Skip To Navigation Skip To Content

Employer’s Liability for Employee’s Breach of Privacy Act

If an employee willfully violates the privacy of another, is the employer liable under BC’s Privacy Act? The liability of the employer is called “vicarious liability”. What if the employee works at ICBC and accesses the personal information of many ICBC customers?

The BC Court of Appeal released reasons for judgment earlier this month concluding that employers may be vicariously liable under the Privacy Act. In this case Ari v. ICBC 2015 BCCA 468 the plaintiff commenced a proposed class action against ICBC alleging improper conduct by an employee, including improperly accessing the personal information of about 65 ICBC customers. A chambers judge had dismissed all but one of the claims, and both parties appealed portions of the decision.

Under section 1 of the Privacy Act “it is a tort …. for a person, willfully, and without a claim of right, to violate the privacy of another”. Since the tort is created by the statute, it is a “statutory tort”.  At issue before the Court was whether an employer could be vicariously liable for this willful, statutory tort. ICBC argued that they should not be vicariously liable for the willful wrongdoing of an employee, saying that the statute restricted liability to the personal wrongdoer. The Court rejected this argument, finding that it is an open ended question whether vicarious liability can be found in the wording of this statutory tort. The Court didn’t actually determine whether ICBC is vicariously liable, they were only asked to determine whether the chambers judge was wrong in concluding that ICBC could be liable. Providing the following reasons, the Court affirmed the chambers judge’s finding, and allowed the potential class action to survive this challenge:

[24]        In Nelson, the “operative language” was “person who contravened this Act”. The wording of the applicable provision directly limited the class of persons from whom the appellant could recover aggravated damages to those who had personally contravened the statute. The requirement that such a contravention be done “knowingly” or with “wanton disregard” did not itself dictate the availability of vicarious liability; rather, it acted to support an interpretation of the provision that necessitated a personal breach of the Human Rights Code as a precondition for recovery.

[25]        It is not clear that s. 1 of the Privacy Act should be interpreted as limited in the same fashion as the relevant provisions in Nelson. Section 1(1) states that “[i]t is a tort, actionable without proof of damage, for a person, wilfully and without a claim of right, to violate the privacy of another”. There is no language (as there was in Nelson) that clearly limits a plaintiff to recovery of damages from the person identified in s. 1(1). While, as the chambers judge observed, vicarious liability for acts of intentional and deliberate wrongdoing has generally been rejected, it is not unheard of (see: Lewis Klar, Tort Law, 5th ed. (Toronto: Carswell, 2012) at 682). To the extent that s. 1(1) of the Privacy Act requires deliberate wrongdoing, it is not per se incompatible with vicarious liability.

[26]        Although Nelson may provide, by analogy, a basis for denying the availability of vicarious liability, I cannot conclude that the chambers judge erred in finding the appellant’s claim is on this basis, not bound to fail.

[27]        Alternatively, ICBC says that there is a policy argument which supports its position that there is no cause of action in vicarious liability. For policy reasons ICBC says, employers should not be held vicariously liable for wilful breaches of privacy under the Privacy Act.

[28]        ICBC also contends that the question before the chambers judge was whether vicarious liability should be imposed due to policy considerations. It says that the appropriate question to ask is: should liability lie against a public body for the wrongful conduct of its employee, in these circumstances? The question necessarily demands some exploration of the evidence about the connection between ICBC’s security procedures and the security lapse that occurred, as well as a weighing of the policy considerations involved. It is reasonable to conclude that a factual matrix is necessary in order to fairly address whether ICBC’s conduct materially enhanced the possibility of committing the breach of privacy, and to determine the connection between the impugned conduct and ICBC’s conduct. In other words, to clearly determine how public policy considerations affect the viability of the vicarious liability claim, some evidence is required.

[29]        ICBC submits in the further alternative that ss. 73 and 79 of the Freedom of Information and Protection of Privacy Act bar recovery for vicarious liability. Section 79 provides that the Act prevails where it conflicts with the provisions of other legislation. Section 73(a) prohibits proceedings against a public body for damages resulting from good faith disclosure or non-disclosure of all or part of a record under the Act.

[30]        As the disclosure alleged was not a good faith disclosure, s. 73 has no application to the circumstances of this case.

[31]        I am of the view that the question of vicarious liability on the facts of this case cannot be resolved on a pleadings motion. It is not plain and obvious the claim would fail. The chambers judge considered that the appellant ought to have the opportunity to develop and argue this aspect of his claim. I see no error in her conclusion.

[32]        For these reasons I would dismiss ICBC’s cross-appeal.