Public Sector Privacy Breaches: should British Columbians have a cause of action for damages under the Freedom of Information and Protection of Privacy Act?

• Author: Naomi J. Krueger
• Pages: 149-164

APPEALVOLUME 23

n

149

ARTICLE

PUBLIC SECTOR PRIVACY BREACHES:

SHOULD BRITISH COLUMBIANS HAVE A

CAUSE OF ACTION FOR DAMAGES UNDER

THE FREEDOM OF INFORMATION AND

PROTECTION OF PRIVACY ACT?

Naomi J. Krueger

CITED: (2018) 23 Appeal 149

INTRODUCTION

e provincial government (“Province”) is oblig ated to protect the personal information

it collects from British Columbians, though sometimes it fails to fulll that obligation.

Recent failures include privacy breaches at the Ministry of Health and Ministry of

Education. In June 2013, there were three unauthoriz ed data disclosures at the Minist ry

of Health. Following those bre aches Elizabeth Den ham, then the Information and Privac y

Commissioner for British Columbia (“Commissioner”), released an investigation report

highlighting signicant deciencies in the Ministry of Health’s privacy and security

safeguards for personal information.

1

In September 2015, the Ministry of Education

reported the loss of an unencrypted hard drive containing the personal information of

millions of students and te achers from British Columbia and Yukon.2 After investigating

the loss, the Commis sioner determined that several Min istry of Education employees had

violated the privacy and security safeguards aimed at preventing the unauthorized use,

access, and disclosure of private records.3 rough those failures, the Province exposed

millions of British Columbia ns (and Yukoners) to risk, including the risk s of identity theft

and loss of reputation—and t he mental distress and economic losses t hat can accompany

those risk s.

In this paper, I argue t hat the Province’s obligation to make reasonable sec urity arrangements

against unauthorized access, collection, use, and disclosure of personal information

1 British Columbia, Oce of the I nformation and Privacy Commissio ner, Investigation Report

F13-02: M inistry of Health, 2013 BCIPC No 14 [Investigation Report:Ministry of Health]. Th e Oce

of the Information and Priva cy Commissioner for British Columbi a was established in 1993 to

oversee and enforce British Co lumbia’s privacy laws. The Commission er is tasked with, among

other things, investigating rep orted privacy breache s. After investigating a privac y breach, the

Commissioner may choose to publ ish an investigation report set ting out any ndings of law

or recommendations for rem edying a breach or complaint or to prevent f uture breaches: for

moreabout the OIPC, se e Oce of the Information and Privac y Commissioner, “Home”, online:

archived at .

2 Oce of the Information and Pr ivacy Commissioner, News Release, “St atement from BC

Information and Privacy Commissioner regarding a Ministry of Education Privacy breach”

(22September 2015).

3 British Columbia, Oce of the I nformation and Privacy Commissio ner, Investigation Report

F16-01: Ministry of Education, 2016 BCIPC No 5 at 4 [Investigation Report: Ministry o f Education].

150

n

APPEALVOLUME 23

pursuant to the Freed om of Information and Protection of Privacy Act (“FIPPA”)

4

is of limited

value to British Columbians a s the statute prohibits actions agains t the Province for good

faith disclosu res. In particular, I suggest t hat British Columbians should have access to a

cause of action in da mages to recover losses arising f rom privacy breaches by the Province.

5

In Part I of this paper, I look at the scope of the Provi nce’s obligation to protect the personal

information of British Columbian s. en, to illustrate the lack of remedies ava ilable under

FIPPA, I compare it s provisions with the cause of ac tion for damages under the Personal

Information Protection Act (“PIPA”).6 I then consider the Commissioner’s ndings as to

the nature of the breaches at t he Ministry of Health and Minis try of Education and her

ndings about the ma nner in which the breaches occurred.

I also consider whether the Pr ivacy Act would provide a cause of action aga inst the Province

for British Columbians har med by the unauthorized disclosures i n those circumstances,7

though I conclude that bec ause the Privacy Act only gives rise to da mages for intentional

conduct, the Province would likely not be liable for the privacy breaches in the absence

of evidence they were intentional (with in the meaning of the Privacy Act).

In Part II, I argue FIPPA should be amended to include a cause of action for damages,

even if only to provide access to nominal damages for British Columbians harmed by

privacy breaches. Such a n amendment is necessary to recogniz e the scope of risk British

Columbians take when t hey provide personal information to the Province. To illustrate

the risk taken, I give a n overview of the type of da mages claimed in private law ca ses where

privacy breaches similar to those at the Ministry of Health and Ministry of Education

have occurred. W hile some Courts have maintai ned that emotional distress is more tha n

an inconvenience in certain circumstances, others have applied Mustapha v Culligan of

Canada Ltd

8

to narrow the scope of compensable losses for breach of privac y. Accordingly,

I argue that un authorized acce ss and disclosure under FIPPA shou ld be actionable per se

to allow plainti s to recover nominal damages.

Lastly, in Part III, I ar gue British Columbians should be able to seek da mages in negligence

from the Province when they suer actual harm because of the Province’s negligent

protection of personal information. I rely on the Commissioner’s ndings with respect

to the Ministr y of Health and Ministry of Educ ation breaches to argue that the Province

breached a private law duty of care owed to Brit ish Columbians when it failed to supervi se

and enforce the protection of persona l information at those Ministries.

4 Freedom of Information and Protection of Privacy Act, RSBC 1996, c 165 [FIPPA].

5 In this paper, I focus exclusively on wh ether British Columbians should be ab le to claim damages

from the Province for what I argue is n egligent conduct in relation to pe rsonal information. I do

not address any possible claims fo r breach of contract or breach of ducia ry duty.

6 Personal Information Protection Act, SBC 2003, c 63 [PIPA]. Among other things, PI PA regulates the

collection and use of personal information in the private sector.

7 Privacy Act, R SBC 1996, c 373 [Privacy Act]. My analysis is limite d in the sense that it is based solely

on the facts available i n the investigation reports; however, the Commiss ioner’s ndings would

likely be persuasive in the conte xt of litigation given her authori ty to determine all questions of

fact and law pursuant to sec tion 56 of FIPPA.

8 Mustapha v Culligan of Canada Ltd, 2008 SCC 27 [Mustapha]. In Mustap ha, the plainti claimed

damages for a psychiatric injur y, which he said was the result of having found a  y in a water

bottle delivered to him by th e defendant. Chief Justice McLac hlin, for the Court, held that the

plainti’s psychiatric injur y was not compensable under the ne gligence analysis because a

reasonable person wou ld not have suered the type of injur y he suered as a result of the

alleged breach of the dut y of care. In cases where a person’s psych iatric injuries do not ow from

a physical injury, the alleged inj ury must be a reasonably fores eeable result of the conduct or

negligence at issue.