In her statement, the Commissioner made it clear that the Freedom of Information and Protection of
Privacy Act ("FIPPA") applies to all
work-related emails sent to, or received from, the personal email
accounts of public servants and public officials. She advised that,
while there are no freedom-of-information laws that directly
prohibit public servants or officials from using personal email
accounts for work matters, doing so poses two main concerns: 1) it
makes it difficult to search for records that are responsive to an
access to information request, and 2) the use of personal email can
cause privacy and security risks if personal information is
accessed or stored outside of Canada.
The Office of the Information and Privacy Commissioner published
Guidelines that outline how B.C.'s
freedom-of-information laws apply to personal email accounts, and
the risks involved when such accounts are used for government
business. The guidelines address the following three provisions in
FIPPA: Sections 3(1). 6(1) and 30.
1) Section 3(1) – Scope of
The guidelines point out that FIPPA's application to
"public records" is broad in scope and, depending on the
circumstances, may encompass work-related emails sent from personal
accounts. The issue that needs to be addressed in these cases is
whether the personal email remains under the control of a public
The Supreme Court of Canada has established that
where a record is not in the physical possession of a government
body, it will remain under its control if the following questions
are answered in the affirmative:
Do the contents of the document relate to a departmental
Could the government institution reasonably expect to obtain a
copy of the document upon request?
As a precautionary measure, one should assume that any email
that an employee sends or receives that's within the context of
their work duties, whether it be through a work or personal email
account, will be considered to be a record under the public
2) Section 6(1) – Duty to
Section 6(1) of FIPPA requires public bodies to make every
reasonable effort to assist the applicant with their request and to
respond without delay to each applicant openly, accurately and
completely. In order to so do, the public body has an obligation to
perform a complete and adequate search of its records when
responding to the access request. The public entity is required to
take every reasonable step in its search to locate relevant
records, including compelling the production of relevant records
located personal email accounts.
As there are no provisions in FIPPA that directly prohibit
public body employees from using their personal email accounts for
work matters, the guidelines suggest that public bodies should
create a policy on the use of personal email accounts for work
3) Section 30 – Reasonable
The guidelines also call attention to the security risk to
personal information that is associated with the use of personal
email accounts. Public bodies are required under FIPPA to have in
place reasonable security measures that will safeguard against
unauthorized access, collection, use, disclosure or disposal of
personal information. A personal email account, which is usually
web-based, is unlikely to comply with the security requirements set
out in section 30 of FIPPA. The guidelines address some of the
obvious concerns that arise out of using a personal email account
when attending to business, including third party access to content
and inadequate security features for the personal webmail
In essence, the use of personal email accounts for work purposes
will result in several challenges for public bodies under FIPPA.
The guidelines were created to better illustrate these challenges
and to recommend that public bodies put in place policies that
address the use of personal email accounts for work purposes.
Peerenboom v Marvel Entertainment (2016 NY Slip Op 31957(U)) is drama-driven case in which the New York County Supreme Court afforded Toronto businessman Harold Peerenboom the right to obtain the private emails...
The Supreme Court of Canada released a landmark decision today giving important guidance on how Canada's federal privacy law, the Personal Information Protection and Electronic Documents Act, should be interpreted.
The Ontario Superior Court of Justice recently approved a settlement agreement in the Lowanski v The Home Depot class action, a decision that highlights adequate protection and a sufficient response can significantly reduce the legal risks after a data breach.
The October 19, 2016 judgment of the European Court of Justice in the matter brought by Patrick Breyer against the Federal Republic of Germany (the "EU Decision") raises the issue of whether an IP address is personal information under the EU Directive 95/46/EC and provides an interesting comparison with the Canadian perspective.
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).