In her statement, the Commissioner made it clear that the Freedom of Information and Protection of
Privacy Act ("FIPPA") applies to all
work-related emails sent to, or received from, the personal email
accounts of public servants and public officials. She advised that,
while there are no freedom-of-information laws that directly
prohibit public servants or officials from using personal email
accounts for work matters, doing so poses two main concerns: 1) it
makes it difficult to search for records that are responsive to an
access to information request, and 2) the use of personal email can
cause privacy and security risks if personal information is
accessed or stored outside of Canada.
The Office of the Information and Privacy Commissioner published
Guidelines that outline how B.C.'s
freedom-of-information laws apply to personal email accounts, and
the risks involved when such accounts are used for government
business. The guidelines address the following three provisions in
FIPPA: Sections 3(1), 6(1) and 30.
1) Section 3(1) – Scope of
The guidelines point out that FIPPA's application to
"public records" is broad in scope and, depending on the
circumstances, may encompass work-related emails sent from personal
accounts. The issue that needs to be addressed in these cases is
whether the personal email remains under the control of a public
The Supreme Court of Canada has established that
where a record is not in the physical possession of a government
body, it will remain under its control if the following questions
are answered in the affirmative:
Do the contents of the document relate to a departmental
Could the government institution reasonably expect to obtain a
copy of the document upon request?
As a precautionary measure, one should assume that any email
that an employee sends or receives that's within the context of
their work duties, whether it be through a work or personal email
account, will be considered to be a record under the public
2) Section 6(1) – Duty to
Section 6(1) of FIPPA requires public bodies to make every
reasonable effort to assist the applicant with their request and to
respond without delay to each applicant openly, accurately and
completely. In order to do so, the public body has an obligation to
perform a complete and adequate search of its records when
responding to the access request. The public entity is required to
take every reasonable step in its search to locate relevant
records, including compelling the production of relevant records
located in personal email accounts.
As there are no provisions in FIPPA that directly prohibit
public body employees from using their personal email accounts for
work matters, the guidelines suggest that public bodies should
create a policy on the use of personal email accounts for work
3) Section 30 – Reasonable
The guidelines also call attention to the security risk to
personal information that is associated with the use of personal
email accounts. Public bodies are required under FIPPA to have in
place reasonable security measures that will safeguard against
unauthorized access, collection, use, disclosure or disposal of
personal information. A personal email account, which is usually
web-based, is unlikely to comply with the security requirements set
out in section 30 of FIPPA. The guidelines address some of the
obvious concerns that arise out of using a personal email account
when attending to business, including third party access to content
and inadequate security features for the personal webmail
In essence, the use of personal email accounts for work purposes
will result in several challenges for public bodies under FIPPA.
The guidelines were created to better illustrate these challenges
and to recommend that public bodies put in place policies that
address the use of personal email accounts for work purposes.