This slide show was part of a presentation by mark Hayes at the 2011 Canadian Bar Association Annual Meeting in Halifax, Nova Scotia on August 16, 2011.

1. Privacy, Privilege, Confidentiality and Ethics Canadian Bar Association Annual Meeting, Halifax, August, 2011 Mark Hayes, Hayes eLaw LLP, Toronto

2. Privacy, Privilege and Confidentiality 3 distinct and overlapping concepts Often confused with each other Important for lawyers to understand different types of obligations

3. General Concepts Privilege Legal right that applies in specific circumstances (e.g. solicitor/client & litigation privilege) Confidentiality Legal duty to hold in strict confidence and not disclose any kind of information that are subject to such duty, not just personal information Privacy Body of statute law governing collection, use and disclosure of personal information

4. Control Confidentiality Controlled by client; can be waived (intentionally or otherwise) Privilege Controlled by client; can be waived (intentionally or otherwise) Privacy Controlled by individual in question; consent or exception to consent requirement General reasonableness requirement

5. Confidentiality Source: primarily common law and professional regulations (e.g. Rules of Professional Conduct) Broad in scope – Ont. RPC s. 2.03 – “all information concerning the business and affairs of the client acquired in the course of the professional relationship” Waiver of duty of confidentiality & solicitor/client privilege: Harish v. Stamp, R. v. Hobbs, Osiris Inc. V. 1444707 Ontario Ltd. Waiver of confidentiality does not necessarily waive privilege (if one applies)

6. Privilege Source: primarily common law Salosky(SCC): "fundamental civil and legal right” Emerges from the duty of confidentiality inherent in solicitor/client relationship Sometimes permanent (e.g. solicitor/client privilege) or limited by existence of specific circumstances (e.g. litigation privilege only pending litigation) Statutory limitations must be clearly and expressly provided by (Blood Tribe Dept of Health v. Canada) Waiver of privilege may not affect confidentiality

7. Privacy Primarily statutory Must obtain informed consent for collection, use or disclosure of personal information by an organization in the course of its commercial activities In addition to consent requirement, collection, use or disclosure of PI must be reasonable Only collect as much information as is required Publicly available personal information is not exempt from consent requirement

8. Privacy Application: any organization engaged in commercial activity Includes lawyers, unless acting as agent for individual in personal capacity (Ferenczy) This conclusion not accepted by Privacy Commissioner Various administrative requirements Provide access to or correct PI in possession on request Keep PI secure Retain PI only for long as is required

9. Consent Exemptions For lawyers, exemptions from consent requirement are critical Some important ones: Required by law Investigations of breach of statute or contract Private purposes (if acting for individual) Provincial privacy laws in BC and Alberta have additional exemptions

10. Cases on Lawyers and Privacy Can’t disclose PI pursuant to summons issued by an individual without jurisdiction to compel production (i.e. other lawyer) - PIPEDA Case Summary #2009-005 Consent not required to disclose personal information in response to writ of seizure issued by court - PIPEDA Case summary #2003-174 Law firms cannot collect credit reports without consent: PIPEDA Case Summary #2006-340 Solicitor’s lien insufficient grounds to deny access to personal information - Settled case summary #30 (2007) Not reasonable to use individual’s SIN for general identification purposes – limited to payroll and income tax purposes - PIPEDA Case summary #2002-69

11. Overlaps Personal information subject to privilege Client information subject to privilege Personal information that is confidential

12. Obligations Different But Consistent For the most part, all of privacy, privilege and confidentiality consistent in requiring: Access to information be limited Appropriate security steps be taken Major difference Privilege and confidentiality controlled by client (who can waive rights) Privacy controlled by legislation and consent of individual concerned - client cannot validly instruct lawyer to breach privacy

13. Privacy and Privilege Privacy statutes: individual must be given access to PI Many examples of litigants requesting access from lawyers What if PI is privileged? PIPEDA s. 9(3) excludes access obligation if “information is protected by solicitor-client privilege” But what about other privileges? PIPEDA Case Summary #2008-397: also applies to litigation privilege; liberal interpretation PIPEDA Case Summary #2010-001: court procedures more appropriate to deal with allegation that documents improperly withheld as privileged

14. Privacy and Confidentiality Confidentiality obligation subject to certain exemptions E.g. Ont. RPC s. 2.03: may disclose confidential information “where a lawyer believes upon reasonable grounds that there is an imminent risk to an identifiable person or group of death or serious bodily harm, including serious psychological harm that substantially interferes with health or well-being…” Privacy laws don’t contain exact same exemption PIPEDA s. 7(3)(e): “made to a person who needs the information because of an emergency that threatens the life, health or security of an individual” Must inform individual in writing without delay

15. Builders Energy Services Ltd. Alberta IPC Investigation Report P2005-IR-005 Lawyer acting for acquirer of company posted employee personal information on SEDAR, where it was publicly available While case concentrated on whether disclosure of PI was reasonably necessary, clear that lawyer had not considered whether this PI was subject to privacy regime Similar considerations often arise in litigation

16. Technology and Privacy Risks Service providers Storage devices (servers, hard drives, sticks) Laptops Blackberries and smartphones “Cloud computing”

17. Managing Technology Risks Mitigate highest and most immediate risks Inventory personal data maintained by the firm Employee training and management Conduct risk assessment: Information systems design and information processing, storage, transmission and disposal Responding to and preventing attacks, intrusions and systems failures Fix vulnerabilities identified through risk assessment Continually evaluate and adjust information security program

18. Data Retention Policies Privacy laws require lawyer to retain PI for only as long as required for disclosed purposes Ethical obligations require retention of client files until client releases you and all regulatory and liability issues have passed Finding correct balance between hanging on too long and destroying too quickly is tricky, especially since appropriate retention periods may be different depending on nature of data

19. Summary Privacy issues have significant impacts in many practice areas: Family Civil and criminal litigation Real estate Estates Employment law Even in practices where PI of third parties is not critical, have to worry about employee privacy

20. Summary Think about PI issues whenever you handle PI about individuals who are not your clients Know your obligations Know the relevant exceptions you can use to your advantage and in your clients’ interest Privacy obligations are constantly changing Keep informed; PCC and provincial sites, blogs Talk to the experts

21. Thank You! For a copy of these slides, email me at mark@hayeselaw.com