Public Sector Privacy Breaches: should British Columbians have a cause of action for damages under the Freedom of Information and Protection of Privacy Act?

AuthorNaomi J. Krueger
Naomi J. Krueger
CITED: (2018) 23 Appeal 149
e provincial government (“Province”) is oblig ated to protect the personal information
it collects from British Columbia ns, though sometimes it fails to fulll that obligation.
Recent failures include privacy breaches at the Mini stry of Health and Mi nistry of
Education. In June 2013, there were three unauthoriz ed data disclosures at the Minist ry
of Health. Following those bre aches Elizabeth Den ham, then the Information and Privac y
Commissioner for British Columbia (“Commis sioner”), released an investigation report
highlighti ng signicant deciencies i n the Ministry of Hea lth’s privacy and securit y
safeguard s for personal information.
In September 2015, the Ministry of Education
reported the loss of an unencr ypted hard drive contai ning the personal information of
millions of students and te achers from British Columbia and Yukon.2 After investigating
the loss, the Commis sioner determined that several Min istry of Education employees had
violated the privacy and security safeguards aimed at preventing t he unauthorized use,
access, and disclosure of private records.3 roug h those failures, the Prov ince expos ed
millions of British Columbia ns (and Yukoners) to risk, including the risk s of identity theft
and loss of reputation—and t he mental distress and economic losses t hat can accompany
those risk s.
In this paper, I argue t hat the Province’s obligation to make reasonable sec urity arrangements
against un authorized access, c ollection, use, and disclosure of personal information
1 British Columbia, Oce of the I nformation and Privacy Commissio ner, Investigation Report
F13- 02: M inistry of Health, 2013 BCIPC No 14 [Investigation Report: Ministry of Health]. Th e Oce
of the Information and Priva cy Commissioner for British Columbi a was established in 1993 to
oversee and enforce British Co lumbia’s privacy laws. The Commission er is tasked with, among
other things, investigating rep orted privacy breache s. After investigating a privac y breach, the
Commissioner may choose to publ ish an investigation report set ting out any ndings of law
or recommendations for rem edying a breach or complaint or to prevent f uture breaches: for
moreabout the OIPC, se e Oce of the Information and Privac y Commissioner, “Home”, online:
archived at .
2 Oce of the Information and Pr ivacy Commissioner, News Release, “St atement from BC
Information and Privacy Commissioner regarding a Ministry of Education Privacy breach”
(22September 2015).
3 British Columbia, Oce of the I nformation and Privacy Commissio ner, Investigation Report
F16-01: Ministry of Education, 2016 BCIPC No 5 at 4 [Investigation Report: Ministry o f Education].
pursuant to the Freed om of Information and Protection of Privacy Act (“FIPPA ”)
is of limited
value to British Columbians a s the statute prohibits actions agains t the Province for good
faith disclosu res. In particular, I suggest t hat British Columbians should have access to a
cause of action in da mages to recover losses arising f rom privacy breaches by the Province.
In Part I of this paper, I look at the scope of the Provi nce’s obligation to protect the personal
information of British Columbian s. en, to illustrate the lack of remedies ava ilable under
FIPPA, I compare it s provisions with the cause of ac tion for damages under the Personal
Information Protection Act (“PIPA”).6 I then consider the Commissioner’s ndings as to
the nature of the breaches at t he Ministry of Health and Minis try of Education and her
ndings about the ma nner in which the breaches occurred.
I also consider whether the Pr ivacy Act would provide a cause of action aga inst the Province
for British Columbians har med by the unauthorized disclosures i n those circumstances,7
though I conclude that bec ause the Privacy Act only gives rise to da mages for intentional
conduct, the Province would likely not be l iable for the privacy breaches in the ab sence
of evidence they were intentional (with in the meaning of the Privacy Act).
In Part II, I argue F IPPA should be amended to include a cau se of action for damages,
even if only to provide access to nominal damages for British Columbians harmed by
privacy breaches. Such a n amendment is necessary to recogniz e the scope of risk British
Columbians take when t hey provide personal information to the Province. To illustrate
the risk taken, I give a n overview of the type of da mages claimed in private law ca ses where
privacy breaches simi lar to those at the Mini stry of Health and Mi nistry of Education
have occurred. W hile some Courts have maintai ned that emotional distress is more tha n
an inconvenience in certain circumsta nces, others have applied Mustapha v Culligan of
Canada Ltd
to narrow the scope of compensable losses for breach of privac y. Accordingly,
I argue that un authorized acce ss and disclosure under FIPPA shou ld be actionable per se
to allow plainti s to recover nominal damages.
Lastly, in Part III, I ar gue British Columbians should be able to seek da mages in negligence
from the Province when they suer actual harm be cause of the Province’s negligent
protection of personal informat ion. I rely on the Commissioner’s ndings with respec t
to the Ministr y of Health and Ministry of Educ ation breaches to argue that the Province
breached a private law duty of care owed to Brit ish Columbians when it failed to supervi se
and enforce the protection of persona l information at those Ministries.
4 Freedom of Information and Protection of Privacy Act, RSBC 1996, c 165 [FIPPA].
5 In this paper, I focus exclusively on wh ether British Columbians should be ab le to claim damages
from the Province for what I argue is n egligent conduct in relation to pe rsonal information. I do
not address any possible claims fo r breach of contract or breach of ducia ry duty.
6 Personal Information Protection Act, SBC 2003, c 63 [PI PA]. Among other things, PI PA regulates the
collection and use of personal information in the private sector.
7 Privacy Act, R SBC 1996, c 373 [Privacy Act]. My analysis is limite d in the sense that it is based solely
on the facts available i n the investigation reports; however, the Commiss ioner’s ndings would
likely be persuasive in the conte xt of litigation given her authori ty to determine all questions of
fact and law pursuant to sec tion 56 of FIPPA.
8 Mustapha v Culligan of Canada Ltd, 2008 SCC 27 [Mustapha]. In Mustap ha, the plainti claimed
damages for a psychiatric injur y, which he said was the result of having found a  y in a water
bottle delivered to him by th e defendant. Chief Justice McLac hlin, for the Court, held that the
plainti’s psychiatric injur y was not compensable under the ne gligence analysis because a
reasonable person wou ld not have suered the type of injur y he suered as a result of the
alleged breach of the dut y of care. In cases where a person’s psych iatric injuries do not ow from
a physical injury, the alleged inj ury must be a reasonably fores eeable result of the conduct or
negligence at issue.

To continue reading

Request your trial

VLEX uses login cookies to provide you with a better browsing experience. If you click on 'Accept' or continue browsing this site we consider that you accept our cookie policy. ACCEPT