Information contained in this publication is intended for informational purposes only and does not constitute legal advice or opinion, nor is it a substitute for the professional judgment of an attorney.
In Insurance Corporation of British Columbia v. Ari, 2023 BCCA 331, the British Columbia Court of Appeal (BCCA) confirmed that an employer may be found vicariously liable when its employee violates of s. 1 of the province’s Privacy Act (Act). Section 1 of the Act provides that it is a statutory tort for a person, wilfully and without a claim of right, to violate the privacy of another.
As the provider of a universal, compulsory insurance plan for vehicles in British Columbia (BC), ICBC acquires and retains personal information about almost everyone who owns or drives a vehicle in BC, including drivers’ names, addresses, license numbers, vehicle descriptions and identification numbers, and license plate numbers.
An ICBC claims adjuster improperly accessed and then sold to a third party the personal information of 78 ICBC customers, linking their vehicle license plates to their names and home addresses. The third party used this information to engage in criminal acts, which included targeting the homes and vehicles of 13 of the 78 customers through arson, shootings, and vandalism.
ICBC’s customers whose personal information was improperly accessed brought a class action against ICBC. In the trial of the common issues, ICBC was found vicariously liable for its employee’s breach of s. 1 of the Act, and general damages were awarded on a class-wide basis.
In appealing the summary trial judge’s finding that it was vicariously liable, ICBC argued that the information accessed by the claims adjuster was not private information but contact information that people regularly provide to others, and therefore not private; it provided only the opportunity for the employee to access the information; and it had properly put workplace privacy policies in place. In the alternative, ICBC argued that the judge erred in concluding that general damages could be awarded on a class-wide basis.
Breach of the Act
Section 1 of the Act provides:
(1) It is a tort, actionable without proof of damage, for a person, wilfully and without a claim of right, to violate the privacy of another.
(2) The nature and degree of privacy to which a person is entitled in a situation or in relation to a matter is that which is reasonable in the circumstances, giving due regard to the lawful interests of others.
(3) In determining whether the act or conduct of a person is a violation of another’s privacy, regard must be given to the nature, incidence and occasion of the act or conduct and to any domestic or other relationship between the parties.
(4) Without limiting subsections (1) to (3), privacy may be violated by eavesdropping or surveillance, whether or not accomplished by trespass.
The BCCA stated that to analyze whether a person’s right to privacy under the Act has been breached, the following factors must be considered: the context, including the nature, incidence, and occasion of the act; the relationship of the parties; and the degree of privacy to which the person is entitled. The court also stressed that the breach of privacy must be wilful and without claim of right, and that these factors limit the scope of potential liability.
The court noted that ICBC conceded that the claims adjuster “accessed the information wilfully and without claim of right,” and that the summary trial judge “correctly observed the context-specific nature of the analysis.”
The BCCA agreed with the trial judge’s observation that ICBC acknowledged the contact information was “personal information” entitled to “privacy” protection in ICBC’s code of ethics, policies, its letter to class members, a press release issued by its chief executive officer, its senior personnel’s affidavit evidence, and a letter providing the claims adjuster notice of termination of her employment.
The BCCA concluded that the class members had a reasonable expectation of privacy in the personal information they gave to ICBC, i.e., an expectation that it would be used only for ICBC’s legitimate operational purposes; ICBC’s employee accessed the class members’ personal information for a purpose that was not a legitimate ICBC purpose, i.e., to sell some of it to third parties who had a criminal purpose; and the trial judge did not make any extricable error of law by finding that ICBC’s employee wilfully violated the class members’ privacy within the meaning of s. 1 of the Act.
In response to ICBC’s argument that the trial judge erred in his approach to the question of vicarious liability, the BCCA noted it has been found in judicial precedent that the degree of connection between the wrongdoing and the wrongdoer’s employment is highly relevant to the question of when vicarious liability should be imposed, as is the full context of the wrongdoing and employment relationship. The court also referred to Bazley v. Curry,  2 S.C.R. 534, in which the Supreme Court of Canada focused on whether the employee’s conduct was “sufficiently related” to conduct authorized by the employer to justify imposing vicarious liability on the employer.
The BCCA acknowledged that the abuse the employee engaged in was closely connected to her employment as a claims adjuster, and concluded that the trial judge applied the correct legal principles and considered relevant factors when he determined that ICBC was vicariously liable for its employee’s breach of privacy.
Finally, the BCCA determined that the trial judge did not err when he determined that class members were entitled to general damages, with quantum yet to be determined.
Bottom Line for Employers
The decision of the BCCA in Insurance Corporation of British Columbia is a reminder for employers in BC that even when they establish rules and policies prohibiting the improper use of their customers’ private information, they can be found vicariously liable for an employee’s improper use of it, provided the employee’s conduct is “sufficiently related” to conduct authorized by the employer. This may also be the case in provinces that have privacy statutes with statutory torts similar to the one in BC, and in Ontario, which recognizes the common law intrusion upon seclusion tort, which is similar to the statutory tort in BC.