1. No category

A Zero-Sum versus Positive-Sum Paradigm

Volume 7 • Number 7
In This Issue:
June 2010
A Zero-Sum versus
Positive-Sum Paradigm
A Zero-Sum versus PositiveSum Paradigm
Dr. Ann Cavoukian and Dr. El Emam..........77
Becoming Jane or John Doe:
Can Civil Litigants Use a
Pseudonym to Protect
Their Privacy?
Wendy Matheson and Alex Smith...................81
“Smile, You’re on Candid
Camera ...” — How Arbitrators
View Video Surveillance
Derek Knoechel.............................................85
Ann Cavoukian, Ph.D.
Information and Privacy Commissioner of Ontario
Khaled El Emam
Associate Professor, University of Ottawa;
Canada Research Chair in Electronic Health Information
Individual rights are frequently pitted against societal rights or the public interest.
When individual and societal rights collide, there is often an attempt to balance
one against the other. The zero-sum paradigm dictates that the two goals (in this
case, individual versus societal rights) are mutually exclusive and that each of the
goals can only be attained at the expense of the other goal — the two goals can
never be attained simultaneously.
Privacy is often viewed as an individual right that must be sacrificed in order to attain
other socially desirable, but competing goals. For example, the right to privacy is often
traded off to achieve national security goals. In the health sector, patient privacy may be
sacrificed in the interests of health research and quality improvement. Over the years,
the traditional zero-sum approach to managing competing goals has meant that privacy
rights have been allowed to gradually deteriorate in favour of achieving other more
urgent goals, such as minimizing a terrorist threat.
The Information and Privacy Commissioner of Ontario (“IPC”) is committed to
bringing about a paradigm shift, by demonstrating how information technology,
introduced to serve one function, can be designed and implemented in a manner
such that privacy is maintained or enhanced, without derogating from the
functionality of the technology. By building privacy into the design and
implementation of information technology, the goal of protecting the individual’s
right to privacy and the original goal of the information technology can be attained
simultaneously. This process, referred to as “Privacy by Design,” shifts the
traditional zero-sum paradigm to a positive-sum paradigm, in which both goals are
maximized to the greatest extent possible.
CANADIAN PRIVACY LAW REVIEW • Volume 7 • Number 7
Canadian Privacy
Law Review
The Canadian Privacy Law Review is
published monthly by LexisNexis Canada Inc.,
123 Commerce Valley Drive East, Suite 700,
Markham, Ont., L3T 7W8, and is available by
subscription only.
Web site: www.lexisnexis.ca
Design and compilation © LexisNexis Canada Inc.
2010. Unless otherwise stated, copyright in
individual articles rests with the contributors.
ISBN 0-433-44417-7
ISSN 1708-5446
ISBN 0-433-44418-5 (print & PDF)
ISBN 0-433-44650-1 (PDF)
ISSN 1708-5454 (PDF)
Subscription rates: $205.00 plus GST (print or PDF)
$320.00 plus GST (print & PDF)
Editor-in-Chief:
Professor Michael A. Geist
Canada Research Chair in Internet and
E-Commerce Law
University of Ottawa, Faculty of Law
E-mail: [email protected]
LexisNexis Editor:
Boris Roginsky
LexisNexis Canada Inc.
Tel.: (905) 479-2665 ext. 308
Fax: (905) 479-2826
E-mail: [email protected]
Advisory Board:
•
•
•
•
•
•
•
•
Ann Cavoukian, Information and Privacy
Commissioner of Ontario, Toronto
David Flaherty, Privacy Consultant, Victoria
Elizabeth Judge, University of Ottawa
Christopher Kuner, Hunton & Williams,
Brussels
Suzanne Morin, Bell Canada, Ottawa
Bill Munson, Information Technology
Association of Canada, Toronto
Stephanie Perrin, Service Canada, Integrity
Risk Management and Operations, Gatineau
Patricia Wilson, Osler, Hoskin & Harcourt LLP,
Ottawa
Note: This Review solicits manuscripts for consideration by the
Editor-in-Chief, who reserves the right to reject any manuscript or
to publish it in revised form. The articles included in the Canadian
Privacy Law Review reflect the views of the individual authors and do
not necessarily reflect the views of the advisory board members. This
Review is not intended to provide legal or other professional advice
and readers should not act on the information contained in this Review
without seeking specific independent advice on the particular matters
with which they are concerned.
78
A Zero-Sum Paradigm —
Privacy versus Data Quality
Health care is an information-intensive industry. At the individual
level, the efficient and effective delivery of health care depends on
the ready availability of accurate and complete health information
about individuals. At the societal level, maintaining and improving
the health of populations requires extensive knowledge about the
factors that contribute to good health, causes and treatments for
medical conditions and diseases, emerging medical technologies,
and policies and procedures for the efficient and effective delivery
of health care. Such knowledge is typically generated through
comprehensive research and the ongoing assessment of the care
that is provided to patients. The predominant way in which such
health research is conducted around the world is through access
to health information that is accumulated during the course of
providing health care to individuals.
Ontario’s Personal Health Information Protection Act, S.O. 2004,
c. 3, Schedule A (“PHIPA”), permits the collection, use and
disclosure of personal health information for secondary purposes,
such as health research that is seen as benefiting society as a
whole. Where the collection, use or disclosure is specifically
permitted by PHIPA, health information custodians need not obtain
consent from individuals. In some cases, certain conditions must be
met. For example, in the context of health research, a Research
Ethics Board (“REB”) must approve the use of personal health
information, without consent. Where the collection, use or
disclosure is not specifically permitted by PHIPA, health
information custodians must either obtain direct consent from
individuals or de-identify the health information. In practice,
however, since it is often not practical to obtain consent,
particularly with respect to previously collected data (i.e.,
retrospective data), health information custodians frequently rely
on de-identification when using or disclosing health information for
purposes that are not specifically permitted by PHIPA.
Under PHIPA, health information custodians have a general
obligation not to collect, use or disclose personal health
information if other information will serve the purpose, and not to
collect, use or disclose any more personal health information than
is reasonably necessary to meet the purpose. This means that
health information custodians have a general obligation to collect,
use and disclose de-identified health information rather than
personal health information, if the de-identified information would
be sufficient to serve the purpose. These general limiting principles
apply whether or not the collection, use or disclosure is specifically
CANADIAN PRIVACY LAW REVIEW • Volume 7 • Number 7
permitted by PHIPA and whether or not individuals have
consented to the collection, use and disclosure of their
health information.
PHIPA defines identifying information as “information
that identifies an individual or for which it is reasonably
foreseeable in the circumstances that it could be
utilized, either alone or with other information, to
identify an individual.” Health information that is deidentified in a manner such that an individual cannot be
re-identified would fall outside of the scope of PHIPA.
However, when traditional methods of de-identification
are used, it is often possible to re-identify individuals. To
the extent that it is reasonably foreseeable in the
circumstances that it would be possible to re-identify
individuals, the information would be considered to fall
within the scope of the definition of personal health
information and be subject to all of the limitations and
restrictions imposed by PHIPA.
To reduce the re-identification risk to the level where
re-identification is not reasonably foreseeable in the
circumstances, health information custodians may alter
and/or remove all direct and indirect identifiers prior to
using or disclosing health information for secondary
purposes. It is important to note, however, that the
more variables that are altered and/or stripped from a
database, the less useful the database will be for
secondary purposes. Thus, individual privacy may be
achieved through strict de-identification, but often at
the expense of data quality. Alternatively, data quality
may be preserved, but at the expense of patient privacy.
This is the classic zero-sum paradigm, which we make
every effort to avoid. In its place, we prefer to use a
positive-sum paradigm, which maximizes the positive
attributes of both interests.
health information provides the highest degree of
privacy protection, while ensuring a level of data quality
that is appropriate for the secondary purpose. This
privacy-enhancing technology provides an excellent
example of what can be achieved using a doublyenabling, positive-sum approach which maximizes both
goals — in this case, individual privacy and data quality.
According to this framework, the overall reidentification risk exposure associated with a particular
disclosure of personal health information is a function of
four factors:

The re-identification probability;

The mitigating controls that are in place;

The motives and capacity of the data recipient
to re-identify the data; and

The extent to which an inappropriate disclosure
would be an invasion of privacy.
The last two factors are considered to be intrinsic to
the data recipient and the personal health information
that is disclosed and not subject to change by a health
information custodian. In contrast, a health information
custodian may change the re-identification probability
(by increasing the amount of de-identification) and the
mitigating controls. To reach an acceptable level of risk,
the health information custodian may reduce the reidentification risk and/or add more mitigating controls.
Since these two factors work in opposite directions, the
health information custodian can manipulate them to
balance one factor off against the other.
Framework for Maximizing both Privacy and
Data Quality
The re-identification probability can be controlled
through the de-identification technique. More stringent
de-identification techniques reduce the risk of reidentification. The other three factors are assessed
using checklists.
Dr. Khaled El Emam, a senior investigator at the
Children’s Hospital of Eastern Ontario Research
Institute (“CHEO”), has resolved this dilemma through
the development of a tool that de-identifies personal
health information in a manner that simultaneously
minimizes both the risk of re-identification and the
degree of distortion to the original database. The
application of this tool to any database of personal
Once a request for data has been received, the health
information custodian can determine at the outset if the
overall risk exposure is acceptable or not. If the risk
exposure is not acceptable, the health information
custodian may either de-identify the data further and/or
put in place more mitigating controls. If the data
recipient wants better quality data (i.e., less deidentified data), he or she must agree to additional
79
CANADIAN PRIVACY LAW REVIEW • Volume 7 • Number 7
mitigating controls which are included in a data sharing
agreement. If the data recipient does not agree to
additional mitigating controls, then the health
information custodian must compensate by increasing
the extent of de-identification and thereby reducing the
exposure risk. The recipient and health information
custodian must work together to achieve the level of
data quality that is necessary for the recipient’s
purposes and the level of risk exposure that is
acceptable to the health information custodian. A
balance may be attained when the re-identification risk
is low and the mitigating controls are low, or when the
re-identification risk is high and the mitigating controls
are also high.
A Positive-Sum Paradigm —
Privacy and Data Quality
The value of the de-identification tool may be
demonstrated through a real-life case scenario.
It is common for Canadian and U.S. hospitals to disclose
prescription records to commercial companies. This
data is then analyzed to provide research and market
intelligence for the pharmaceutical industry, insurers,
government agencies, and in some cases, to provide
drug utilization benchmarking services back to
the hospitals.
Prescription records which are provided to external
organizations do not contain any information that
directly identifies patients. For example, patient name
and address are not included in these records. The
assumption is made that because the prescription
information is stripped of all direct identifiers, it falls
outside of the scope of privacy legislation. However,
this is an assumption that should not be taken
for granted.
80
For example, if a record contains gender, date of birth,
and postal code information about the patient, then the
patient would be quite easy to re-identify by linking the
record with other publicly available information (e.g.,
public registries about homeowners and borrowers). As
another example, if a record contains the gender, age,
some postal code information, as well as admission and
discharge dates of a patient in a hospital, then these five
pieces of information would likely make the patient
unique among all admitted patients. Unique patients are
much easier to re-identify. These re-identification risks
pose a threat to patient privacy.
In 2008, a Canadian company, Brogan Inc., requested
prescription records from CHEO, as part of a larger
national effort to develop a hospital prescription records
database. An analysis of the CHEO data indicated that
the probability of re-identifying patients using the original
variables requested by Brogan was unacceptably high to
the hospital. The application of Dr. El Emam’s framework
provided a new de-identified record layout with an
acceptably low level of risk of re-identification.
Specifically, admission and discharge dates were replaced
with quarter/year of admission and length of stay in days;
patient age was provided in weeks; and the postal code
was truncated to include only the first character. In
addition, the data sharing agreement between Brogan
and CHEO was modified to include additional mitigating
controls (e.g., an audit requirement and a breach
notification protocol). Thus, CHEO was able to achieve
its goal of protecting patient privacy, while preserving the
level of data quality that was deemed to be necessary for
Brogan to include CHEO’s prescription data in the
national hospital prescription record database: a positivesum, doubly-enabling solution, that satisfied the goals of
both parties — win/win, not win/lose — a powerful
reflection of Privacy by Design.
CANADIAN PRIVACY LAW REVIEW • Volume 7 • Number 7
Becoming Jane or John
Doe: Can Civil Litigants Use
a Pseudonym to Protect
Their Privacy?
article we refer to both initials and Jane or John Doe as
the use of “pseudonyms.”
The Principle of Openness
A would-be Jane or John Doe must contend first with
the strong presumption in favour of the “openness” of
the courts, particularly in respect of judicial acts. In
MacIntyre v. Nova Scotia (Attorney General),3 Justice
Dickson (as he then was) quoted Jeremy Bentham’s
rationale for this presumption:
In the darkness of secrecy, sinister interest and evil in every shape
have full swing. Only in proportion as publicity has place can any
of the checks applicable to judicial injustice operate. Where there
is no publicity there is no justice.4
Wendy Matheson
Alex Smith
Partner,
Torys LLP
Associate,
Torys LLP
Whether litigants are suing or being sued, one of the
first sacrifices they make is their privacy regarding the
matters in dispute. The resulting public revelations can
sometimes lead to embarrassment, or worse, which has
been described as “an unavoidable consequence of an
open justice system.”1
Today’s increased recognition of the importance of
privacy interests may seem at odds with the limited
recognition they receive in civil litigation. Litigants often
ask, “Can I shield my identity from the public?” Usually,
the answer to this question is no. The importance of an
open court system is normally the overarching public
policy imperative. The open court principle has been
described as “the very soul of justice.”2
Court processes exist, however, through which litigants
can ask that their privacy be recognized. One such
measure is to allow them to protect their privacy by
using a pseudonym or initials instead of their legal name.
Doing so is a protection against the public, not the
opposite party. An examination of the developed law
reveals that the use of initials or a pseudonym is not
driven by the interests of protecting privacy per se,
though there are suggestions that it may yet develop in
that direction. This article explores and enumerates the
limited circumstances in which a party can proceed
using his or her initials, or become, for the purposes of
the record, Jane or John Doe. For convenience, in this
The presumption of openness is usually sufficient to
dispose of the argument that the privacy rights of a
party should be protected. As Dickson J. held,
Many times it has been urged that the ‘privacy’ of litigants requires that the public be excluded from court proceedings. It is
now well-established, however, that covertness is the exception
and openness the rule. Public confidence in the integrity in the
court system and understanding of the administration of justice
are thereby fostered.5
MacIntyre was a case about public access to executed
search warrants and related informations, but the
reasons advanced for the presumption of openness also
apply in the civil context.6 In civil litigation, judges
determine the rights of parties, and these judicial
determinations are not truly open to public scrutiny if
the identity of one of the parties is a secret. In
consequence, subrule 14.06(1) of Ontario’s Rules of Civil
Procedure7 requires that the title of every court
proceeding set out the names of all parties.
Openness is not merely a matter of guarding against
“judicial injustice,” as Bentham called it. Courts have
observed that the use of pseudonyms gives rise to
other concerns:
It is easier for false allegations against innocent defendants to be
maintained if plaintiffs are not exposed to the full glare of public
scrutiny. And an action involving an unnamed plaintiff will minimize the opportunity for third parties to come forward with
knowledge of the case. This latter concern could work to the
benefit or the detriment of either side in the case.8
81
CANADIAN PRIVACY LAW REVIEW • Volume 7 • Number 7
The issue of third parties coming forward is not a
concern about moral hazards affecting the judge or a
party; rather, it is a concern about an impairment of the
court’s ability to discover the truth.
Each of these considerations informs the strong
presumption in favour of openness and militates against
the use of pseudonyms in civil litigation.
Nor is consent of the parties alone sufficient to obtain
an order. Often, all parties would be happy to litigate in
private. The court, however, must consider the
interests of the public.9
The Exceptions
While Rule 14 requires that the parties to a civil action
be named, subrule 2.03 provides that the court “may,
only where and as necessary in the interests of justice,
dispense with compliance with any rule at any time.”
This rule provides a starting point to seek an order to
use a pseudonym, but the onus rests with the party
seeking to do so.10
The presumption in favour of openness and against the
use of pseudonyms can be overcome in some
circumstances, including to prevent harm and to protect
the innocent. The use of pseudonyms may also be
allowed to protect confidentiality when the very
purpose of the action is to protect confidentiality.
Finally, there may be some scope for new exceptions,
such as the use of pseudonyms in the context of
anonymous Internet activity. Each of these
circumstances is discussed below.
(i) The Prevention of Harm and
the Protection of the Innocent
A party will be permitted to use a pseudonym if it is
established that he or she would otherwise likely suffer
irreparable harm. The court has employed a three-part
test, based on the test for an interlocutory injunction:11
(1) whether there is a serious issue to be tried;
(2) the likelihood of irreparable harm; and,
(3) the balance of convenience.12
The heart of this test is the inquiry into the likelihood of
irreparable harm, and the evidence before the court on
the motion will be important. This is illustrated by two
82
decisions of the Ontario Superior Court of Justice
involving Dr. Stubbs, a plastic surgeon who performed
penile enhancement surgery. Two of Dr. Stubbs’
patients were dissatisfied with the results of their
operations. Each sought to sue using a pseudonym.
They also sought orders banning the publication of their
names and any identifying information.13
In the first Stubbs action, the motion was supported by
the affidavit of a treating psychiatrist.14 Because the
psychiatrist concluded that the disclosure of the plaintiff’s
identity could be very traumatic for the plaintiff, the
Court concluded that the second stage of the test had
been met and, ultimately, granted the order.
In the second Stubbs action, the plaintiff provided no
evidence of irreparable harm other than his own
stated concern that he would be embarrassed.15 The
Court concluded that this evidence was insufficient,
since “the subjective feelings of the plaintiff cannot be
the test for giving an anonymity order.”16 An approach
based on subjective feelings, the Court held, would
“open the floodgates for preliminary motions for
anonymity orders.”17
The Stubbs decisions highlight the importance of proving
the likelihood of irreparable harm. This is true not only
regarding the unusual facts of the Stubbs cases, but also
regarding the far more common circumstance of civil
sexual assault claims. In the recent case of Jane Doe v.
D’Amelio,18 Justice Nolan of the Ontario Superior Court of
Justice held that, in the absence of medical or psychological
evidence, the plaintiff’s own affidavit evidence of
irreparable harm was an insufficient basis for granting the
anonymity order sought.19 Overcoming the presumption
of openness “requires clear and compelling evidence.”20
A similar conclusion was reached in John Doe v. B(S),21 in
which the Supreme Court of Newfoundland and
Labrador refused an order permitting a plaintiff to
commence an action using a pseudonym. The intended
defendant was the plaintiff’s employer, who was later
convicted of sexually abusing the plaintiff. However, no
evidence of harm was provided on the motion. The
Court observed that the embarrassment caused by the
publicity surrounding the evidence that is likely to be
submitted is not sufficient reason to make the order.22
CANADIAN PRIVACY LAW REVIEW • Volume 7 • Number 7
The third stage of the test involves determining the
balance of convenience. The two Stubbs decisions differ
on the test to be applied. In the first Stubbs case, the
Court held that the balance of convenience is not
between the parties but “between the plaintiff and the
public.”23 In the second Stubbs case, the Court held that
this stage of the test also requires an assessment of the
balance of convenience between the plaintiff and the
defendant.24 In that case, Justice Cumming found that
[a]s a general proposition, it is probable that witnesses are more
likely to be truthful in their testimony if they know it is subject to
being scrutinized by an audience within the context of their
identity being known.25
The protection of plaintiffs is also important in
determining the balance of convenience. In J. Doe v.
TBH, both the plaintiff, a victim of sexual assault, and
the defendant, a publicly funded agency, sought
permission to use pseudonyms. The Court held that
victims of sexual assault were innocent victims who
could be protected at the cost of public accessibility of
the court system.26 In making this finding the Court
relied on MacIntyre, in which protection of the innocent
was identified as a social value of superordinate
importance.27 It is unclear whether J. Doe v. TBH, which
was decided before Jane Doe v. D’Amelio and both
Stubbs cases, would be decided the same way today,
absent evidence of harm. In J. Doe v. TBH, the defendant
was unsuccessful. Even though the agency was a
charitable organization doing “very good work and
caught up in a situation not of their own making,” this
social value was not of sufficient importance to justify
making the order.28
The key to obtaining an order on this basis appears to
be good evidence of irreparable harm — more than
mere embarrassment. The court will balance that harm
against the other interests at stake. Privacy is not a focal
point of the test.
(ii) Protection of Confidentiality
A court may also permit the use of a pseudonym where
disclosure of the plaintiff’s name would effectively destroy
the right to the confidentiality that the plaintiff seeks to
protect through an intended action. Put another way,
confidentiality will be protected where “confidentiality is
precisely what is at stake” in the action.29
This principle was articulated in A.(J.) v. Canada Life
Assurance Co.,30 which involved plaintiffs suing an insurer
that had allegedly revealed the HIV status of the
plaintiffs without their consent. The plaintiffs were
allowed to proceed with the action under pseudonyms
to ensure that justice was done.31
This exception appears to be grounded in the principle
that there is no right without a corresponding remedy.
If the right to keep information confidential could be
vindicated only by disclosing the confidential information
through court proceedings, then the right itself would
be useless.
(iii) Anonymous Internet Activity
Another (and as yet only potential) basis for proceeding
under a pseudonym involves disclosure orders in cases
of anonymous Internet activity.
The Federal Court of Appeal raised this potential basis
for an anonymity order in BMG Canada Inc. v. John
Doe.32 In BMG, Canadian music producers wished to
bring an action against certain persons who they had
reason to believe were infringing copyright through
“music sharing” on the Internet. The producers did not
know the identities of the prospective defendants, who
used pseudonyms for their online activities. To identify
the prospective defendants and serve them with a
claim, the producers sought an order for third party
discovery against the prospective defendants’ Internet
service providers (“ISPs”).
Citing privacy concerns and the Personal Information
Protection and Electronic Documents Act (“PIPEDA”),33
the ISPs refused to provide the names of their clients
without a court order. The Federal Court of Appeal
held that, as part of the test for granting an order, “the
public interest in favour of disclosure must outweigh the
legitimate privacy concerns of the person sought to be
identified” and that, in the circumstances of the case,
the balance favoured disclosure of the identity of the
prospective defendants.34 The Court then made the
following observation:
83
CANADIAN PRIVACY LAW REVIEW • Volume 7 • Number 7
[I]t must be said that where there exists evidence of copyright infringement, privacy concerns may be met if the court
orders that the user only be identified by initials, or makes a
confidentiality order.35
Despite this reference to the possibility of an order
permitting the use of a pseudonym, seeking that order
has not been common practice in the cases that follow
BMG, and there is no reason to assume that the order
would be automatic. Yet it is interesting to see that
privacy interests in anonymous music sharing may be
worthy of that protection. If that is so, a more
compelling case would be available with respect to
anonymous Internet speech, which is founded on the
Charter right of freedom of expression.
No case appears to have yet raised Charter rights in the
context of a litigant seeking to use a pseudonym in civil
litigation. It has, however, long been recognized in the
United States that anonymity is a component of free
speech. This principle was developed before the
Internet and recognizes that from time to time
throughout history, people have been able to criticize
oppressive practices and laws either anonymously or
not at all. The United States Supreme Court has said, “It
is plain that anonymity has sometimes been assumed for
the most constructive purposes.”36 Although there is
not the same long jurisprudential history in Canada, the
relationship between freedom of expression and
anonymity was considered in the Elections Canada v.
National Citizen’s Coalition case,37 in which the Ontario
Court of Justice found that the removal of individuals’
right to remain anonymous constituted an unjustified
breach of the Charter right to freedom of expression.
would know the identity of the party seeking a
pseudonym). It is difficult to see why the world at large
ought not to know that someone is music sharing. But a
more compelling case could be made that anonymous
speech may call for this protection, particularly where
anonymity is sought out of fear of reprisal.
The Reach of the Right to Privacy
Since the MacIntyre decision of the Supreme Court of
Canada, now 30 years ago, our legal system has
increasingly recognized privacy. Legislative change has
come through the introduction of PIPEDA and other
privacy legislation in Canada. The courts have made
clear that the Charter includes an expectation of privacy
under both ss. 7 and 8.39 Society now demands privacy
protection in many business relationships. Yet the cases
about the use of pseudonyms demonstrate that the
assertion of a privacy interest alone has not been
enough. The countervailing public interest in an open
court system is a strong one, repeatedly affirmed
since MacIntyre.40
As the trend toward increased privacy protection
continues, the courts may have to consider that issue
directly and determine whether privacy should have
greater recognition and, if so, in what circumstances.
1
2
3
4
5
6
7
8
It must be recognized, however, that the principle of
open courts is also tied to the Charter right of freedom
of expression. As the Supreme Court of Canada stated
in CBC v. New Brunswick, “openness permits public
access to information about the courts, which in turn
permits the public to discuss and put forward opinions
and criticisms of court practices and proceedings.”38
When the activity at issue is anonymous Internet
activity, it remains to be seen the extent to which a case
will be made for the use of pseudonyms. Usually, a
party seeks to use a pseudonym to obtain protection
from the world at large, not the opposite party (who
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
84
B.(A.) v. Stubbs, [1999] O.J. No. 2309, 44 O.R. (3d) 391
at para. 23 [Stubbs 1999].
Sierra Club of Canada v. Canada (Minister of Finance), [2002]
S.C.J. No. 42, [2002] 2 S.C.R. 522 at para. 52 [Sierra Club
of Canada].
[1982] S.C.J. No. 1, [1982] 1 S.C.R. 175 [MacIntyre].
Ibid. at para. 53.
Ibid. at para. 59.
Ibid. at para. 62.
R.R.O. 1990, Reg. 194.
Re John Doe, [2005] N.J. No. 394, 2005 NLTD 214 at para. 17.
See, for example, the comments of Steele J.A. in the Manitoba
Court of Appeal in Jane Doe v. Manitoba, [2005] M.J. No. 151,
2005 MBCA 57.
Jane Doe v. D’Amelio, [2009] O.J. No. 4042, 98 O.R. (3d) 387 at
para. 10.
T.(S.) v. Stubbs, [1998] O.J. No. 1294, 38 O.R. (3d) 788 at
para. 29 [Stubbs 1998]; Stubbs 1999, supra note 1; Jane Doe v.
D’Amelio, supra note 10.
Supra note 10 at para. 13.
Stubbs 1998 ibid. at para. 1; Stubbs 1999 supra note 1 at para. 1.
Ibid. at para. 22.
Supra note 1 at para. 26.
Ibid. at para. 27.
Ibid.
Supra note 10.
Ibid. at paras. 20, 22.
Ibid. at para. 20.
Supra note 8.
Ibid. at para. 6.
Supra note 11 at para. 55.
CANADIAN PRIVACY LAW REVIEW • Volume 7 • Number 7
24
25
26
27
28
29
30
31
32
33
Supra note 1 at para. 35.
Ibid. at para. 36.
[1996] O.J. No. 839, 45 C.P.C. (3d) 1 at para. 5.
Ibid. at para. 4.
Ibid. at para. 9.
A.(J.) v. Canada Life Assurance Co., 70 O.R. (2d) 27
at para. 21 (H.C.J.).
Ibid.
Ibid.
[2005] F.C.J. No. 858, 2005 FCA 193.
S.C. 2000, c. 5.
“Smile, You’re on Candid
Camera ...” —
How Arbitrators View
Video Surveillance
Derek Knoechel
Associate
Fasken Martineau DuMoulin LLP
Canadian arbitrators have been dealing with the issue of
how to deal with video surveillance of employees for
over two decades. Early decisions dealt with off-site
surveillance of employees suspected of faking or
exaggerating illnesses. But countless battles have since
been waged over the use of video surveillance cameras
in and around the workplace. When can such
equipment be used in the workplace? When can the
resulting evidence be relied upon?
Video Cameras in the Workplace
There have been numerous skirmishes over the use of
security cameras covering entrances and exits to the
worksite and other non-working areas. The use of hidden
cameras at the worksite as part of an investigation has also
been the subject of much controversy. By far the most
fever-pitched battles have been over the surveillance of
production work, monitoring employees for disciplinary
reasons or conducting surveillance of social or sensitive
areas of the workplace.
34
35
36
37
38
39
40
Supra note 32 at paras. 36, 42.
Ibid. at para. 45.
McIntyre v. Ohio Elections Commission, 514 U.S. 334 (1995);
Talley v. California, 362 U.S. 60 (1960).
Canada (Elections Canada) v. National Citizen’s Coalition, [2003]
O.J. No. 3420 at paras. 18, 20-21, 34, 36-38, s. 1 analysis [2003]
O.J. No. 3939 at paras. 29-30, 32 (Ont. C.J.).
[1993] 3 S.C.R. 480 at para. 23.
R. v. Dyment, [1988] 2 S.C.R. 417 at 427; Cheskes v. A.G. Ont.,
[2007] O.J. No. 3515 at para. 112 (Ont. S.C.J.).
See, for example, Sierra Club of Canada, supra note 2.
In each instance, the employer’s property rights and
right to manage the workplace has been weighed
against employees’ privacy interests. Those privacy
interests find some support in privacy legislation and
Canada’s Charter of Rights and Freedoms, where
applicable. There has been considerable debate,
particularly in Ontario, regarding whether there exists a
freestanding legal right of privacy in unionized
workplaces. Despite this debate, in English Canada a
general consensus has begun to emerge amongst
arbitrators that more intrusive methods of employee
monitoring such as video surveillance will only be
permitted if it is justified and reasonable in
the circumstances.
In Quebec, it is important to note that both the Quebec
Civil Code and the Quebec Charter of Rights and
Freedoms contain specific legislative provisions which
protect the right of privacy and more precisely, the right
not to be subject to certain forms of intrusive
observation. The essential criteria analyzed by
arbitrators is whether the employee has a reasonable
expectation to privacy in the circumstances.
Of course, context is particularly critical in these types
of cases. The manner in which video cameras are
deployed and the purposes for which resulting images
are to be used are vitally important. Those factors may
be considered in determining the extent to which such
cameras invade employees’ reasonable expectations of
personal privacy. The language of a governing collective
agreement may create additional hurdles or rights for
an employer.
Some arbitrators have upheld the installation of cameras
at various locations but placed limits on how they are
used. Continuous real-time observation of video images
85
CANADIAN PRIVACY LAW REVIEW • Volume 7 • Number 7
has generally been seen as more intrusive than the
review of images in response to incidents that are
reported by other means. Specific tracking of individual
employees will be objectionable unless there are
convincing reasons for doing so. The fact that an
employer has previously installed video cameras
without objection will not preclude a union challenge if
the employer expands the use of such cameras.
For example, in a decision following five years of
arbitration hearings, Cargill Foods and UFCW, Local 633
(2008), an Ontario arbitrator ruled that the expansion
of the employer’s video surveillance system to
investigate incidents relating to food safety, plant
security and discipline was a legitimate exercise of
management rights. However, the arbitrator also found
that the employer had failed to provide the union with
the notice required by the collective agreement. The
arbitrator directed the employer and the union to
discuss outstanding implementation issues.
Following unsuccessful discussions between the parties,
the arbitrator issued another decision in 2009. In that
decision, the arbitrator directed the employer to
remove some cameras, provided express directions
regarding the retention of the recordings, and imposed
procedural requirements upon the use of such
recordings in future proceedings.
Use of Video Evidence at Arbitration
At an arbitration hearing, the use of video evidence
obtained from employer-installed cameras is not always
straightforward. While it may be relevant, and often
more reliable than eye-witness accounts, that’s not the
end of the matter.
In Quebec, the test is clearly set out in s. 2858 of the
Civil Code, which states that “the Court shall, even of its
own motion, reject any evidence obtained under such
86
circumstances that fundamental rights and freedoms are
breached and that its use would tend to bring the
administration of justice with disrepute”.
Elsewhere in Canada, arbitrators have the discretion to
receive and accept such evidence as they consider
proper. They can allow or disallow evidence whether or
not it would be admissible in court. However they must
provide a fair hearing. Although some arbitrators have
held that their discretion should not be used to exclude
relevant evidence, however obtained, others have taken
the opposite view in the context of video surveillance.
The same qualities that may make video evidence a
more reliable form of evidence (the precise depiction of
behavior and events), presents a greater potential
violation of employees’ privacy. As a result, some
arbitrators have engaged in a “balancing of interests”.
They impose a “reasonableness” test for the admission
of video evidence. Under this approach, employers are
required to justify both the decision to use video
surveillance and the manner in which video evidence
was ultimately collected.
Most Canadian arbitrators recognize that excluding
relevant evidence from a hearing is an extraordinary
step. As a result, they will generally allow video
surveillance evidence if there are adequate signs that
there was a breach of trust by the employee. If the
employer has reasonable cause to believe that this is the
case, video surveillance may well be an appropriate
response, if undertaken in a reasonable manner. On the
other hand, arbitrators have tended to exclude such
evidence where video surveillance is found to be
abusive or unduly intrusive. In light of the privacy
concerns involved, employers are generally advised to
only engage in video surveillance where they can clearly
justify their actions.
CANADIAN PRIVACY LAW REVIEW • Volume 7 • Number 7
ELECTRONIC VERSION AVAILABLE
A PDF version of your print subscription is available for an additional charge.
A PDF file of each issue will be e-mailed directly to you 12 times per year,
for internal distribution only.
87
CANADIAN PRIVACY LAW REVIEW • Volume 7 • Number 7
INVITATION TO OUR READERS
Do you have an article that you think would be appropriate for
Canadian Privacy Law Review and that you would like to submit?
AND/OR
Do you have any suggestions for topics you would like to see featured in future issues of
Canadian Privacy Law Review?
If so, please feel free to contact Michael A. Geist
@[email protected]
OR
[email protected]
88

 Download  Report

Paperzz.com

Your Paperzz

© Copyright 2026 Paperzz