The British Columbia Court of Appeal has confirmed the grounds for imposing vicarious liability on an employer as a result of a rogue employee’s breach of privacy.
The Supreme Court of BC in Ari v. Insurance Corporation of British Columbia (ICBC) had previously found ICBC was vicariously liable for its employee’s unlawful disclosure of ICBC’s customer information. (The link to our post on this decision can be found here.) ICBC appealed the decision of the BC Court arguing that the judge erred in concluding that the customer information was private, in imposing vicarious liability, and in finding that general damages could be determined on a class basis.
In dismissing the appeal, the Court canvassed recent case law on the interpretation of personal information and the reasonable expectation of privacy in the context of privacy class actions. The decision provides confirmation of the takeaways from our previous post and provides further insight for organizations.
Key Takeaways
- Organizations should review and update their data privacy protection policies that are in force both internally and externally. Organizations’ policies can dictate an employee or customer’s reasonable expectation to privacy, which the Court considered in finding a breach of privacy.
- Organizations are responsible for safeguarding the personal information collected and stored within their control. Organizations should implement practices such as limiting data access to employees, employee screening and privacy training for employees to demonstrate compliance with these responsibilities in the event of a breach.
- Organizations can be held responsible for their employee’s privacy violation even if such contraventions were not specifically foreseeable by the organization. Organizations should monitor employees’ access to personal information and enforce standardized disciplinary penalties for employees’ privacy breaches.
- Organizations may be held liable in a class proceeding without proof of individualized damages for breach of the statutory right to privacy under the Privacy Act.[1]
Facts
An employee of ICBC disclosed the personal information of ICBC customers, including their residential addresses, to criminals who targeted some customers’ houses and vehicles in arson and shooting attacks. A class action was brought in the BC Court. In the summary trial, the judge decided that the employee had breached the class members’ privacy under the Privacy Act, by accessing their personal information willfully and without a claim of right. The judge also found ICBC vicariously liable for its employee’s privacy violation as ICBC had created the foreseeable risk of wrongdoing.
Personal Information & Reasonable Expectation of Privacy
ICBC argued that the customer information accessed was contact information that individuals regularly provide to others and was not private. ICBC further argued that the judge did not properly consider the reasonable expectation of privacy under the Privacy Act to find a breach of privacy.
The Court of Appeal found that the trial judge had correctly considered ICBC’s own policies and conduct in determining what was personal information and what the reasonable expectations of their customers were. ICBC’s internal policies excluded residential addresses of customers from the definition of business contact information. Their policies also emphasized the employees’ responsibilities in protecting the customers’ personal information from unlawful disclosure. The judge had also considered ICBC’s evidence where they indicated that there was a privacy breach in their press release, notification to the affected customers and the reasons for terminating the employee. The Court of Appeal stated that these factors were correctly considered as part of the entire context to determine the breach of privacy.
Vicarious Liability
ICBC argued that vicarious liability was unfounded as ICBC only provided the mere opportunity for the employee to access the information and the judge should have considered other factors including policy reasons against imposing vicarious liability.
The Court of Appeal reiterated the test of vicarious liability as laid out in Bazley v Curry[2]: An employer is vicariously liable for (1) employee acts authorized by the employer; or (2) unauthorized acts so connected with authorized acts that they may be regarded as modes (albeit improper modes) of doing an authorized act.
In determining vicarious liability for an employee’s unauthorized act, the Court will consider:
- Whether liability should lie against the employer; and
- Whether the wrongful act is sufficiently related to conduct authorized by the employer to justify the imposition of vicarious liability.
The Court of Appeal agreed with the trial judge that the employee’s disclosure of ICBC’s customer information was directly connected to her employment and the employer’s entrusted duties had caused a material increase in the risk of the wrongdoing. The Court of Appeal provided that in this case the employee’s position and the fact that she specifically had access to database was akin to the employee who was put responsible for the care of the children and sexually assaulted the children in Bazley. An employer’s decision to grant specific duties and responsibilities on an employee can be consequential in the finding of vicarious liability.
Furthermore, there is no need for the employer to foresee the specific wrong that occurs for vicarious liability to be imposed. It was sufficient in this case that ICBC knew that the information available to the employee was vulnerable to abuse. ICBC did not need to know that the employee would sell the information to individuals with criminal motives.
Class Action Aggregated General Damages
ICBC argued that the judge erred in its conclusion that the class members were entitled to general damages on a class-wide basis without individual proof of damages. ICBC provided that section 29 of the Class Proceedings Act[3] requires proof by individual class members and section 1 of the Privacy Act requires the circumstances of an individual’s breach of privacy and the context of the wrongful act to be considered.
The Court of Appeal found that the Privacy Act does not limit the Class Proceedings Act’s ability to grant aggregate awards based on non-individualized evidence shown by the plaintiff. The violation of privacy under the Privacy Act can be determined on a class-wide basis and so can general damages for breach of privacy. As to the differences across the class, the Court of Appeal stated that the trial judge had correctly made the assessment of the aggregate general damages based on the lowest-common denominator circumstances of the class, which was the violation of privacy. Finally, the Court of Appeal agreed with the trial judge’s decision to allow subclass members to prove additional damages on an individual basis at the later phase of the trial which aligned with the requirements under the Class Proceedings Act.
For more information on privacy policies and breaches, please reach out to Kelly Osaka and Melika Mostowfi.
[1] R.S.B.C. 1996, c. 373.
[2] 1999 CanLII 692 (SCC), [1999] 2 SCR 534, at para 10.
[3] RSBC 1996, c 50.