Privacy Breaches Can Be a One-Two Punch for Employers: Arbitrator Awards Damages for Employee Credit Checks that Breached Privacy Legislation
Twenty-six employees of the Alberta Justice and Attorney General’s Maintenance Enforcement Program (“MEP”) were each awarded $1250.00 in damages each after a Peace Officer carrying out a workplace investigation used their personal information to conduct an Equifax credit check without their knowledge or consent (the “AUPE Arbitration”)1.
The MEP has legislative authority to collect and enforce child and spousal support payments. In accordance with its mandate, the MEP has an arrangement with Equifax enabling it to access the Equifax database. Upon discovering that fraudulent MEP cheques were being issued, the Special Investigation Unit (the “SIU”) of the MEP conducted an internal investigation in order to ascertain whether any of its employees were involved with alleged fraud. As part of the investigation, the MEP decided to conduct a credit report on employees working in certain units, based on the assumption that employees who were experiencing financial difficulties may have motive to engage in fraudulent activity. A Peace Officer who was part of the SIU team used the employees’ names, dates of births and Social Insurance Numbers to access the Equifax database. The search performed was a “soft inquiry,” which means that only the employees could see that Alberta Justice had accessed their respective credit files: the search was not otherwise disclosed to lenders or third parties.
Investigation of the Office of the Information and Privacy Commissioner
Upon learning about the Equifax searches, the employees filed 25 separate complaints with the Alberta Office of the Information and Privacy Commissioner (“OIPC”), which were addressed through one Investigation Report. 2 Alberta Justice conceded that the searches were improper and that they contravened the provisions of the Freedom of Information and Protection of Privacy Act (“FOIP”). The Deputy Minister sent each affected employee a letter of apology, and offered to reimburse employees for any expenses arising from the improper credit checks. The OIPC Investigation Report concluded that the credit reports were not disclosed outside the MEP, and acknowledged the employer’s efforts to remedy the situation, which included ensuring more secure access to employee personnel records, conducting FOIP training for MEP staff, and destroying the records resulting from the unauthorized credit checks. The OIPC made no further recommendations for the employer to remedy the situation, and an Inquiry was not recommended because FOIP did not offer any “practical remedy” to the complainants.
However, the matter did not end there. Upon conclusion of the OIPC Investigation, the Alberta Union of Provincial Employees (the “AUPE”) brought a grievance seeking damages to compensate the employees whose privacy had been breached by the improper credit checks. The AUPE claimed that the unauthorized credit checks caused the grievers emotional distress and anxiety, and created a work environment permeated by distrust and suspicion. Recognizing that labour arbitrators have the ability to craft flexible remedies and to award damages, Arbitrator Sims relied on the Ontario Court of Appeal’s decision in Jones v. Tsige to award damages to each employee in the amount of $1250.00. As Field Law reported in a previous publication3, the Jones decision recognized the tort of intrusion upon seclusion, which is committed when an individual’s privacy is intentionally invaded by another without lawful justification, and in a way that would cause distress, humiliation or anguish to a reasonable person.
Implications for Employers
The AUPE Arbitration should catch the attention of employers for three reasons. First, despite the fact that the courts in Alberta have not yet formally recognized the existence of a tort for invasion of privacy, the AUPE Arbitration suggests that arbitrators will nevertheless apply the principles articulated in Jones when awarding damages for a breach of privacy. In finding that the MEP’s conduct was “considerably less egregious” than the conduct in Jones, in which one employee wrongfully accessed another employee’s bank records 174 times, Arbitrator Sims emphasized that a modest damage award was appropriate. The lack of outside disclosure, and the swift and effective action taken by the MEP to address the situation also resulted in modest damages. Nevertheless, Arbitrator Sims found that it was appropriate to award some damages in order to recognize that the MEP’s actions had an adverse impact on the employees’ sense of security and well-being.
Second, the AUPE Arbitration could create a “one-two punch” for employers whereby a finding by the OIPC of a breach of privacy legislation may then be used as the basis for subsequent legal proceedings in which the employees seek monetary damages arising from the breach. As the OIPC Investigation report concluded in this matter, there was no “practical remedy” available to the complainants under the OIPC process as the Privacy Commissioner does not have the jurisdiction to order damages under FOIP or the Personal Information Protection Act (“PIPA”) which applies to private organizations. The AUPE Arbitration therefore paves the way for additional legal proceedings in the form of grievances, lawsuits, or damages awards under s. 60 of PIPA, in which the principles of Jones will likely be applied.
Third, the AUPE Arbitration raises alarming implications for employers conducting internal workplace investigations. Whereas Jones involved the improper access of an employee’s personal banking information by another employee acting for personal reasons and entirely outside the scope of her work duties, in the AUPE Arbitration, the Peace Officer was acting on behalf of the employer by carrying out an investigation into possible fraud. As such, the damages here were awarded against the MEP and not the individual employee. Consequently, this demonstrates that the stakes just got higher for employers trying to find a balance between effectively managing their workplace by conducting necessary investigations and respecting their employees’ privacy interests. Field Law’s Privacy Group can help employers navigate the increasingly complex privacy law issues that arise in the workplace.
1 Alberta and Alberta Union of Provincial Employees (Privacy Rights Grievance),  A.G.A.A. No. 23 (QL).
2 See: F2010-IR-001.
3. Winter 2012 Privacy Press