Canada: Privacy, PIPEDA and Personal E-Mails At Work

This article originally appeared in the July 2009 issue of the 2009 Lexpert Guide to the Leading US/Canada Cross-Border Corporate Lawyers.

In light of issues that arise under PIPEDA, how far does access to personal information go?

Canada's federal private sector privacy legislation, the Personal Information Protection and Electronic Documents Act(S.C.2000, c.5 [PIPEDA]), has been described as a compromise between two competing interests:

  • the privacy rights of individuals; and
  • an organization's commercial need for personal information (Englander v. Telus CommunicationsInc., [2005] 2 F.C.R. 572 (C.A.)[Telus]).

The commercial focus of PIPEDA is reflected in its scope.It applies to personal information that is handled by an organization "in the course of commercial activities" or "is about an employee of the organization and that the organization collects,uses or discloses in connection with the operation of a federal work, undertaking or business" (PIPEDA,s.4(1)(a)).Personal information under PIPEDA means "information about an identifiable individual," such as personal, health and financial information, with few exceptions (PIPEDA, s. 2(1)).

Given its focus on commercial activities, most of the issues that arise under PIPEDA relate to personal information collected, used or disclosed for commercial purposes, such as customer information. However, in the recent Federal Court decision of Johnson v. Bell Canada(2008), 70 C.P.R. (4th) 1 [Bell Canada], the court confronted the reality that every business has in is possession not only information relevant to its business but also information of an entirely personal nature, unrelated to its commercial activities, that happens to also be in its computer systems. For example, employees exchange e-mails with friends and relatives while at work. Employees have friendships within the workplace and e-mail one another about personal matters. All these e-mails are in the company's possession, in its computer systems, in e-mail boxes, on laptops and servers, and could be retained in routine backups, either for a defined time period or indefinitely.

An individual has the right to request access to his or her personal information that is in the possession of a business subject to PIPEDA. What was less clear before the Bell Canada case was whether a person could also seek access to e-mails between co-workers about himself or herself that are of a personal nature only. For example, can a person ask a business for personal information about himself or herself because the person's ex-spouse works there, on the expectation that the ex-spouse has been e-mailing others about their marital breakdown or their financial disputes? What are the limits?

In the Bell Canada case, the Federal Court examined this issue in the context of a request by an employee for access to e-mails about him in the possession of his employer. Although PIPEDA does not apply to all employee information, it applies to employee information in the hands of federal works, undertakings and businesses such as Bell Canada. The main issues in the case, arising from a conflict of privacy interests, could equally arise outside the realm of employee information.

The Bell Canada Case

Johnson, an employee of Bell Canada, made an access request under PIPEDA seeking "e-mails concerning me in this company ... from all sources." He later limited his request to only include e-mails from the previous two years.

In the face of Johnson's broad request, Bell Canada focused its search on e-mails that were accessible to Johnson's direct supervisor, limiting the search to the e-mails in the supervisor's e-mail box. Bell Canada did not search data on its servers, backups or every hard drive in the organization, nor did it search anyone else's e-mail.

Bell Canada sought an extension of time to fulfill Johnson's request, and before the extended time period had elapsed, Johnson filed a complaint with the Office of the Privacy Commissioner of Canada claiming that his access request had not been fulfilled.

Initially, Bell provided Johnson with more than 500 pages of e-mails. Some e-mails were withheld on the basis that their disclosure was likely to reveal personal information about a third party or threaten the security of another, two exemptions under PIPEDA. Ultimately, those e-mails were also produced in redacted form.

With respect to the applicability of PIPEDA to personal e-mails, the commissioner referred to an earlier decision of her office (Case Summary #346) in which the vice president of a business had sent an office-wide e-mail requesting information about the complainant, who was not an employee and did not do business with that company. The complainant believed that the vice president was seeking the information for the vice president's sister (a family law lawyer) regarding the complainant's family issues. The vice president initially denied sending the e-mail, and ultimately the commissioner concluded that the e-mail was not sent for business reasons. The commissioner found that the vice president had a "cavalier attitude" toward the complainant's right to privacy, even though no personal information was actually collected as a result of the e-mail.

The privacy regime under PIPEDA does not apply to people in respect of the information they collect for "personal or domestic purposes" (PIPEDA, s. 4(1)(b)). However, the commissioner noted in her findings that this exemption "is not intended to absolve an organization of responsibility for an employee who uses their position within the organization to collect, use or disclose personal information for their own purposes." According to the commissioner, since the vice president used the company's e-mail and computer systems in his capacity as vice president, he was not acting as an "individual" when he sent the e-mail. This decision left open the possibility that in certain circumstances personal e-mail may be subject to PIPEDA and accessible through an access request.

The commissioner concluded that Bell's request for an extension of time was reasonable, but it ought to have given Johnson a reason for the requested extension and advised him of his right to complain about it. On the main issue – access to the e-mails – the commissioner concluded that Bell Canada had met its obligations to Johnson since, by the time of her decision, it had produced all the e-mails located as a result of its focused search. The commissioner concluded that further searches need not be conducted.

Federal Court Decision

Dissatisfied with the commissioner's findings, Johnson applied to the Federal Court seeking an order requiring Bell Canada to provide his personal information, including all e-mail messages referring to him, as well as damages. He made three main complaints:

  1. Bell Canada had denied him access to the personal e-mails concerning him that were sent between Bell Canada employees;
  2. Bell Canada had carried out an inadequate search in response to his access request; and
  3. Bell Canada had deleted personal e-mails in breach of PIPEDA.

Before considering these issues, the court noted that PIPEDA is a "compromise between the commercial interests of business and the privacy rights of individuals," and its interpretation should be guided by "flexibility, common sense and pragmatism," as the Federal Court of Appeal had previously determined in Telus. The court then addressed the above issues and dismissed Johnson's application.

1. When Are Personal E-mails Subject to PIPEDA?

The court observed that there could be no issue that e-mails sent in the course of business are accessible through PIPEDA. The issue arose only for personal e-mails. Johnson claimed he had a right of access to all e-mails on Bell Canada's computer systems that contained information about him, whether or not the e-mails were personal. The only exceptions were those expressly provided for in PIPEDA (such as exceptions for solicitor-client privilege or threats to security). He submitted, and the court agreed, that an electronic message about or concerning him met the definition of "personal information" in section 2(1) of PIPEDA. Bell Canada argued that personal e-mails between employees were not subject to PIPEDA even if they resided on the Bell Canada computer systems and contained personal information about Johnson. They were "exchanges of a personal nature between colleagues" and not part of business operations.

The court recognized the "reality of our electronic world" and that computer systems store e-mail and other data in many locations (such as inboxes, deleted items boxes, servers, backups and various computers) for varying periods of time. The storage systems intended to capture business e-mails also incidentally capture personal e-mails and other non-business-related information (para. 31).

As stated by the court, the reality is that non-relevant information is captured by business computer systems. Likening it to a fisherman's net, the court observed that a business's data storage systems, which are intended to capture business e-mail, will also capture "personal e-mails, jokes, spam, family pictures and other non-business data" (para. 31).

The court noted that the section 4(2)(b) exception for information collected for personal use applies only to individuals, and not to companies or other business organizations. If exempt personal e-mails are communicated at work "it would be contrary to the purposes of the act if [the personal e-mails], once stored on the organization's backup system, would then not also be exempt from production by the organization" (para. 32).

Since section 4(2)(b) did not apply, the court looked to section 4(1) of PIPEDA to resolve the issue. Section 4(1) provides that the privacy regime in PIPEDA applies to personal information that an organization collects, uses or discloses in the course of "commercial activities" or is about an employee of the organization and that the organization collects, uses or discloses "in connection with the operation of a federal work, undertaking or business." The court observed that the emphasized phrases must have meaning and should be interpreted with reference to the business realities of the commercial world. The court held that only information collected because the organization has a commercial need for it is captured by PIPEDA:

Like the bycatch of the cod fisherman, personal e-mail is the bycatch of the commercially valuable information that is being handed by Bell Canada. ... [T]o be information collected in connection with the operation of the business, requires that there be a business purpose for the information. There is none with respect to personal e-mails. In fact, from the viewpoint of organizations like Bell Canada, personal e-mails are refuse that take up valuable space and time. (para. 35, emphasis in original)

Johnson next claimed that even if the personal e-mails did not serve a business purpose, they were not exempt since the employees used Bell Canada's systems to send the messages, and therefore his personal information was used only by virtue of the employees' employment with Bell Canada. The court considered the findings of the commissioner in Case Summary #346 (discussed above) but concluded that the exemption for personal information used solely for personal purposes is not lost simply because an individual uses his or her employer's computer equipment. He explained, "To hold otherwise would strip subsection 4(2)(b) of any meaning, as virtually any use of the employers' computer systems would result in the loss of the subsection 4(2)(b) exemption and bring within the ambit of PIPEDA personal information that has no value or use to the organization" (para. 39). The court therefore concluded that personal e-mails were not subject to PIPEDA and not subject to disclosure in response to the request for access by Johnson.

2. Adequacy of Search

In considering whether Bell Canada's focused search was sufficient, the court held that an organization is only required to conduct a search that could reasonably be expected to produce the personal information that would, in the ordinary course, fall under PIPEDA. Further, the court held that there was no need to assume that personal information only used for personal purposes, otherwise exempt under section 4(2)(b), may have lost its exempt status.

The court found that Bell Canada's search of e-mail that was accessible to Johnson's direct supervisor was sufficient, and observed that there was no evidence that other Bell Canada employees would have business e-mails related to Johnson. If Johnson claimed that there was additional information that the search did not find, the burden lay on him to make the case that the search was insufficient.

Bell Canada had also argued that Johnson was required to "focus" his broad access request. The court concluded that an organization receiving a broad request had two options open to it: (1) it could ask the requester if he or she could be more specific, in which case the requesting party had an obligation to cooperate in defining his or her request; or (2) it could conduct a reasonable search of information that it could reasonably expect to be responsive to the request, as had been done by Bell Canada (para. 46).

In the absence of evidence to the contrary, Bell Canada did not need to assume that there was any reason to search messages other than those it reasonably believed were collected, used or disclosed "in the course of its business operations." The court concluded that Bell Canada's approach met its obligations under PIPEDA.

3. Document Retention Obligations

Finally, Johnson argued that Bell Canada breached its obligation to retain his personal information for as long as needed to permit him to exhaust all recourses available to him under PIPEDA. The court disagreed, noting that there was no evidence of e-mails that should have been provided to him and were not, observing as follows:

It cannot be seriously suggested that an organization has a responsibility to recover deleted or overwritten data in the absence of compelling evidence that it existed and that it can be recovered at a reasonable cost. Further, in my view, such a Herculean task should only be required to be undertaken, if ever, in circumstances where there is a critical need for the recovered information. (para. 51)

The court concluded that an organization cannot be expected to suspend its document retention procedures for each access request. Rather, PIPEDA requires that an organization retain the personal information that its search produced until all recourse is exhausted. Bell Canada met this standard. This result was very favorable to Bell Canada, given the focused nature of the original search.

All told, Bell Canada was found not to have violated PIPEDA and no remedies were therefore necessary. Johnson's application was dismissed.

Implications of Decision

Most significantly, Johnson v. Bell Canada confirms that personal communications in the workplace may still remain personal, at least for the purpose of access to personal information requests under PIPEDA. However, exceptions may be made, particularly where there is a blurring of business and personal roles and responsibilities.

There are, of course, other contexts outside PIPEDA in which personal e-mails may not be treated as private in the workplace. For example, it is commonplace for businesses to have an e-mail policy that makes it clear that the company itself is entitled to access all personal e-mail that resides on its own computer systems. Employees ought to take these policies into account when using workplace computers for personal e-mail.

Although the United States has analogous practices with respect to internal company e-mail policies, it has no federal privacy legislation of broad application analogous to PIPEDA. Instead, there is a patchwork of laws arising from sectoral privacy regulation, which means that some types of information are heavily regulated, while others may escape regulation altogether. There is no general right of access to personal information, and this lack of uniformity gives rise to problems.

In certain sectors in the United States, information is obtainable on request. For example, certain credit information is obtainable under the Fair Credit Reporting Act (15 U.S.C. § 1681). In other consumer information contexts, the existence of a right of access to one's personal information and the scope of such right can vary from state to state. For example, California has legislation that requires businesses to disclose to a customer, on request, third-party organizations to which it has given the individual's personal information for direct marketing by the third party, such as when the business sells mailing lists (The Civil Code of the State of California, section 1798.83).

In contrast to the Canadian trend toward increased privacy protection through legislation, the United States has – through legislation such as the USA PATRIOT Act (Pub.L. 107-56, 115 Stat. 272 (2001)) – seen an increase in governmental access to personal information held by private sector organizations. Initiatives toward more privacy regulation, including more uniformity, appear to be coming, instead, from the private sector. Some companies, notably those that do business on the Internet, have joined voluntary self-regulating bodies and taken on voluntary codes of conduct regarding privacy. In October 2008, a joint initiative of members of the technology and communications sector, human rights groups and academics launched the Global Network Initiative, aimed at "protecting and advancing freedom of expression and privacy in information and communications technologies" (

More recently, a group of technology industry heavyweights, including Microsoft and Hewlett-Packard, which had prepared recommendations for a federal privacy law in the United States that was to be proposed at a widely attended privacy conference, decided to instead propose self-regulation, postponing the development of comprehensive legislation to focus on the underlying issues. Peter Cullen, chief privacy strategist at Microsoft, noted, "To provide effective privacy protection, it's going to potentially require good legislation. But more importantly, it will require good business processes and good accountability" (Alexei Alexis, "Industry Group Drops Effort to Craft Principles for Data Privacy Legislation," Electronic Commerce and Law Report, 14 ECLR 279).

The reluctance to introduce general privacy legislation is also seen in the reactions from the US Senate Commerce Committee to presentations on online privacy issues by major technology companies. Continuing with the sectoral approach, the US Senate Commerce Committee held hearings regarding online privacy issues, including data breaches and the use of behavioral advertising (Frank Davies, "Senate wary of regulating personal data," San Jose Mercury News, July 10, 2008). In response, the director of consumer protection at the Federal Trade Commission (FTC) offered support for industry self-regulation to meet FTC principles, saying that compared with stronger regulation, self-regulation was "more appropriate, especially because the technology is changing so swiftly." One senator expressed the view that regulation beyond self-regulation would likely inhibit free enterprise.

Thus, the issues in Johnson v. Bell Canada are unlikely to be at the forefront of the debate in the United States, given the absence of broad rights of access to personal information in the hands of private business. In Canada, however, this decision reinforces the compromise contemplated by PIPEDA between access rights to one's personal information and the commercial focus of the legislative regime.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on

Click to Login as an existing user or Register so you can print this article.

In association with
Related Video
Up-coming Events Search
Font Size:
Mondaq on Twitter
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).
Email Address
Company Name
Confirm Password
Mondaq Topics -- Select your Interests
 Law Performance
 Law Practice
 Media & IT
 Real Estate
 Wealth Mgt
Asia Pacific
European Union
Latin America
Middle East
United States
Worldwide Updates
Mondaq Ltd requires you to register and provide information that personally identifies you, including what sort of information you are interested in, for three primary purposes:
  • To allow you to personalize the Mondaq websites you are visiting.
  • To enable features such as password reminder, newsletter alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our information providers who provide information free for your use.
  • Mondaq (and its affiliate sites) do not sell or provide your details to third parties other than information providers. The reason we provide our information providers with this information is so that they can measure the response their articles are receiving and provide you with information about their products and services.
    If you do not want us to provide your name and email address you may opt out by clicking here
    If you do not wish to receive any future announcements of products and services offered by Mondaq you may opt out by clicking here

    Terms & Conditions and Privacy Statement (the Website) is owned and managed by Mondaq Ltd and as a user you are granted a non-exclusive, revocable license to access the Website under its terms and conditions of use. Your use of the Website constitutes your agreement to the following terms and conditions of use. Mondaq Ltd may terminate your use of the Website if you are in breach of these terms and conditions or if Mondaq Ltd decides to terminate your license of use for whatever reason.

    Use of

    You may use the Website but are required to register as a user if you wish to read the full text of the content and articles available (the Content). You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these terms & conditions or with the prior written consent of Mondaq Ltd. You may not use electronic or other means to extract details or information about’s content, users or contributors in order to offer them any services or products which compete directly or indirectly with Mondaq Ltd’s services and products.


    Mondaq Ltd and/or its respective suppliers make no representations about the suitability of the information contained in the documents and related graphics published on this server for any purpose. All such documents and related graphics are provided "as is" without warranty of any kind. Mondaq Ltd and/or its respective suppliers hereby disclaim all warranties and conditions with regard to this information, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Mondaq Ltd and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use or performance of information available from this server.

    The documents and related graphics published on this server could include technical inaccuracies or typographical errors. Changes are periodically added to the information herein. Mondaq Ltd and/or its respective suppliers may make improvements and/or changes in the product(s) and/or the program(s) described herein at any time.


    Mondaq Ltd requires you to register and provide information that personally identifies you, including what sort of information you are interested in, for three primary purposes:

    • To allow you to personalize the Mondaq websites you are visiting.
    • To enable features such as password reminder, newsletter alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
    • To produce demographic feedback for our information providers who provide information free for your use.

    Mondaq (and its affiliate sites) do not sell or provide your details to third parties other than information providers. The reason we provide our information providers with this information is so that they can measure the response their articles are receiving and provide you with information about their products and services.

    Information Collection and Use

    We require site users to register with Mondaq (and its affiliate sites) to view the free information on the site. We also collect information from our users at several different points on the websites: this is so that we can customise the sites according to individual usage, provide 'session-aware' functionality, and ensure that content is acquired and developed appropriately. This gives us an overall picture of our user profiles, which in turn shows to our Editorial Contributors the type of person they are reaching by posting articles on Mondaq (and its affiliate sites) – meaning more free content for registered users.

    We are only able to provide the material on the Mondaq (and its affiliate sites) site free to site visitors because we can pass on information about the pages that users are viewing and the personal information users provide to us (e.g. email addresses) to reputable contributing firms such as law firms who author those pages. We do not sell or rent information to anyone else other than the authors of those pages, who may change from time to time. Should you wish us not to disclose your details to any of these parties, please tick the box above or tick the box marked "Opt out of Registration Information Disclosure" on the Your Profile page. We and our author organisations may only contact you via email or other means if you allow us to do so. Users can opt out of contact when they register on the site, or send an email to with “no disclosure” in the subject heading

    Mondaq News Alerts

    In order to receive Mondaq News Alerts, users have to complete a separate registration form. This is a personalised service where users choose regions and topics of interest and we send it only to those users who have requested it. Users can stop receiving these Alerts by going to the Mondaq News Alerts page and deselecting all interest areas. In the same way users can amend their personal preferences to add or remove subject areas.


    A cookie is a small text file written to a user’s hard drive that contains an identifying user number. The cookies do not contain any personal information about users. We use the cookie so users do not have to log in every time they use the service and the cookie will automatically expire if you do not visit the Mondaq website (or its affiliate sites) for 12 months. We also use the cookie to personalise a user's experience of the site (for example to show information specific to a user's region). As the Mondaq sites are fully personalised and cookies are essential to its core technology the site will function unpredictably with browsers that do not support cookies - or where cookies are disabled (in these circumstances we advise you to attempt to locate the information you require elsewhere on the web). However if you are concerned about the presence of a Mondaq cookie on your machine you can also choose to expire the cookie immediately (remove it) by selecting the 'Log Off' menu option as the last thing you do when you use the site.

    Some of our business partners may use cookies on our site (for example, advertisers). However, we have no access to or control over these cookies and we are not aware of any at present that do so.

    Log Files

    We use IP addresses to analyse trends, administer the site, track movement, and gather broad demographic information for aggregate use. IP addresses are not linked to personally identifiable information.


    This web site contains links to other sites. Please be aware that Mondaq (or its affiliate sites) are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of these third party sites. This privacy statement applies solely to information collected by this Web site.

    Surveys & Contests

    From time-to-time our site requests information from users via surveys or contests. Participation in these surveys or contests is completely voluntary and the user therefore has a choice whether or not to disclose any information requested. Information requested may include contact information (such as name and delivery address), and demographic information (such as postcode, age level). Contact information will be used to notify the winners and award prizes. Survey information will be used for purposes of monitoring or improving the functionality of the site.


    If a user elects to use our referral service for informing a friend about our site, we ask them for the friend’s name and email address. Mondaq stores this information and may contact the friend to invite them to register with Mondaq, but they will not be contacted more than once. The friend may contact Mondaq to request the removal of this information from our database.


    From time to time Mondaq may send you emails promoting Mondaq services including new services. You may opt out of receiving such emails by clicking below.

    *** If you do not wish to receive any future announcements of services offered by Mondaq you may opt out by clicking here .


    This website takes every reasonable precaution to protect our users’ information. When users submit sensitive information via the website, your information is protected using firewalls and other security technology. If you have any questions about the security at our website, you can send an email to

    Correcting/Updating Personal Information

    If a user’s personally identifiable information changes (such as postcode), or if a user no longer desires our service, we will endeavour to provide a way to correct, update or remove that user’s personal data provided to us. This can usually be done at the “Your Profile” page or by sending an email to

    Notification of Changes

    If we decide to change our Terms & Conditions or Privacy Policy, we will post those changes on our site so our users are always aware of what information we collect, how we use it, and under what circumstances, if any, we disclose it. If at any point we decide to use personally identifiable information in a manner different from that stated at the time it was collected, we will notify users by way of an email. Users will have a choice as to whether or not we use their information in this different manner. We will use information in accordance with the privacy policy under which the information was collected.

    How to contact Mondaq

    You can contact us with comments or queries at

    If for some reason you believe Mondaq Ltd. has not adhered to these principles, please notify us by e-mail at and we will use commercially reasonable efforts to determine and correct the problem promptly.

    By clicking Register you state you have read and agree to our Terms and Conditions