Column

Evidence vs Privacy?

Can efforts to avoid charges of spoliation of evidence involve violation of privacy norms?

Evidence

Data storage has become very inexpensive. Finding information among masses of data is steadily becoming more manageable – one can turn loose the power of Google or other search engines on one’s own business data. One can use various forms of predictive coding to sort files for particular topics or for degrees of sensitivity: what’s relevant, what’s privileged, and so on.

On the other hand, it can be dangerous not to keep data. The rules of evidence have always included sanctions against spoliation. In days of electronic discovery, the sanctions are closer to the top of lawyers’ and clients’ minds. Some very dramatic cases in the US have seen parties’ arguments set aside and law firms fined large amounts for failing to produce records. These developments have been noticed in Canada too.

The Rules of Civil Procedure also put parties at risk if they cannot respond to requests to produce documents.(Ontario Rule 34.15(b)). Such requests must be proportional to the matters at stake in the litigation (Ontario Rule 29.2), but in high-stakes actions, this may give little relief.

It has been clear in principle that one is permitted to destroy records according to a reasonable data management policy. Such a destruction does not in itself constitute spoliation or a ground for sanction under the Rules.

However, this principle ceases when litigation is reasonably contemplated that will require production of the records scheduled for destruction. Potential as well as actual parties to lawsuits must implement a legal hold, to preserve records that may be relevant.

Drawing the lines of reasonableness can be difficult. Given the ease of storage and retrieval, a number of large businesses are apparently inclined simply to keep all their data, rather than risk falling on the wrong side of a discovery dispute – or failing to come up with documents they would like to use on their own behalf. Some of the business drawbacks in over-retention are storage costs (maybe low, but not nothing), retrieval and discovery costs, and the risk that harmful items will be discovered that might have properly been deleted before the need for the hold arose.

Privacy

Many if not most such large businesses use personally identifiable information (PII) in their operations. The collection, use and disclosure of such information is subject to privacy law, notably PIPEDA at the federal level and its counterparts in several provinces. Health information is protected across the country.

An important privacy principle is data minimization – one should not collect more PII than one needs for one’s purposes (and than the people involved have consented to being collected), and one should not keep it longer than it is needed for those purposes. Disposing of PII promptly is standard advice to data custodians (anyone who holds PII) in days of frequent data breaches. “Redundant, old and transient (ROT) information is everywhere, taking up space, and adding unnecessary risk. It’s time to identify and clean up the ROT before the ROT causes your house to collapse.”

Balance?

Thus both law and prudence suggest a fairly aggressive policy on deleting records, especially PII.

To what extent are such policies in place, and to what extent do large businesses err on the side of retaining data for purposes of evidence?

Is the Canadian practice more likely to favour the privacy arguments, because cases on spoliation are not so frequent and sanctions not so severe as in the US, and privacy laws are clearer? Privacy laws are usually more precise in their obligations than the rules about spoliation, and one may be inclined to comply more scrupulously to clear directions.

Further, privacy law in Canada comes with regulators and enforcers in the privacy commissions. There is someone to whom people may complain and who may inspect with or without a complaint. There is no one responsible for policing possible spoliation. Most records will never be needed in litigation. If they are, an allegation has to arise about their destruction and a court has to decide on the facts whether a case has been made and what the consequences should be. While these can be severe, they are less likely than a regulatory inspection, with the public attention – and class actions – that may follow.

Add these considerations to the business implications. As one article said, a legal hold notice that compels an organization to preserve everything (and presumably a general policy to the same effect) is “gross negligence, too – except that the sanction is immediate and self-inflicted”. (Harris and Ball, “What’s There to Hold on to?” See note below.)

The bottom line is likely to be a well-managed deletion program, with a legal hold strategy that can be put in place quickly but tailored case by case.

What do you advise?

___________________________

NOTE: Practice Pro, the Law Society of Upper Canada’s risk management organization, has a reading list on electronic discovery issues, including legal holds and record retention, with many useful sources.

Comments

  1. Thanks for your post John. Privacy concerns should not be part of the hold analysis. If the scope of the hold is reasonable, the hold is defensible from a privacy perspective. Over-collection (or holding too broadly) is a problem on its own – often undertaken out of conservatism (fear of sanction, fear of missing a “smoking gun”). Best to think hard and hold and/or collect what you need. No privacy problem with that.

  2. David Collier-Brown

    A now-obsolete hierarchical storage manager (:-)) and a good security policy that includes locking no-longer-active 12″ WORM disks in the basement for X years, then grinding them into dust.

    Data that’s accessed and/or updated stays around, old versions go away.

    Of course, that also assume decent security for the live data, something that many companies fail at…