The use of personal email for business is a significant problem
for records retention and privacy programs.
On March 18, 2013, the British Columbia Information and Privacy
Commissioner (OIPBC) announced an
investigation into the use of personal email accounts by public
servants in that province. Although the investigation is taking
place in a public sector context, the investigation is also
relevant for organizations in the private sector.
Records Management Obligations
Communications taking place outside of the organization's
email records management system may not be captured in compliance
with the organization's records management system. The OIPBC
reminds public servants in Guidelines on
the Use of Personal Email Accounts for Public Business
(released on March 18, 2013) that personal email may still be
subject to the British Columbia Freedom of Information and
Protection of Privacy Act (FIPPA).
FIPPA applies to records in the custody or
control of a public body. A record will be under
the control of the organization if (a) the record relates to a
departmental matter and (b) the government institution could
reasonably expect to obtain a copy of the record upon request. The
OIPBC's general rule is that "any email that an employee
sends or receives as part of her or his employment duties will be a
record under the public body's control, even if a personal
account is use." These records may, therefore, be subject to
access to information requests even though the organization does
not have possession of the email record.
This isn't just a public sector problem. For example,
subsection 23(1) of the British Columbia Personal
Information Protection Act ("PIPA"), which applies to
private sector organizations in British Columbia, provides that an
organization must provide an individual with the individual's
personal information under the control of the
organization. There is no obvious reason why the meaning of
"control" in PIPA should be narrower than FIPAA.
Information Security Obligations
The OIPBC also expressed concern regarding the security of
personal email in the Guidelines. This issue applies equally to the
public and private sectors. Depending on the service used by the
employees and whether copies of the email are downloaded to
unencrypted devices, the email may be stored in an insecure
Private organizations should be aware that section 34 of PIPA
requires the organization to protect personal information in its
custody or under its control by making reasonable
security arrangements to prevent unauthorized access, collection,
use, disclosure, copying, modification or disposal or similar
risks. Organizations may be faulted for turning a blind-eye to the
practice of employees using personal email systems that do not
provide for adequate security. In assessing the risk, organizations
should consider whether they would have breach
notification responsibilities in the event an employee's
personal email was compromised and that email contained
personal information collected by or on behalf of the
Even leaving aside the possibility of a breach, organizations
should consider whether employees transmitting personal information
outside of the administrative, technical and physical security
controls established by organization would violate representations
made by the organization in its public privacy policies.
FMC is one of Canada's leading business and litigation law
firms with more than 500 lawyers in six full-service offices
located in the country's key business centres. We focus on
providing outstanding service and value to our clients, and we
strive to excel as a workplace of choice for our people. Regardless
of where you choose to do business in Canada, our strong team of
professionals possess knowledge and expertise on regional, national
and cross-border matters. FMC's well-earned reputation for
consistently delivering the highest quality legal services and
counsel to our clients is complemented by an ongoing commitment to
diversity and inclusion to broaden our insight and perspective on
our clients' needs. Visit:
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
To print this article, all you need is to be registered on Mondaq.com.
Click to Login as an existing user or Register so you can print this article.
On Thursday, September 22, 2016, Dentons hosted a panel discussion about the management of liabilities and risks associated with environmental crises, including potential liabilities for directors and officers and provided insight into risk and liability techniques associated with environmental crisis management.
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).