Ch. 5: Liability for disclosure of conf. info.
ITSS Legal Issues Working Group 11/8/96

Chapter 5
Liability for Disclosing Confidential Information

Tort liability
A. Negligence
   General comments
   Policy decision to limit money spent on IT security
   Obligation to use secure technology (Firewalls and Gateways)
   Obligation to comply with policies
   Limiting Liability
B. Other torts: abuse of power, invasion of privacy, breach of confidence

Statutory liability
C. Breach of various specific statutory provisions (Access to Information Act, Privacy Act, Canadian Human Rights Act, Official Secrets Act, Security Offences Act, Canadian Security Intelligence Service Act, Income Tax Act, Excise Tax Act, Customs Act)

Discipline
D. What measures permit managers to discipline employees for unlawful disclosures of information?
E. Summary

Introduction

There are many possible sources of liability for disclosing confidential information. However, it is very rare that the federal government or any of its employees has ever been found liable for unlawfully disclosing confidential information. The reasons for this are many.

First, it is generally true that it is difficult to sue or prosecute under any law which attempts to restrict the flow of information. This is because laws regulating information usually provide a variety of qualifications and defences in order to balance the desire to restrict flows of certain kinds of information with the freedom of expression.

Second, government officials all take oaths of secrecy when they join the public service, are subject to security clearance checks, and understand that disclosing confidential information can lead to problems with their personal careers. Officials understand that government depends to a very large extent on citizens willingly giving accurate information about themselves to the government, and therefore officials protect such information carefully.
Further, the Access to Information Act is a relatively new phenomenon and, some would argue, has not fully succeeded in breaking the tradition that government information is to be released only when the government wants it to be released.

Third, in order to succeed with a lawsuit or prosecution about confidential information, it is generally necessary to reveal publicly in court the very information that the party does not want revealed. Further, it is generally true that no one (including private business, government and even the person damaged) likes to draw attention to the fact that there has been a security problem with certain information because it can have the effect of reducing trust that the parties involved are capable of dealing with that information in a secure fashion.

In the context of civil lawsuits, in order to succeed it is usually necessary to prove that the unauthorized disclosure caused damage to the plaintiff. It is usually very difficult to show what specific damage was suffered when confidential information is disclosed. However, proving damages is not enough: the damages must be caused by a negligent or unauthorized disclosure. To succeed against the government generally requires showing that the government did something that was unreasonable in the circumstances and the unreasonable conduct must have caused the damages.

Aside from the difficulties of succeeding with negligence claims generally, it is doubly difficult to succeed against the Crown.[1] At common law the Crown cannot be sued for torts. Therefore, liability can only arise by statute. There have been a series of statutes exposing the Crown to increasing possibilities of tort liability. A watershed was the Crown Liability Act of 1953 naming the Crown liable for all torts of the federal Crown. The most recent revisions were in the 1990 Crown Liability and Proceedings Act.
However, even under these laws, there are a variety of principles which protect the Crown from negligence actions. The Crown is much less likely to attract liability in tort or nuisance when acting under statutory power, when exercising legislative, judicial or quasi-judicial powers or administrative or prosecutorial discretion. Neither will the Crown be liable for a mere breach of statute unless the statute expressly indicates that this is to be the case (although breach of statute can be relevant if the other elements of negligence can be proved).[2]

The Interpretation Act provides that Acts are not binding on the Crown unless they say so expressly. Some statutes expressly protect the Crown from liability. For example, the Access to Information Act and Privacy Act both provide that the Crown will not be liable for disclosures made in good faith responses to formal requests under those Acts. In addition, there is a principle of interpretation that Crown liability will be interpreted narrowly.

For regulatory offences there must be some element of intent, or at least a failure by the government to be diligent in trying to comply with the law. For example, the Access to Information Act and Privacy Act have specific provisions exempting the Crown from civil or criminal liability where the Crown discloses information in good faith pursuant to a formal access or privacy request.

Even though there have been few successful lawsuits or prosecutions against the Crown or public servants for disclosure of confidential information, one should not be complacent. Numerous cases have found the Crown and public servants liable in other circumstances, including some cases relating to how the Crown provides advice (see Ch. 6).

With the change from paper-based information to electronic information, the potential for unauthorized disclosure and damages increases. In a paper environment, very few people have access to any particular file containing confidential information.
Further, until recently, information was generally not thought to have much financial value (with intellectual property being the notable exception). Now, in an electronic environment the possibilities for disclosures of confidential information and the financial damages that can arise are much greater than ever before. An electronic environment means that money, signatures, encryption keys and personal identifiers are now “information” which can be transmitted digitally with ease and which can have tremendous financial consequences. (Chapter 10 on Public Key Infrastructure discusses these specific potential liabilities in greater detail.) Electronic information means exponentially more people have potential access to the government’s confidential data than in the paper world (through computer hacking and widespread copying once a confidential file is disclosed).

It is important for government to be aware of the laws which apply and how liability can be incurred from disclosure of confidential information in order to continue to emphasize the importance of voluntarily complying with these laws.

Liabilities for unlawful disclosure of information depend on the type of information that is disclosed and the circumstances of the disclosure. This paper only attempts to highlight the liabilities. Before beginning this summary, it is useful to set out what types of information are included in this discussion.

The term personal information is defined in the Privacy Act to include “information about an identifiable individual that is recorded in any form.” This subject is discussed in greater detail in Chapter 3. This would not include information about corporations.

The term commercial information would include commercially sensitive information such as certain copyrighted information, patents, trade marks, trade secrets, and financial and business information. This subject is discussed in greater detail in Chapter 4.
The term classified information means information classified by a federal department as Top Secret, Secret or Confidential that relates to the national interest which concerns the defence and maintenance of the social, political and economic stability of Canada and thereby the security of the nation. This report does not have a specific discussion relating to classified information.

The risk of potential liability can increase substantially if the government becomes involved in public key encryption and attempts to guarantee the trustworthiness of secret encryption keys and the identity and authority of individuals to enter into contractual relationships. In this context, the potential for damages is very real and the duty of care on the government would be very high. Issues relating specifically to a public key infrastructure are examined in Chapter 10.

A. Negligence: general comments

In order to make a successful claim in negligence against government, or any public authority, the plaintiff must establish three elements, namely:

· that a duty of care existed between the public authority and the plaintiff,
· a breach of that duty by the public authority, and
· that the plaintiff’s damages were caused by the breach.

Where allegations of negligence are brought against a government agency, the test to be applied in Canada is that laid down by Lord Wilberforce in Anns v. Merton London Borough Council.[3]

First one has to ask whether, as between the alleged wrongdoer and the person who has suffered damage there is a sufficient relationship of proximity or neighbourhood such that, in the reasonable contemplation of the former, carelessness on his part may be likely to cause damage to the latter -- in which case a prima facie duty of care arises.
Secondly, if the first question is answered affirmatively, it is necessary to consider whether there are any considerations which ought to negative, or to reduce or limit the scope of the duty or the class of person to whom it is owed or the damages to which a breach of it may give rise ...

The courts have been quick to impose a private law duty of care on public authorities under the Anns principle since the Just v. British Columbia decision in the Supreme Court of Canada, in 1989. For this reason, departments should generally presume that they are under a legal duty of care to perform responsibly the statutory functions assigned to them in their sectoral regulatory legislation. Canadian courts are clearly ready to find a duty of care to exist in virtually any regulatory area where the persons intended to be protected by the regulatory scheme suffer damages, physical or economic, which are objectively foreseeable and are caused by a lack of care.

The government’s duty of care to preserve, or to secure, information in its possession -- including personal or other sensitive information where the risk of harm from its unauthorized use is highly foreseeable -- may arise in a number of different ways. It may arise, for example, from a relationship of proximity created under specific statutes between the government and particular users or providers of information (e.g. under generic information statutes like the Privacy Act, the Access to Information Act, the National Archives Act, or in sectoral statutes like the Income Tax Act, the Copyright Act, etc.). (For more on obligations to preserve or secure information, see Chapter 2.)

Where a private law duty of care is inferred from a specific statutory function, the scope of the duty will, to some extent, be limited by the purpose of the legislation in question. In other words, the plaintiff must fall within the class of persons to whom the duty is owed. In some cases, the type of damages claimed (e.g.
economic loss) must also be within the scope of the mischief which the statute was intended to address.[4]

A duty of care might also arise under a federal regulatory program with, or without, specific legislation -- for example, if the federal government were to attempt to regulate privacy interests on the Information Highway. If there was specific legislation underpinning such a federal initiative, the courts would first examine the statutory mandate to determine the scope of the duty of care in relation to particular privacy interests alleged to have been harmed. In analyzing the duty of care issue, however, a court would consider not just the governing legislation, but also the details of any program launched in connection with it -- and the degree of reliance which the intended beneficiaries of such a program might be expected to place on government to carry out the program with reasonable care.[5]

The Scope of the Duty of Care: Some Limitations

Even where a duty of care is found, the second branch of the Anns test requires a court to consider whether there are any considerations which “ought to negative, or to reduce or limit the scope of the duty or the class of person to whom it is owed or the damages to which a breach of it may give rise.” The private law duty of care may be limited by:

· the manner in which the statutory mandate is expressed (e.g.: is the government role limited, or does government purport to ensure a particular result?),
· an explicit statutory exemption, that is, a provision in the governing statute which exempts the authority from its common law duty of care -- provided that the immunity clause is drafted in terms which are “clear and precise,”[6] or by
· ensuring that the public authority’s decisions governing the time, manner and technique of inspection and enforcement are clearly taken, at whatever level, as policy decisions that are closely linked to budgetary, social, political or economic considerations.[7]

Affordability -- Policy vs. Operational Decisions

Can the government limit its liability by limiting its duty of care through express policy decisions about the overall cost of the security system it can afford to establish, or about the level of inspection and the degree of enforcement which it is able to undertake once the security system has been established?

Prior to the decision in Just v. British Columbia,[8] the courts treated virtually all regulatory program budgetary decisions, including the level of inspection and degree of enforcement activity required to maintain the integrity of a regulatory program, as policy decisions. As such, these decisions fell exclusively within the domain of administrative discretion and were not generally reviewed by the courts.

In the Just case, the Court appeared to narrow considerably the scope of policy decisions, at least in the inspection and enforcement context. In the view of the dissenting judge (Sopinka J.), the result of the majority’s opinion would be that the reasonableness of virtually every decision under an inspection program could now be reviewed once the threshold policy decision to have an inspection program had been taken. This development raised concerns for governments at all levels because it appeared to increase their liability in negligence substantially for activity which they were authorized to carry on by statute.

In 1994, the Supreme Court of Canada revisited the whole question of the tort liability of public authorities in the Brown and Swinamer cases.[9] In these cases, the Court examined, in particular, the extent to which the scope of a duty of care under an inspection program might be negated, or limited, when decisions about enforcement strategy were taken as true policy decisions.[10]

Cory J., in the Brown and Swinamer cases, took the opportunity to clarify his position in Just by showing that the scope of true policy decisions is considerably broader than Sopinka J.
had suggested in his (dissenting) characterization of Cory’s position in Just. Cory J. illustrated this by:

· highlighting the importance of allowing statutory authorities to set priorities for the allocation of available funds,
· emphasizing that “policy” decisions can be taken at any level of authority, that is, by stressing that it is the nature of the decision which is the critical factor, not the position of the person who makes it,
· treating decisions dictated by financial, economic, social or political factors or constraints more conclusively as policy decisions than was the case in Just,
· underscoring the importance of ensuring that statutory authorities should be “free to govern and make true policy decisions without becoming subject to tort liability as a result of those decisions,”
· explicitly refusing to hold the statutory authority to a perfectionist standard of care, but rather to a reasonable standard of care measured against the perceived risks and budgetary constraints,
· stressing that challenges to policy decisions on the basis of a lack of good faith should be rare and made only where there is evidence of bad faith “or in circumstances where (the decision) is so patently unreasonable that it exceeds governmental discretion,” and by
· extending the scope of protected activities to inspections carried out “as a preliminary step in what will eventually become a policy decision involving the expenditure and allocation of funds.”

It should be noted that neither the Brown nor the Swinamer case alters the Court’s readiness to find that statutory authorities have a private law duty of care in carrying out their functions based on the neighbourhood or proximity principle, that is, the Anns principle. On the contrary, the Court emphasized that if government “is to be exempted from liability for negligent conduct in the course of its duty ...
the wording of the statutory exemption should be clear and precise.”[11]

Best Available Technology -- The Standard of Care

Once a duty of care to secure data has been found, the Crown is under an obligation to use reasonable care in discharging that duty. But the question here is “reasonable when measured against what standard?” The duty of care analysis in regulatory liability cases is largely factual in its content and often turns on expert evidence. It is clear, however, that government will not be held to a perfectionist standard of care.[12]

In the Just case, the Supreme Court of Canada remitted the question of the standard of care to be observed by the Province of British Columbia when removing unsafe material from cliffs adjacent to a busy highway to the trial judge for determination.[13] At trial, the court found that the Ministry of Transportation, Communication and Highways for the province had failed to meet a reasonable standard of care after reviewing expert evidence on the inspection systems employed for examining rocky slopes by transportation authorities, including railways, across North America.

Recently, one Department settled a case which involved the question whether testing procedures it had employed to detect a plant disease met a reasonable standard of care. In this case, the plaintiffs had alleged that the Department was negligent for using improper and outdated testing procedures. In assessing whether the standard of care for testing had been met, the Department considered objective assessments by three experts. Two of the experts provided an opinion as to whether the inspection protocol met the standard of care when measured against the practice in Canada in the year in which the claims arose. A third, an international expert, was consulted to determine whether the science adopted by the departmental inspectors met a reasonable standard of care according to international standards.
It is difficult to determine where, precisely, the courts will turn for standards of reference when considering the reasonableness of the technology for securing data which Canada has in place from time to time. The pace of technological change, especially in the development of artificial intelligence for computers, makes the question of reference standards doubly difficult. One can assume, however, the practice of other governments, in Canada and abroad, would be instructive to the courts on the standard of care issue. It is not so much a question of whether the government has the “latest and best” technology, as whether the technology chosen and the manner of its being kept reasonably current, is generally in step with the “industry” standard -- or departs significantly from it.

In this regard, it is important to note that policy decisions about the choice of technology have a “shelf life.” They should be reviewed from time to time to ensure that earlier decisions taken about the technology adopted to ensure the integrity of a security system have not become seriously inadequate over time -- i.e. when measured against the program’s ongoing mandate, the reliance created in the public domain by the program, and the manner in which comparable public authorities and/or the private sector have adapted to technological changes affecting the security of information banks. Therefore, while public authorities must be concerned about maintaining a credible security system, they need not keep up with the latest and best technology on every improvement to such systems.

Enforcement Discretion

Enforcement discretion is a form of policy decision often taken at lower levels of a bureaucracy. Even lower-level decisions about the degree and kind of monitoring and enforcement activity which will be undertaken may be treated as non-reviewable policy decisions where they are closely linked to budgetary considerations.
But there are some important limitations in using policy decisions as a means to limit the duty of care which a court would otherwise impose. If a public authority’s program for inspecting and enforcing computer security systems is so inadequate that it is not credible under any objective analysis when compared with the breadth of the statutory mandate and the risk of harm involved, the authority may still be liable in negligence for failing to meet its enforcement responsibilities whether or not it has taken policy decisions concerning the deployment of limited resources. Policy decisions, in such circumstances, may be challenged on the basis that they were not taken in good faith.

More About the Standard of Care

In Pittman Estate v. Bain, Ontario General Division Judge Lang had to consider a case where a patient contracted HIV from a blood transfusion and passed it on to his wife some years later. For the purposes of drawing lessons for the security of electronic information, this case raised three important “standard of care” issues. The first is whether the Canadian Red Cross Society (CRCS) should be held to the same standard of care as manufacturers. The second is whether the Red Cross was negligent in not adopting appropriate donor screening, public education and testing procedures at that time (1984). The third is whether the Red Cross was negligent when it discovered that the blood may have been contaminated but its remedial steps were slow.

The plaintiffs argued that the Red Cross should be held to the same high standard of care that is applied to manufacturers. Judge Lang noted that the Red Cross has two duties with respect to blood: to assure its safety and to assure sufficient supply for Canadian needs.
Comparing the Red Cross to manufacturers, the judge said:

While the fact that the CRCS is a non-profit organization does not exculpate it from responsibility for negligence, it should not be held to the standard of care imposed on commercial manufacturers who are in the business for a profit and who pass on to their consumers the expense of their liability. Furthermore, the responsibility for regulating the CRCS is that of the public health authorities, and should not be left to consumer litigation. In the case of blood, the societal need for the component produces different considerations. This is not a product that should be removed from the market if inherently dangerous. Blood is an essential source of life to many. Although it is a biologic, the need for the product outweighs the risk. This does not relieve the collector of the blood from the duty to exercise reasonable care, but it perhaps dictates that the collector who does exercise reasonable care, should not be held liable, in the absence of fault on its part, for something it could not reasonably prevent. (p. 313)

In the context of IT security, it is unclear how far the courts would look to practices in the private sector for a standard of care analogue, or to the practices of other governments. The courts are not entirely comfortable using private sector analogues to determine a public authority’s standard of care, especially where the activity involved falls uniquely within the public sector (e.g. maintaining information systems to facilitate an income tax scheme).

On the second point, the procedures for collecting blood in 1984, Judge Lang found the Red Cross was not negligent, even though we know now that when they balanced all of the information available to them then, and chose the procedures they did, that they made a mistake.
The Judge describes how conclusions about negligence can change as new knowledge emerges from a question of scientific debate (which we might consider leading edge knowledge) to a commonly accepted standard.

Where the subject-matter is one requiring expert knowledge of a specialized area, and qualified respected specialists cannot themselves reasonably agree on the appropriate conduct, common sense dictates that the court should not decide that one body of opinion is more persuasive than another. Where reasonable informed people disagree, one of them cannot be labelled negligent. (p. 316)

Where the service or product falls outside the scientific, technical or medical arena, the courts can consider, but are not bound by, custom in the industry. Such information about the usual practice in the industry, helps the court to determine whether the defendant met the standard of care of their peers. The court is, of course, free to reject that evidence of custom, if it is of the opinion that the entire industry is negligent in adhering to the particular practice. (p. 317)

[The Judge cited a number of cases where practices of entire industries were found negligent, and quoting from one case in particular:]

‘If a practitioner refuses to take an obvious precaution, he cannot exonerate himself by showing that others also neglect to take it.’ (p. 318)

Judge Lang also quoted a leading American case, T.J. Hooper v. Northern Barge, where the U.S. Supreme Court found the owners of tug boats liable for losses resulting from the failure to equip their barges with radios. The court examined the practice of tug boats generally and found

here there was no custom at all as to receiving sets; some had them, some did not; the most that can be urged is that they had not yet become general. Certainly in such a case we need not pause; when some have thought a device necessary, at least we may say that they were right, and the others too slack.
The court observed that “a whole calling may have unduly lagged behind in the adoption of new and available devices”[14] and where this happens, it is no defence to negligence.

From the above, we can conclude that leading edge security technology will not likely be required by the courts, but once a security technique becomes an industry standard, failing to adopt it may be an indication of negligence, and if the entire industry routinely ignores known and preventable security problems, the courts could still find negligence despite this industry ‘practice.’

The third issue in this case relates to the standard of care that will apply once you know there is a problem. Here, the Judge stated:

In failing to expeditiously implement its own lookback; in failing, in a timely manner, to require hospitals to keep records by unit number; in failing to monitor the Hospital’s lookback program, and in failing to follow up on its notification program, the CRCS fell below the standard of care expected of a blood banker charged with using its best efforts to protect transfusion requests. (p. 378)

It is interesting to note that one of the reasons the lookback happened too slowly was that the hospital in question, rather than doing a manual search of the records, combined the lookback program with the process of computerizing its records, with the result that the lookback took longer than necessary, and this was a factor indicating negligence.

When a problem is detected (in this case, the blood was traced to a particular donor and a particular patient), there arises the question of notifying the affected individual. In this case, the Judge found the Red Cross, the hospital and family doctor all negligent in taking too long to take steps to ensure the affected individual was notified.
In an IT security context, once a security problem is detected, if it is discovered that certain confidential information has been disclosed or taken, and that harm can result to the parties whose information was taken, there may be a duty to inform those individuals about this problem. As mentioned above, the standard required for taking steps to inform the individuals will vary according to the potential harm to the parties in question.

Firewalls and gateways

One of the technologies being examined by the Information Technology Security Strategy Steering Committee is firewalls and gateways.

“Firewalls” are one of the many measures that may be taken to protect a network from another unauthorized network. The mechanisms used in concrete terms to achieve this objective vary widely, but a firewall may be described as a dual mechanism: first, a mechanism that blocks the circulation of the information, and second, another mechanism that is designed to permit circulation. As a general rule, firewalls are configured in such a way as to protect systems against any entry into unauthorized interactive communication by someone on the “outside.”

Secure “gateways” (or guards) not only play the same role as firewalls, but they also have other characteristics, including the ability to examine each package of information that crosses them and that is transmitted either to an authorized user or by a designated authorized user, to ensure that the package does not contain unauthorized information. In the present state of the technology, this function can be applied only to electronic mail or EDI, because this is specific information presented in a specific format and specified place. There will have to be a lot of progress in the field of artificial intelligence before gateways can process packages of general information.

Firewalls and gateways do not raise any unique legal issues.
The same issues arise with respect to all secure technologies: is there a duty of care, was there negligence, were there damages caused by the negligence? The duty of care will arise independently of the technology, if it arises at all (given the various Crown immunities). If there is a duty of care, the question then becomes what standard of care is required with respect to the use of the technology.

Although there are no cases on point, one can be reasonably confident that connecting government computers which hold confidential information to public computers without using any security devices would be negligence. One can predict that courts will look to see what the general standard is for connecting government computers to public networks, observe that the standard is to use firewalls and gateways, and from that we can deduce that a court would likely find an obligation on governments to use firewalls and gateways before connecting computers containing confidential information to public networks.

If the government has taken reasonable care to secure personal information, the mere fact that a hacker succeeds in defeating the security system will not lead to a finding of negligence. No “secure technologies” are perfectly secure.

Obligation to comply with policies

We pointed out above that the courts will generally not hold the Crown liable when it is exercising its policy-making function, but will hold the Crown liable when it is making operational decisions. Once the government publishes a policy, it becomes difficult to argue that the implementation of the policy is anything other than an operational decision. Thus, there is a clear potential for liability with respect to how policies are implemented.

We have noted in numerous places throughout this report Treasury Board policy requirements.
For the most part, Treasury Board policies regulate the internal management of government and it would be very difficult to argue that they give rise to a duty of care to anyone outside of government, with the possible exception of Parliament (relating in particular to financial management). However, the policies which instruct departments how to manage confidential information received from citizens and businesses (and how to make government information available to them), could conceivably be evidence of the required standard of care. (The courts would not need to identify a policy to find a duty of care to keep highly personal or commercially valuable information confidential.) However, failure to follow published policies might be taken by a court as the best evidence of negligence.15 Government should be careful about implementing policies which are unduly onerous on its departments or which it has reason to believe are not being implemented. We noted in Chapter 1 that the Auditor General found in his 1990 report that the government was ‘negligent’ in its security of information, and in his follow-up report of 1994 found that while the government had made some progress, the resource-intensive aspects of security were still not receiving sufficient attention. As the government moves towards implementing ambitious projects such as public key encryption, data warehousing, connecting to the Internet, the importance of security will also increase. Failure to implement its security policies could create liability problems later. B. Other torts: abuse of power, invasion of privacy, breach of confidence Abuse of Power Abuse of power is an intentional tort and is sometimes called misfeasance in public office. 
It concerns actions or decisions taken by a public official without legal justification where the official knew or ought to have known of the lack of authority, and actions based on a statutory provision but which are motivated by malice in the sense of knowingly acting for a reason and purpose incompatible with the intent and purpose of the statute. These are not mere errors in judgement about jurisdiction but require evidence of malice or bad faith.16 This source of liability could arise where an official unlawfully discloses information for a reason that is motivated by malice. The risk of this liability may be more theoretical than real. Abuse of power is a separate cause of action which may give rise to liability in damages. The classic case is the Supreme Court of Canada decision in Roncarelli v. Duplessis (1959) S.C.R. 121, where the Minister (who was also the Attorney General and Premier of the province) revoked a liquor licence and publicly stated that it would be revoked forever as a way to punish the plaintiff for posting bail for several members of the Witnesses of Jehovah. Cancellation of the licence by the Minister was an act that went beyond the exercise of his legal functions and involved improper purpose and bad faith and was intentional. The Minister was held personally liable for damages sustained by the defendant as a result of the cancellation of the licence. Invasion of Privacy Common Law There is much uncertainty about the meaning and scope of the common law tort of privacy particularly since it has become entangled with confidentiality, secrecy, defamation, property and the storage of information.17 In discussing the right to privacy and reasonable expectation of privacy, David McDonald writes: Leaving aside doctrines of constitutional law, American courts have recognized a general right to privacy to protect the kinds of interests which in Canada have been protected under nominate torts such as trespass, nuisance, and defamation. 
Anglo-Canadian common law has resisted any attempt to develop an umbrella for all these rights. Yet the notion of a “right to privacy” was not unknown in Canada; it is found in some provincial legislation, and the concept of “reasonable expectation of privacy” was and still is found in the Criminal Code provisions proscribing electronic eavesdropping.18 It is now recognized that an independent cause of action does exist at common law for protecting privacy. Prior to a Supreme Court of Canada decision in 1984, Hunter v. Southam Inc., (discussed below) it was thought that the only protection afforded by the common law was through four traditional heads of tort liability, namely: trespass and private nuisance for intrusion on a person’s solitude; public disclosure of private facts where the information published was given in confidence; unauthorized use of an individual’s name or likeness for economic gain; and placing a person in a false light in the public eye. For example, the common law tort of nuisance was held to apply to excessive telephone harassment in the case of Motherwell v. Motherwell.19 In a 1991 Ontario case dealing with invasion of privacy, Roth v. Roth, the Ontario Court General Division reviewed the law in Canada: The first question to be answered is, is there a right to privacy? In Hunter v. Southam Inc., [1984] 2 S.C.R. 145, 41 C.R. (3d) 97, the Supreme Court of Canada acknowledged the existence of such a right, i.e., ‘the right to be let alone by other people’; and that such a right is not dependent upon ‘the notion of trespass’ [p. 159 S.C.R., p. 113 C.R.] but rather ‘is the right to be secure against encroachment upon the citizens’ reasonable expectation of privacy in a free and democratic society’ [p. 159 S.C.R., pp. 113-14 C.R.]. It was there stated that such a right was a general right, one aspect of which is dealt with in s. 
8 of the Canadian Charter of Rights and Freedoms, viz., ‘Everyone has the right to be secure against unreasonable search and seizure.’ Such a general right is then envisaged by s. 26 of the Charter, viz., ‘The guarantee in this Charter of certain rights and freedoms shall not be construed as denying the existence of any other rights or freedoms that exist in Canada.’ There being such a general right not dependent on trespass to the person or property, nor in my view to proprietary interest as in nuisance, the next question to be answered is, is there an actionable cause for an invasion of such right in Canada? In Ontario there is no remedy legislated as in some of the other provinces. If there is to be a remedy at present it must be forged by the courts. At the stage of pleadings the courts have refused to dismiss actions for invasion of privacy on the basis that it has not been shown that such a right does not exist: see Capan v. Capan (1980), 14 C.C.L.T. 191 (Ont. H.C.J.). In my view such a right does exist: Hunter v. Southam Inc., supra. Rather, the question is: does the law give a remedy for the invasion of such a right? ... In my view, whether the invasion of privacy of an individual will be actionable will depend on the circumstances of the particular case and the conflicting rights involved. In such a manner the rights of the individual as well as society as a whole are served.20 The Court awarded $20,000 for general damages which included damages for mental distress, anxiety and vexation for invasion of privacy where the defendants repeatedly blocked an access road to the plaintiffs’ cottage, removed property and shut off electricity to the cottage and, $5,000 for exemplary damages since the defendant repeated this conduct after having been convicted of an offence for blocking the road. It is noteworthy that this was a case of privacy that did not involve unauthorized disclosure of information. 
The remedy of an award of damages may not be available in every common law tort of invasion of privacy. Other civil remedies include an injunction and an order to deliver a document. Therefore an independent cause of action does exist at common law for the tort of invasion of privacy. However, since there are conflicting rights that must be balanced, the Crown’s duty of diligence in any particular case would depend on the unique circumstances of that case. Provincial Privacy Statutes (Except Quebec) There is much debate about whether provincial statutes which modify the law of tort and which were enacted after the coming into force of the Crown Liability Act in 1953 apply against the federal Crown. For a discussion of this problem see the text The Annotated Crown Liability and Proceedings Act 1995 at pages 16 and 17 and the references cited there.21 To be on the safe side, this paper assumes that provincial privacy statutes affecting the law of tort for invasions of privacy bind the federal Crown. Prior to the Hunter v. Southam Inc. decision of the Supreme Court of Canada in 1984, it was thought that the protection afforded under the common law as it relates to privacy was fragmentary and incomplete. That may be the reason why some of the provinces enacted a tort of invading privacy. As discussed by Philip Osborne in his chapter “The Privacy Acts of British Columbia, Manitoba and Saskatchewan” in the book Aspects of Privacy Law, British Columbia acted first. In 1968 the British Columbia legislature passed the Privacy Act and that province became the first Commonwealth jurisdiction to establish an independent cause of action for unreasonable and unwarranted invasion of an individual’s privacy.22 Similar legislation followed in Manitoba (1970), Saskatchewan (1974) and Newfoundland (1981) but since that time only Quebec has passed privacy legislation. 
These statutes make an offender liable in tort when he “wilfully violates” (or in the case of Manitoba “unreasonably and substantially violates”) the privacy of another person. As discussed in more detail below, Philip Osborne23 in the text Aspects of Privacy Law suggests that these statutes are generally thought to place a heavy burden on the plaintiff to prove an actionable invasion of privacy. Osborne writes that in enacting these statutes, the provinces sought to ensure that no liability would flow from a violation of privacy which is trivial or which had some degree of justification.24 For example, subsection 1(1) of the B.C. Privacy Act states that “it is a tort, actionable without proof of damage, for a person, wilfully and without claim of right, to violate the privacy of another.” Other than eavesdropping or surveillance, the Act gives little indication of what actions will amount to an invasion of privacy. Subsection 1(2) provides that “the nature and degree of privacy to which a person is entitled is that which is reasonable in the circumstances, due regard being given to the lawful interests of others.” Subsection 1(3) directs that the nature, incidence and occasion of the defendant’s act and the relationship between the parties should be taken into account in determining liability for invasion of privacy. Section 2 provides specific exceptions of acts or conduct that will not constitute an invasion of privacy. Reasonableness of the conduct is also the crux of the Manitoba, Saskatchewan and Newfoundland statutes. Section 6 of the Saskatchewan Privacy Act states that the degree of privacy to which a person is entitled depends upon what is reasonable in the circumstances and the lawful interests of others; and that regard shall be had to the nature of the act, the effect on the plaintiff or his family, the relationship between the parties, and the conduct of the defendant in deciding if there has been a breach of privacy. 
The Saskatchewan Act (section 3), the Newfoundland Act (section 4) and the Manitoba Act (section 3) give examples of what conduct will constitute an invasion of privacy. Negligent conduct would appear not to be a sufficient basis for an action under these statutes. An intent to invade a person’s privacy is required. Despite small differences in the wording of these statutes, the overall result is likely to be the same. The Manitoba, Newfoundland and Saskatchewan Privacy Acts all state that proof that there has been use of letters, diaries or other personal documents of an individual without the consent of the individual is prima facie proof of a violation of the privacy of the individual.25 Use or disclosure of information as authorized by federal legislation would not be subject to provincial law. However, in addition to federal law providing sanctions for unlawful disclosure of information, query whether provincial law provides an additional redress method i.e., query whether documents filed by an individual with the federal government such as income tax returns would be “personal documents of an individual” for purposes of provincial law. The provincial statutes noted above allow a court to award remedies for a violation of privacy including damages, an injunction, an accounting of profits and an order to deliver up to the plaintiff all documents that have come into the defendant’s possession by reason or in consequence of the violation.26 In a case decided under the B.C. Privacy Act in 1992, the plaintiff was awarded substantial compensatory and exemplary damages for an invasion of privacy when the defendant spied into her bedroom (Lee v. Jacobson; Weber v. Jacobson).27 One of the circumstances listed in the provincial statutes as not being an invasion of privacy is where the conduct or act is consented to by a person entitled to give consent.
Fridman, in his text on torts published in 1990, takes the view that Canadian courts have not found that an invasion of privacy was ever committed. His writing is prior to the Roth decision in Ontario and the Lee and Weber case in British Columbia. Fridman has reviewed the case law under the various provincial privacy statutes and writes: This examination of the case law under the Acts indicates that even where statutes have created or recognized an action for violation or invasion of privacy, Canadian courts have been cautious in their approach to liability. While restating that the common law does not recognize a right to privacy or an action for invasion or violation of privacy, at the same time they have tended to find that alleged statutory violations of privacy have not taken place or, if they have, were protected by the relevant provision of the appropriate Act. It seems clear that, despite the views of textbook writers and other commentators over the past hundred years, Canadian judges are not convinced that there is any great overwhelming need for a significant remedy for complaints about invasions or violations of privacy.28 The tort of invasion of privacy has been found to exist in at least three cases: Hunter v. Southam Inc.; Roth v. Roth; and Lee and Weber. However, they did not involve wrongful disclosure of information. Quebec Privacy Law In Quebec, the right to privacy was affirmed as one of the “fundamental human rights” when the Quebec Charter of Human Rights was enacted in 1975. Article 5 of the Charter provides: “Every person has a right to respect for his private life.” H. Patrick Glenn in his chapter “The Right to Privacy in Quebec Law” in the book Aspects of Privacy Law discusses the interests which the right protects in both the civil and public law of Quebec. At page 43 he writes: Perhaps the most that can be said at the present time is that two general types of conduct have been found to be incompatible with the right to privacy. 
The first is that of unjustified intrusion, resulting either in the acquisition of information by the intruder or inconvenience to the object of the intrusion. What appears to be protected by the prohibition of such conduct is the solitude of the individual, a condition of isolation from other members of society. The second type of prohibited conduct is that of unjustified diffusion of information or image. Prohibition of this type of conduct appears beneficial to the anonymity of the individual, a condition of freedom from identification. The most relevant of these is the right to solitude. Courts in Quebec have dealt with unwarranted intrusions of this right including by telephone calls being made to debtors at their place of work or at home in the middle of the night for the purpose of disturbing and annoying them and the members of their families. In these cases debt-collection agencies have been held civilly liable for harassment of defaulting debtors. The right to privacy is described by Glenn as “a concept as broad as that of solitude, and the concept of solitude must imply a type of mental or spiritual integrity, a freedom from unjustifiable intrusion into one’s state of mind.” The right is breached by malicious or intentional harassment. The new Civil Code enacted on January 1, 1994 specifically enunciates the right to privacy. Chapter III is titled “Respect of Reputation and Privacy.” Article 35 provides: Every person has a right to the respect of his reputation and privacy. No one may invade the privacy of a person without the consent of the person or his heirs unless authorized by law. Article 36 specifies acts which may be considered as invasions of the privacy of a person. The list however is illustrative and not exhaustive and includes, for example, using a person’s correspondence, manuscripts or other personal documents. 
Breach of Confidence Fridman indicates that remedies for breach of confidence are not based on tort law but rather evolved from the law of contract and equity. However, he discusses breach of confidence under tort law and describes this cause of action as follows: Breach of confidence involves the wrongful disclosure or use of information received by the defendant from the plaintiff ... where breach of confidence is concerned, the defendant has obtained the relevant information from the plaintiff himself, in confidence, and has disclosed it, or made use of it to the defendant’s own advantage, i.e., his economic advantage. It is often the economic consequences of a breach of confidence, i.e., the commercial ramifications of such behavior, rather than the effect of such a breach upon the personal life of the plaintiff, that is the underlying rationale of liability.29 There are numerous cases involving the tort of breach of confidence.30 However, a few years ago the Information Law and Privacy Section of the Department of Justice asked all Justice regional offices and legal service units if they were aware of any instances where businesses had complained about such a breach and commenced a court action. All replies were in the negative. (Note: the question was not whether or not there were decided cases, but whether any business had actually commenced an action, though not necessarily carried the action to conclusion.) Generally, it is most unlikely that the federal Crown will be subject to liability for the tort of breach of confidence, breach of privacy or under one of ‘right to privacy’ provisions in B.C., Saskatchewan, Manitoba, Quebec and Newfoundland. This is because it is unlikely that legitimate governmental action will constitute a breach of privacy, or that government officials would maliciously or in bad faith interfere with an individual’s privacy. 
The primary method of ensuring government action interferes with personal privacy no more than necessary is through Parliamentary review of the statutes authorizing the collection of information. C. Breach of various other specific statutory provisions In Chapter 4, we discuss offences for breaching intellectual property rights. Generally, property rights are designed to make the intellectual property information publicly available while still providing for economic incentives to creators of intellectual property. As such, intellectual property information is usually not confidential, although the uses of the information are regulated (the exception is trade secrets, which are, by definition, confidential). In Chapter 8 we discuss offences under the Criminal Code relating to electronic information. These offences are generally not for disclosures of confidential information, but for interception of private communications and mischief with respect to computer data. Breach of the Access to Information Act and Privacy Act We have described in previous chapters how the Access to Information Act and Privacy Act work to protect various kinds of information, such as personal information (see Chapter 3) and commercial information (see Chapter 4), among other kinds of sensitive information (such as law enforcement, advice to government, and confidential inter-governmental information). There are no liability provisions in the Access to Information Act or Privacy Act for unlawful disclosure of information or breach of the Acts. Section 74 of both Acts provides protection from civil proceedings or from prosecution against the head of a government institution or any person under his direction for disclosure in good faith of any record pursuant to the Act and from any consequences that flow from that disclosure. There have been no cases where s. 
74 has been judicially interpreted, let alone where the government has been found liable for disclosing information without good faith. Part of the reason for this success is that the Access to Information Act provides full opportunities for parties to be notified of intended disclosures and to object to those disclosures. The procedures involve complaints to the Information or Privacy Commissioners, who have full powers to investigate the intended disclosures and to make recommendations, which are not binding on the government. The Acts provide that every person who obstructs the Commissioner in the performance of his or her duties and functions under the Act is guilty of an offence and liable on summary conviction to a fine not exceeding $1,000. If a complainant is not happy with the recommendations or the government’s intended response to them, the complainant (or either of the Commissioners) can take the case to the Federal Court for a judicial review. Pursuant to the Acts, costs for the Federal Court hearing can be awarded in the discretion of the Court and shall follow the event unless the Court otherwise orders. Costs may be awarded to the applicant even if the applicant is not successful where the application raises an important new principle in relation to the Act. Once these reviews have taken place, it is virtually impossible that the government could be held liable for its disclosures. Unauthorized disclosure of certain confidential government information (such as classified information) is prohibited by the Official Secrets Act and is made a criminal offence. 
Prosecution of this offence is governed by the Official Secrets Act, the Canadian Security Intelligence Act, the Security Offences Act, the Evidence Act and the Charter of Rights and Freedoms.31 Section 4 of the Official Secrets Act provides an offence for wrongful communication of secret documents or secret information (any document marked “Secret” or “Top Secret”) and of information entrusted to a person in confidence by any person holding office under Her Majesty or as a person who holds or has held a contract made on behalf of Her Majesty. Subsection 14(3) of the Act provides that “where a person guilty of an offence under this Act is a company or corporation, every director and officer of the company or the corporation is guilty of the offence unless he proves that the act or omission constituting the offence took place without his knowledge or consent.” The offence provision in section 15 provides for an indictable offence punishable by imprisonment for a term not exceeding 14 years, or at the election of the Attorney General, on summary conviction by a fine not exceeding $500 or by imprisonment for a term not exceeding 12 months or both. Despite the enormous liabilities, there has been much difficulty in obtaining convictions under the Act. Also, the Official Secrets Act has been criticized for its breadth and ambiguity: The basic problems are that the Official Secrets Act’s provisions overlap with provisions in the Access to Information Act and the Criminal Code, and are too broad and ambiguous to be likely to withstand a Charter challenge. Just as importantly, the present laws make it very difficult to prosecute an illegal disclosure of government information without, in the course of the prosecution, making public the very information the government is trying not to disclose.32 The Canadian Security Intelligence Act of course deals with threats to the security of Canada.
The Security Offences Act governs the enforcement of certain security and related offences and allows the Attorney General to conduct proceedings to prosecute offences arising out of conduct constituting a threat to the security of Canada within the meaning of the Canadian Security Intelligence Act. Disclosure of certain government information is also prohibited by public service employment terms and conditions, including public service employment legislation.33 Section 3 of the Public Service Employment Act provides that every ‘employee’ within the meaning of the Act shall take an oath of allegiance which includes the words “and that I will not, without due authority in that behalf, disclose or make known any matter that comes to my knowledge by reason of such employment.” The Crown Liability and Proceedings Act34 prohibits the unlawful interception and disclosure by Crown servants of private communications. The Crown is liable to pay damages to the injured party, but the Crown servant is obliged to reimburse the Crown. (This Act is described in greater detail in Chapter 8 on Computer Searches and Privacy.) There are many other legislative sanctions contained in federal statutes. Among them are subsection 104(8) of the Canada Pension Plan and paragraph 44(1)(c) of the Old Age Security Act which provide for an offence punishable on summary conviction for unauthorized communication of privileged information obtained under those Acts; subsection 105(1) and section 106 of the Unemployment Insurance Act which provide for an offence on summary conviction for a fine up to $2,000 or imprisonment up to 6 months, or to both and paragraph 30(c) of the Statistics Act which provides for an offence on summary conviction for a fine up to $1,000 or imprisonment up to 6 months or to both. 
The Canada Business Corporations Act35 makes it an offence for a corporation to fail to take reasonable precautions to prevent the loss, destruction, falsification or inaccuracies in records required to be maintained by the Act; and to file a mandatory report with the Director that contains an untrue statement of a material fact.36 Income Tax Act Sanctions The confidentiality provisions of the Income Tax Act are found in section 241 of the Act. Subsection 241(1) prohibits the use or disclosure of taxpayer information except as authorized by section 241. Subsections 239 (2.2) and (2.21) create offences punishable on summary conviction for contravention of this prohibition. Persons convicted of these offences are liable to a fine of up to $5,000 or to imprisonment up to 12 months or to both. Subsection 241(1) provides as follows: Except as authorized by this section, no official shall (a) knowingly provide, or knowingly allow to be provided, to any person any taxpayer information; (b) knowingly allow any person to have access to any taxpayer information; or (c) knowingly use any taxpayer information otherwise than in the course of the administration or enforcement of this Act, the Canada Pension Plan, or the Unemployment Insurance Act or for the purpose for which it was provided under this section. Subsection 241(2) of the Act provides as follows: Notwithstanding any other Act of Parliament or other law, no official shall be required, in connection with any legal proceedings, to give or produce evidence relating to any taxpayer information. 
An exception is contained in subsection 241(3) in respect of: (a) criminal proceedings, either by indictment or on summary conviction, that have been commenced by the laying of an information or the preferring of an indictment, under an Act of Parliament; or (b) any legal proceedings relating to the administration of this Act, the Canada Pension Plan or the Unemployment Insurance Act or any other Act of Parliament or law of a province that provides for the imposition or collection of a tax or duty. The term “official” is defined in subsection 241(10) of the Act to mean any person who is employed in the service of, who occupies a position of responsibility in the service of, or who is engaged by or on behalf of, Her Majesty in right of Canada or a province, or an authority engaged in administering a law of a province similar to the Pension Benefits Standards Act, 1985, or any person who was formerly so employed or who formerly occupied such a position or who was formerly so engaged. The term “taxpayer information” is defined in the Act to mean information of any kind and in any form relating to one or more taxpayers that is obtained by or on behalf of the Minister for the purposes of the Act, or prepared from such information but does not include information that does not directly or indirectly reveal the identity of the taxpayer to whom it relates. The term “authorized person” basically means an employee or former employee of Revenue Canada - a person who administers or enforces the Income Tax Act, the Canada Pension Plan, or the Unemployment Insurance Act.
Subsection 239(2.2) provides that every person who contravenes subsection 241(1) or an order made under subsection 241(4.1) (an order to prevent unauthorized use or disclosure of confidential taxpayer information made at a legal proceeding relating to the supervision, evaluation or discipline of an authorized person) is guilty of an offence and liable on summary conviction to a fine not exceeding $5,000 or to imprisonment for a term not exceeding 12 months or to both. The same liability is found in subsection 239(2.21): any person to whom taxpayer information has been provided for a particular purpose under paragraphs 241(4)(b), (c), (e), (h) or (k) of the Act, or any official to whom taxpayer information has been made available under paragraphs 241(4)(a), (d), (f) or (i), who for any other purpose knowingly uses, provides to any person, allows the provision to any person of, or allows any person access to, that information is guilty of an offence and liable on summary conviction to a fine not exceeding $5,000 or to imprisonment for a term not exceeding 12 months, or to both.

Here are the purposes for which information is provided under s. 241(4) which can be disclosed without creating an offence under s. 239(2.21):

(a) taxpayer information that can reasonably be regarded as necessary for the purposes of the administration or enforcement of the Income Tax Act, the Canada Pension Plan or the Unemployment Insurance Act, solely for that purpose;
(b) for determining any tax, interest, penalty or other amount payable by the person, or any refund or tax credit to which the person may become entitled under the Act or any other amount that is relevant for the purposes of that determination;
(c) a person who seeks a certification referred to in paragraph 147.1(10)(a) the certification or a refusal to make the certification solely for the purposes of administering a registered pension plan;
(d) taxpayer information provided to officials of other specified government departments for specified purposes including officials of the government of a province;
(e) for the purpose of (i) subsection 36(2) or section 46 of the Access to Information Act, (ii) section 13 of the Auditor General Act, (iii) section 92 of the Canada Pension Plan, (iv) a warrant issued under subsection 21(3) of the Canadian Security Intelligence Security Act, (v) an order made under subsection 462.48(3) of the Criminal Code, (vi) section 26 of the Cultural Property Export and Import Act, (vii) section 62 of the Family Orders and Agreements Enforcement Assistance Act, (viii) paragraph 33(3)(a) of the Old Age Security Act, (ix) subsection 34(2) or section 45 of the Privacy Act, (x) section 24 of the Statistics Act, (xi) section 9 of the Tax Rebate Discounting Act, or (xii) a provision contained in a tax convention or agreement between Canada and another country that has the force of law in Canada;
(f) provide taxpayer information solely for the purposes of sections 23 to 25 of the Financial Administration Act;
(h) use, or provide to any person, taxpayer information solely for a purpose relating to the supervision, evaluation or discipline of an authorized person while employed to assist in the administration or enforcement of the Income Tax Act, the Canada Pension Plan or the Unemployment Insurance Act;
(i) provide access to records of taxpayer information to the National Archivist of Canada or a person acting under the direction of that person solely for the purposes of section 5 of the National Archives of Canada Act, and transfer such records to the care and control of such persons solely for the purposes of section 6 of that Act;
(k) provide taxpayer information to any person otherwise entitled to it under an Act of Parliament.

Subsection 241(5) of the Act provides that an official may provide taxpayer information relating to a taxpayer to the taxpayer and with the consent of the taxpayer, to any other person. These offences apply mainly to officials. They do not apply to a situation where a person who is not an official receives taxpayer information under the authority of paragraph 241(4)(a) and then knowingly uses, provides to any person, allows the provision to any person of, or allows any person access to, that information.37 Subsection 239(2.3) contains the same sanction for communicating a social insurance number in a way that is contrary to that provision. Thus, private businesses (and government institutions) that are required to obtain an individual’s Social Insurance Number for the purpose of reporting employment, investment and interest earnings to Revenue Canada, and that knowingly use, communicate, or allow to be communicated, the number for any purpose other than that for which it was so provided or for which they have been authorized in writing by the individual are guilty of an offence and are liable on summary conviction to a fine not exceeding $5,000 or to imprisonment for a term not exceeding 12 months or to both such fine and imprisonment. Thus, the Income Tax Act is very specific in its provisions for disclosure of taxpayer information and is very severe in its sanctions for unlawful disclosure including imprisonment for up to 12 months.
There are no known cases dealing with liability for unlawful disclosure of confidential taxpayer information. Individuals have been convicted under the Criminal Code for theft of property such as taxpayers’ files stored on microfiche and lengthy prison terms have been imposed.

Part IX of the Excise Tax Act (GST)

Sanctions

The same liability discussed in respect of the Income Tax Act (ITA) is provided in section 328 of the Excise Tax Act (ETA) for any person who contravenes subsection 295(2) of the ETA, or has been provided with information under subsection 295(4) of the ETA and knowingly uses, communicates or allows to be communicated the information for any purpose other than that for which it was provided.

The sanctions provided in subsections 328(1), (2) and (3) of the ETA are parallel to the sanctions provided in subsections 239(2.2), (2.21) and (2.22) of the ITA. Subsection 295(2) of the ETA parallels subsection 241(1) of the ITA; subsection 295(4) of the ETA parallels subsection 241(3) of the ITA; in addition, subsection 241(3.1) of the ITA parallels subsection 295(4.1) of the ETA and paragraph 241(4)(a) of the ITA parallels paragraph 295(5)(a) of the ETA.

The rules under the ETA apply to “confidential information” which is very similar to the term “taxpayer information” used in relation to the ITA. Not all provisions authorizing disclosure are listed in the Act.
Circumstances may also be provided administratively in the authorization under subparagraph 295(5)(c)(i) of the ETA as follows:

An official may provide, allow to be provided, or allow inspection of or access to any confidential information to or by any person, or any person within a class of persons, that the Minister may authorize, subject to such conditions as the Minister may specify,

Customs Act

Sanctions

Paragraph 160(a) of the Customs Act provides that every person who contravenes subsection 107(1) of the Act is guilty of an offence punishable on summary conviction and is liable to a fine of up to $2,000 or to imprisonment for up to 6 months, or to both. Subsection 107(1) has a similar effect to the income tax confidentiality provisions, in that it restricts the communication of information except in certain specified circumstances.

Paragraph 160(b) of the Act provides that every person who contravenes subsection 107(1) is guilty of an offence punishable on summary conviction and liable to a fine not exceeding $50,000 or to imprisonment for a term not exceeding 6 months or to both, or is guilty of an indictable offence and liable to a fine not exceeding $500,000 or to imprisonment for a term not exceeding 5 years or to both.

There are not as many exceptions in the Customs Act for authorizing disclosure of information and they are not as specific as in the Income Tax Act. Not all exceptions are listed in the Act. Exceptions can be administratively provided for under the Ministerial authorization made pursuant to paragraph 108(1)(b) which is similar to the authorization provided for in paragraph 295(5)(c)(i) of the ETA. Thus, the Minister has a very broad power under both the ETA and the Customs Act relating to disclosure of information.

D. What measures permit managers to discipline employees for unlawful disclosures of information?

The federal government has the capacity to discipline a public servant who releases government information without authorization.
Section 23 of the Public Service Employment Act provides that every deputy head and every employee shall take an oath of secrecy. Furthermore, all employees are subject to the Conflict of Interest and Post Employment Code for the Public Service, which provides, among other things, that employees shall not knowingly take advantage of or benefit from information that is obtained in the course of their official duties and that is generally not available to the public.

In the event of a contravention of the Oath or Code, the employer is entitled to take disciplinary action pursuant to section 11 of the Financial Administration Act. Paragraphs 11(2)(f) and (g) of the FAA provide that the Treasury Board may

(f) establish standards of discipline in the public service and prescribe the financial and other penalties, including termination of employment and suspension, that may be applied for breaches of discipline and misconduct, and the circumstances and manner in which and the authority by which or whom those penalties may be applied or may be varied or rescinded in whole or in part;
(g) provide for the termination of employment, or the demotion to a position at a lower maximum rate of pay, for reasons other than breaches of discipline or misconduct, of persons employed in the public service, and establishing the circumstances and manner in which and the authority by which or by whom those measures may be taken or may be varied or rescinded in whole or in part.

Treasury Board sets out its policies on discipline in chapter 6 of the Staff Relations volume of the Treasury Board Manual and on Non-Disciplinary Demotion or Termination of Employment for Cause (ch. 7 of the same volume). There is nothing that specifically addresses information technology or mismanagement of information in those policies.
Although the Income Tax Act does not contain provisions to allow managers to discipline employees for breach of the confidentiality provisions of the Act, paragraph 241(4)(h) of that Act and paragraph 295(5)(g) of the Excise Tax Act (GST) provide that an official may use or communicate confidential taxpayer information to supervise, evaluate or discipline an authorized person.

The Privacy Act does not contain provisions to discipline employees for breach of the Act. However, paragraph 8(2)(h) of the Privacy Act states that “personal information under the control of a government institution may be disclosed to officers or employees of the institution for internal audit purposes, or to the office of the Comptroller General or any other person or body specified in the regulations for audit purposes.” If an audit were to disclose that an employee breached the Act, that could conceivably lead to disciplinary action.

Pursuant to subsection 64(2) of the Privacy Act and 63(2) of the Access to Information Act, the Privacy or Information Commissioner “may disclose to the Attorney General of Canada information relating to the commission of an offence against any law of Canada or a province on the part of any officer or employee of a government institution if in the opinion of the Commissioner there is evidence thereof.” The Acts also allow for a similar disclosure by the Federal Court.

There is no express provision relating to the discipline of employees who disclose confidential information without appropriate authorization. The lack of lawsuits relating to such disclosures suggests that federal employees are generally very good at keeping information confidential. The apparent policy objective of providing immunity from liability in the Privacy Act and Access to Information Act suggests that the more difficult task is getting public officials to release information when they are authorized to do so.

E. Summary

To date, the government has a good record of preventing unauthorized disclosure of confidential information. However, it is important to remain vigilant and respect the various laws that protect information and provide for liability in the event of unauthorized disclosure.

There are a variety of heads of liability which suggest the government may have a legal duty of care to secure certain information. Government decisions on how best to secure its information holdings should be based on clear policy grounds which reveal the various economic, social and policy factors that are considered in arriving at a particular policy or practice. Policies should not be so onerous that it is very difficult for departments to comply, because the failure to comply with policies may be used by the courts as evidence of negligence.

The government will not be held to a perfectionist standard of care in its use of secure technologies, but will be expected to keep up with the prevailing standard. It is not clear where the courts will look to find those standards, although it is likely that practices of other governments will be one basis for comparison as will industry practices. Thus, if firewalls and gateways, encryption or smart card tokens become the prevailing standards to protect sensitive information, it is likely the government will have to adopt these standards as well.

If security breaches are detected, courts might find that government is responsible for taking appropriate remedial measures, even if the original breach was not the fault of the government. Finally, government institutions should review their policies, practices and technologies from time to time to ensure they are keeping pace with prevailing standards.

ENDNOTES
_______________________________

1. The discussion in this paragraph is based on information found in Crown Law, Paul Lordon ed., Toronto: Butterworths, 1991. See also Paul M. Perell, “Negligence Actions Against Government,” Civil Proceedings by or Against Government, Can. Bar Assoc. - Ont. (Toronto, 1985).
2. Canada v. Sask. Wheat Pool (1983), 143 D.L.R. (3d) 9 (S.C.C.).
3. [1978] A.C. 728, at pp. 751-52. See also Just v. British Columbia, [1989] 2 S.C.R. 1228, at p. 1235.
4. Gutek v. Sunshine Village (1990), 103 A.R. 195 (Alta Q.B.); Kripps v. Touche Ross & Co., (1992), 69 B.C.L.R. (2d) 62 (C.A.); Teachers Investment and Housing v. Jennings, (1990), 44 B.C.L.R. (2d) 203 (S.C.); Curran v. Northern Ireland Co-ownership Housing Assoc., [1987] 2 All E.R. 13; [1987] A.C. 718 (H.L.).
5. Devloo v. Canada, (1990), 33 F.T.R. Where a public authority undertakes a function, even without express statutory authority, it may expect to be held to a reasonable standard of care in exercising that function. See, for example, Givskud v. Kavanaugh [1994] N.B.J. no. 138. The degree of reliance engendered by a regulatory program’s promotional materials could also be a critical factor in any cause of action founded on negligent misrepresentation by government authorities about the secure state of government data bases.
6. Swinamer v. Nova Scotia, [1994] 1 S.C.R. 445.
7. See the Just and Swinamer cases, supra. See also Brown v. British Columbia, [1994] S.C.R. 420.
8. [1989] 2 S.C.R. 1228.
9. Brown v. British Columbia [1994] 1 S.C.R. 420; Swinamer v. Nova Scotia, [1994] 1 S.C.R. 445.
10. True policy decisions are usually linked to budgetary, social, political or economic considerations.
11. Per Cory J., in Swinamer, supra.
12. Swinamer v. Nova Scotia, [1994] 1 S.C.R. 445.
13. Just v. British Columbia, [1989] 2 S.C.R. 1228.
14. T.J. Hooper v. Northern Barge, 60 F(2d) 737 (1932) at 740 as quoted in Pittman Estate v. Bain (1994), 112 D.L.R. (4th) 257 at 318 (Ont. G.D.).
15. Canada v. Sask. Wheat Pool (1983), 143 D.L.R. (3d) 9 (S.C.C.).
16. Richard E. Shibley, “The Personal Liability of Members of Municipal, Provincial and Federal Governments,” Civil Proceedings by or Against Government, Can. Bar Assoc. - Ont. (Toronto, 1985) at p. 7.
17. G.H.L. Fridman, The Law of Torts in Canada, v.2 (Scarborough: Carswell, 1990), p. 191.
18. David McDonald, Legal Rights in the Canadian Charter of Rights and Freedoms 2nd ed. (Scarborough: Carswell, 1989) at pp. 227-228.
19. [1976] 73 D.L.R. (3d) 62 (Alta.C.A.).
20. [1991] 4 O.R. (3d) 740 at pp. 757-758.
21. David Sgayias, Brian J. Saunders, Donald J. Rennie and Meg Kinnear, The Annotated Crown Liability and Proceedings Act 1995, (Scarborough: Carswell, 1995).
22. Dale Gibson, ed. Aspects of Privacy Law, chapter 4 “The Privacy Acts of British Columbia, Manitoba and Saskatchewan” by Philip H. Osborne (Toronto: Butterworths, 1980) at p. 69.
23. Ibid., at pp. 89 and 108.
24. Ibid., at p. 87.
25. The Privacy Act, R.S.M. 1987, c. P125, par. 3(d); The Privacy Act, R.S.N. 1990, c. P-22, par. 4(d); The Privacy Act, R.S.S. 1978, c. P-24, par. 3(d).
26. The Privacy Act, R.S.M. 1987, c. P125, s. 4; The Privacy Act, R.S.N. 1990, c. P-22, s. 6; The Privacy Act, R.S.S. 1978, c. P-24, s. 7.
27. Lee v. Jacobson; Weber v. Jacobson (1992) 87 D.L.R. (4th) 401.
28. G.H.L. Fridman, The Law of Torts in Canada, v.2 (Scarborough: Carswell, 1990), at p. 204.
29. Ibid., at p. 205.
30. See for example, Tree Savers International Ltd. v. Savoy [1992] 2 W.W.R. 470 (Alta.C.A.); ICAM Technologies Corp. v. EBCO Industries Ltd. [1994] 3 W.W.R. 419 (B.C.C.A.); and Cadbury Schweppes Inc. v. FBI Foods Ltd. [1994] 8 W.W.R. 727 (B.C.S.C.).
31. Building a Legal Infrastructure for the Information Age, Dept. of Justice Information Law Working Group 1993, at p. 49.
32. Ibid.
33. Ibid.
34. Sections 16-22.
35. Subsection 22(2).
36. Section 250.
37. A.S. Blair, Income Tax Act Confidentiality Provisions (Department of Justice, Canada, Legal Services, Ottawa: October 1993), at p. 15.