Investigating without running afoul of privacy laws

Investigating without running afoul of
privacy laws

Dan Michaluk
October 3, 2012

Outline

• Governing privacy law
• Access to business system information
• Surveillance outside the workplace
• Gathering internet evidence

Investigating without running afoul of privacy laws

Governing privacy law

• Nothing stops you from investigating (or auditing)
• But there are a variety of means by which individuals
can cause the conduct of an investigation to be
reviewed
• There may be liability for over-stepping



• Privacy regulation (patchy application to EEs)
• Federal works and undertakings – PIPEDA
• State Farm, 2010 FC 736
• Johnson v Bell Canada, 2008 FC 1086
• Employment in BC, Alberta Quebec
• Broad public sector application o/s Ontario



• Individual privacy rights
• Implied rights under a collective agreement
• Intrusion upon seclusion tort
• Jones v Tsige, 2012 ONCA 32
• Privacy statutes
• BC, Sask, Man, NL (+ Quebec Charter)
• Section 8 of the Charter (for government)
• See Longueuil, 1997 SCC on application



• Rules of evidence
• Labour arbitrators split 50/50 on authority to exclude
• Some court cases accept authority to exclude
• See Mathews, 2007 BCSC 1825
• Section 7 of Manitoba Privacy Act



• A recent example – Calgary Police, F2012-07
• Internal sexual misconduct investigation
• Review of work e-mail account
• Search for “password”
• Found password to outside account
• Searched outside account



• A recent example – Alberta Govt (Sims, 2012)
• Credit checks on 26 employees by internal
investigator as part of a needs or motive analysis
• Without consent
• Agreed that employees “suffered emotional stress”
as a result of privacy breach
• Arbitrator awards $1,250 each


Access to business system information
• The ideal – single purpose systems
Mine Yours



• The reality – significant intermingling
• Utility of internet invites personal use at work
• Utility of handheld devices puts work on personal
devices
• Utility and value of cloud computing puts your work
system on a computer with others’ work systems



• The problem – bad law
• CACE asks this Court to re-balance employer and
employee interests. To strike a proper balance, the Court
should give significant weight to the primary function of a
work-issued computer and should recognize that a work-
issued computer is only one part of a work information
system that must be routinely accessed by an employer
for a variety of legitimate reasons.
(CACE factum in R v Cole)



• One solution – more law and policy
• You deal with data security in your cloud contracts.
Have you dealt with audit and investigation
requirements?
• Your acceptable use policies must be clear that
personal use is conditional on specific and detailed
rights and requires a sacrifice of personal autonomy



• Other more fundamental solutions
• Revert to a no personal use rule
• Segregate the data created by personal use from
the data created by work use (this is what BYOD
technology and policy attempts to do)


Surveillance outside the workplace

• Intrusion upon seclusion tort
One who intentionally intrudes, physically or otherwise, upon the seclusion of
another or his private affairs or concerns, is subject to liability to the other for
invasion of privacy, if the invasion would be highly offensive to a reasonable
person.

1. Intentional, unauthorized intrusion
2. Upon private affairs or concerns
3. Highly offensive to the reasonable person


Surveillance outside the workplace

• An obvious risk that you ought to address
• Structure the decision to retain
• Reasonable grounds?
• Who decides?
• Structure the retainer
• Authorized means? Unauthorized means?
• Requirements (e.g., video only in public)
• Indemnification for breach


Gathering internet evidence

• If published, then likely okay
• Judges likely to be conservative
• see Murphy v Perger, 2007 ONSC
• see UFCW v Alberta, 2012 ABCA 130
• Most privacy statutes have exclusions for “publicly
available information”
• Subject to interpretation
• Seek advice if privacy legislation applies
• If not excluded, investigation exemption may apply



• If not published
• Receiving a printout from a friend is okay
• Hacking in (e.g., through a found password) is
prohibited by the Criminal Code
• Impersonating someone with intent to gain
advantage is prohibited by the Criminal Code



• If not published…
• The CBA Code of Professional Conduct (lawyer as
advocate rule) says:
• The lawyer may properly seek information from any potential
witness (whether under subpoena or not) but should disclose the
lawyer’s interest and take care not to subvert to suppress any
evidence or procure the witness to stay out of the way. The
lawyer shall not approach or deal with an opposite party who is
professional represented save through or with the consent of
that party’s lawyer.



• If not published…
• The CBA Code of Professional Conduct (avoiding
questionable conduct) says:
• Public confidence in the administration of justice and the legal
profession may be eroded by irresponsible conduct on the part
of the individual lawyer. For that reason, even the appearance of
impropriety should be avoided.
• Arguably applies because the tactic for gaining access to
information entails taking advantage of the subject


Investigating without running afoul of privacy laws

Recomendados

Recomendados

Mais conteúdo relacionado

Mais procurados

Mais procurados (20)

Semelhante a Investigating without running afoul of privacy laws

Semelhante a Investigating without running afoul of privacy laws (20)

Mais de Dan Michaluk

Mais de Dan Michaluk (20)

Último

Último (20)

Investigating without running afoul of privacy laws