The recent Federal Court of Canada decision in Johnson
v. Bell Canada is likely to reduce the burden experienced
by Canadian companies when faced with employee requests under the
Personal Information Protection and Electronic Documents
Act (PIPEDA) for access to personal information
allegedly stored on company servers.
In this case, Johnson, a Bell Canada employee, asked Bell for
copies of any "e-mails concerning me in this company ... from
all sources." He subsequently narrowed his request for access
to e-mails from a two-year period. Bell provided all
business-related e-mails to which Johnson's direct supervisor
had access — close to 600 pages of information.
Johnson asserted that this disclosure was insufficient and
sought a court order requiring Bell to provide him with all of his
personal information, including all e-mail messages between Bell
employees referring to him. He also argued that Bell was obliged to
conduct an exhaustive search of all records they had for any
e-mails mentioning him.
The issue before the court was whether Bell, in responding to
Johnson's request, had complied with the requirements of
In Connection With The Operation Of A Business
PIPEDA applies to organizations in respect of personal
information about an employee that it "collects, uses or
discloses in connection with the operation of a federal work,
undertaking or business."
Relying on this wording, Bell argued that only business-related
e-mails are subject to PIPEDA. It contended that e-mail
exchanges of a personal nature between employees are not generated
in association with its business operations and, therefore, are not
collected "in connection with the operation of" its
Johnson contended that non-business-related personal e-mails are
collected "in connection with the operation" of
Bell's business because Bell's computer systems and back-up
systems capture these e-mails. Such systems are part of the
operation of the business.
The court agreed with Johnson that e-mails about or concerning
him met the definition of "personal information" in
PIPEDA. However, the court found that the real issue was
whether these e-mails were collected, used or disclosed by Bell in
connection with the operation of a federal work, undertaking or
The court concluded that they were not. It compared the
collection of non-business-related personal e-mails by a computer
system to the bycatch products that fishermen collect in their
...Organizations put systems and procedures in place
deliberately to capture such information as is relevant to the
organization and its business needs. The reality is that
non-relevant information is also captured. Just as the cod
fisherman's nets will capture whiting, flounder, hake, squid,
butterfish, or other species in addition to the cod which is the
fisherman's target, the organization's data storage system
which is intended to capture business e-mail will capture personal
e-mails, jokes, spam, family pictures and other nonbusiness data
transmitted on the system.
Business Purpose For The Information
The court found that only information collected by the
organization "because it has a commercial need for it" is
captured by PIPEDA. To be considered "information
collected in connection with the operation of a business,"
there must be a business purpose for the information. In this case,
the personal e-mails had no business purpose. As a result, the
court determined that the e-mails were not subject to
PIPEDA and disclosure by Bell.
The court also found that Bell had conducted a sufficient search
in response to Johnson's request. It noted that Bell was
required to conduct a search "that could reasonably be
expected to produce the personal information of Mr. Johnson that,
in the ordinary course, would fall under PIPEDA." It
was reasonably expected that business e-mails about Johnson would
be in the hands of his direct supervisor and there was no evidence
that other Bell employees would have business e-mails about
McCarthy Tétrault Notes:
This decision should reduce the burden of complying with
employee PIPEDA requests by significantly reducing the
scope of the searches necessitated by such requests.
As a result of this decision, organizations can take comfort in
knowing they will only need to search for and provide those records
related to the conduct of their business, not those sent between
employees for personal reasons.
Furthermore, organizations are only required to conduct a search
that could reasonably be expected to produce the personal
information of the employee that, in the ordinary course, would
fall under PIPEDA. Therefore, they do not need to search
records that are not reasonably likely to contain business-related
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
To print this article, all you need is to be registered on Mondaq.com.
Click to Login as an existing user or Register so you can print this article.
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).