records relating to the director’s duties or to specific classes of records? Although the focus of this post is on electronic communications, a board information governance policy may also address printed material.

Information Technology and Security

a. Security requirements on director-owned devices

A board information governance policy might define for directors the minimum security requirements for director-owned or third-party-owned devices. The policy could also provide directors with a point-person who can assist the director in implementing those requirements or assessing compliance with them.

The content of the security requirements should be determined in consultation with the corporation’s technology department. Consideration may be given to requiring that all devices be protected by strong passwords and remote wiping technology. The policy may require operating systems of a particular version or higher with anti-virus protection of a particular version or higher.

In situations where the board is expected to receive extremely sensitive information, the corporation may require the director to agree to permit the corporation to install software allowing the corporation to control the device and wipe the device remotely. A corporation may require that directors receiving or storing highly sensitive information or personal information of employees do so only on encrypted devices.

b. Use of personal or third-party email accounts

The board information governance policy might provide guidance on the use of personal or third-party (e.g. the director’s employer) email accounts. The corporation should consider whether the use of personal or third-party accounts is consistent with the corporation’s record retention and information security policies.

If personal or third-party email accounts are permitted by the corporation, consideration should be given to establishing clear guidelines regarding the terms of service for those accounts, back-up requirements and disaster recovery protocols.

If non-personal third-party accounts are being used, such as an account provided by the director’s employer or another organization in which the director is involved, special attention should be given to determining whether the policies related to those accounts are in conflict with the corporation’s interests. It is not uncommon for employers to claim the right of ownership and the right of inspection of all communications conducted through the employer-provided email account.

Records Management

a. Commingling of information

A board information governance policy should establish the corporation’s expectations regarding the commingling of corporate information with the director’s personal information or information related to the director’s employment or duties in connection with other corporations.

In addition to assessing whether commingling presents problems relating to the corporation’s records retention programs, consideration might be given to whether commingling creates an unacceptable risk of inadvertent disclosure.

The corporation should also consider electronic discovery issues in the event that the corporation’s information must be extracted for litigation. This is not simply an inconvenience issue. Is the corporation prepared to have its records reviewed in the course of another company extracting information related to litigation involving that other company?

b. Records retention and destruction obligations

A board information governance policy may address special records retention and destruction obligations relating to board materials and communications.

For example, what is the corporation’s policy regarding corporate records in the possession or control of the director at the end of his or her service? Are all records to be destroyed? If the director will retain the records, is it necessary for the corporation to have an express agreement with the director to maintain those records for a minimum period of time and to provide the corporation with access to the records as may be required?

Another special issue may be records relating to committee work, including special committees appointed to review major transactions. Not infrequently the corporate secretary and management directors will be excluded from the work of these committees. Consideration should be given to whether and how those records will be retained without interfering with the independence of the work of those committees. If those records are to be retained, how will they be retained if the directors are using personal or third-party information technology and email accounts?

Even the basic application of a corporate records retention policy may involve special adaptation to the board. For example, if a director is using an email system controlled by a third party, such as the director’s employer, is the records retention policy applied to that email system in conflict with the corporation’s records retention schedule? Will directors during and subsequent to their service be asked to destroy records in accordance with a records retention schedule? Should any special consideration be given to records relating to the board’s conduct during major corporate transactions, such as mergers and acquisitions or dispositions?

c. Litigation hold obligations

A board information governance policy might clarify the director’s obligations with respect to the preservation of electronic records in the event of litigation. The policy may require directors using their own devices and personal email accounts to provide access to those devices and accounts for the purposes of preserving and gathering information that is relevant to the litigation. A board information governance policy will also describe the limits on that access. For example, it may be unreasonable to demand access if the director has been sued by the corporation or in situations where the corporation refuses to provide a defence to the director or is otherwise adverse in interest to the director.

Additional issues should be addressed if directors are permitted to use email accounts and information systems that are not controlled by the directors, such as those controlled by the director’s employer. Will the director be responsible for ensuring that the third party will provide access to those systems for the purpose of preserving and gathering relevant electronic information?

Communications Protocols

a. Special Classes of Communications

A board information governance policy may also set out protocols for handling particular types of communications. Prior to developing these protocols, the corporation may wish to employ a risk analysis of the likelihood and consequences of a breach of confidence relating to particular classes of communications.

A protocol for quarterly financial information might require password protected or encrypted formats. Directors may be prohibited from communicating about undisclosed financial results by email unless password protected or encrypted. Similarly, information relating to proposed executive compensation may be sufficiently sensitive to warrant special procedures. Communications and documents relating to a merger, a major acquisition or disposition, or litigation might be restricted to secure portals through which directors could access information and communicate with one another.

Protocols may also restrict communications to certain electronic addresses. For example, the board information governance policy may require directors to use designated email addresses for communication and not resort to text messages, instant messaging services or PIN messages or forwarding email from a work account to a personal account at the cottage. These alternative methods of communication may be convenient when dealing with a major, urgent event, but may also create security, record retention and litigation management problems precisely when those issues matter most to the corporation.

Informational Conflicts of Interest

a. Sharing information with corporate parents or subsidiaries

A board information governance policy could also address potential conflicts of interest relating to information. For example, in the case of cross-appointments between parents and subsidiaries, what are the duties of directors regarding corporate information? Appellate courts in Canada have yet to wrestle to the ground the problems created by information sharing in a corporate group, although one appellate court has commented in a judicial aside that it seemed impractical to say that the directors of a subsidiary can never tell its secrets to the parent company. Nevertheless, should there be official, documented channels of communication in order to manage issues where there may be emerging conflicts of interest or where sharing of information might result in a loss of privilege?

b. Sharing information with nominating or appointing shareholders

There is significant potential for informational conflicts of interest in the relationship between a director and his nominating or appointing shareholder. Leaving aside securities laws issues relating to selective disclosure, the basic corporate rule appears to be that the director is required to maintain confidentiality. This may, of course, lead to a conflict between the director’s duties to the corporation and the director’s duties to his or her nominating shareholder.

A board information governance policy may address this situation directly for the mutual protection of the director, the corporation and the shareholder. The policy may require official, documented channels of communication. The policy may also address whether in these circumstances it is appropriate for the director to use email accounts, devices or information systems owned or controlled by the shareholder, in order to avoid the perception of impropriety.

Building Board Capacity and Compliance

a. Assistance and Education

Although directors may have a statutory duty to supervise the management of the corporation, non-management directors may not know who within the organization to call to get assistance or how to obtain information on technological issues associated with complying with their duties to protect the corporation’s information.

Consideration might be given to providing directors with direct access to a knowledgeable information technology and security professional who can assist the director in securing his or her devices and home networks and troubleshoot issues that the director has. The simple act of setting up a separate email folder on a smartphone or assisting the director in installing personal, remote wiping software may greatly enhance the security of the corporation’s information.

Depending on the technical sophistication of the directors and the technology and security complexity of the corporation’s information governance and records retention standards, corporations may also wish to consider providing education to directors upon first appointment and periodically thereafter.

b. Breach Disclosure

Directors should also have a clear understanding of their obligations with respect to what the corporation considers to be a breach of confidentiality as well as the director’s duty to report a breach. Directors should understand the protocol for losing a tablet, laptop or smartphone containing corporate confidential information.

c. Self-Audit and Review

Board self-evaluation might include consideration of whether directors and the corporation are complying with the board information governance policy. Periodic review of the board’s actual practices against the information governance policy is advisable not only to enhance compliance but also to ensure that the information governance policy is practical and does not become an unintended liability in litigation as a result of not being followed.

BYOD & the Board of Directors — Part Two: The Case for a Board Information Governance Policy

The security and information governance issues that arise with “bring your own device” or BYOD are not restricted to employees of the corporation. These issues also affect information governance practices when communicating with the board of directors. In my previous post in this series, I examined the duties that directors have in safeguarding corporate information and the questions that directors might ask themselves in assessing whether they are being prudent and diligent.

This post examines the case for a board information governance policy. The last post in this series will address the elements of a board information governance policy.

The purposes of a board information governance policy

The fundamental reasons for developing a board information governance policy are (1) to establish expectations regarding the standard of care the directors are expected to bring to the management of corporate information and (2) to assist directors through corporate procedures and technology in fulfilling their duties to protect that information.

The special position and risks of BYOD and directors

Directors occupy a special position within the corporation. Except with respect to matters reserved to shareholders, the board of directors are the ultimate decision-makers. Information that they receive is likely to be highly sensitive corporate financial and strategic information, which may not become publicly known until authorized for disclosure by the board.

The board of directors of a public corporation will include at least some non-management directors. Unlike senior officers and management directors, these “independent directors” are unlikely to be working on corporate-owned or corporate-controlled devices. These directors may not even use corporate-controlled email accounts. Instead, these directors may be using personal email accounts or those of their employer. Electronic communications with these directors and among the directors as a group will, therefore, be mediated through non-corporate-controlled information technology systems, notwithstanding that the directors are likely to be dealing with some of the most sensitive information of the corporation.

Independent directors are also more likely to have other employment or sit on the boards of other corporations. This introduces the possibility of the commingling of the corporation’s information with information of third parties in a way that will complicate the application of the corporation’s records retention and security policies.

Consider, for example, the simple issue of a corporate information security department being able to remotely control the corporate director’s mobile device to enforce security protocols. If a director is also using the same device to receive information from his or her employer and another corporation on which he or she sits as a director, who, if anyone, should have control over that mobile device? What are the consequences if the device is remotely wiped by one corporation resulting in the loss of information relevant to the other corporation?

The case for the board information governance policy

The utility of a board information governance policy is that it provides the flexibility to recognize that the information governance challenges at the board level and with senior officers communicating with directors may be different from those relating to other employees. It provides an opportunity for the directors to set out a set of guidelines to govern their information practices and heightens attention to cybersecurity issues at the board level at a time when security regulators are increasingly requiring corporations to disclose material cybersecurity risks and breaches.

The next and last post in this series outlines the elements of a board information governance policy.

BYOD & the Board of Directors — Part One: A Risk to Reckon With?

The information security concerns relating to employees using their own devices for work (such as smart phones, netbooks and laptops) are a hot topic. Although “bring your own device” or BYOD is here to stay, the practice of employees using their own devices for employment duties creates information governance challenges.

What about the role of BYOD at the level of the board of directors? Corporate officers, including the corporate secretary, frequently communicate with board members through electronic means. Directors are also likely to communicate with one another between meetings through electronic means. It is not uncommon that these electronic communications may include preliminary evaluation of strategic matters, legal advice, draft employee compensation arrangements, material contracts and draft financial reports.

This post examines some of the duties of directors with respect to the use of their own devices and email accounts. Subsequent posts will set out the case for a board information governance policy and examine some of the elements of such a policy.

Is it really a problem?

Before dismissing the information governance challenges related to electronic board communications, consider the following questions:

  • How often is information sent to directors at personal email addresses or to email addresses belonging to other companies that may employ the director?
  • Does the corporation have a good handle on the device and security standards being used by directors when they are handling some of the most sensitive material non-public information of the corporation?
  • What assurance is there that third-party technology policies do not create rights in the information sent to those third-party accounts, such as, for example, when a director is employed by another company?
  • What happens if confidential information is retrieved and stored on a director’s personal device and the device is lost or stolen or lacks security protection? Is the device capable of being wiped?

A director’s duty to protect corporate information

A director has a duty to bring the care, diligence and skill of a reasonably prudent person to the protection of confidential corporate information.

Directors owe a statutory duty of care in fulfilling their obligations to the corporation. Paragraph 122(b) of the Canada Business Corporations Act, RSC 1985, c C-44 (CBCA), for example, provides that directors and officers must “exercise the care, diligence and skill that a reasonably prudent person would exercise in comparable circumstances”.

In addition to the duty of care, directors of Canadian business corporations owe a duty of loyalty to the corporation. The duty of loyalty is a common law duty that has been incorporated into most corporate legislation in Canada. For example, paragraph 122(a) of the CBCA provides that every director must act honestly and in good faith with a view to the best interests of the corporation.

The Supreme Court of Canada has described this “statutory fiduciary duty” as including a duty to maintain the confidentiality of information acquired by being a director. This statutory duty also typically prohibits directors from using information acquired by virtue of their position for personal gain.

Even leaving aside the fiduciary duties of a director, a duty of confidence may arise anytime a person receives information that has a quality of confidence about it in circumstances in which there is an express or implied obligation of confidentiality.

Issues for directors to consider

The care, diligence and skill to be exercised by a reasonably prudent director depend on the circumstances. There is, therefore, no single prescriptive information governance practice that will fulfil a director’s statutory duty of care. The types of controls that a director may wish to consider deploying depend on the sensitivity of the information and its importance to the corporation.

Below is a checklist of questions that a director may wish to review as part of determining whether the director’s information governance practices are consistent with, and capable of, fulfilling the director’s duties of confidentiality to the corporation.

Device and Network Security

  • Is the device only used by the director or is it shared with other people, such as family members?
  • Are all devices on which the director views electronic communications and material secured by a strong password (at least 8 characters containing at least one number, one capitalized letter and one symbol) and protected by anti-virus software that is frequently updated?
  • Are all devices on which the director stores corporate information encrypted? If not, are there particular types of information that should not be stored on those devices, such as personal information of employees and officers or material non-public information relating to merger discussions or financial results?
  • Is the device enabled with a remote wiping technology in the event that it is lost or stolen?
  • Is the director using the device when connected to Wi-Fi? Does the director use secure Wi-Fi connections? Is the director’s home network protected by a firewall?

Account and Information Security

  • Does the director access information through a secure portal? If not, are there particular types of sensitive information that should only be available in this way?
  • Is the director receiving information through an email address to which others have access, such as an administrative assistant? Should those third parties be bound by a confidentiality agreement?
  • Is the director receiving information at a personal email address or an email address belonging to another corporation? If so, is this appropriate for all types of information? Do the terms of service of the personal email address provider or the terms of use of another corporation’s email policy permit access to the email account by third parties? Are those third parties governed by confidentiality agreements?
  • Is the email account protected by a strong password? Is email encrypted when transmitted? Are email and other electronic records encrypted when stored?
  • Is the email address provided as part of a cloud-based service? If so, does the director understand what limitations there are on that service?
  • Does the director have the technical skills to understand whether information retained on the device is being collected, used or stored by other applications without the director’s knowledge?

Document Management

  • Is the director storing electronic records on a third-party’s system? If so, are the records password protected or logically separated from records that can be viewed by others? For example, are records received by the director stored on his or her employer’s systems in a manner that would permit others to view or otherwise inspect those records?
  • Does the director print material? Is that material stored in a secure location? Who else has access to the information?

Records Retention

  • Does the director have the technical and administrative capability to comply with the corporation’s records retention policy? For example, does the corporation’s records retention policy require retention of emails between directors about the corporation’s business for a defined period of time? Is the director able to ensure compliance?
  • If the director is using the email or electronic storage services of another corporation in which he serves as an employee, will the director have access to that email if he or she is no longer employed by that corporation? If not, has provision been made to migrate those records in the event of retirement or dismissal?

Litigation

  • Does the director have the technical and administrative capability to comply with a litigation hold in the event that litigation arises and records created, retained or received by the director are responsive to the issues in the litigation?
  • Has the director mixed personal and business uses on the device in a way that will make it more likely that the director’s personal records or records relating to his or her duties to another corporation will need to be inspected in the event the device must be produced for litigation purposes?

These issues may be daunting for directors. However, there are technological solutions. Directors may wish to consider more structured ways to receive board information, such as through secure portals or third-party cloud-based board communication service providers.

In subsequent posts on this topic, I’ll look at these issues from the perspective of the corporation embarking on creating information governance policies for the board.

A Personal Email Records Management and Privacy Problem

The use of personal email for business is a significant problem for records retention and privacy programs.

On March 18, 2013, the British Columbia Information and Privacy Commissioner (OIPBC) announced an investigation into the use of personal email accounts by public servants in that province. Although the investigation is taking place in a public sector context, the investigation is also relevant for organizations in the private sector.

Records Management Obligations

Communications taking place outside of the organization’s email records management system may not be captured in compliance with the organization’s records management system. The OIPBC reminds public servants in Guidelines on the Use of Personal Email Accounts for Public Business (released on March 18, 2013) that personal email may still be subject to the British Columbia Freedom of Information and Protection of Privacy Act (FIPPA).

FIPPA applies to records in the custody or control of a public body. A record will be under the control of the organization if (a) the record relates to a departmental matter and (b) the government institution could reasonably expect to obtain a copy of the record upon request. The OIPBC’s general rule is that “any email that an employee sends or receives as part of her or his employment duties will be a record under the public body’s control, even if a personal account is used.” These records may, therefore, be subject to access to information requests even though the organization does not have possession of the email record.

This isn’t just a public sector problem. For example, subsection 23(1) of the British Columbia Personal Information Protection Act (“PIPA”), which applies to private sector organizations in British Columbia, provides that an organization must provide an individual with the individual’s personal information under the control of the organization. There is no obvious reason why the meaning of “control” in PIPA should be narrower than in FIPPA.

Information Security Obligations

The OIPBC also expressed concern regarding the security of personal email in the Guidelines. This issue applies equally to the public and private sectors. Depending on the service used by the employees and whether copies of the email are downloaded to unencrypted devices, the email may be stored in an insecure environment.

Private organizations should be aware that section 34 of PIPA requires the organization to protect personal information in its custody or under its control by making reasonable security arrangements to prevent unauthorized access, collection, use, disclosure, copying, modification or disposal or similar risks. Organizations may be faulted for turning a blind eye to the practice of employees using personal email systems that do not provide for adequate security. In assessing the risk, organizations should consider whether they would have breach notification responsibilities in the event an employee’s personal email was compromised and that email contained personal information collected by or on behalf of the organization.

Even leaving aside the possibility of a breach, organizations should consider whether employees transmitting personal information outside of the administrative, technical and physical security controls established by the organization would violate representations made by the organization in its public privacy policies.

CRTC Invites Canadians to Comment on Wireless Code

On Data Privacy Day (January 28), the Canadian Radio-television and Telecommunications Commission (CRTC) amended its notice regarding a mandatory code for wireless services and invited Canadians to comment on the proposed provisions. A hearing on the wireless code is scheduled for February 11, 2013.

There are a number of features of the wireless code that are particularly interesting from a privacy and data security perspective:

  • The CRTC is suggesting that consumers be “provided with a personalized summary of how key terms and conditions” of a contract would apply to that consumer prior to the consumer entering into the agreement. In addition, the code would also mandate upfront, clear and concise disclosure of privacy policies.
  • The CRTC is also suggesting that consumers would have recourse to make a complaint to the Commissioner for Complaints for Telecommunications Services (CCTS). It is unclear whether this might include complaints with respect to the privacy disclosures of the wireless services provider and, if so, whether the CCTS could order monetary compensation.
  • The CRTC would mandate that consumers be offered an online tool to allow the consumer to monitor the balance of included usage allowances and any additional fees during a billing cycle. Consumers would also be entitled to obtain a usage alert at 50% and 100% of billing cycle limits, which would be an amount set by the consumer or $50.

Canada’s Anti-Spam Law (CASL) – Proposed New Regulations Would Soften Impact

Draft Regulations recognize CASL should not apply to “regular business communications”

Industry Canada has published long-awaited draft Regulations that would lessen the impact of Canada’s Anti-Spam Law (CASL) on businesses. Or in the words of the Regulatory Impact Analysis Statement, to:

provide relief to businesses through targeted exemptions where the broad application of the Act would otherwise impede business activities that are not within the intended scope of the legislation.

Under the heading “Proposed exemptions to address stakeholder concerns”, the Statement explains:

Since it applies broadly to commercial electronic messages, the Act captures some regular business communications that are not the types of threats that were intended to be captured within the scope of the Act. To ensure these business communications are not regulated under the Act, the Regulations include business to business exemptions for commercial electronic messages that are sent within a business, or sent between businesses that are already in a business relationship, where the messages are sent by an employee, representative, contractor or franchisee and are relevant to the business, role, function or duties of the recipients. These proposed exemptions address many of the most serious concerns raised in the consultations about the unintended application of CASL to ordinary, transactional business communications.

The Canadian government has not issued a formal entry into force date for the Anti-Spam law, and the date has been a moving target since CASL was passed into law in December 2010.  Informally, CASL, the CRTC Regulations, and the proposed Industry Canada Regulations are expected to enter into force late in 2013.

Industry Canada’s Proposed Approach

Comments are due on February 4 on the proposed Regulations.  Here is a summary of Industry Canada’s proposed approach to clarify the application of the Act, and more importantly, to carve out “non-threatening” commercial electronic messaging.

1.  Limited Exemptions for Certain Types of Message

Exemptions are proposed for CEMs sent:

  • within a business;
  • between businesses already in a business relationship, sent by employee, representative, contractor or franchisee, where message is relevant to business, role, function or duties of recipient;
  • by foreign businesses and accessed by a visitor to Canada;
  • as a response to an inquiry; and
  • due to a legal obligation, or to enforce a legal right.

2.  Third-Party Referrals

An existing business relationship (or a non-business, personal or family relationship) would permit a third-party referral.

Example:  Client of Company and Potential Client of Company have a business, non-business, personal or family relationship.  Client refers Potential Client to Company.  Company sends a single consent request message to Potential Client, including name of Client and identification and unsubscribe requirements set out in the Act and CRTC Regulations.

3.  Clarifying What is Required where Sender is an “Unknown Third Party”

CASL permits consent to be obtained to receive messages from a third party unknown to the recipient, in certain circumstances.  The proposed Regulations specify that the recipient must have the ability to unsubscribe and alert the “original requester” that he has withdrawn his consent.  That “original requester” must notify each third party sender that the recipient’s consent has been withdrawn.

4.  Membership in a Club, Association or Voluntary Organization

The proposed Regulations clarify the definition and scope of these “non-business relationships”, and include references to the purpose and not-for-profit status of these organizations.

5.  Limited Exemptions for Protecting, Upgrading and Updating Computer Networks

The proposed Regulations include new definitions for computer programs that are to be excluded from the “installation consent” requirements:  those installed (i) to prevent illegal activities that present an imminent risk to network security; and (ii) to update and upgrade an entire network.

Certain Questions Clarified

The Regulatory Impact Statement clarifies that not all messages sent “in a commercial context” are necessarily CEMs.  For example, Industry Canada notes that:

  • a CEM is a message that “encourages participation in a commercial activity”: therefore a message such as a courtesy SMS or an unsubscribe notification (without that encouragement) is not a CEM;
  • a CEM is a message sent to an electronic address:  “…[t]he publication of blog posts or other publications on microblogging and social media sites is not within the intended scope of the Act”.

What Industry Canada has Not Done

Industry Canada has rejected stakeholder requests to:

  • “grandfather” consents obtained under PIPEDA (rejected as the CASL consent requirements are much more stringent than PIPEDA’s);
  • send CEMs from Canada to recipients outside Canada on behalf of foreign companies (rejected as a potential loophole to be exploited by spammers);
  • permit manufacturers to send CEMs to end-users of their products (rejected as potentially too broad);
  • revise the “unknown third party” approach to make it less complex and burdensome (rejected as tracking and managing consents is not “unduly onerous”).

A growing number of businesses in Canada, the United States and elsewhere have weighed in on the proposed Regulations.  The outcome of the current regulatory review will be worth watching for all those affected by CASL.


Five Data Governance Matters to Address in 2013

It is 2013, and time for a bit of tough love. Here are five data governance matters that need your attention as soon as possible.

1. Enough of the Unencrypted USB Keys. December 2012 ended with Human Resources and Skills Development Canada reporting that a USB key containing personal information of Canadians had gone missing. Just months before, Elections Ontario apparently lost USB keys containing unencrypted personal information of Ontarians. The use of unencrypted USB keys to store or transfer personal information or any confidential corporate information is the number one practice that organizations should address in 2013. The solution is not overly complex. Just stop it already! And, also make sure that subcontractors don’t use unencrypted USB devices when handling your data.

2. BYOD is Here to Stay; Stop Pretending Otherwise. Employees are coming to work with their own smart phones, laptops, tablets, and other devices. There is no point pretending that employees don’t have proprietary rights and privacy rights in these devices with heavy-handed and unworkable policies on their use. But turning a blind eye to the fact that these devices may introduce security risks and can be used as unencrypted USB keys is also not an option. It is time to develop a workable policy. Be clear with employees regarding appropriate use. Audit compliance. If your organization is of sufficient size, it may be a wise investment to employ a “show me – don’t just tell me” policy. Invest in a video showing proper use of these devices and, perhaps more importantly, the cost and consequences of improper use. If it is a condition of BYOD that the organization be able to wipe the whole device remotely, consider illustrating what that is going to mean so that employees understand that they may lose data that they consider to be theirs and that is not backed up.

3. End the Denial About Your Website Data Collection. You know that part of the website privacy policy that says the organization doesn’t share personal information with third parties? Or, the bit about how the organization only uses information for the purposes described in the privacy policy? Saying it doesn’t make it so. Chances are that even in an organization with very good privacy practices this statement is not 100% accurate, particularly if the organization is engaged in on-line advertising, uses third-party website analytics services, or has third-party content on its site. These activities may involve the transmission of personal information about the user without the knowledge and consent of the individual. If staff in the marketing and technology departments say there is no personal information being shared, ask whether any non-personal data is being shared. Ask what that non-personal information is. There is a decent chance that some of the data being shared is data that a Canadian Privacy Commissioner would consider to be personal information.

4. Stop Ignoring Unstructured Data; It Might Be Your Achilles’ Heel. Data privacy policy? Check. Records retention policy? Check. Litigation hold procedure? Check. Wait, what’s that? Your organization is using social media. Employees are storing documents in electronic and physical files that are not saved in a centralized repository with pre-defined fields or labels. All of this unstructured data is probably falling outside of the organization’s procedures and policies for dealing with the collection, use, retention and destruction of information. Unstructured data doesn’t need to be the weak link, provided that it is not ignored. It is time to start tackling why employees are using unstructured files and responding with solutions that can address the usefulness of the unstructured data while managing its risks.

5. Really, Why is “That” Confidential? Yes, yes, everything about the organization’s business is confidential. Except that half of it is on the corporate website or in public filings and everyone in the organization with a user ID has access to the other half of it. Okay, I’m being deliberately provocative. However, this one also falls in the category of “saying it doesn’t make it so”. If information is confidential, then there should be many contextual clues so that employees are re-sensitized to the need to protect the information. Limiting access, requiring higher levels of clearance and training, using watermarks to establish the custodian of the information, having properly labelled and locked shredding containers, all contribute to better information security practices by providing employees with contextual reminders of the importance of information security and confidentiality.


That E-mail Is Mine; Or Is It?: Who Owns an E-mail Message?

Here’s a brain teaser. Who owns an e-mail? The sender? The recipient? Both? Typical e-mail footers seem to assert some type of ownership by the sender by directing that the e-mail is only for the attention of an intended recipient and that the sender prohibits retention and use by other persons. In the U.K., the answer to who owns an e-mail appears to be neither the sender nor the recipient.

In Fairstar Heavy Transport N.V. v. Adkins, [2012] EWHC 2952, decided by the Technology and Construction Court of the Queen’s Bench Division of the English High Court, the issue was whether the plaintiff company, “Fairstar”, had a proprietary interest in e-mails held by the defendant, “Adkins”, who was formerly the CEO of Fairstar. Adkins was not directly employed by Fairstar. Instead, Fairstar contracted with Adkins’ company. The plaintiff had been taken over by a competitor in a hostile bid and Adkins had been terminated.

According to the court decision, Adkins’ incoming e-mails while he was CEO would be automatically forwarded by Fairstar’s server to Adkins’ e-mail account hosted by a third party. Copies of the e-mails on Fairstar’s server were automatically deleted after being forwarded. Copies of e-mails sent by Adkins did not go through Fairstar’s server unless someone at Fairstar was copied.

Fairstar wanted access to the e-mails in relation to the construction of a vessel in a Chinese shipyard, which turned out to be a substantial liability for Fairstar and with respect to which Adkins was involved in the negotiations. Fairstar’s position was that, notwithstanding that it had no claim to the medium in which the e-mails were stored, it had a proprietary claim to the content of the e-mails.

In examining the possibility of a proprietary claim, the court considered five options:

1. Title to the e-mail remains with the creator (or his or her employer) irrespective of who receives the e-mail or how many times it is forwarded.

2. Title to the e-mail passes to the recipient (or his or her employer).

3. In the alternative to (1), even though title to the e-mail remains with the creator, the recipient has a licence to use the content for any legitimate purpose consistent with the circumstances in which the e-mail was sent.

4. In the alternative to (3), even though title has passed to the recipient, the creator continues to have a licence to retain the content and to use it for any legitimate purpose.

5. In the alternative to each of the foregoing, title is shared between the sender and recipient and anyone else to whom the e-mail is sent.

The court concluded that options (1) and (2) were not workable. Indeed, either option would lead to the possibility of a party having the right to demand that an e-mail (subsequently regretted) be returned or destroyed.

The court held that options (3) and (4), which involve one party retaining ownership and the other party a licence (presumably irrevocable) to use the e-mail, effectively left the concept of ownership devoid of any real meaning because only illegitimate uses could be precluded. If a breach of copyright or confidentiality was not in issue, there would be very little, if any use, left to restrain as being illegitimate.

The court also rejected option (5). The court hypothesized that joint ownership might mean, for example, that if a supplier lost its database of e-mails, it could demand that all of its correspondents deliver up a copy of each e-mail in order to reconstitute the database.

In the case of a letter, the recipient of the letter “owns” the letter in the sense of the tangible thing.  Of course, the owner’s right to reproduce the content of the letter is subject to copyright, just as I might own the book on my bookshelf but my entitlement to reproduce the book or passages from it is subject to applicable copyright laws.

The question of who owns an e-mail is of course more complex since it is not a tangible thing in the same way as a letter or book.  However, might it not be analogous to the author making a copy of a letter and sending the original or the copy, or the author of a book retaining a copy of the manuscript?  Author and recipient are each entitled to own and use their own copy subject to copyright laws. No one would suggest that the author could demand return of the copy of the letter or book, subject, of course, to duties of confidence or other equitable rights and obligations. Might the reason why the options discussed by the court don’t make sense have to do with thinking about an e-mail as a single thing, whereas an e-mail is a message transmitted electronically and always already involves a copy (perhaps many times over) once created, and even more so when sent?  Thoughts?

R U Preserving UR Text Messages?

A 2011 report for the Pew Research Center’s Internet and American Life Project found that Americans between the ages of 18 and 24 exchanged an average of 109.5 text messages (nearly 110) on a normal day, with the median user exchanging approximately 50 text messages a month. Even those in an older age group – 30 to 49 – were texting in significant numbers, at an average of 27 texts per day.

Text messages are not confined to personal use, although that is likely still the most pervasive use of text messaging. Close-knit team members may use text messages to convey brief information or simply to prompt a call or attention to email. Text messages may also be used more nefariously as a means to communicate information in an attempt to avoid detection by an employer, particularly when sent and received from employee-owned mobile phones.

In the public sector environment, there may be a duty to produce text messages in response to access to information requests if those text messages are under the “control” of a public institution subject to access to information legislation. Access to information legislation typically defines “records” broadly in a technologically neutral way. The issue, however, is whether text messages are under the “control” of the institution. The answer is straightforward with respect to employer-owned mobile devices. However, the answer is more complex when dealing with employee-owned devices. The Supreme Court of Canada has endorsed an understanding of “control” that would include some power of direction over the record. Whether a policy on employee text messaging would be sufficient to establish control is uncertain.

In response to the possibility that records are falling outside of the access to information system, the Information Commissioner of Canada recently initiated an investigation into the use of text messages and similar forms of communication in the Federal public sector. The Commissioner noted that there is no government-wide policy on text messaging. Her investigation appears, however, to be limited to government-issued wireless devices.

In the private sector, the issue is equally complex. Leaving aside privacy issues relating to non-work-related texts on employer-owned devices, it is impractical for an employer to control the use of text messaging on personal devices. What is clear, however, is that inappropriate use of text messaging may pose a significant record-keeping and compliance challenge for organizations. My colleagues have posted about harassment complaints involving text messages sent and perhaps not sent. More broadly, however, text messages pose challenges for managing communications regarding matters that may be highly regulated or potentially litigious. If a regulatory investigation is commenced or litigation reasonably anticipated, the organization may need to take steps to direct employees to preserve relevant text messages.

There is no easy answer to the issue of text messages. However, like Canada’s Information Commissioner, it may be time to consider whether your organization’s policy and employee training is up to the challenge.


Privacy Conscious Europe is Leading the Cloud Computing Charge

Look out, Canada and the U.S.: European regulators are working to give Europe a head-start as a safe jurisdiction for cloud computing.

European Commission Supports Cloud Computing

The European Commission has announced that it will draft model contract terms that organizations could use in cloud computing contracts and service level agreements. In a document entitled “Unleashing the Potential of Cloud Computing in Europe”, the European Commission stated that it “aims at enabling and facilitating faster adoption of cloud computing throughout all sectors of the economy”. The Commission wishes to address the “perception” that cloud computing may bring additional risks by making it easier to signal and verify compliance (through standards and certification) and by developing legal frameworks, such as an initiative on cyber security. The Commission summarized the business case for devoting Commission resources to cloud computing as follows:

Addressing the specific challenges of cloud computing would mean a faster and more harmonised adoption of the technology by Europe’s businesses, organisations and public authorities, resulting, on the demand side, in accelerated productivity growth and increased competitiveness across the whole economy as well as, on the supply-side, in a larger market in which Europe becomes a key global player. Here, the European ICT sector stands to benefit from important new opportunities; given the right context, Europe’s traditional strengths in telecommunications equipment, networks and services could be deployed very effectively for cloud infrastructures. Beyond that, European application developers large and small could benefit from rising demand.

The Commission identified several barriers to an accelerated adoption for cloud computing, including:

  • Contractual standards regarding data access, portability, change of control, ownership of data and dispute resolution processes.
  • Regulatory fragmentation due to differing national legal frameworks and uncertainties over applicable laws, given that cloud services may span multiple jurisdictions.
  • Proliferation of security standards and uncertainty by organizations regarding the security of those standards and the interoperability of data formats to permit portability.

Among the Commission’s activities for 2013:

  • The Commission has challenged itself to develop model terms for cloud computing service level agreements for professional cloud users by the end of 2013. The Commission will also review clauses that could be used in contracts involving the transfer of personal data to countries outside of the EU.
  • The Commission will also develop standardized contract terms for consumer agreements for cloud computing.
  • The Commission supports the development of uniform standards and the certification of organizations providing cloud computing services. The Commission will be tasking the European Telecommunications Standards Institute with developing a set of necessary standards for security, interoperability, data portability and reversibility. The Commission will also assist in the development of an EU-wide voluntary certification scheme.

UK Information Commissioner Provides Constructive Guidance

In other developments, the U.K. Information Commissioner’s Office (ICO) has issued “Guidance on Cloud Computing”, which should prove to be a useful resource for privacy professionals and counsel who are beginning to grapple with cloud computing technologies and mandatory reading for Canadian companies operating in the U.K. Although there are significant differences between Canadian and U.K. privacy laws, this ICO resource is a useful starting point because of the clear and practical approach to decoding the “lingo” of cloud computing and describing the privacy issues. In-house counsel may especially appreciate the use of specific short examples to illustrate concepts.

Among the points covered in the ICO booklet are:

  • Assess the risk of processing highly sensitive data in the cloud. The ICO does not, however, put any types of data off-limits. The ICO states: “Often, the question may not be whether the personal data should be put into the cloud but what the data protection risks are and whether those risks can be mitigated.”
  • Consider that moving data to the cloud may create additional types of data. Metadata regarding usage statistics or transaction histories of users may be recorded and should be covered by the organization’s privacy policy.
  • Privacy impact assessments should be considered before engaging in large or complex cloud services.
  • Assessment of the administrative, technical and physical controls of the cloud service provider is not a “one-time” event. Organizations should engage in a “continual cycle of monitoring, review and assessment”. Furthermore, organizations should ensure that they are notified of any changes to subcontractors and those subcontractors are approved.
  • Use third-party audits and certifications. The ICO supports the use of third party audits and industry certifications to assist organizations assessing the physical, technical and administrative security measures of the cloud service provider. Responsibility remains, however, with the organization to satisfy itself that the cloud service provider has adequate security measures in place to maintain data security.

The ICO states that technical security measures of a cloud computing program should include:

  • Access control through the use of a robust authentication program involving individual usernames and strong passwords, and an administrative program to create, update, suspend and delete user accounts.
  • Encryption of data while in transit and, if possible, at rest (i.e. when stored) should be considered. It is important, however, to ensure that the encryption process also contains a “robust key management arrangement”. This is because access to the decryption key means access to the data and, in addition, inadvertent loss of the key would result in the loss of data.
  • Data retention and destruction procedures to provide for the overwriting and destruction of data consistent with the organization’s document retention protocol and following a transfer to another cloud service provider or discontinuance of the use of the cloud service provider’s services.
  • Limits on the cloud service provider’s access to the organization’s data and controls on whether and how the cloud service provider may use the organization’s data. There should be “an audit process that will alert the cloud customer if unauthorised access, deletion or modification occurs.”

On the thorny subject of international transfers of data becoming subject to the laws of the jurisdiction to which the data is transferred, the ICO joined the trend towards international comity by stating as follows:

If a cloud provider is required to comply with a request for information from a foreign law enforcement agency, and did comply, the ICO would be likely to take the view that, provided the cloud customer had taken appropriate steps to ensure that the use of the cloud services would ensure an appropriate level of protection for the rights of data subjects whose personal data would be processed in the cloud, regulatory action against the cloud customer (in respect of the disclosure of personal data to the foreign law enforcement agency) would not be appropriate as the cloud provider, rather than the cloud customer, had made the disclosure.

Movement to cloud computing appears inexorable.  Jurisdictions that are first movers to develop standards and to facilitate the advantages of the cloud computing industry may have the advantage in the long-run.  Digital strategy, anyone?

The Right to Have a Non-Conviction Police Record Forgotten?

One of the hot topics in privacy policy at the moment is the question of whether there should be a right to be forgotten. Should, for example, an indiscretion captured in a photo and shared via social media be purged?

The Canadian Civil Liberties Association (CCLA) has weighed into the debate by tackling a specific and pressing issue: the retention and disclosure of non-conviction records in police background checks. The CCLA’s recent report is provocatively titled “Presumption of Guilt?”

The CCLA notes that most people who interact with police will never be convicted of a crime. These people may be victims of crime, be witnesses, or be targets of an investigation or a “person of interest”. In some cases, a person simply has an undiagnosed or untreated mental health need and law enforcement officers are first responders. Records of these interactions may be created in each of these cases. In addition, of course, records will be created in situations where the police lay charges that are subsequently withdrawn or individuals are acquitted of an offence.

In the case of adults, these varied “non-conviction” records are not subject to legal requirements for destruction. The CCLA comments that the Criminal Records Act provides for removal of records of absolute and conditional discharges from RCMP databases within relatively short time frames. However, there is no requirement with respect to other types of non-conviction records. Moreover, the CCLA concludes in its Alberta investigation that records of absolute and conditional discharges of adults, as well as other non-conviction records of adults, may continue to be maintained in provincial databases for lengthy periods of time and possibly indefinitely. (There are greater restrictions on the retention of youth criminal records.)

The CCLA is calling for reform given the increasing use of criminal background checks in employment. The CCLA is concerned that these records may be misleading without sufficient context and be unfair to the subject of the records who may not be in a position to refuse to disclose those records.  To address these concerns, the CCLA has outlined seven recommendations which are reproduced below:

1.  Non-conviction records should be regularly reviewed and destroyed in the overwhelming majority of cases.

2.  Non-conviction records should be retained for inclusion in a police background check only in exceptional cases where police believe that doing so is necessary to reduce immediate public safety threats. The decision to treat a case as an exceptional one should be done at the time that the non-conviction record is created; i.e., immediately after the charge is dismissed, withdrawn or otherwise resolved by way of a non-conviction.

3.  Where the government requests that a decision be made whether to retain a non-conviction record, the affected individual should be notified and provided with a right to make submissions.

4.  If it is decided that retention is appropriate in a given case, the affected individual should have a right of appeal in front of an independent adjudicator.

5.  Where non-conviction records are retained, they should be disclosed only in relation to certain employment or volunteer positions.

6.  Proper monitoring mechanisms regarding the use and impact of all forms of police background checks should be put in place, including adequate data collection and public reporting.

7.  Provincial human rights legislation should protect individuals from unwarranted discrimination on the basis of non-conviction disposition records.

In the meantime, employers should be cautious in their use of background checks to ensure that they are adhering to their legal obligations.  For more information regarding the law related to the use of background checks in employment, readers might consider checking out “The HR Manager’s Guide to Background Checks and Pre-Employment Testing” authored by Adrian Miedema (FMC lawyer) and Christina Hall.

Ontario Unclaimed Property Consultation

The Government of Ontario has commenced a consultation on a new proposed Unclaimed Intangible Property Program. The possibility of this new program for unclaimed property was mentioned in the 2012 Budget and reported on in a previous post. The Government has released a consultation paper, which includes a series of questions. The deadline for submissions is October 12, 2012. Given the additional burden this may pose for businesses, it is to be hoped that the consultation period is extended.

Ontario previously enacted an Unclaimed Intangible Property Act in 1989. However, this legislation was never proclaimed into force and was ultimately repealed as of December 31, 2011, by the operation of the Legislation Act, 2006.

The Government of Ontario is proposing that the new program for unclaimed intangible property would be based on the Uniform Unclaimed Intangible Property Act, which was developed by the Uniform Law Conference of Canada. This form of legislation would impose upon Ontario businesses the obligation to take prescribed steps to notify owners of abandoned unclaimed property. If the property remains unclaimed, holders must file a report and transfer the property to the Government of Ontario, which then can use the property until it is claimed (if ever). There would be fines for non-compliance. The Government of Ontario would maintain a publicly searchable registry of the property it has received. Owners may file a claim for the property.

What constitutes “property” for the purposes of the new program is up for grabs. The breadth of that definition will directly affect the number and types of business that will face additional administrative burdens. If, for example, Ontario were to include gift certificates and gift cards, this would have significant implications for Ontario retailers.

Another issue that is open for debate is the time period after which property should be considered to be abandoned. The general period of time is five years. Thus far, there has been insufficient consideration given to the interaction between Ontario’s Limitations Act, 2002 and an unclaimed property program. Legislation tends to ignore the effect of limitation periods on the enforceability of intangible property rights and, therefore, the issue of whether the property should be considered abandoned or the property rights considered unenforceable. In Ontario, the basic limitation period is two years from the date of discovery of the claim or the date on which a reasonable person with abilities and in the circumstances of the person could have discovered the claim.  However, the limitation period for demand obligations does not commence until a demand for performance is made.

The issue of limitation periods is also relevant to the transitional provisions for an unclaimed intangible property program. Ontario is proposing not to enact a transitional period that would have exempted property that became unclaimed more than five years before the coming into force of the legislation. The effect of this is uncertain. Apart from the problem that businesses may only have records for the past seven years, some businesses may have considered the rights of the property holders unenforceable for accounting purposes, provided the obligation was not a demand obligation.

During the consultation period, the Government is asking:

  1. Should any modifications to the Uniform Unclaimed Intangible Property Act be made?
  2. What types of property should be included or excluded? Do certain types of property present unique challenges?
  3. Are the time periods for considering property abandoned in the Uniform Unclaimed Intangible Property Act appropriate?
  4. What are the challenges for businesses in transitioning into the new program?
  5. Are there additional issues that the Government should be aware of?
  6. How should the Government continue the consultation as the new program is developed?

The consultation document is available here. Remember, the consultation deadline is October 12, 2012.


Allow Access! Canada’s Privacy Commissioner Releases Fact Sheet

The Office of the Privacy Commissioner of Canada recently released a fact sheet entitled, “Accessing Personal Information under the Personal Information Protection and Electronic Documents Act” along with an FAQ for individuals and a guide for businesses as to their responsibilities.

With some exceptions, the Personal Information Protection and Electronic Documents Act (PIPEDA) requires organizations to provide individuals with a method of requesting disclosure regarding the personal information collected about those individuals as well as a means for correcting that information.

Subject to certain exceptions:

  • Access requests must be responded to within 30 days.
  • Individuals must be told what information has been collected, how it has been used and to whom it has been disclosed.
  • Individuals must be provided with the opportunity to review the personal information collected about them at minimal or no cost.
  • Records must be corrected if they are factually inaccurate or incomplete.

It is critically important that staff are trained to recognize personal information access requests.  These requests do not always come through the “official channels” that have been set up by organizations, such as an address for the Privacy Officer.  Although the request will be made in writing, it may come to front-line staff.  In addition, organizations should consider developing a protocol for responding to these requests with a check-list for ensuring that all relevant sources of data are reviewed.  Access is not limited to documents such as printed records or electronic word-based files.  Personal information can include photographs and videos as well as electronic information that is held in multiple locations.  A robust records retention policy can assist organizations in locating records as well as ensuring that they are appropriately destroyed to limit retention and, therefore, burdensome access requests.


Are You Using a Limitation Period to Inform Records Retention?

Many types of business records do not have a prescribed statutory or regulatory retention period.  In some cases, organizations may use limitation periods for lawsuits to inform the choice of a retention period.  There is nothing objectionable about this practice, but it can be too simplistic.

Consider the record retention policy of hypothetical company ABC Co. located in Ontario.  Let’s assume ABC Co. produces widgets.  Although this discussion applies equally to the services industry, it is easier to illustrate with products. Let’s also assume that the record retention policy states that design and production records are to be kept for 2 years after the year in which the last shipment of its widgets was produced.  ABC Co. chose this retention period because it understands that the limitation period for bringing a claim in Ontario is 2 years.

There are a number of problems with the way in which ABC Co. chose the retention period.

First, the retention period assumes that the only applicable limitation period is the one in Ontario.  That might be a fine assumption if ABC Co.’s products were only sold and used in Ontario.  If not, then the applicable limitation period for negligence might be the limitation period in another jurisdiction, depending on conflict of laws rules.

Second, the retention period assumes nearly immediate discovery of any problems with the widgets and does not take into account the possibility of a latent defect.  But what if the defect is hidden and isn’t discovered for several years?  In Ontario, the basic limitation period under the Limitations Act, 2002 is 2 years from the date the claim is discovered.  In simple terms, a claim is discovered on the day on which the person knew or ought to have known (i) that the injury, loss or damage had occurred, (ii) that the injury, loss or damage was caused by or contributed to by the faulty widget, (iii) that the act or omission was that of ABC Co., and (iv) that, having regard to the nature of the injury, loss or damage, a proceeding would be an appropriate means to seek to remedy it. If the defect in ABC Co.’s widgets takes a few years to discover, then the limitation period won’t start running until that time.

Third, the chosen retention period does not take into consideration the useful life of the product or the probability of the defect occurring at different points over that useful life.  Let’s assume that the useful life of the widget is 20 years and let’s assume that the probability of the defect going undetected for 10 years is high.  In this fact scenario, the records might be relevant between 10 and 15 years from distribution.  The ultimate limitation period based on the “act or omission” of ABC Co. (rather than discoverability) is 15 years under the Limitations Act, 2002.  Therefore, a person who has a claim because of the defective widget might have up to 15 years to discover the defect.

Finally, the chosen retention period does not take into account whether the records are likely to be useful to ABC Co. with respect to the most likely types of risks of dispute.  Quality control records and records regarding tests performed on the widgets might be very useful.  Design documents may also be useful, particularly if the widgets were designed by others.  But daily run records may not be of high value.

So, ABC Co.’s 2-year retention period would not be “wrong”, but it may not be the most useful for its business.  Instead, ABC Co. will want to look at a mix of factors.  What is the useful life of the product? Where is it distributed? What is the potential for latent defects in the product lingering for years unnoticed?  What is the potential scope of injury, damage or loss that could be caused by the product? How useful are the records in assisting the organization in dealing with any litigation that could arise? What are the limitation periods for claims based on the potential for latent problems?

Anti-Spam Update – Proposed New Exemptions on the Way

Today the Canadian Bar Association held an update session for members on Canada’s Anti-Spam Legislation (“CASL”).  An oral presentation was provided by Andy Kaplan-Myrth, a Policy Advisor in the Digital Policy Branch at Industry Canada and a member of the team that developed and is implementing CASL.

Here’s what we heard from the discussion.  [Please note that information and comments provided by Mr. Kaplan-Myrth and other participants are intermingled with my own below.  The following is not intended as a verbatim report on the presentation.]

  • Industry Canada is targeting the release of further draft regulations for comment by the summer; however the ultimate timing depends in part on internal government processes including Treasury Board approval;
  • The regulations will reflect some concerns heard during and since last year’s comment process on the last draft regulations.  As we noted in past posts, many industry stakeholders believed that the earlier draft regulations did not go far enough to clarify obligations and provide needed exemptions;
  • Industry Canada is focusing on exempting activities that clearly do not constitute “spam”, where a line can clearly be drawn to define permitted activities and exclude others;
  • Industry Canada welcomes comments on the regulations, and beyond that process, is also seeking input from stakeholders on what areas of CASL and definitions should be clarified in information bulletins;

More substantive questions discussed:

Q:  Does it make sense for the “form and content” (i.e. contact information and unsubscribe) requirements to apply to messages: sent within businesses, to their employees? sent B2B, such as banking transactions? that must be sent by law? that are responses to an inquiry?

A: In some cases…not really.  The forthcoming draft regulations may address these.

Q:  How do you set up third-party referrals under CASL?

A: Referral marketing can be done with appropriate consent, but don’t forget that consent must meet both CASL and PIPEDA requirements.

If it’s a “refer a friend” scenario, and the person is truly a friend or family under the law, then CASL will not apply.  (As some have suggested, CASL will legally define for us who our true friends are.)  Under regulations to come, the definition of a “friend” may be broadened to include virtual friends met online.

Q:  What’s required to get express consent, and document it?

A:  Oral consent, and even a check-box is acceptable (perhaps even pre-checked, if the request for consent is clearly conveyed).  Australia has provided some practical guidance for business under its Spam Act 2003 on obtaining consent, and a range of other topics.  Although Canada’s legislation is different from Australia’s, the CRTC may provide similar forms of guidance on practices to obtain consent and related issues.  As mentioned above, both Industry Canada and the CRTC are interested to hear from stakeholders on where guidance is most needed.

As for documenting consent:  this will be up to clear internal policies and practices.  These are intentionally not spelled out anywhere, to give organizations the latitude to find what works for them…while meeting the CASL requirements.

Q:  Can organizations rely on PIPEDA consents under CASL?

A:  Remember that CASL “overrides” PIPEDA, to the extent of any conflict (s. 2 of CASL).  And that CASL expressly requires a high standard of consent to send commercial electronic messages.  Therefore organizations can’t rely on “grandfathering” PIPEDA consents under CASL, broadly speaking.

If however, existing PIPEDA consent also meets the CASL requirements for implied consent – for example an “existing business or non-business relationship” – then that is sufficient.  Many organizations can and will rely on implied consents to send many of their CEMs during the transition years, the first three years after CASL enters into force (see s. 66 of CASL).

What’s Next?

Although CASL won’t enter into force until 2013, there is a significant amount of preparation going on this year, as noted above, and here.

We have also heard reports that many organizations outside of Canada have not even heard of CASL, so clearly more needs to be done to raise awareness.  For those organizations that are familiar with the U.S. CAN-SPAM Act requirements, our comparison of CASL to CAN-SPAM may assist.


Spoliation and Social Media

News media have paid significant attention to court orders requiring production of relevant documents from Facebook and social media sites in the course of litigation.  As described in my recent post, the Ontario Information and Privacy Commissioner has recently published a booklet on privacy and reference checks.

From the Canadian litigator’s perspective, all the fuss might be difficult to appreciate.  In Ontario, for example, the Rules of Civil Procedure require that litigants must disclose to all of the parties to the litigation the existence of every relevant document in their possession, power or control and must produce to the other parties all of those relevant documents that are not privileged.

A document is defined by the Ontario Rules of Civil Procedure to include data and information in electronic form.  Electronic information will be in the power of a party if that party could obtain a copy of it.  So, pictures and posts accessible through your social media account are documents and within your power to produce. The only question is whether those posts are relevant.

Photographs and posts to social media accounts may be relevant to litigation in a number of ways.  In a personal injury or long-term disability case, they may suggest that claims of being unable to enjoy life or to work are exaggerated or false.  They may suggest that a litigant was at a location or with certain people as alleged, contrary to the litigant’s denials.  They may contain evidence of defamation or of the truth of what might otherwise be defamatory statements.

Once litigation has been commenced or is contemplated, litigants and potential litigants should be careful, however, that they do not take steps to “cleanse” their social media accounts.  It often comes as a surprise to litigants that they are required to preserve physical and electronic documents – even if that material might be unhelpful to their case.  However, the preservation obligation will often begin even before litigation has been commenced.  Once a demand letter is drafted or received, or legal advice is sought with respect to potential litigation, a potential litigant may be required to preserve evidence.  Therefore, individuals involved in litigation or where litigation is a reasonable possibility should seek legal advice on their obligations.

Intentionally destroying evidence is called spoliation.  Spoliation occurs where a party (the spoliator) has intentionally destroyed evidence relevant to ongoing or contemplated litigation in circumstances where a reasonable inference can be drawn that the evidence was destroyed to affect the litigation.  In Canada, spoliation usually produces an adverse inference that the evidence would have been unhelpful to the spoliator and may result in sanctions.

A recent U.S. case illustrates some of the pitfalls of, and in the U.S. the sanctions for, spoliation involving social media (Lester v. Allied Concrete Co., Case No. CL09‐223 (Va. Cir. Ct. Sep. 1, 2011), and Lester v. Allied Concrete Co., Case Nos. CL08‐150, CL09‐223 (Va. Cir. Ct. Oct. 21, 2011)):

  • The plaintiff was the husband of a woman who was killed in an automobile accident.  He sued the truck driver and the driver’s employer and initially won a substantial damage award.
  • During the discovery process for his trial, he was asked about his Facebook account.  The defendants had produced a photo justifying the request that was apparently taken after his wife’s death and showed him holding a beer can and wearing an “I [heart] hot moms” t-shirt.
  • The plaintiff, on his lawyer’s advice, deleted the Facebook account and responded that he did not have a Facebook account at the time of responding to the discovery requests.

The Virginia court was not impressed. It cut the damages award to the plaintiff in half and awarded cost sanctions against both the plaintiff and his lawyer.

In Canada, courts are reluctant to make similar awards preferring to remedy the wrong in other ways, such as providing procedural remedies for additional discovery and drawing adverse inferences that the destroyed documents would have been unhelpful to the party who destroyed them.  Courts can also award cost sanctions.  To date, however, courts have not awarded damages against the spoliator.  Nevertheless, once litigation is contemplated – resist the urge to press delete!


Personal and Professional Email: Access to Information Requests

When a government employee uses workplace email to send and receive personal email, are those emails subject to disclosure under access to information laws?

What about when a government employee uses a personal email account to send and receive emails relating to government business?

Two recent cases – one in Alberta and one in Ontario – answer the first question in the negative.

A recent case in England answers the second question in the affirmative – and a similar result might be expected in Canada based on recent Supreme Court of Canada jurisprudence.

1. Personal email may not be in the custody or control of the public authority

In City of Ottawa v. Ontario, the information requester sought production of communications between an employee of the City and an organization where the employee volunteered.  Subsection 4(1) of the Municipal Freedom and Protection of Privacy Act (“MFIPPA”) provides that a requester is entitled to access to records if they are in the custody or under the control of the City, unless an exemption applies or the request for access is frivolous or vexatious.

The employee used his work email address to receive emails related to his volunteer work.  This was permitted by the City.  However, the City reserved the right to monitor email without notice.  All email was property of the City, but employees were not required to retain personal email under any record-keeping policy.

Initially, the adjudicator concluded that the email was in the custody or control of the City.  After all, the City had physical possession of the emails on its server and had the authority to regulate them.  On judicial review, however, the Ontario Divisional Court concluded that the documents were not in the custody or control of the City.  In order to be in the custody or control of the City, two criteria must be satisfied.  The City must be entitled to obtain a copy of the emails and the emails had to concern a City matter.  However, if personal email was sufficiently intermingled with email relating to City matters, then it would have to be produced.

In University of Alberta v. Alberta (Information and Privacy Commissioner), the requester sought access to emails between an academic at the University and a government grant agency relating to the review of a grant application.  As in the Ontario case, the adjudicator had taken a straightforward approach: the emails passed through the University’s servers and the University had some right to deal with the emails; therefore, the University must have had custody or control.

The Alberta Court of Queen’s Bench rejected the adjudicator’s approach and adopted the Ontario Divisional Court’s interpretation of the meaning of “custody or control”.  Analogizing the emails to the situation of paper records, the court held that employees may keep private items at an employer’s place of work but that does not bring them within the meaning of custody or control for the purpose of access to information legislation.  The emails in this case were only remotely related to the University’s business and need not be disclosed.

2. Personal email may be producible under access to information requests if related to government business

In order to understand the next two cases, a bit of legislative background is required.  The scope of the Freedom of Information Act 2000 (UK) is somewhat different from federal Canadian access to information legislation.  In the UK, it seems that there is no specific exemption from production for records in a Minister’s Office.  Under the federal Access to Information Act (Canada), the Minister’s Office is not a government institution that is subject to the Act.

In a recent UK decision of the Information Commissioner’s Office (FS50422276), the issue was whether emails sent from the Secretary of Education’s personal email address to two special advisors were subject to production under the UK Act.  One of the emails was characterized by the Information Commissioner’s Office as “essentially an action plan and a list of key events or issues in the work of the department for the month of January 2011.”  This characterization was “supported by the fact that much of what was discussed in the email subsequently resulted in official departmental announcements.”

The Information Commissioner’s Office concluded the fact that the email was sent from the Secretary of Education’s personal email address was not determinative of the requirement to produce the email (although this practice was frowned upon for record-keeping purposes).  The relevant question was whether the majority of the email had to do with the business of the department.  In analysing this question, it would be relevant to consider who the sender and recipients were and their roles, if any, within the civil service or the party machine, as well as the substance of the email and how it was used.

Last year, the Supreme Court of Canada considered whether records held by Ministers’ Offices were required to be disclosed under the federal Access to Information Act.  The fact that a Minister’s Office was not a governmental institution for the purposes of the federal Access to Information Act did not preclude documents held there from being in the “control” of the department and, therefore, producible.  The court held that consideration had to be given as to whether the record related to a departmental matter and, if so, whether there are factors that suggest that the government institution could reasonably expect to obtain a copy of the record.  The court held that some of the factors to consider include the substance of the record, the circumstances in which it was created and the legal relationship between the government institution and the record holder.

CASL: 3 Next Steps in 2012

As many of us now know, Canada’s Anti-Spam Law is now expected to enter into force in 2013.  Don’t expect things to sit idle until then, however.

3 Next Steps for CASL in 2012

Following are three next steps for 2012, ranked in order of importance to industry stakeholders:

1.  Industry Canada to issue new set of regulations for comment

As we noted in previous posts here and here, while businesses had hoped that regulations would clarify key terms and obligations under the Act, and lessen the Act’s impact on certain types of communications, many stakeholders were disappointed.  Many businesses considered that neither the Industry Canada regulations as originally published for comment, nor the CRTC regulations as finalized, went far enough to clarify obligations.  Moreover, neither set of regulations provided the exemptions many businesses have called for, to exclude certain categories or types of messages from the application of CASL consent requirements. 

A glimmer of hope is in sight:  Industry Canada is expected to publish a new set of regulations for comment in the coming weeks.  These regulations are expected to contain some exemptions from the application of CASL requirements.  In the comment period, businesses will have the opportunity to comment on the regulations, and seek further changes to make CASL more workable. 

2.  CRTC to issue a series of information bulletins for industry

Anyone who has tried to read through CASL’s provisions and the accompanying CRTC regulations knows that they tend to raise at least as many questions as they answer.  The CRTC is expected to issue information bulletins in the coming weeks to help clarify what is meant, and required, by some key elements of the regulations.  These bulletins may include matters relating to what it means to get consent “in writing” online, and how far businesses must go to make information accessible in “commercial electronic messages”. 

3.  Spam Reporting Centre

The government is currently reviewing bids by third-party service providers to operate the Spam Reporting Centre.  The Centre will act as a liaison between the public and the government agencies (CRTC, Office of the Privacy Commissioner, Competition Bureau) on spam complaints and monitoring.  The government states that:

“When operational, the Spam Reporting Centre will accept various types of electronic messages from individuals and organizations in Canada. Reporting spam and related electronic threats will not stop such threats completely; however, the data sent to the Spam Reporting Centre will help it identify trends, and try to find out who is sending the spam and other threats and from where. This will aid in the future prosecution and civil proceedings against those responsible for electronic threats in Canada and internationally.”

The final line of the above quote – “future prosecution and civil proceedings”, and “threats in Canada and internationally” – is a stark reminder of two important points. 

First, the government means business.  Its objective is to “drive spammers out of Canada” (then Minister of Industry Tony Clement, 2010).  Second, CASL is designed to reach beyond Canada.  It is designed to capture commercial electronic messages that may be sent from other countries, and also to provide the framework for international monitoring and enforcement. 

3 Things to do while you “wait” for CASL in 2013:

  1. Participate in the comment process on the coming draft Industry Canada regulations
  2. Remind yourself of the differences between the U.S. CAN-SPAM requirements, and CASL
  3. It’s strongly recommended that businesses use the lead time before CASL’s entry into force to get their operations in order.  Prepare your organization’s CASL audit, checklist, and Compliance Policy.  The CAN-SPAM vs. CASL presentation and an earlier article of ours can help explain the basics.


Consumer Safety Administrative Monetary Penalties Published for Comment

On March 24, 2012, the Canadian federal government published draft regulations for comment relating to the imposition of administrative monetary penalties for certain violations of Canada’s new Consumer Product Safety Act.

The Administrative Monetary Penalties (Consumer Products) Regulations relate to violations of ministerial orders relating to the recall of consumer products or the taking of measures in respect of them (such as stopping their importation or sale).  Using a system of points to assess the gravity of the violation of the ministerial order and the number of violations, the regulations would establish penalty ranges of Cdn. $10,000 to Cdn. $25,000 for commercial organizations.

It should be noted, however, that these are not the only potential penalties for organizations in the supply-chain of consumer products in Canada.  All organizations in the supply chain have day-to-day responsibilities under Canada’s Consumer Product Safety Act.  In particular, from a data governance perspective, organizations should be aware that if they are engaged in the manufacture, importation, advertising, sale (distribution and retail) or testing of consumer products, they have specific record-keeping and reporting obligations.

Section 13 of the Consumer Product Safety Act requires retailers to maintain records of the name and address of the person from whom they obtained a consumer product and the location and period during which the product was sold.  Other organizations must maintain records containing the name and address of the person from whom they obtained the product or to whom they sold it, or both.  These records must be kept for 6 years after the end of the year to which they relate (accordingly, most organizations will likely use a 7-year retention period subject to certain exceptions for longer retention).  These records must be kept in Canada unless an exemption is obtained.

Section 14 of the Consumer Product Safety Act requires manufacturers, importers and sellers of consumer products to make reports regarding any “incidents” relating to those products of which they become aware and to provide the Minister of Health with information regarding such incidents.  An “incident” includes among other things (a) an occurrence in Canada or elsewhere that resulted or may reasonably have been expected to result in an individual’s death or in serious adverse effects on their health, including a serious injury; (b) a defect or characteristic that may reasonably be expected to result in an individual’s death or in serious adverse effects on their health, including a serious injury; (c) incorrect or insufficient information on a label or in instructions — or the lack of a label or instructions — that may reasonably be expected to result in an individual’s death or in serious adverse effects on their health, including a serious injury; or (d) a recall or measure that is initiated for human health or safety reasons.

A person who contravenes these obligations may be prosecuted for a criminal offence and be liable to a maximum fine of Cdn. $5,000,000 or to imprisonment for a maximum term of two years or to both.  Directors and officers may be personally liable if they directed, authorized, assented to, acquiesced in or participated in the commission of the offence.

Ontario’s Budget: Privacy and Data Governance Aspects

Today, Ontario’s Minister of Finance, Dwight Duncan, presented Ontario’s proposed budget, “Stronger Action for Ontario“. 

From a privacy and data governance perspective, here are a few things to note:

  • Public-Private Partnership for ServiceOntario.  ServiceOntario operates a hub for government registrations, certifications and licensing.  The government is proposing to increase private sector involvement, including in the expansion of online services.
  • Unclaimed Intangible Property. Ontario has unclaimed intangible property legislation that has not been proclaimed into force.  The government has indicated that it will move forward to establish an Unclaimed Intangible Property Program that would allow the government to take unclaimed intangible property and use it for government purposes until claimed by the owner of the property.  This will inevitably create data gathering, reporting and payment obligations for businesses operating in Ontario as well as the collection of further information about Ontarians by the government.
  • Integration of Social Programs. As mentioned in our previous post, the Drummond Report suggested that there would be benefits to integrating social programs and centralizing data collection.  It appears that the government will move forward on some of these recommendations.
  • Sharing Information for Tax Compliance. The Drummond Report also called for greater information sharing to combat the loss of tax revenue in the underground economy. The government is proposing to move forward with, among other things, enhanced information sharing across Ontario ministries, municipalities and with the Canada Revenue Agency. 

The government is also proposing amendments to the Freedom of Information and Protection of Privacy Act to accomplish some of its tax and revenue collection objectives.

Governance Attention for Digital Assets Lacking Suggests Carnegie Mellon Study

Carnegie Mellon CyLab has released a summary of its third survey regarding corporate governance of the privacy and security of digital assets.  CyLab is a centre for cyber security research. The 2012 study was sponsored by RSA, the security division of the information infrastructure company EMC. A summary of the study is available on the RSA website.

The authors of the 2012 study state that less than one-third of Global Forbes 2000 companies who responded to the survey are undertaking basic responsibilities for cyber governance.  Among the key findings were that:

  • 94% of respondents stated that they had a formal enterprise risk management program; however, half of the respondents reported that they do not have personnel in key privacy and security roles;
  • at the board level, audit committee responsibility for technology risks has decreased in favour of risk committees;
  • however, only approximately one-third of the respondents reported that their board of directors is focused on activities that would help protect against reputational or financial losses resulting from breaches of data security and the theft of confidential and proprietary information; and
  • more than half of the respondents reported that their boards do not review insurance policies for protection against cyber risks.


What is Data Privacy Day?

Data Privacy Day is observed annually on January 28th in a number of jurisdictions with varying formality and support by government officials.  Privacy professionals and consumers use this day annually to raise awareness regarding best privacy practices, to educate consumers and to reflect on the complexity of privacy issues in our global and electronically interconnected economy. 

To learn more about Data Privacy Day, a great starting point with a collection of resources is the Privacy Commissioner of Canada’s website. Also, check out the U.S. National Cyber Security Alliance website.

World Data Privacy Day @ FMC Law

January 28, 2012 is World Data Privacy Day. Privacy is interconnected with anti-spam, data management and records retention issues for many industries, particularly those operating in the e-commerce environment.

To mark this year’s World Data Privacy Day, Fraser Milner Casgrain LLP (FMC) is launching this new blog on data governance.  FMC is a national Canadian law firm with offices in the principal economic centres of Canada.  Our focus in this blog will be to provide interested followers with information on how privacy, anti-spam, records management and e-commerce interact in the Canadian legal environment.  Along the way, we will provide updates on worldwide developments that we think may be of particular interest to businesses operating in Canada with global e-commerce connectivity.

Please check back frequently.  Or better yet, subscribe!