Prison facing $7.5-million privacy lawsuit (Legal view)

Case shines light on the consequences of not protecting employees’ personal information

Colin Gibson
Most Canadian employers are aware they need to put reasonable security arrangements in place to prevent unauthorized access to employee personal information in their custody or control. But what happens if these arrangements are insufficient or if an employer ignores or neglects its obligations? A recent decision by the Ontario Court of Appeal suggests employers who don’t safeguard personal information may face more than a slap on the wrist from the privacy commissioner and could end up on the wrong end of a significant damage award.

The Ontario case, Jackson v. Canada (Attorney General), arose out of a flood at the Joyceville penitentiary in Kingston, Ont. Prison inmates were assigned to clean up the administration offices after the flood. While cleaning an office in the HR department, the inmates found, in an unlocked filing cabinet, a list containing the names and home addresses of the prison’s employees. The list circulated among the prison population for several months and, when it was finally recovered, several of the names and addresses had been highlighted.

The plaintiffs, a prison guard and the wife of another guard, commenced a $7.5-million class-action lawsuit on behalf of roughly 400 to 600 of their fellow employees and spouses, claiming they had suffered “stress, anxiety and worry” after learning inmates knew where they lived. The plaintiffs framed their claims in negligence, breach of statutory duty, breach of privacy, breach of fiduciary duty, and breach of their right to life, liberty and security under section 7 of the Charter of Rights and Freedoms.

The Jackson case has not yet been certified as a class action. The decisions issued to date have concerned the employer’s attempt to have the claims thrown out in advance of trial on the argument that there is no reasonable cause of action. The most interesting product of this preliminary wrangling is a clear indication of the court’s willingness to entertain various and unique claims for damages based on invasion of privacy.

In a June 2005 decision, Justice Charbonneau of the Ontario Superior Court recognized that a claim based on a breach of the right to privacy and the protection of personal information was a novel cause of action. However, he allowed this aspect of the claim to proceed, commenting that privacy rights are “presently undergoing rapid evolution in the law of torts,” and bringing this claim to trial would provide an opportunity for the “useful evolution in the law.”

Justice Charbonneau also found the plaintiffs had pleaded facts that could establish the elements of a duty of care, a breach of that duty and damages sufficient to ground a claim in negligence. However, he dismissed the claims based on an alleged breach of statutory duty, fiduciary duty and the plaintiffs’ charter rights. The plaintiffs appealed this decision, although they did not pursue their claim based on breach of statutory duty.

The Court of Appeal preferred to leave to trial questions concerning the existence and alleged breach of a fiduciary duty, and the alleged breach of the plaintiffs’ charter rights. Accordingly, the claims based on these grounds were restored. In this respect, the court noted the fiduciary concept is a flexible one and, in the right circumstances, a fiduciary relationship could be established based on employees’ reasonable expectation that their employer would act in their best interests in collecting, storing and safeguarding personal information.

The Court of Appeal in Jackson noted that the law on section 7 of the charter is also evolving. It concluded the question of whether or not the unauthorized disclosure of employees’ telephone numbers and addresses could engage the plaintiffs’ section 7 rights was also a matter best left for trial.

The Court of Appeal’s ruling should provide a wake-up call for employers, as it shows that failing to properly safeguard employee data could lead to liability based on grounds never before contemplated by the courts. Privacy rights are continuing to evolve in Canada, and a willingness on the part of the judiciary to be both creative and aggressive in this area may translate into hefty price tags for unsuspecting employers. At a minimum, employers have been put on notice that Canadian courts are prepared, if not eager, to entertain lawsuits that push the boundaries of privacy rights.

What can employers do to reduce potential liability in this area? The key is to make sure effective security measures are in place to protect employee data by preventing unauthorized access, collection, use, disclosure, copying, modification, disposal or similar risks. These measures include:

• designating someone within the organization to be responsible for privacy and confidential employee information issues;

• conducting a privacy audit, with questions on the nature of the employee information that is collected and stored, how sensitive it is, where it is stored, who might have access to it and how it is protected;

• developing an effective privacy policy that includes specific security requirements;

• training personnel on appropriate security procedures and the importance of safeguarding personal information;

• using appropriate safeguards to protect the security of employee personal information, including physical measures (such as alarm systems, secure locks, access card systems, locked filing cabinets and file rooms and paper shredders), and organizational controls such as security training, access limitations and confidentiality agreements;

• for information that is stored electronically, identifying potential vulnerabilities and then putting the necessary protective measures into place (such as monitor positioning, screensavers, passwords, encryption devices, firewalls, anti-virus software, anti-hacking tools and hard drive erasure); and

• reviewing and updating security measures on a regular basis.

Colin G.M. Gibson is a partner with Harris & Company in Vancouver. He can be reached at [email protected] or (604) 891-2212.


Privacy Breach
Employee files found at auction

Statistics Canada spent months reassuring Canadians that personal information would be treated with the utmost confidentiality but, early this month, 75 census workers discovered their own data had been found in a file cabinet at an Edmonton auction. The records of these employees in the Prairies included their names, social insurance numbers and earnings. The head of the auction house told the press he receives used government furniture by the truckloads and, occasionally, there are files. Statistics Canada said it intends to apologize to everyone named in the files. The federal privacy commissioner is also investigating.