Seemingly out of nowhere, institutional litigants, insurers and the third-party vendors they retain to support their obligations in responding to claims have been inundated with requests for disclosure on pain of complaints or actions to collect damages under the Canadian federal Personal Information Protection and Electronic Documents Act (PIPEDA). In some instances, parties or their lawyers directly approach non-parties such as medical experts and private investigation companies and demand production of documents separately from any disclosure procedures in the claims or law suits.
It is hard to point to any single rationale for employing the resort to the federal privacy legislation, except that obtaining access to personal information is probably not one of them. Traditionally, a party to a personal injury law suit would, through his or her lawyer, be the conduit for information in health records, employment files and other personal data. The defendant or respondent would be the one making the disclosure request, in order to verify a claim or instruct a medical expert in advance of a medical examination. If the plaintiff or claimant wanted to obtain the independent medical examiner’s notes, he or she would ask for them from the defendant or insurer’s counsel. It is therefore counter-intuitive for the injured party to be making the PIPEDA request of the defendant or respondent. Approaching experts and other hired witnesses behind the back of an adverse party in litigation is also an ethical grey area.
So why would anyone make such a request? The reasons for casting the PIPEDA net can include:
- gaining access to draft reports, to obtain evidence of undue influence on court experts
- obtaining billing records to discredit experts on the basis of payments received to perform examinations and give opinions
- investigation of communications to look for information of bias or bad faith
- provoking an adversarial contest with an independent witness, to be used to discredit the witness’ independence at trial
- launching a complaint and damages suit for slow or inadequate compliance with disclosure requests
There need not be a particular thought-out strategy, in that each request can potentially serve one or more purpose such as the ones outlined above. Where the law firm sends out “PIPEDA requests” as a matter of course, on a template, the practice is not dissimilar to the practice of bulk demand letters that have come under increased scrutiny by Ontario’s Law Society: LSUC v. Deanna Lynn Natale; and legal ethics academics: Salyzyn, “Zealous Advocacy or Exploitive Shakedown?”.
The purpose of this article is not to delve into the particular ethics or legalities of these methods or tactics. Rather, it is to point out some basic misunderstandings of PIPEDA that these targeted efforts seek to create or exploit.
Purpose of PIPEDA to Regulate Information Retention in Commercial Activity
For those who remember, the legislative history leading to the 2000 enactment of PIPEDA was pretty straightforward. As the Canadian Privacy Commissioner’s Guide to the legislation shows, the Act was driven by Industry Canada as a means of promoting public confidence in the new digital economy. The Office of the Privacy Commissioner was placed in charge of administering the Act because of its existing expertise regulating the collection of information by federal government agencies. A random search of Privacy Office decisions and activity would show that the purpose of the regime is to allow Canadians access to data held by businesses, such as financial institutions and credit rating bodies.
The use of the legislation to gain advantages in injury litigation or insurance claims therefore falls outside the purpose of promoting consumer confidence when they shop for clothes online, or when applying for financing on a new car. Therefore, the first question that one must ask as a recipient of a “PIPEDA request” in the course of such litigation or claims is whether the custodian of the personal information is engaged in a “commercial activity” when it obtained the information.
The scope of PIPEDA has been interpreted by the courts to include parties collecting information regarding an insurance claim, such as a claim for no-fault accident benefits following an auto accident. On the other hand, information such as surveillance collected during the course of a defence of a tort action has been held not to be commercial in nature, because business before the courts is not commercial: State Farm Mutual Ins. Co. v. Canada (Privacy Comm.) A recent decision of the Privacy Commissioner, published in 2017, has confirmed that its policy now reflects State Farm. PIPEDA cannot be used to circumvent the court rules for obtaining disclosures.
Personal Information, Not Business Information, is Protected
As one might gather from the legislative purpose, the Canadian Parliament’s intention was to allow individuals in the digital economy to gain ease of access to information that businesses collect from them, to ensure the data is secure, and to afford the opportunity to correct information such as bad credit ratings. The legislation did not contemplate providing access to the businesses’ own information.
The nexus between personal information and the use made of it has been the subject of controversy. Individuals seeking advantages in claims or litigation have cited PIPEDA in seeking draft reports, billing information and other work product information passing between service providers such as medical experts and those who hire them, such as insurers and employers. While each case must be considered on its individual merits, the overriding principle is that individuals are allowed access to the personal information obtained from them, such as doctors’ history notes and medical records supplied by an insurance adjuster. PIPEDA cannot be cited as authority for seeking information beyond what the individual has actually provided or the use that has been made of the information. The ruling in Windowe v. Rousseau is often misstated as rationale for complete disclosure from a doctor performing an independent examination. In fact, the Federal Court held that access was only available to the notes containing the personal information and the final report provided to the insurer:
In light of the Privacy Commissioner’s recognition that there are in the notes information which is personal to Mr. Rousseau and information which is not, it may be said that in the end, Mr. Rousseau has a right of access to the information he gave the doctor, and to the final opinion of the doctor in the form of the report to the insurer. In accordance with Principle 4.9.1. of Schedule I to the PIPED Act, this enables Mr. Rousseau to correct any mistakes in the information he gave the doctor or which the doctor noted, as well as any mistakes in the doctor’s reasoned final opinion about his medical condition. But the process of getting to that final opinion from the initial personal information of Mr. Rousseau belongs to the doctor.
Breach of PIPEDA is not a Breach of Something Else
It is important to observe that the entity that has jurisdiction over PIPEDA is the Privacy Commissioner. It is only after a report by the Privacy Commissioner finding a breach of the Act that an affected party can seek enforcement of the Act before the Federal Court of Canada. Therefore, a threat to complain to a regulatory body such as a provincial professional college is somewhat misleading because such entities do not have the jurisdiction or the expertise to determine whether there has been a breach of the privacy regime. For example, a PIPEDA request citing the Ontario College of Physicians and Surgeons’ (CPSO) bulletin on Third Party Reports might find the following advice:
Physicians must comply with any statutory obligations they may have to provide access to reports, documents or notes. This includes but is not limited to applicable obligations under Ontario and Canadian privacy legislation.
Such advice is helpful to doctors, but there is no legislation, regulation or code of conduct bringing physician PIPEDA compliance (i.e. record-keeping outside clinical practice) within the CPSO’s regulatory or disciplinary power. The CPSO also does not have jurisdiction over private medical assessment companies.
Threatening a Suit for Damages
Under s. 16(c) of PIPEDA, an individual can seek an order from the Federal Court of Canada for an award of damages, including damages for humiliation. However, there is no direct right to sue. Under s. 14, a plaintiff can only sue after a Privacy Commissioner report rules in the individual’s favour that an organization has breached his or her rights under PIPEDA. Thereafter, the report is not binding on the court, and the court is at liberty to disagree that there was ever a breach.
Even where the court agrees with the Commissioner that there was a breach, the typical order is to require the organization to comply with disposition recommended by the Commissioner. This is no small matter, as intentional disobedience with the court order can lead to a finding of contempt of court.
Damages, on the other hand, are not easy to obtain. The leading case on the legal threshold for awarding damages is Randall v. Nubodys Fitness Centres. Consistent with the legislative purpose of protecting privacy in digital commerce, the court held that damages should only be awarded “in the most egregious situations,” such as videotaping in private quarters and phone tapping. A bona fide mistake in the scope of a document disclosure cannot, based on this principle, give rise to automatic liability for damages. The most recent decision as of time of writing, a 2017 decision in A.T. v. Globe24h, awarded $5,000 (a typical award) in damages against a company that published the complainant’s private information online. Having regard to the case law, a custodian of records’ delay or refusal to provide access to data generated in an insurance claim or law suit would be difficult to place in this category of complaint.
A PIPEDA request containing a threat of damages would likely be misleading, if one followed the reasoning in Natale and in Salyzyn’s paper. Given that a party can sue for damages only after the Commissioner’s finding of a breach, there is no basis for threatening a suit in a simple request for disclosure or access.