Employers would be well-advised to review and update their privacy policies and procedures after the Federal Court of Canada's recent decision in Landry v. Royal Bank of Canada.
In Landry, (summarized in more detail here) Royal Bank was ordered to pay damages to a customer under the Personal Information Protection and Electronic Documents Act (PIPEDA) for the humiliation she suffered after a Bank employee disclosed the customer's account information without her consent, in violation of Royal Bank's privacy policy. The damage award was made despite the fact that the Court found that the injury suffered by the complaining customer was, at least in part, "the result of her own actions" and that ultimately the information would have been disclosed pursuant to a subpoena. Even though the error was not found to have been made in bad faith, the seriousness of the mistake was sufficient to support a damage award of $4,500, plus costs.
Our View:
While the damage award in Landry was nominal, the decision demonstrates the Federal Court is willing to award monetary damages for breaches of PIPEDA. This case should serve as a reminder to employers who are subject to PIPEDA to ensure that they not only have privacy policies and procedures in place, but also that employees are aware of the policies and act in accordance with them. Further, when complaints do arise, employers would be well-advised to act on them. Specifically, employers should ensure that complaints are properly investigated and take appropriate corrective measures in response to all complaints.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.