Privacy Torts + Vicarious Liability: What Can Organizations Do?
Over the last two decades, we have slowly realized that our personal information is not nearly as personal or private as it used to be. It seems that someone or something is attempting to collect and use our personal information at every turn. Both the value of information and the rate at which it can be accessed and shared have grown exponentially, and as a result, legislators and courts have struggled to keep pace.
The increase in the value of information has brought plenty of business interest. In turn, businesses may have attempted to assess their exposure to liability with entry into such a rapidly growing sector. Many businesses have focused on liability related to collection, use and disclosure of personal information by the business itself, but perhaps fewer have turned their attention to related risks posed by employees. Here, we find a point of intersection between privacy law and vicarious liability.
In Alberta, privacy regulation, as it applies to private business, is generally covered by the Personal Information Protection and Electronic Documents Act (Canada) and the Personal Information Protection Act (Alberta). These statutes set out rules for collecting, using and disclosing personal information and certain forms of liability for non-compliance. The recent rise of privacy law torts in Canada, including the tort of publication of private facts in Alberta, inevitably brings questions of vicarious liability for employers. Vicarious liability allows an employer to be held liable for wrongdoings committed by an employee within the scope of employment. Employers will be vicariously liable for the wrongful acts of employees where:
- The employee's act is authorized by the employer; or
- The wrongful act is sufficiently connected with an authorized act such that it may be regarded as an improper mode of performing an authorized act.
The first scenario is pretty straightforward, but the second is more vague, and has been the subject of judicial interpretation, especially in situations where a "rogue" employee has committed the wrongful act.
Canadian courts have said that the test for vicarious liability should focus on whether the employer's enterprise and empowerment of the wrongdoing-employee materially increased the risk of the harm suffered by the complainant. In the context of privacy law, an employee's responsibility for sensitive personal information (e.g., information of clients) could be viewed as empowerment of the employee and may result in vicarious liability for the employer in the event of improper handling of personal information by the employee. This is especially true when the employee is subject to little or no supervision.
Such circumstances arose in a recent case before the Court of Queen's Bench of Manitoba called Roque v Peters, 2022 MBQB 34 ("Roque"). In Roque, the plaintiff, Roque, was attempting to join the Brandon Police Service (BPS). Years before, Roque had been in a relationship with a BPS officer and had sent the officer intimate images. One defendant, Peters, became the officer's common-law partner in the interim. Peters discovered the images and informed the BPS' Deputy Chief Lewis. Deputy Chief Lewis came to Peters' home, and the two viewed the intimate images and copied both the emails and images onto a flash drive. Deputy Chief Lewis then returned to BPS and shared the images with other BPS members involved with Roque's potential hiring.
The Court found both Peters and Deputy Chief Lewis to be liable. Notably, Peters also named the City of Brandon in the claim. The City argued that it should not be liable as the defendants' actions were not authorized by BPS or the City. The Court did not explicitly refer to vicarious liability but found that Deputy Chief Lewis' work to obtain the images and his use of them meant he was a joint offender and, therefore, that the City of Brandon was also liable.
The Supreme Court of British Columbia reached a similar result in Ari v Insurance Corporation of British Columbia, where an employee of the Insurance Corporation of British Columbia (ICBC), Rheume, accessed customers' personal information and disclosed it to a criminal organization. The plaintiffs in a class action claimed that ICBC was vicariously liable for Rheume's unauthorized conduct.
The Court found that ICBC's operations inevitably created a risk of unauthorized use and disclosure of personal information and that Ms. Rheume's conduct was related to her employment. While ICBC had policies that directly addressed its privacy obligations, it was found vicariously liable for Rheume's wrongful actions. These policies did aid ICBC in avoiding punitive damages.
This type of vicarious risk is rarely the focus of a business when assessing its liability, but we anticipate that such claims may become more regular in the near future. As the value of personal information grows, commercial interest will follow, and as the speed of collection and disclosure grows together with the sheer quantum of available information, opportunities for misuse will become ever more present. Businesses should strive to be proactive when it comes to potential privacy breaches by employees.
Instituting a privacy management program with appropriate policies and procedures may be a first step in mitigating risks for businesses. As part of this initial due diligence, businesses should be especially mindful of the "need to know" principle and limit employees' access to personal information to a need-to-know basis. Doing so will help minimize any argument that the employer enhanced the risk of wrongful conduct by giving employees unfettered access to information that was not required to fulfill their work responsibilities. This key element will be considered in the analysis of vicarious liability.
Navigating the ever-changing landscape of privacy law can be challenging for businesses of all sizes. Contact Marc Yu or Jarett Schaumberger in Edmonton, Kelly Nicholson in Calgary, or any other member of Field Law's Privacy + Data Management Group for assistance with drafting or reviewing privacy policies and procedures, or any other aspect of regulatory compliance.