The Landscape Of Protection Of Privacy And Personal Information In British Columbia
The Internet and digital technology have brought an enormous change to the way we communicate and to our capacity to capture, store and retrieve information.
Routinely kept electronic databases render our most personal financial information vulnerable. Sensitive information about our health is similarly available, as are records of the books we have borrowed or bought, the movies we have rented or downloaded, where we have shopped, where we have travelled and the nature of our communications by cellphone, e-mail or text message (Jones v. Tsige, 2012 ONCA 32). In this climate, it is understandable that many people have concerns about their privacy, and the protection of their personal information.
We often receive questions from clients respecting their rights and obligations with respect to private information, both generally and while involved in litigation. This issue can be a complicated one, given the myriad sources of those rights and obligations in BC, and in Canada as a whole.
Rights and obligations respecting privacy in BC are governed by legislation, but there are several pieces of legislation that all play a different role in protecting the privacy rights of the individual and balancing them with rights to information. Several factors determine which laws apply and who oversees them. Among them are:
- the nature of the organization handling the personal information, including whether it is:
- an individual;
- a federal government institution;
- a provincial or territorial government institution;
- an organization in the private sector;
- engaged in commercial activities; or
- a federally regulated business;
- where the organization is based;
- what type of information is involved; and
- whether the information will cross provincial or national borders.
In this paper, we provide an overview of the sources of the right to privacy in BC, the parties governed by each source, and the rights and obligations created by each source, with a focus on obligations on private sector organizations for the protection of personal information. We will also touch on what a party to litigation should expect with respect to his or her privacy rights and the rights of the other parties to litigation to receive information.
Federal Privacy Laws
Canada has two pieces of federal privacy legislation, both of which are enforced by the Office of the Privacy Commissioner of Canada:
- the Privacy Act, which addresses how the federal government is required to handle personal information; and
- the Personal Information Protection and Electronic Documents Act (PIPEDA), which addresses how businesses are required to handle personal information.
The Privacy Act relates to a person’s right to access and correct personal information that the government of Canada holds about him or her. “Personal Information” is defined as any recorded information about an identifiable individual. The Act also applies to the government’s collection, use and disclosure of personal information in the course of providing services such as old age security pensions, employment insurance, border security, federal policing and public safety and tax collection and refunds.
The Privacy Act only applies to federal government institutions listed in the Privacy Act Schedule of Institutions. It applies to all of the personal information that the federal government collects, uses, and discloses.
PIPEDA, on the other hand, applies to how private-sector organizations collect, use, and disclose personal information in the course of for-profit, commercial activities across Canada. It also applies to the personal information of employees of federally-regulated businesses such as banks, airlines and telecommunications companies. Unless the personal information crosses provincial or national borders, PIPEDA does not apply to organizations that operate entirely within BC, because BC has the Personal Information Protection Act, which has been deemed substantially similar to PIPEDA.
Provincial Privacy Laws
BC also has two pieces of legislation that govern an individual’s right to request records and the protection of personal information:
- the Freedom of Information and Protection of Privacy Act (FIPPA), which applies to public bodies such as ministries, crown corporations, local governments, schools, hospitals, local police forces and governing bodies; and
- the Personal Information Protection Act (PIPA), which applies to private organizations like corporations, non-profit societies, and professional associations.
FIPPA and PIPA provide the guidelines public bodies and organizations must follow when handling personal information, including:
- who can collect personal information, how it can be collected, and when and how an individual must be informed of collection;
- the individual’s right to know how and why personal information is being used by an organization or a public body. The general rule is that it must only be used for the same purpose for which it was collected;
- situations in which personal information can be shared. This is only permitted in very particular circumstances and requires lawful authority;
- protection of personal information against unauthorized access. Under this legislation, individuals have the right to know who is responsible for protecting their personal information;
- the individual’s right to ensure that his or her personal information in the possession of organizations and public bodies is correct, and to request a correction.
FIPPA is the privacy legislation for the public sector. It establishes the public’s right to access records, subject to limited exceptions to disclosure. In addition to establishing an individual’s right to access records, FIPPA also sets out the terms under which a public body can collect, use and disclose the personal information of individuals.
Personal information is defined as any recorded information that uniquely identifies an individual, such as name, address, telephone number, age, sex, race, religion, sexual orientation, disability, fingerprints or blood type. It includes information about health care, educational, financial, criminal or employment history. It also includes anyone else’s opinions about an individual and an individual’s own views or opinions.
Public bodies are held accountable for their information practices; FIPPA requires that public bodies protect personal information by making reasonable security arrangements against unauthorized access, collection, use, disclosure or disposal.
PIPA governs privacy in the private sector in BC. PIPA describes how all private sector organizations must handle the personal information of their employees, customers and other members of the public, and includes rules respecting collecting, using and disclosing that personal information.
Personal information means information that can identify an individual (for example, a person’s name, home address, home phone number or ID number). It also means information about an identifiable individual (for example, physical description, educational qualifications or blood type). Personal information includes employee personal information but does not include business contact information or work product information. Personal information need not be “confidential” or “private” in order to fall within the definition of personal information. The fact that information is generally known to the public, available from a public source, or has not been maintained in confidence does not render the information unprotected by PIPA.
PIPA attempts to balance an individual’s right to protect his or her personal information, and an organization’s need to collect, use or disclose personal information for reasonable purposes.
PIPA applies to all organizations and to all personal information held by organizations, unless specifically excluded. Some examples of organizations governed by PIPA include:
- a corporation, including a strata corporation;
- a partnership;
- an association that is not incorporated;
- a co-operative association, including a housing co-op;
- a society,
- a church or other religious organization;
- a charity; and
- a sports club.
An organization does not include a person who is acting in a personal or domestic way, for purposes related solely to family or home activities.
Organizations should consider the following principles when developing secure information practices:
- limit the collection of personal information to that which is necessary and reasonable for the organization’s purposes, and identify those purposes to the individual before the information is collected;
- only collect, use or disclose personal information if it is reasonable, having regard to the sensitivity of the personal information in the circumstances;
- collect all personal information fairly and lawfully with consent from the individual;
- collect all personal information directly from the individual, unless consent is obtained from the individual for another source to provide the required information;
- do not disclose personal information unless it is for a reasonable purpose, and with the consent of the individual. Organizations may disclose personal information without consent in only limited and specific circumstances.
The Office of the Information and Privacy Commissioner
The Office of the Information and Privacy Commissioner for British Columbia (OIPC) oversees the enforcement of PIPA and FIPPA, and generally oversees the application and enforcement of BC’s information and privacy laws. Individuals may complain to OIPC if they believe that an entity has not met its obligations under PIPA or FIPPA with respect to their personal information. The Commissioner has the power to:
- make legally binding orders;
- investigate and attempt to resolve complaints regarding the collection, use, and disclosure of personal information by organizations;
- initiate investigations if the Commissioner is satisfied that there are reasonable grounds to believe an organization is not complying with PIPA or FIPPA;
- require an organization to produce documents;
- if the Commissioner is satisfied that there are reasonable grounds to believe that an organization is not complying with PIPA or FIPPA, initiate investigations and audits to ensure compliance;
- require that a duty imposed by PIPA or FIPPA be performed; and
- require an entity to destroy personal information collected in contravention of PIPA or FIPPA.
When an individual initiates a complaint, OIPC will generally require the individual to first try to find a solution directly with the organization without OIPC involvement. If OIPC accepts an individual’s complaint, an OIPC investigator will attempt to mediate a settlement. Under limited circumstances, OIPC may hold a formal inquiry if a complaint does not settle.
If an organization is given an order by the Commissioner, it must comply with the order within 30 days unless an application for judicial review of the order is brought before the expiration of the 30 days. Failure to comply with an order of the Commissioner will constitute an offence under PIPA and is punishable by a fine of up to $10,000.00 for individuals and $100,000.00 for organizations. If the Commissioner makes an order against an organization, or the organization is convicted of an offence under PIPA in respect of a breach of obligations, an individual affected by the order is entitled to bring a claim against the organization for damages for “actual harm” that the individual suffered as a result of the breach.
Tort of Invasion of Privacy
In BC, no common law action for breach of privacy exists. Legislation has been enacted in five provinces, making it a “tort, actionable without proof of damage, for a person, willfully and without a claim of right, to violate the privacy of another.” In BC, this is found in section 1 of the Privacy Act, RSBC 1996, c 373. The Privacy Act covers disputes between private citizens and is not overseen by OIPC.
The most obvious question arising from this legislation is, what constitutes a violation of privacy? The Act merely states that the nature and degree of privacy to which a person is entitled is that which is reasonable in the circumstances, giving due regard to the lawful interests of others. In determining whether the act or conduct of a person is a violation of another’s privacy, regard must be given to the nature, incidence and occasion of the act or conduct and to any domestic or other relationship between the parties. The Act gives the examples of eavesdropping and surveillance as potential violations of privacy. Courts have also found it to be a violation of privacy, under the Act, to steal another person’s private communications and publish them or provide them to a third party (Nesbitt v. Neufeld, 2010 BCSC 1605).
The Act also makes it a tort, actionable without proof of damage, for a person to use the name or portrait of another for the purpose of advertising or promoting the sale of or trade in property or services, unless that other person consents to the use for that purpose.
Privacy in Litigation
The rights to privacy of parties to litigation are somewhat truncated in order to facilitate the parties’ rights to information and the administration of justice. Defendants, particularly those sued in a professional capacity, are often disturbed to know that pleadings filed in court are part of the public record and are accessible to anyone who chooses to look for them. Personal information in court documents or documents created by judges and the courts are not covered by PIPA. Anyone can attend open court, as well.
Parties to legal proceedings have a right to access certain information by law. PIPA does not change that right and does not affect solicitor-client privilege. For example, production of relevant documents in litigation is required by all parties, despite the fact that documentation might have private or personal information in it. Text messages, social media posts and emails are all producible. Parties are required to answer questions put to them at examinations for discovery respecting matters at issue in the litigation, a scope that can be quite wide. Parties can also be compelled to provide names and contact information for witnesses, regardless of how that witness might feel about his or her identity and contact information being shared. Fortunately, information shared for the purposes of litigation may not be used for any other purpose.
There are steps that can be taken in litigation in order to protect an individual’s privacy, such as sealing orders and special document agreements, but litigants should be aware that, in the course of litigation, they may be required to share information they would rather keep secret.
The landscape of legislation governing privacy in BC can be confusing, but several trends emerge. While individuals should expect that both government and private entities require some personal information from them in order to carry out their intended purposes, individuals should also be able to expect that information to be treated with respect and care. Similarly, in all areas of privacy legislation, people and organizations are expected to act reasonably in their dealings, including in how they obtain, store, and share information about each other.
Finally, while the requirements to exchange documents and information that form part of litigation can be necessarily intrusive for litigants, there are procedures in place to protect particularly sensitive people and information, and strict rules respecting the use of information produced for litigation purposes.
It may be some relief to know that, while information is easier to exchange now than ever before, there are mechanisms in place in BC to protect it.
This paper provides only a brief overview of this area of law. For more information respecting privacy rights and obligations in BC, please contact one of our lawyers.