Canada: BCCA Leaves Open The Risk Of Exposure To Vicarious Liability For Unauthorized Use Of Personal Information By Employees

The BC Court of Appeal has affirmed the Chambers Judge's decision in Ari v. ICBC 2015 BCCA 468.

In this case, the putative plaintff advanced a proposed class action claim, alleging an ICBC employee misused personal information of 65 customers.

The plaintiff alleged vicarious liability for breach of the statutory tort of invasion of privacy under the Privacy Act, as well as statutory negligence for failure to protect personal information pursuant to FOIPPA.

ICBC sought to have the claim for vicarious liability under the Privacy Act dismissed.  The BCCA agreed with the Chambers Judge and did not dismiss that part of the claim.  A claim based on vicarious liability under s. 1 of the Privacy Act remains open.  In this case, the Court decided there was sufficient connection between ICBC and the alleged wrongdoing, taking into account ICBC's alleged role in the creation or enhacement of the risk of unauthorized access.

The BCCA also upheld the Trial Judge's decision to strike the FOIPPA claim.  The Court reviewed Saskatchewan Wheat Pool, where the SCC declined to recognize a nominate tort of statutory breach.  Applied to FOIPPA, any civil liability arising as a result of a breach of statute should be considered in the context of the law of negligence, and there is no action for negligent breach of a statutory duty.

The Court discussed the implications of the duties imposed by FOIPPA and said:

"Section 30 does not legislate a specific standard of care. The duty is to "make reasonable security arrangements". "Reasonableness" denotes a range of acceptable conduct. This suggests a public body may make its own policy decisions as to the manner in which it fulfills this statutory obligation. The duty is therefore a contextual one, and would no doubt vary depending on the nature of the business of the particular body. Furthermore, there is nothing in the broad wording of the section that suggests it should found a new private law duty of care to an individual, as opposed to the public at large."

As there is no common law privacy tort in BC, the plaintiff's claim now depends entirely on the statutory cause of action.  Whether the Court will ultimately determine whether vicarious liability should flow to ICBC as a result of its role in creating or enhancing the risk of breach of privacy remains to be explored. 

It is interesting that in discussing the Saskatchewan Wheat Pool case, the BCCA noted that (although a nominate tort of statutory breach should be rejected) proof of statutory breach, causative of damages, may be evidence of negligence; and a statutory formulation of a duty may afford a useful standard of reasonable conduct.  In other words, in considering a breach of the Privacy Act, a Court may look to FOIPPA (in the case of public bodies) as a standard.

Along with Evans v. Bank of Nova Scotia, and other emerging cases, Ari serves as a stark warning to organizations about the prospective exposure to vicarious liability related to access and disclosure of personal information by employees.  Organizations ought to be working diligently to put appropriate procedures, security and training in place to reduce the risks associated with the actions of their employees.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.