Post on 17-Jan-2015
description
Privacy, Privilege, Confidentiality and Ethics
Canadian Bar Association Annual Meeting, Halifax, August, 2011
Mark Hayes, Hayes eLaw LLP, Toronto
Privacy, Privilege and Confidentiality
• 3 distinct and overlapping concepts• Often confused with each other• Important for lawyers to understand different
types of obligations
General Concepts
• Privilege– Legal right that applies in specific circumstances (e.g.
solicitor/client & litigation privilege)• Confidentiality
– Legal duty to hold in strict confidence and not disclose any kind of information that are subject to such duty, not just personal information
• Privacy– Body of statute law governing collection, use and
disclosure of personal information
Control
• Confidentiality– Controlled by client; can be waived (intentionally or
otherwise)• Privilege
– Controlled by client; can be waived (intentionally or otherwise)
• Privacy– Controlled by individual in question; consent or
exception to consent requirement– General reasonableness requirement
Confidentiality
• Source: primarily common law and professional regulations (e.g. Rules of Professional Conduct)
• Broad in scope – Ont. RPC s. 2.03 – “all information concerning the business and affairs of the client acquired in the course of the professional relationship”
• Waiver of duty of confidentiality & solicitor/client privilege: Harish v. Stamp, R. v. Hobbs, Osiris Inc. V. 1444707 Ontario Ltd.
• Waiver of confidentiality does not necessarily waive privilege (if one applies)
Privilege
• Source: primarily common law• Salosky (SCC): "fundamental civil and legal right”• Emerges from the duty of confidentiality inherent in
solicitor/client relationship• Sometimes permanent (e.g. solicitor/client privilege)
or limited by existence of specific circumstances (e.g. litigation privilege only pending litigation)
• Statutory limitations must be clearly and expressly provided by (Blood Tribe Dept of Health v. Canada)
• Waiver of privilege may not affect confidentiality
Privacy• Primarily statutory• Must obtain informed consent for collection, use
or disclosure of personal information by an organization in the course of its commercial activities
• In addition to consent requirement, collection, use or disclosure of PI must be reasonable
• Only collect as much information as is required• Publicly available personal information is not
exempt from consent requirement
Privacy
• Application: any organization engaged in commercial activity– Includes lawyers, unless acting as agent for individual in
personal capacity (Ferenczy)– This conclusion not accepted by Privacy Commissioner
• Various administrative requirements– Provide access to or correct PI in possession on request– Keep PI secure– Retain PI only for long as is required
Consent Exemptions
• For lawyers, exemptions from consent requirement are critical
• Some important ones:– Required by law– Investigations of breach of statute or contract– Private purposes (if acting for individual)– Provincial privacy laws in BC and Alberta have
additional exemptions
Cases on Lawyers and Privacy
• Can’t disclose PI pursuant to summons issued by an individual without jurisdiction to compel production (i.e. other lawyer) - PIPEDA Case Summary #2009-005
• Consent not required to disclose personal information in response to writ of seizure issued by court - PIPEDA Case summary #2003-174
• Law firms cannot collect credit reports without consent: PIPEDA Case Summary #2006-340
• Solicitor’s lien insufficient grounds to deny access to personal information - Settled case summary #30 (2007)
• Not reasonable to use individual’s SIN for general identification purposes – limited to payroll and income tax purposes - PIPEDA Case summary #2002-69
Overlaps
Privilege (specific circumstances)
Confidentiality (information
from or about client)
Privacy (specified types of
information)
Client information subject to privilege
Personal information subject to privilege
Personal information
that is confidential
Obligations Different But Consistent
• For the most part, all of privacy, privilege and confidentiality consistent in requiring:– Access to information be limited– Appropriate security steps be taken
• Major difference– Privilege and confidentiality controlled by client (who
can waive rights)– Privacy controlled by legislation and consent of
individual concerned - client cannot validly instruct lawyer to breach privacy
Privacy and Privilege
• Privacy statutes: individual must be given access to PI– Many examples of litigants requesting access from lawyers
• What if PI is privileged?– PIPEDA s. 9(3) excludes access obligation if “information is
protected by solicitor-client privilege”– But what about other privileges?– PIPEDA Case Summary #2008-397: also applies to litigation
privilege; liberal interpretation– PIPEDA Case Summary #2010-001: court procedures more
appropriate to deal with allegation that documents improperly withheld as privileged
Privacy and Confidentiality
• Confidentiality obligation subject to certain exemptions– E.g. Ont. RPC s. 2.03: may disclose confidential information
“where a lawyer believes upon reasonable grounds that there is an imminent risk to an identifiable person or group of death or serious bodily harm, including serious psychological harm that substantially interferes with health or well-being…”
• Privacy laws don’t contain exact same exemption– PIPEDA s. 7(3)(e): “made to a person who needs the
information because of an emergency that threatens the life, health or security of an individual”
– Must inform individual in writing without delay
Builders Energy Services Ltd.
• Alberta IPC Investigation Report P2005-IR-005• Lawyer acting for acquirer of company posted
employee personal information on SEDAR, where it was publicly available
• While case concentrated on whether disclosure of PI was reasonably necessary, clear that lawyer had not considered whether this PI was subject to privacy regime
• Similar considerations often arise in litigation
Technology and Privacy Risks
• Service providers• Storage devices (servers, hard drives, sticks)• Laptops• Blackberries and smartphones• “Cloud computing”
Managing Technology Risks
• Mitigate highest and most immediate risks
– Inventory personal data maintained by the firm
– Employee training and management
• Conduct risk assessment:
– Information systems design and information processing, storage, transmission and disposal
– Responding to and preventing attacks, intrusions and systems failures
• Fix vulnerabilities identified through risk assessment
• Continually evaluate and adjust information security program
Data Retention Policies
• Privacy laws require lawyer to retain PI for only as long as required for disclosed purposes
• Ethical obligations require retention of client files until client releases you and all regulatory and liability issues have passed
• Finding correct balance between hanging on too long and destroying too quickly is tricky, especially since appropriate retention periods may be different depending on nature of data
Summary
• Privacy issues have significant impacts in many practice areas:– Family– Civil and criminal litigation– Real estate– Estates– Employment law
• Even in practices where PI of third parties is not critical, have to worry about employee privacy
Summary
• Think about PI issues whenever you handle PI about individuals who are not your clients– Know your obligations– Know the relevant exceptions you can use to your
advantage and in your clients’ interest• Privacy obligations are constantly changing
– Keep informed; PCC and provincial sites, blogs– Talk to the experts
Thank You!
For a copy of these slides, email me at mark@hayeselaw.com