APPEAL VOLUME 23
pursuant to the Freed om of Information and Protection of Privacy Act (“FIPPA ”)
is of limited
value to British Columbians a s the statute prohibits actions agains t the Province for good
faith disclosu res. In particular, I suggest t hat British Columbians should have access to a
cause of action in da mages to recover losses arising f rom privacy breaches by the Province.
In Part I of this paper, I look at the scope of the Provi nce’s obligation to protect the personal
information of British Columbian s. en, to illustrate the lack of remedies ava ilable under
FIPPA, I compare it s provisions with the cause of ac tion for damages under the Personal
Information Protection Act (“PIPA”).6 I then consider the Commissioner’s ndings as to
the nature of the breaches at t he Ministry of Health and Minis try of Education and her
ndings about the ma nner in which the breaches occurred.
I also consider whether the Pr ivacy Act would provide a cause of action aga inst the Province
for British Columbians har med by the unauthorized disclosures i n those circumstances,7
though I conclude that bec ause the Privacy Act only gives rise to da mages for intentional
conduct, the Province would likely not be l iable for the privacy breaches in the ab sence
of evidence they were intentional (with in the meaning of the Privacy Act).
In Part II, I argue F IPPA should be amended to include a cau se of action for damages,
even if only to provide access to nominal damages for British Columbians harmed by
privacy breaches. Such a n amendment is necessary to recogniz e the scope of risk British
Columbians take when t hey provide personal information to the Province. To illustrate
the risk taken, I give a n overview of the type of da mages claimed in private law ca ses where
privacy breaches simi lar to those at the Mini stry of Health and Mi nistry of Education
have occurred. W hile some Courts have maintai ned that emotional distress is more tha n
an inconvenience in certain circumsta nces, others have applied Mustapha v Culligan of
to narrow the scope of compensable losses for breach of privac y. Accordingly,
I argue that un authorized acce ss and disclosure under FIPPA shou ld be actionable per se
to allow plainti s to recover nominal damages.
Lastly, in Part III, I ar gue British Columbians should be able to seek da mages in negligence
from the Province when they suer actual harm be cause of the Province’s negligent
protection of personal informat ion. I rely on the Commissioner’s ndings with respec t
to the Ministr y of Health and Ministry of Educ ation breaches to argue that the Province
breached a private law duty of care owed to Brit ish Columbians when it failed to supervi se
and enforce the protection of persona l information at those Ministries.
4 Freedom of Information and Protection of Privacy Act, RSBC 1996, c 165 [FIPPA].
5 In this paper, I focus exclusively on wh ether British Columbians should be ab le to claim damages
from the Province for what I argue is n egligent conduct in relation to pe rsonal information. I do
not address any possible claims fo r breach of contract or breach of ducia ry duty.
6 Personal Information Protection Act, SBC 2003, c 63 [PI PA]. Among other things, PI PA regulates the
collection and use of personal information in the private sector.
7 Privacy Act, R SBC 1996, c 373 [Privacy Act]. My analysis is limite d in the sense that it is based solely
on the facts available i n the investigation reports; however, the Commiss ioner’s ndings would
likely be persuasive in the conte xt of litigation given her authori ty to determine all questions of
fact and law pursuant to sec tion 56 of FIPPA.
8 Mustapha v Culligan of Canada Ltd
, 2008 SCC 27
[Mustapha]. In Mustap ha, the plainti claimed
damages for a psychiatric injur y, which he said was the result of having found a y in a water
bottle delivered to him by th e defendant. Chief Justice McLac hlin, for the Court, held that the
plainti’s psychiatric injur y was not compensable under the ne gligence analysis because a
reasonable person wou ld not have suered the type of injur y he suered as a result of the
alleged breach of the dut y of care. In cases where a person’s psych iatric injuries do not ow from
a physical injury, the alleged inj ury must be a reasonably fores eeable result of the conduct or
negligence at issue.