04 July 2013

Mail Covers and Memory

The New York Times notes that the US Postal Service is "Logging All Mail for Law Enforcement" through the "Mail Isolation Control and Tracking program, in which Postal Service computers photograph the exterior of every piece of paper mail that is processed in the United States - about 160 billion pieces last year".

The Times notes that "it is not known how long the government saves the images" and that "postal mail is subject to the same kind of scrutiny that the National Security Agency has given to telephone calls and e-mail".
At the request of law enforcement officials, postal workers record information from the outside of letters and parcels before they are delivered. (Opening the mail would require a warrant.) The information is sent to the law enforcement agency that asked for it. Tens of thousands of pieces of mail each year undergo this scrutiny.
The Mail Isolation Control and Tracking program was created after the anthrax attacks in late 2001 that killed five people, including two postal workers. Highly secret, it seeped into public view last month when the F.B.I. cited it in its investigation of ricin-laced letters sent to President Obama and Mayor Michael R. Bloomberg. It enables the Postal Service to retrace the path of mail at the request of law enforcement. No one disputes that it is sweeping.
“In the past, mail covers were used when you had a reason to suspect someone of a crime,” said Mark D. Rasch, who started a computer crimes unit in the fraud section of the criminal division of the Justice Department and worked on several fraud cases using mail covers. “Now it seems to be, ‘Let’s record everyone’s mail so in the future we might go back and see who you were communicating with.’ Essentially you’ve added mail covers on millions of Americans.”
The Times notes Bruce Schneier's comment that the program is an invasion of privacy, irrespective of whether it involves a postal worker taking down information or a computer taking images.
“Basically they are doing the same thing as the other programs, collecting the information on the outside of your mail, the metadata, if you will, of names, addresses, return addresses and postmark locations, which gives the government a pretty good map of your contacts, even if they aren’t reading the contents,” he said.
... “It’s a treasure trove of information,” said James J. Wedick, a former F.B.I. agent who spent 34 years at the agency and who said he used mail covers in a number of investigations, including one that led to the prosecution of several elected officials in California on corruption charges. “Looking at just the outside of letters and other mail, I can see who you bank with, who you communicate with — all kinds of useful information that gives investigators leads that they can then follow up on with a subpoena.”
But, he said: “It can be easily abused because it’s so easy to use and you don’t have to go through a judge to get the information. You just fill out a form.”
For mail cover requests, law enforcement agencies submit a letter to the Postal Service, which can grant or deny a request without judicial review. Law enforcement officials say the Postal Service rarely denies a request. In other government surveillance programs, like wiretaps, a federal judge must sign off on the requests.
The mail cover surveillance requests are granted for about 30 days, and can be extended for up to 120 days. There are two kinds of mail covers: those related to criminal activity and those requested to protect national security. Criminal activity requests average 15,000 to 20,000 per year, said law enforcement officials, who spoke on the condition of anonymity because they are prohibited by law from discussing them. The number of requests for antiterrorism mail covers has not been made public.
Law enforcement officials need warrants to open the mail, although President George W. Bush asserted in a signing statement in 2007 that the federal government had the authority to open mail without warrants in emergencies or in foreign intelligence cases.
Court challenges to mail covers have generally failed because judges have ruled that there is no reasonable expectation of privacy for information contained on the outside of a letter. Officials in both the Bush and Obama administrations, in fact, have used the mail-cover court rulings to justify the N.S.A.’s surveillance programs, saying the electronic monitoring amounts to the same thing as a mail cover. Congress briefly conducted hearings on mail cover programs in 1976, but has not revisited the issue.
In a forthcoming article in Privacy Law Bulletin I discuss this month's formal Opinion by EU Advocate General Jääskinen regarding case C-131/12 in the European Union Court of Justice (ECJ), i.e. Google Spain and Google Inc. v Agencia Española de Protección de Datos and Mario Costeja González. The dispute concerns interpretation of the European Data Protection Directive 95/46/EC in relation to internet search engines, construed by some as enshrining a 'right to be forgotten'.

The Jääskinen Opinion - which is not binding on the ECJ - follows a preliminary ruling by the Audiencia Nacional (Spain's national high court) regarding proceedings involving Google Inc, Google Spain (its subsidiary),  the Agencia Española de Protección de Datos (AEPD, Spain's national data protection agency) and Mario Costeja González.

Gonzalez - the data subject - had experienced business difficulties and appeared in La Vanguardia (a leading newspaper)  after the government took action to auction his property to cover social security debts. That coverage was factual. Gonzalez sought to have the information removed from the online version of the newspaper. (Unsurprisingly there appears to have been no action to expunge the information in archived print copies or have the newspaper publish a 'supplementary' statement).

Gonzalez separately contacted Google Spain, with the expectation that search results would not display a link to La Vanguardia's coverage (and an abstract of that coverage) whenever someone searched his name. Unsatisfied, he lodged a formal complaint with the AEPD, which called on Google Spain and Google Inc. to 'forget' the information when presenting search results. Google appealed to the Audiencia Nacional,  which referred several questions to the ECJ. Those questions relate to -
  • the territorial scope of and the applicable national law under the Data Protection Directive
  • whether search engine providers are data controllers
  • whether there is a right to be forgotten. 
Jääskinen in advising the ECJ argued that access by people in Spain (and targeting of those consumers by Google Spain) did not trigger the application of Spanish data protection law, which under Article 4 (1) of the Directive is meant to harmonise with law elsewhere in the EU.  The relevant question was instead whether Google carried out data "processing in the context of the activities of an establishment of the controller" in Spain.  Jääskinen argued that Google indeed was a "data controller" under the Act and Directive: it was irrelevant that Google Inc's servers (and the data processing) were located outside Spain, because Google Inc and its subsidiaries should be treated as a single group and because Google Spain acted as the 'bridge' to Spain's advertising market

The Opinion discusses whether a search engine operator should be considered as a "controller" in relation to Article 2(d) of the Directive. Would the copying, caching, indexing and display of content  from La Vanguardia and other sites  (including personal data such as names, contact details, descriptions and images) constitute processing of personal data?

Jääskinen differentiated between the search engine operator merely supplying an automated 'information location tool' - search results from an 'index' that drew on but did not exercise control over third party sites that featured personal data. The operator would accordingly have a protected status similar to that enjoyed by telecommunications providers, having no awareness of the personal data "in any other sense than as a statistical fact". The third party sites, such as a newspaper site, would instead be controllers under the Directive. Jääskinen argued that the "provision of an information tool does not imply any control over the content", consistent with  the Article 29 Working Party Opinion 1/2008 that characterised "a search engine provider" as acting "purely as an intermediary" and indicating that "the principal controllers of personal data are the information providers".

Search engine operators would be controllers in relation to the cache if they chose not to comply with exclusion codes (robot txt/do not follow tag) on a third party page or chose not to update a page in the cache despite a request received from the third party that originated the cached content. In those instances the operators would need to comply with all obligations imposed by the Directive on data controllers, including the Article 6 data quality principles.

Jääskinen considered that provision of internet search engine services meets the legitimate interests criteria outlined in Article 7 of the Directive, with the automated index reflecting notions of adequacy, relevancy, proportionality, accuracy and completeness.

Jääskinen accordingly considered that a national data protection agency such as the AEPD cannot require an search engine operator such as Google to expunge information from its search results, other than instances where the operator has not complied with the exclusion codes or where a request emanating from the website regarding update of cache memory has not been complied with.

Is there a broad right to be forgotten? Jääskinen says no. The Opinion discusses the Directive's provision for erasure or blocking of data and the right to object, arguing that (in the absence of a new unequivocal right under the proposed Data Protection Regulation) there is no general right to be forgotten. Gonzalez as a data subject has no right to require - on a subjective basis - a search engine operator to prevent indexation of information that has been legally published on third party sites.

Jääskinen considered the fundamental right to the protection of personal data under Article 8 of the EU Charter of Fundamental Rights, along with the corresponding provision in the European Convention for the Protection of Human Rights and Fundamental Freedoms. The Opinion argues that the right to protection of personal data and private life is not absolute. Protection must be balanced with other fundamental rights, in particular the freedom of expression, freedom of information and freedom to conduct business. A generalised right to be forgotten would sacrifice these rights, potentially resulting in censorship by private parties on a subjective basis.

The Opinion recommends that the Court decline to accept a "case-by-case" approach to the present case, as it would open up internet search providers to unmanageable numbers of requests.

03 July 2013

Corporate Persona

'Corporate Personhood and Corporate Persona' [PDF] by Margaret Blair in (2013) University of Illinois Law Review 785-820 argues that
In 2010, the U.S. Supreme Court held in Citizens United v. FEC that restrictions on corporate political speech were unconstitutional because of the First Amendment rights granted corporations as a result of their status as “persons” under the law. Following this decision, debate has been rekindled among legal scholars about the meaning of “corporate personhood.” This debate is not new. Over the past two centuries, scholars have considered what corporate personhood means and entails. This debate has resulted in numerous theories about corporate personhood that have come into and out of favor over the years, including the “artificial person” theory, the “contractual” theory, the “real entity” theory, and the “new contractual” theory.
This Article revisits that debate by examining the various functions of corporate personhood including four functions I have identified in previous work: (1) providing continuity and a clear line of succession in property and contract, (2) providing an “identifiable persona” to serve as a central actor in carrying out the business activity, (3) providing a mechanism for separating pools of assets belonging to the corporation from those belonging to the individuals participating in the enterprise, and (4) providing a framework for self-governance of certain business or commercial activity. In this Article, I focus on the historical evolution of the corporate form, and specifically on how and why corporations have tended to develop clearly identifiable corporate personas. This corporate persona function is highly important to today’s corporations and, because of this func-tion, corporations can become more than simply the sum of their parts. This Article suggests that scholars should keep the corporate persona function in mind in evaluating corporate personhood theories, and return to a theory that sees corporations as more than a bundle of contracts.
Blair concludes -
In much of my prior work, I have, in one way or another, explored the idea that successful business corporations are, and should be treated by the law as, more than just bundles of assets that belong to shareholders. While the role of shareholders in corporations is not trivial — without financial capital, few business enterprises could get out of the starting block — it is the efforts and vision of the entrepreneurs, managers, and key employees, as well as business practices that cultivate innovation and collaboration in teams, that create corporations whose value greatly exceeds the value of the financial capital that has been put in them. The real entity theory of corporations provided a vocabulary that embraces and acknowledges these self-evident facts. But numerous legal scholars since the 1980s have rejected the real entity view of corporations in favor of a theory that dismisses the idea that a firm is more than the sum of the contracts it embodies. 
Legal scholars started down this path by adopting the frameworks that had been developed by economic theorists to provide insight into key relationships within firms and by applying these reductionist models to the law of corporations. Beginning in the 1980s, they produced a substantial literature that starts from three simplifying premises that economists had adopted: (1) that shareholders are the “owners” of corporations, which are simply bundles of assets owned collectively by shareholders; (2) that directors and managers are the agents of shareholders and therefore are supposed to apply themselves to maximizing the value of the shares; and (3) that the best way to achieve higher value for shareholders is to give shareholders more power and control rights so that they can compel managers and directors to maximize share value. 
Frank Easterbrook and Daniel Fischel, for example, wrote a series of articles together in which they developed the implications for corporate law of the idea that corporations are essentially a contracting device with no separate existence and embodying no distinct rights and interests apart from the individuals who contracted together through the corporations. They focused especially on what they thought of as the central or most important contract in any corporation, the principal-agent contract between shareholders and directors/managers. 
Other legal scholars followed this lead, and within a few years, the legal literature on corporations as contractual devices and managers as agents of shareholders exploded. In an insightful analysis of this transformation of legal thinking about corporations, William Bratton notes that the real entity theory of the corporation was essentially “managerialist” — it accepted and legitimized the large corporation in which a managerial hierarchy exercised control. The new nexus of contracts theory, by contrast, was antimanagerialist, emphasizing that managerial authority is derived from the agency relationship with shareholders and that managers serve at the behest of shareholders. It is beyond the scope of this Article to explore all of the reasons why corporate law scholarship began to tilt so strongly in an antimanagerialist direction in the 1980s, after having been quiescently managerialist for nearly half a century. But the 1980s was a period in which many leading thinkers in the United States believed that the country was in decline and that the decline probably had to do with the failures of the bureaucratic and sclerotic corporations that dominated so many industries. “[I]n the 1980s national economic decline-revival became one of the foremost domestic issues, a new and uncomfortable prospect for Americans,” wrote historian Otis Graham.  By the latter half of the decade, vigorous public discussion had melded an impressively broad consensus that the erosion of U.S. economic strength was a reality, that it had not been and would not be stemmed by the Reaganite reforms, and that both relative and in some cases absolute decline had continued through even the remarkable years of expansion in 1983–1990. 
Concern about decline manifested itself in a number of ways. The most salient for our purposes was the idea that executives in the corporate sector, on the whole, had become uncreative, unwilling to take risks, self-serving, empire building, and unaccountable. The new antimanagerialist contractual theory of the firm may have been attractive because it offered a framework for thinking about how the law could help to un-seat these executives and bring in new industrial leadership. The new literature on the nexus of contracts theory of the corpora- tion also offered a way to think about the legal and policy issues raised by a phenomenon then sweeping the financial markets — hostile takeo-vers.  According to the theory, corporate managers cannot be expected to always work tirelessly to maximize the value of a corporation’s stock because they are merely hired agents with their own preferences that are not necessarily the same as the preferences of their principals, the shareholders. If managers fail to maximize the value of the shares of their company, however, the stock price of the company will be lower than its potential, and there will be an incentive for an outside investor to buy up a controlling position in the corporation, then proceed to fire manage- ment or otherwise compel the company to cut its costs or redirect its as- sets so that they have a higher value. 
This story line made the investors who were actively bidding for control of numerous corporations in the 1980s into heroes who were adding value, rather than greedy raiders (as corporate executives initially tried to portray them) who were opportunistically stripping value out of the corporations by ending employee pension plans, renegotiating contracts with unions, or closing plants and shipping production overseas — all while paying themselves large bonuses. Not surprisingly, the image of financiers as the heroes rather than the villains was congenial to corporate finance practitioners and scholars, and scholarship exploring and testing these ideas soon dominated the finance literature as well as the corporate law literature. The nexus of contracts/principal-agent model has thus formed the framework for a large part of the theoretical and empirical scholarship of both finance and corporate law over the last three decades. 
This literature includes arguments that corporate boards and man- agers should be required to be passive in the face of hostile offers so that shareholders could take advantage of the opportunity to sell their shares at a higher price. Similar reasoning has been applied to consideration of a long list of takeover defenses, which generated a large body of literature during the 1980s arguing that takeover defenses reduced the value of corporate shares and that they should therefore be disallowed or con- strained. Arguments were also made that managers and directors should be paid in stock options or other equity claims so that their interests would be more closely aligned with the interests of shareholders.  The corporate bar initially defended corporate directors and managers on the question of takeover defenses. But over time, as managers and directors increasingly adopted compensation packages based on stock options, these had the predicted effect of focusing the attention of directors and managers at firms across the economy — so that most directors and managers now say that their primary duty is to maximize the value of the equity shares of the corporations they run. 
The view of corporations as simply contracting devices has also permeated corporate finance, with practitioners and scholars learning to use the corporate form of organization in a whole new way, as a pure asset-partitioning device that does not implicate any of the other three functions of corporate personhood (continuity in property and contract; self-governance; and the development of intangible assets attached to a corporate persona). So called “special purpose vehicles” (SPVs), or sometimes “special purpose entities” (SPEs) or “structured investment vehicles” (SIVs), are corporations that have no employees, no operations, and no products. Their sole purpose is to facilitate “securitization” of financial assets by allowing the sponsoring corporation to isolate a bundle of financial assets, such as mortgages, car loans, other consumer debt, or commercial debt instruments, and issue debt securities that are claims to the cash flow solely from those assets.  By creating a separate corporation to hold the assets and liabilities of the SPE, the sponsoring financial firm that creates the entity attempts to protect itself from default or bankruptcy if the assets behind the securities fail to generate the projected amounts of cash flow. These entities thus resemble pure nexuses of contracts for the purpose of partitioning assets into entities that have none of the elements that we have identified as part of a corporation’s persona. But it turns out that, without a persona component,  the value of these entities nearly collapsed during the financial crisis when the assets that had been isolated in them lost value. In response, many of the financial firms that created these entities stepped up and took responsibility for making good on the debt securities that had been issued by them, although the terms of the contracts that had created them did not require this. Why? Because the sponsoring firms had something to lose, which the individual SPVs did not have, a corporate persona with substantial reputational value at risk. In other words, some of the value that those entities had was due to an asset of the sponsoring firm that was not listed on the balance sheet of either the sponsoring firm or the SPE. That asset could have been badly damaged if the sponsoring firm had, in fact, allowed the SPEs to fail. Theories that try to explain value creating corporations in pure contract terms, without acknowledging the role of reputational and other noncontractual relationship assets that contribute to value and that are tied to the corporate persona, may fail to explain aspects of corporations that matter most. 
The dominant theory of corporations in the last few decades in finance and in law has been a reductionist, finance inspired approach that regards corporations as mere contractual devices, with no truly separate existence, for which it is misleading and even foolish to speak of such things as the goal, reputation, will, or moral duties of the corporation apart from its contracting agents. The effort by financial market players in recent years to create value by simply repackaging the assets and liabilities of corporations without regard to the impact of such maneuvers on reputation and trust in the entity as a whole, let alone on the financial markets as a whole, it seems to me, is one expression of this mentality. 
But while legal and financial scholars seem to have no use for corporations that have any personality, some of the most successful value creating entrepreneurs of the last decade — Larry Page, Sergey Brin, and Eric Schmidt at Google, and Mark Zuckerberg at Facebook, among others — have emphasized the importance of such factors as “culture” and “reputation” and “innovativeness” in the value creating process at their corporations, and have expressed concern that financial markets excessively discount the importance such factors. Perhaps it is time for financial and legal economics to rethink the contractarian theories and models that have been guiding much corporate law scholarship in recent years and reconsider the view that corporations are, or can be, substantially more than the sum of their contractual parts. The idea that corporations can have a separate persona would be a useful part of that inquiry.

01 July 2013

BC Data Breach

Australia's national Data Breach Bill - the Privacy Amendment (Data Alerts) Bill 2013 (Cth) - appears to have got the tick from the Constitutional & Legal Affairs Committee last week but fizzled thereafter amid excitement about 'who gets to play prime minister'. (My submission to the Committee commented that the Bill was overall disappointing but a useful step to a more effective mandatory data breach reporting regime.)

In Canada the British Columbia Privacy Commissioner has meanwhile recommended changes to the BC Ministry of Health’s privacy practices following three data breaches affecting millions of people in that province.

The Commissioner's investigation report assessed the ministry’s response to the breaches and the ministry’s overall data-handling practices in relation to health research. It highlighted "serious deficiencies" in those practices, with the absence of  "operational and technical safeguards" meaning that employees were able to copy a large volume of personal health data onto unencrypted flash drives and share that data with other parties without detection. That absence was contrary to requirements under section 30 of the BC Freedom of Information and Protection of Privacy Act (FIPPA) for "reasonable security" to protect personal information.

The Commissioner has made 11 recommendations to improve the ministry’s privacy practices "to both facilitate access to information for health research and to address the privacy and data security compliance issues".

They are -
R1 The Ministry should develop and implement additions to the BC Government policy on the use of portable storage devices to require the use of other, more secure, forms of information transfer. Portable storage devices should only be used as a last resort and must always be encrypted. 
R2 The Ministry should ensure user privileges are granted and managed based on the need to know and least privilege principles, ensuring that employees have access only to the minimum amount of personal information they require to perform their employment duties. Access permissions should be assigned consistently and kept up to date. 
R3 The Ministry should implement technical security measures to prevent unauthorized transfer of personal information from databases. 
R4 The Ministry executive should implement an effective program for monitoring and auditing compliance by employees with privacy controls, and by contracted researchers and academic researchers with privacy provisions in agreements, to enable proactive detection of unauthorized use and disclosure of Ministry information. 
R5 The Ministry should ensure that all contracts with contracted researchers and research agreements with academic researchers involving the disclosure of personal health information provide for an appropriate level of security, including privacy protection schedules. These requirements should include limiting the use and disclosure of personal information to specified contractual purposes; taking reasonable security measures to protect personal information; requiring compliance with privacy policies and controls with respect to storage, retention and secure disposal; and requiring notice to the Ministry in the event of a privacy related contractual breach. The Ministry also should use information sharing agreements wherever the substance of an agreement is about information sharing, rather than the provision of services to the Ministry. 
R6 The Ministry should develop a comprehensive inventory of all databases containing personal health information. The inventory should be updated regularly and should set out associated information flows relating to collection and disclosure for research purposes. 
R7 The roles and responsibilities for privacy belonging to the OCIO and branches throughout the Ministry should be documented and effective overall leadership for the Ministry’s privacy management program clarified. There is a particular need to enhance the Ministry’s internal privacy resources. 
R8 The Ministry should develop a Ministry privacy policy that establishes the basic principles of privacy for Ministry employees. 
R9 The Ministry should ensure that the Ministry privacy policy specifically incorporates the collection, use and disclosure of health information for research, including addressing when it may be appropriate to release personal information for health research under s. 35 of FIPPA. It should indicate the kind of information that the Ministry can provide to researchers and the security requirements that need to be met. 
R10 The Ministry should continue to streamline its information access request approval and delivery processes to reduce time delays in access to information for health research. 
R11 The Ministry should ensure that employees with access to databases containing personal health information participate in mandatory privacy training sessions and that their participation is documented.
The Commissioner, in noting that "Privacy and research are allies, not adversaries, in the pursuit of better health outcomes", also released Accountable Privacy Management in B.C.’s Public Sector. It is a new guidance document that "provides a blueprint and step-by-step instructions for public bodies to develop comprehensive privacy programs and protect citizens’ personal information".


In Swan v Monash Law Book Co-operative (t/as Legibook) [2013] VSC 326 the Supreme Court of Victoria has awarded $592,554 damages to a former retail sales assistant subjected to workplace bullying.

The applicant claimed that she had been subjected to sarcasm, hostility, rudeness, violent behaviour and threat of termination by a manager in the workplace. She alleged that the defendant's negligence caused psychological injury by exposing her to an unsafe workplace in which she was subject to that bullying, harassing, and intimidating conduct. She had for example allegedly needed to duck to avoid being struck on the head by a legal text book thrown at her by a Legibook manager.

The Court found that Legibook failed to properly define the relations between it and its employees and its employees inter se and articulate its expectations concerning conduct in the workplace between employees, by job descriptions, employment contracts and workplace behaviour policies.

Dixon J states that
On the basis of the findings that I have expressed above, I am satisfied that Mr Cowell engaged in an established pattern of workplace bullying as so described. He did so, particularly in the period from August 2002 to April 2003. I am satisfied that his behaviour during that period, as I have found it, would be expected by a reasonable person to humiliate, intimidate, undermine or threaten the plaintiff. The incidents of occupational violence were, from 2003, intermittently reinforced with an expectation that such violence might be repeated, engendered by other conduct that did not involve an immediate apprehension of physical violence throughout the period of the plaintiff’s employment by the defendant until August 2007. 
Although the pattern of Mr Cowell’s behaviour was episodic and, after 2003, not characterised by explicit incidents of occupational violence, his conduct characterised the work environment as one in which the plaintiff was subject to stress and emotional distress, humiliation and belittling conduct, intimidation and aggressive managerial direction. In a restricted and confined workplace environment, such behaviours imposed substantial, and significant, emotional stress and distress on the plaintiff. I find that Mr Cowell’s conduct in the workplace threatened to, and did, damage the mental health and wellbeing of the plaintiff throughout the course of her employment by the defendant. 
The Court went on
I am satisfied that the behaviour of [Legibook] from March 2003 through until August 2007 fell short of the expected standard of an employer in the following respects:
(a) The defendant failed to properly define the relations between it and its employees and its employees inter se and articulate its expectations concerning conduct in the workplace between employees, by job descriptions, employment contracts and workplace behaviour policies.
(b) It was immediately clear to the defendant in March 2003 that a want of written position descriptions, written employment contracts and workplace behaviour policies was contributing to the conflict between their two employees. The defendant’s ongoing failure to put proper job descriptions, employment contracts and workplace behaviour policies in place was never explained. That inexcusable and unjustified conduct breached its duty of care to the plaintiff.
(c) Further, the defendant’s failure to take those steps was exacerbated by its repeated misrepresentations to the plaintiff that employment contracts, written job descriptions and workplace behaviour policies were imminent.
(d) The board failed in 2003 to introduce defined procedures for complaints of inappropriate behaviour in the bookroom, or to appropriately train its employees and its own members to deal appropriately with such behaviour and complaints when it was occurring.
(e) It was inappropriate for the defendant, purporting to act as a reasonable employer, to rely on choices made by its employee as to the employer’s proper response to the employee’s complaint especially when such choices were, at least, induced by those misrepresentations. Seeking assurances from the plaintiff that she was happy with the board’s handling of her complaint in the circumstances constituted an inappropriate response.
(f) In considering the plaintiff’s complaint in March 2003, the board recognised that it had given no direction to Mr Cowell as to his dealings with the plaintiff and that this seemed to have led to Mr Cowell developing some rather arbitrary and brusque work practices in his dealing with her.
(g) The board recognised that Mr Cowell was keen to make a good impression upon it and that appropriate workplace conduct should form part of an employee assessment concerning Mr Cowell. Although conceptually appropriate, the board was negligent in failing to follow through with any employee assessment that included consideration of appropriate workplace conduct.
(h) When determining in 2003 that a formal warning to Mr Cowell was not appropriate, the board failed to give any consideration to informal responses, for example, a direct personal communication with Mr Cowell that was not put in the context of any complaint from the plaintiff, about the nature of workplace conduct, including the way its employees related to each other that the board expected at Legibook.
(i) A reasonable employer ought to have directly investigated what was occurring in the bookroom and intervened appropriately to deal with what had occurred. Dr Wyatt considered that April 2003 was the appropriate occasion for intervention by engaging a workplace mediator or conciliator like Mr Jensen.
(j) The defendant had no formal system enabling employees to seek the assistance of the employer when bullying conduct occurred. This was evidenced in a number of respects. There was no complaints mechanism or system. Although Mr Somers liaised with employees on behalf of the board, the system was ad hoc. Further, there was no evidence that Mr Somers had any relevant training or experience and the board’s response to the complaints in 2003 and 2005 supports the conclusion that he did not. Apart from the failure to conduct any formal investigation of the plaintiff’s complaint, there was, in 2003 and 2005, no informal investigation either. Similarly, the board gave no informal warning and there was no discussion, even at a general level, with Mr Cowell. Consequently, the board never made a simple clear statement to Mr Cowell that it would not tolerate behaviour in the bookroom of a character that could constitute workplace bullying. Mr Cowell never knew of the board’s attitude to conduct as described by the plaintiff, irrespective of any issue about whether such conduct had occurred, or might again occur.
(k) The board did not arrange for, or conduct for itself, any risk assessment, either generally or of the circumstances raised by the complaints in 2003 and 2005. The board failed to assess the risks that it identified in March 2003 could result in Workcover claims by the plaintiff. The board did not properly monitor, on an ongoing basis, the behaviour of its employees inter se. Its expressed intentions to ‘chat regularly’ with its employees resulted at best in occasional conduct mostly initiated by the plaintiff. This failure follows on its failure to implement any policy or process. In the relevant sense, that risk of injury to the plaintiff that the board identified was uncontrolled by it.
(l) A further consequence following on the absence of any policy or process concerning workplace conduct and behaviours was that Legibook’s response to the plaintiff’s complaints was inadequate, and its want of a complaint and grievance process permitted its inadequate response to fail all together, to slip away without appropriate resolution. Although the defendant submitted that the periods of no complaint, or of apparent calm in the workplace between complaints, were significant, I do not agree. To the extent that the submission was put to the existence of a duty, I have rejected it. The periods of apparent functionality in the bookroom did not eradicate or alleviate the risks that had been foreseen. When considering breach, a reasonable employer looking forward to identify what it should have done to avoid injury, having identified a risk, could not simply assume that a continuing absence of complaint, or renewed complaint, meant that the risk had abated. In this regard, the defendant is purporting to rely on aspects of its breach of duty - a want of risk assessment, follow-up procedures, and monitoring - to infer that the foreseen risk had resolved and its failure to take such actions was not in breach of its duty. I reject this contention. The absence of overt continuing behaviour, or complaint about behaviour, is not evidence that the risk of harm to the plaintiff’s mental health identified in March 2003 had abated, or could reasonably be considered by a prudent employer to have abated.
(m) A further aspect of the lack of proper policy and process was that Legibook had no safe return to work procedure. The plaintiff’s return to work process was not competently handled and will be further discussed below.
I am satisfied that the defendant failed to take reasonable care for the safety of the plaintiff, specifically in terms of her mental health, in these particular respects.