Background
During their operations, local governments collect a wide variety of personal information – this may include individuals’ names, addresses, telephone numbers, and financial information. As public bodies under the Freedom of Information and Protection of Privacy Act (“FIPPA”), local governments have a responsibility to:
- protect any personal information in their custody or control by making reasonable security arrangements; and
- ensure that personal information is used only for the purposes for which it was collected by the local government.[1]
Once a local government has collected personal information, it may only be disclosed in limited circumstances authorized under FIPPA.[2] A privacy breach occurs where there has been unauthorized access, use, or disclosure of personal information within the local government’s custody and control. Pursuant to FIPPA, where a local government commits a privacy breach, the local government may be subject to fines and enforcement by the Office of the Information and Privacy Commissioner (“OIPC”). However, until recently, the BC courts had not affirmed an individual’s ability to bring a claim for breach of privacy against a public body where their personal information was disclosed without authorization.
The BC Court of Appeal Decisions
The BC Court of Appeal recently released a decision which greatly expands the potential liability for local governments in the wake of a privacy breach: G.D. v. South Coast British Columbia Transportation Authority[1] (“Translink”).
In Translink, hackers accessed payroll and benefit folders containing considerable personal information of Translink employees. Translink reported the breach to the OIPC and notified the affected employees. The affected employees sought certification for a class action proceeding against Translink. The Notice of Civil Claim alleged that Translink had a duty to protect the personal information of its employees that it had collected and to not disclose that information without authorization. The Plaintiffs argued that Translink’s duty arose from its obligations as a public body under FIPPA. The Plaintiffs noted that Translink had been the subject of cyberattacks and data breach incidents in the past and therefore Translink should have exercised heightened vigilance and safeguarding of personal information in its possession. The Chambers judge interpreted the Privacy Act as meaning that data custodians who store private information cannot be liable for a privacy breach committed by a third party who hacks into that private information, even where the hacker’s success was due to the custodian’s reckless security measures. The plaintiffs appealed.
The issue before the Court of Appeal was whether a person could have a cause of action against a collector of personal data, for a privacy breach under the Privacy Act or in negligence, where due to inadequate security a third-party hacker accessed the person’s private information in the data custodian’s possession. The Court commented that the loss of privacy in personal information due in part to inadequate security measures taken by data custodians is an emerging problem in Canadian society. The Court of Appeal affirmed that it is at least arguable to claim that where a data custodian has collected plaintiffs’ personal information but failed to safeguard it from an unrelated cyber attacker, the data custodian has committed the statutory tort of willful violation of privacy.
Takeaways
While Translink did not involve a privacy breach by a local government, the Court of Appeal held that this framework applies to public bodies under FIPPA. As a result, the expansion of liability in this case likely applies to local governments as data custodians.
In the context of this Court of Appeal decision, local governments have heightened legal risk following any unauthorized access, use, or disclosure of personal information under their custody and control. This decision changes the legal landscape such that a public body may now be sued by an affected individual personally for violation of their privacy even where the breach was perpetrated by a nefarious third party.
In light of this Court of Appeal decision, local governments should:
- increase training for elected officials and staff on their privacy obligations under FIPPA;
- regularly evaluate the adequacy of safeguards in place to protect personal information within the local government’s custody and control from unauthorized access, use, and disclosure; and
- act quickly to contain and address any privacy breaches to mitigate the potential damage to affected individuals.
If you have questions, contact a member of our experienced Local Government Team.
[1] FIPPA ss. 30 and 32.
[2] FIPPA s. 33.
[3] 2024 BCCA 252.