The BC Court of Appeal has affirmed the Chambers Judge's
decision in Ari v. ICBC 2015 BCCA 468.
In this case, the putative plaintiff advanced a proposed class
action claim, alleging an ICBC employee misused personal
information of 65 customers.
The plaintiff alleged vicarious liability for breach of the
statutory tort of invasion of privacy under the Privacy Act, as
well as statutory negligence for failure to protect personal
information pursuant to FOIPPA.
ICBC sought to have the claim for vicarious liability under the
Privacy Act dismissed. The BCCA agreed with the Chambers
Judge and did not dismiss that part of the claim. A claim
based on vicarious liability under s. 1 of the Privacy Act remains
open. In this case, the Court decided there was sufficient
connection between ICBC and the alleged wrongdoing, taking into
account ICBC's alleged role in the creation or enhancement of
the risk of unauthorized access.
The BCCA also upheld the Trial Judge's decision to strike
the FOIPPA claim. The Court reviewed Saskatchewan Wheat Pool,
where the SCC declined to recognize a nominate tort of statutory
breach. Applied to FOIPPA, any civil liability arising as a
result of a breach of statute should be considered in the context
of the law of negligence, and there is no action for negligent
breach of a statutory duty.
The Court discussed the implications of the duties imposed by
FOIPPA and said:
"Section 30 does not legislate a specific standard of care.
The duty is to "make reasonable security arrangements".
"Reasonableness" denotes a range of acceptable conduct.
This suggests a public body may make its own policy decisions as to
the manner in which it fulfills this statutory obligation. The duty
is therefore a contextual one, and would no doubt vary depending on
the nature of the business of the particular body. Furthermore,
there is nothing in the broad wording of the section that suggests
it should found a new private law duty of care to an individual, as
opposed to the public at large."
As there is no common law privacy tort in BC, the
plaintiff's claim now depends entirely on the statutory cause
of action. Whether the Court will ultimately determine
that vicarious liability should flow to ICBC as a result of its
role in creating or enhancing the risk of breach of privacy remains
to be explored.
It is interesting that in discussing the Saskatchewan Wheat Pool
case, the BCCA noted that (although a nominate tort of statutory
breach should be rejected) proof of statutory breach, causative of
damages, may be evidence of negligence; and a statutory formulation
of a duty may afford a useful standard of reasonable conduct.
In other words, in considering a breach of the Privacy Act, a Court
may look to FOIPPA (in the case of public bodies) as a
Evans v. Bank of Nova Scotia, and other emerging cases, Ari
serves as a stark warning to organizations about the prospective
exposure to vicarious liability related to access and disclosure of
personal information by employees. Organizations ought to be
working diligently to put appropriate procedures, security and
training in place to reduce the risks associated with the actions
of their employees.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.