Privacy Laws & Codes of Conduct

Solicitor-Client Privilege and the duty of confidentiality – CBA Document

The internet is almost everywhere. One can find wireless hotspots in hotel lobbies, airports and coffee shops. While extremely convenient, these public wireless networks relied upon by lawyers and others are far less secure than one may think and have the potential to threaten client confidentiality and Solicitor-Client Privilege.

Even if a network is dependable, the people and devices sharing it may not be. When sharing a Wi-Fi hotspot, for example, all the laptops and computers connected to the hotspot are part of a Local Area Network (LAN). This is a similar network setup to those found in offices that use intranet and closed network systems. This sort of networking allows people with very little technical knowledge to access the information sent over networks and, depending on the security of the devices connected to it, the data saved on hard disks. In short, is the Wi-Fi at your local coffee shop that much different from the 1950s party line where neighbours shared a single phone line?

One could argue that sending data over such networks indicates a lack of intent to keep the information confidential, a requirement of the Privilege.

Ethical Obligations – Guidelines for Practising Ethically with New Information Technologies – CBA Document

The Code principles apply to all forms of communication, including electronic communication using new information technologies. Lawyers must display the same care and concern for confidential matters regardless of the information technology being used.

Lawyers must ensure that electronic communications with or about a client are secure and not accessible to unauthorized individuals. When communicating confidential information to or about a client, lawyers should employ reasonably appropriate means to minimize the risk of disclosure or interception of the information. In assessing whether to use a particular information technology to communicate confidential information to or about a client, lawyers should assess the situation from different perspectives. What are the risks that a particular information technology poses for inadvertent disclosure or interception? What impact will the choice of technology have on the client with respect to costs, accessibility, and ease of use?

Alberta Health Information Act (HIA)

Under section 60 of the HIA, custodians are required to take reasonable steps to maintain administrative, technical and physical safeguards to protect the confidentiality of health information, and patient privacy. This includes protection against unauthorized use, disclosure, access to, or modification of the health information.
In addition, section 8 of the regulations states that custodians must:
• Identify and maintain a written record of all administrative, technical and physical safeguards you have in place to protect health information
• Periodically assess these safeguards to ensure their continued effectiveness
• Designate an individual to be responsible for overall security and protection of health
• Ensure that staff are aware of, and adhere to, all administrative, technical and physical
• Establish penalties that may be imposed against anyone who breaches or attempts to breach
• Before storing information in a jurisdiction outside of Alberta, allowing a person outside of Alberta to use information or disclosing information to such a person, enter into a written agreement that ensures the information is adequately safeguarded (regulation 8(4)).

Compliance with Alberta’s Personal Information Protection Act (PIPA)

Compliance with the federal privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA): Safeguarding personal information

Lawyers are familiar with the need to safeguard their clients’ information. However, like all organizations, work options available to lawyers have evolved considerably. In the course of their practices, lawyers and support staff often work using computers, laptops, smart phones and other mobile devices. The use of such devices presents a number of challenges in safeguarding personal information.
Lawyers can face a number of potential vulnerabilities in the course of their practice, including the following:
- Poor security measures for paper documents, computer systems, computer applications, mobile devices, computer networks, wireless networks or email transmission.
- Misplacing paper or electronic documents; traces left by electronic documents (i.e. metadata); insecure courier/postal communication.
- Third-party suppliers and partners may mishandle information (including third parties offering cloud computing services).

PIPEDA requires personal information to be safeguarded at all times. Personal information should be safeguarded through the use of: physical measures, for example, locked filing cabinets and restricted access to offices; organizational measures, for example, security clearances and limiting access on a “need-to-know” basis; and technological measures, for example, the use of passwords and encryption.

The more sensitive the information is, the stronger the safeguards must be. One measure to ensure that personal information is secured is to avoid physically removing the information from the office at all, or to limit doing so to the greatest extent possible. There are many technological solutions that allow lawyers to securely access office systems remotely. Such solutions, provided they are implemented in a secure manner and employ appropriate encryption standards and firewalls, can offer the best protection for personal information.
Any laptops and other mobile devices and media must be secured, including through the use of encryption. Highest care must also be taken when working in public spaces or on devices to which more than one person may have access. As well, lawyers or law firms considering cloud computing solutions must carefully consider the privacy and security implications of any service they may create or subscribe to.
Lawyers must use contractual or other means to provide a comparable level of protection while the information is being processed by a third party. Where any third-party service provider may have access to or otherwise handle personal information on behalf of a lawyer, including cloud computing service providers, it is strongly recommended that a written agreement be put in place between the third-party and the lawyer. Such a contract should include provisions governing the jurisdiction where information will be processed or stored, ownership and use of information, the level of privacy controls used by the service provider, access and correction procedures, audits, and deletion procedures. Lawyers must remember that they remain accountable for information transferred to third-parties for processing. PIPEDA also requires organizations to be transparent about their personal information handling practices. Accordingly, organizations should notify clients when using a service provider located outside Canada and advise them that their personal information may be subject to the laws of a foreign jurisdiction.

Law Society of Alberta:
A lawyer is responsible for maintaining the safety and confidentiality of the files of the client in the possession of the lawyer and should take all reasonable steps to ensure the privacy and safekeeping of a client’s confidential information.