Privacy And Ethics: A Toolkit for Lawyers

1. Difference Between Privilege and Confidentiality

In common language, the terms privilege and confidentiality are often used interchangeably. In the legal profession, these terms have different meanings.

Privilege

• Found in common law
• Protects information from being disclosed despite the information being relevant
• Most common types are settlement privilege, solicitor-client privilege, litigation privilege and case- by-case privilege
• The rules regarding each type of privilege can be found in each jurisdiction’s Civil Procedure Rules and in the common law

Confidentiality

• Found in the Code of Professional Conduct
• Protects information regarding the business and affairs of a client, which they acquired during the professional relationship with the client
• Broader than privilege, as it protects information regardless of where it came from
• Duty owed even to those seeking legal advice or assistance, regardless of whether the lawyer chooses to represent them

Learn More:

Model Code 3.3-1

2. Tell Me More About the Different Types of Privilege

Solicitor-client

A form of privilege which protects communication between a lawyer and a client who is seeking legal advice. This communication can be oral or in written form. (record, work product).

Litigation

Protects the investigative work of a lawyer. This privilege protects any oral or written communication between a lawyer, its client or a third party, created for the dominant purpose of preparing for current or anticipated litigation.

Settlement

A form of privilege that protects the information that is shared during settlement negotiations. This form of privilege applies regardless of whether the parties reach a settlement agreement.

Case-by-case

A form of privilege that protects relationships that depend on confidentiality (Example: doctor- patient communications).

Learn More:

• Brown v. Cape Breton (Regional Municipality) , 2011 NSCA 32 (CanLII) at para 30
• General Accident Assurance Company v. Chrusz, 1999 CanLII 7320 (ON CA)
• M. (A.) v. Ryan, 1997 CanLII 403 (SCC), [1997] 1 SCR 157
• Solosky v. The Queen, 1979 CanLII 9 (SCC), [1980] 1 S.C.R. 821 at p. 837

3. What is Privacy?

The Supreme Court of Canada defined privacy as “the right of the individual to determine for himself when, how, and to what extent he will release personal information about himself”.

What is Personal Information?

The Privacy Commissioner of Canada states that personal information, generally, means information about your race, national or ethnic origin, religion, age, marital status, medical, education or employment history, financial information, DNA, identifying numbers such as your social insurance number, or driver’s license, and views or opinions about you as an employee.

Learn More:

• R. v. Duarte, at page 46
• Summary of privacy laws in Canada

4. How do I Know What Privacy Legislation Applies?

There is a variety of privacy laws that apply in Canada. Which law applies depends on the nature of the organization handing the personal information, where the organization is based, what type of information is involved and whether the information crosses provincial or national borders. SEE APPENDIX A.

When considering if information falls under the definition of personal information, the following are factors that are often not considered:

• Whether the information is private
• Whether the information is publicly known
• Whether the information is publicly shared
• Whether the individual has an expectation of privacy

Learn More:

• Summary of privacy laws in Canada

Federal Legislation

Privacy Act

The Privacy Act applies in situations where the federal government is handling an individual’s personal information.

This legislation deals with how the government collects, uses and stores personal information.

This legislation also deals with how an individual could access and correct their personal information which is in the hands of the government.

PIPEDA

With some exceptions, the  Personal Information Protection and Electronic Documents Act (PIPEDA) applies in situations where a private sector organization, which is engaged in commercial, for profit behavior, handles an individual’s personal information.

If a province has created legislation that is substantially similar to PIPEDA, and the personal information is not crossing provincial or federal borders, then that provincial legislation applies over PIPEDA. The provinces which have created substantially similar legislation to PIPEDA are Alberta, British Columbia, and Quebec.

PIPEDA also applies to the personal information of employees working in federally regulated jobs.

In most situations, PIPEDA does not apply to not-for-profit groups, charities, political parties and associations.

Learn More:

• Summary of privacy laws in Canada

Provincial Public Sector

Health Setting

The following information applies to how an individual’s personal health information is collected, used and disclosed.

The legislation that applies to the personal health information of individuals is PIPEDA. If a province has created legislation that is substantially similar to PIPEDA with regards to the use, collection and disclosure of personal health information, then that provincial legislation applies over PIPEDA.

The provinces which have created substantially similar legislation to PIPEDA regarding personal health information are, Ontario, New Brunswick, Nova Scotia, and Newfoundland and Labrador.

Learn More:

• Provincial laws that may apply instead of PIPEDA

Employee Information

Public Sector Workplace

Federal public sector workplaces must comply with the federal public sector privacy statute, the Privacy Act. Provincial public sector workplaces must comply with the relevant provincial public sector statute.

Private Sector Workplace

PIPEDA applies to workplaces of “federal works, undertakings or businesses” such as airlines, telecommunications and charted banks.

Provincially regulated workplaces, in every province other than BC, Alberta and Quebec, are not governed by privacy legislation. PIPEDA does not govern the remaining provinces.

Learn More:

• Summary of privacy laws in Canada

What Laws Apply to how the Government Handles Personal Information?

Disclaimer: This is a simplified breakdown of the legislation that applies. If you have a privacy concern, contact a qualified privacy lawyer.

Learn More:

• Summary of privacy laws in Canada

What Laws Apply to How Personal Health Information is Handled

Disclaimer: This is a simplified breakdown of the legislation that applies. If you have a privacy concern, contact a qualified privacy lawyer.

Learn More:

Other provincial laws that may apply

What Laws Apply to How Businesses Handle Personal Information

Disclaimer: This is a simplified breakdown of the legislation that applies. If you have a privacy concern, contact a qualified privacy lawyer.

Learn More:

PIPEDA requirements in brief

5. There has been a data breach! What do I do?

Example of using PIPEDA

1. Does the potential breach fall under PIPEDA’s definition of “breach of security safeguards”?
2. Does the breach involve personal information?
3. Determine whether you are the data controller.
4. Is it reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual?
5. If you said yes to all the questions above, you are required by the statute to:
   1. Report to the commissioner
   2. Notify the affected individual
   3. Fulfill the statutory record keeping requirement
6. After a privacy event it is also important to create a plan for dealing with privacy incidents in the future, and/or evaluate your existing plan.

Privacy Tip

If your organization hires a business consultant, instead of a lawyer, to prepare a privacy report, this report is not protected by solicitor-client privilege.

Litigation privilege may attach to a business consultant’s report, if the report was prepared for the express purpose of preparation for litigation or anticipated litigation.

Privilege may also attach to a business consultant’s report if it was prepared on behalf of the client to provide information to the lawyer so that the lawyer can provide legal advice.

Real Life Example

The Alberta Privacy Commissioner addressed the issue of a data breach in Investigation Report P2005-IR-005.

In this case, the company mistakenly provided employees’ personal information to a business and included it in the business’s contract. This personal information included employees’ home addresses and social insurance numbers. The business then filed those contracts with SEDAR, a platform that enables public companies to fulfill electronic filing requirements mandated by securities regulators. By filing those contracts with SEDAR, the business made the employees’ information accessible to the public.

The Commissioner found that the disclosure of employees’ personal information in the business contracts and onto SEDAR contravened the provincial legislation.

Learn More:

• What you need to know about mandatory reporting of breaches of security safeguards
• Investigation into Brinks Home

6. When does the duty to report override the duty of confidentiality

Four-step process: Future harm example

1. Is there a clear risk to an identifiable person or group of people?
2. Is there a risk of serious bodily harm of death?
3. Is the danger imminent?
4. Is there any other feasible way to prevent the potential injury?

How to answer each question

Learn More:

• Smith v. Jones, 1999 CanLII 674 (SCC), [1999] 1 SCR 455, at para 77-86
• Model Code 3.3-3

What do I do once I determine that disclosure is necessary?

The Model Code states that if a lawyer believes that they need to disclose client information to protect the safety of the public or an individual, they need to contact their local law society for ethical advice.

Limit Disclosure

If, after exploring the above questions, you have determined that your duty to report something outweighs your obligation to keep client information private, you should only disclose as much information needed to address the future harm.¹

Example of limiting disclosure: You have a document which indicates that there is an imminent risk of serious bodily harm or death to an identifiable person or group. This document also contains information about your client committing fraud and counterfeiting or the sale of stolen goods. The information that is unrelated to the imminent risk of serious bodily harm or death to an identifiable person or group should be redacted.

Documentation

The Model Code states that if the lawyer has disclosed client information to protect the safety of the public or an individual, they should document the following as soon as possible:

1. the date and time of the communication in which the disclosure is made;
2. the grounds in support of the lawyer’s decision to communicate the information, including the harm intended to be prevented, the identity of the person who prompted communication of the information as well as the identity of the person or group of persons exposed to the harm; and
3. the content of the communication, the method of communication used and the identity of the person to whom the communication was made.

Learn More:

• Smith v. Jones, 1999 CanLII 674 (SCC), [1999] 1 SCR 455, at para 77-86
• Model Code 3.3-3

What are the other scenarios in which I can disclose confidential information?

• Defending against allegations (Model Code 3.3-4)
• Collecting fees (Model Code 3.3-5)
• Obtaining legal or ethical advice (Model Code 3.3-6)
• Resolving conflicts (Model Code 3.3-7)

Learn More:

Model Code 3.3-3

7. Risks and benefits to using technology

Learn More:

• Model Code 3.1-2 Commentary 4A and 4B

How do you maintain privacy and confidentiality with online and AI tools.

Online Tools

Consider equipping all digital devices with:

• Password protection
• Full-disk encryption
• Firewalls

Ensure that all individuals practice good password hygiene:

• Passwords are not shared or disclosed;
• Use of strong and unique passwords;
• Two-step or multi-factor authentication.

Ensure that any data is deleted in a manner that is consistent with professional obligations. Develop an information security management framework, including:

• Information security policy;
• Privacy policy;
• Incidence response plan;
• Data security literacy plan;
• Cybercrime/digital risk insurance.

AI Tools

Not inputting client information and firm precedents into the tools that are “general/ ‘free’ third-party commercial system/ prompt tools that trains on data scraped from the internet, memorizes data and repurposes it, thereby comprising the security of client information and breaching the duty of confidentiality.”

Use private AI systems, that are on the firms own server, that does not share or store client data externally.

When using public AI systems, lawyers should remove identifying details.

Before using public AI systems review their privacy policy.

Learn More:

• Model Code (3.3-1, 3.1.2 Commentary [4A] [4B])
• Legal Ethics in a Digital Context
• Ethics of Artificial Intelligence for the Legal Practitioner

8. What is cloud computing

Definition

Cloud computing involves data being stores remotely and instead of accessing that information locally, on your computer drive, the data is accessed on the internet.

Examples

• Reviewing a document that someone else created on Google Docs
• Signing a contract on DocuSign
• Saving a client’s file on TitanFile
• Uploading documents onto Closing Folder

Lawyer’s obligations when using cloud services

• Knowing where the cloud company is storing client’s personal information
• Know how cloud companies are handling client’s personal information
• Understand the security and privacy policies and practices of the provider
• Review the terms of service of the cloud provider and ensure that the personal information it entrusts to it will be treated in a manner consistent with PIPEDA.

Practice Tip

• If an organization has obtained an individual’s consent to collect and use personal information for a specific purpose, it does not need separate consent when outsourcing to a cloud provider to process the information for the same purpose outlined at the time of collection. Ideally, at the time of collection, organizations should inform customers in clear and understandable language that their information may be processed by a third-party service provider.
• What would your customers think of the proposed uses? You need to maintain the trust of your customers, while providing them with the best possible service and protection.

Learn More:

• Cloud computing
• Cloud Computing Checklist

The pros and cons of cloud computing

Learn More:

• Cloud computing for small and medium-sized enterprises
• Cloud computing

Questions to ask before using cloud services

Why the cloud?

What information will you input into the service? How sensitive is the information? What are the benefits and risks? What are your privacy obligations?

How can you ensure that you maintain control over the data?

Does your organization maintain control over how the data is used, accessed and retained? Does the cloud provider claim limited liability in the event of a breach? Does the contract include termination procedures that require the provider to delete personal information?

What security measures are in place?

Will the provider encrypt the information? Does the provider have authentication procedures? What are the notification procedures in the event of a security breach?

Unexpected uses

What does the cloud provider do with the information? Is the provider allowed to sell the information or analyse the data for its own purposes?

What is the level of transparency

Do your clients know that you are using cloud services? If the provider uses the information for a purpose not originally anticipated, how will you manage obtaining consent from your clients?

How accessible is the information

Does the provider allow you to meet your obligation to allow individuals to access their personal information? Are you able to transfer the data to a new provider?

The location of the data

Where will the data be stored? Are there risks to having the data stored in that jurisdiction? Are there foreign entities that are allowed access to that information?

Learn More:

• Cloud computing and privacy
• Cloud computing for small and medium-sized enterprises
• Cloud Computing Guide

Can you store information outside of the country or province/territory

PIPEDA (Principle 4.1.3 of Schedule 1 of PIPEDA)

• Does not prohibit even when the provider is outside of Canada
• Organizations are accountable for the personal information that it transfers to the cloud service
• Ensure that the personal information remain protected in the hands of that cloud service provider.

Privacy Act

• Does not address cross border data processing
• Treasury Board requires that an assessment is done to determine whether using services that store personal information outside of Canada is appropriate

PIIDPA - Nova Scotia (S.5)

• Prohibits the storage or access of information outside of Canada
• Applies to public sector bodies
• Permit head of public body to allow if it’s in the public bodies necessary operations

PIPA – Alberta (S.13.1(2), 13.1(3))

• People must receive notice about cross border data transfers

Act Respecting the Protection of Personal Information in the Private Sector - Quebec

• Requires a privacy impact statement before communicating personal information outside the province (S.17)
• Ensure the information would receive adequate protection (S.17)
• Written agreement with terms to mitigate risks (S.17)

Health Legislation in General

• Most prohibit disclosures outside of Canada without consent, some outside of the province

Learn More:

• Guidelines for processing personal data across borders
• Privacy and outsourcing for federal institutions

What Does the Model Code Say About Withdrawal From Representation and Confidentiality

Rule 3.7-1

A lawyer must not withdraw from representation of a client except for good cause and on reasonable notice to the client.

Rule 3.7-2

If there has been a serious loss of confidence between the lawyer and the client, the lawyer may withdraw.

Rule 3.3-2

A lawyer must not use or disclose a client’s or former client’s confidential information to the disadvantage of the client or former client, or for the benefit of the lawyer or a third person without the consent of the client or former client.

Rule 3.3-1

A lawyer at all times must hold in strict confidence all information concerning the business and affairs of a client acquired in the course of the professional relationship and must not divulge any such information unless:

1. expressly or impliedly authorized by the client;
2. required by law or a court to do so;
3. required to deliver the information to the Law Society; or
4. otherwise permitted by this rule.

Rule 3.3-1 [Commentary 3]

A lawyer owes the duty of confidentiality to every client without exception and whether or not the client is a continuing or casual client. The duty survives the professional relationship and continues indefinitely after the lawyer has ceased to act for the client, whether or not differences have arisen between them.

The Model Code allows lawyers to withdraw from representing a client in appropriate circumstances. When a lawyer withdraws from representing a client, that does not mean that their obligation to maintain client confidentiality stops. The obligation to maintain client confidentiality survives the professional relationship between the lawyer and the client.

Learn More:

• Model Code

9. How to handle inadvertent communication: Answers from jurisprudence

1. Notify the sender
2. Advise opposing counsel of the extent to which the documents were examined
3. Promptly return the document
4. Seal the document
5. Do no read the document any further
6. Do not make copies
7. Do not take notes
8. Return any copies or notes already taken
9. Apply to the court for a ruling on whether privilege had been waived
10. Any questions about whether solicitor and client privilege existed, or whether there had been waiver of such privilege, should be resolved by the court before the documents are disclosed or used in any way.

Learn More:

• Celanese Canada Inc. v. Murray Demolition Corp at para 62
• 0678786 BC Ltd v Bennett Jones LLP at para 26-28

10. How to handle inadvertent communication: Answers from the Model Code

Model Code

Rule 7.2-10

This rule applies whether the document is a physical copy or electronic.

This rule also applies if the document came from opposing counsel or the opposing party. Individual law societies in Canada have provided varying detail regarding the extra steps the recipient lawyer has to take.

Rule 3.3-1 [Commentary 7]

It is also important for lawyers who share workspace with other individuals, to ensure that systems are in place so to ensure that confidential information is not inadvertently disclosed.

Learn More:

Model Code

11. How do I access my own information?

How can an individual obtain their personal information under the Privacy Act

• Ensure the information you are requesting falls under the Privacy Act’s definition of personal information
• Determine the federal agency that holds your personal information. If you are unsure which agency holds your information, review the public directory of federal government agencies
• Fill out a Personal Information Request Form
• Send the form to the Access to Information and Privacy Coordinator of the federal institution that has your personal information

Learn More:

Accessing your personal information – federal government

If an organization, governed by PIPEDA, receives a request for access to information, what should they do?

• Obtain the necessary information from the person requesting access to their personal information
• Analyze the request
• Apply any exemptions to providing individuals with their personal information
• Provide the individual with access to their personal information
• Consider time restrictions to how long you can take to provide the individual with the requested information
• Correct any inaccuracies or incomplete information in the individual’s information

Learn More:

• Responding to access to information requests under PIPEDA
• Accessing y our personal information – businesses

12. How should you handle inadvertent communication at the American border?

What can customs and border protection officials do?

• Search you and your property
• Ask you to open your device using your password, voice recognition or fingerprint access
• Look at whatever’s on your device, copy files, and analyze the data

What can customs and border protection officials NOT do?

They are not allowed to use the device to examine remotely stored information (information stored on the cloud).

If I have confidential client information on my device, what should I do?

• Identify yourself as a legal professional
• Explain that your device includes confidential client information and/or privileged information
• Ask the purpose of the search
• Ask to speak to the border official’s supervisor if there is a risk of a breach
• Consider bringing the situation before a court so that a judge may decide how to proceed
• Contact your professional regulatory body practice advisor for advice

Main Take Away

Do not have any privileged information on your device when you are crossing the border.

Learn More:

• The CBA Border Alert Toolkit (Member Only)

13. Appendix A

Provincial and Territorial privacy laws and oversight – Office of the Privacy Commissioner of Canada

Endnotes

¹ Rule 3.3-1 of the Model Code