Many organizations publish a privacy policy as a means of making prescribed disclosures and obtaining the required informed consent to their personal information practices (e.g. how the organization collects, uses, discloses and corrects personal information). Under Canadian law, an organization is required to protect personal information in its possession or control by using security safeguards appropriate to the sensitivity of the information, and it remains responsible for personal information that it discloses to third parties.

It is important that all organizations and their employees be familiar with their privacy policies and implement them accordingly. Otherwise, the organization may be exposed to claims, such as in the case of Albayate v. Bank of Montreal, 2015 BCSC 69.

In this case, the Bank changed Ms. Albayate’s mailing address in its computer system without her consent and authorization. As a result of this error, three envelopes containing Ms. Albayate’s Bank statements were sent to her ex-husband’s address (the evidence suggested that the letters were not opened by Mr. Albayate). The Bank also reported the inaccurate personal information to two credit bureaus, Equifax and TransUnion. When the Bank learned of its mistake, it promptly corrected the error on its computer system, but failed to advise the credit bureaus of this correction immediately as mandated by the Bank’s privacy policy.

Although many of Ms. Albayate’s allegations were not accepted, she established her claims that the Bank breached her privacy rights under the Privacy Act, RSBC 1996, c 373, and that the Bank breached its privacy policy, which formed part of its contract with Ms. Albayate. Details regarding the Court’s reasoning for each claim are provided below.

Having reviewed the evidence and the case law, the Court confirmed that when a party, such as Ms. Albayate, is not able to prove damages for a breach of privacy or breach of contract (and where the breaching party has not acted reprehensibly), nominal damages should be awarded. For this reason, Ms. Albayate was awarded $2,000 and each party had to bear their own costs.

Tort of Breach of Privacy – The Court provided the following reasoning regarding the breach of Ms. Albayate’s privacy rights by the Bank:

[96] As stated above, the bank employee who made the change could not recall the basis of the change, or what safeguards were employed to guard against the unauthorized alteration of Ms. Albayate’s personal information. As a result, I do not accept the bank’s argument that it has established that it had an honest and reasonable belief it had justification to provide an inaccurate address to the credit bureaus.

[97] The bank did not correct the inaccurate information it had provided to the credit bureaus immediately after learning of the error in accordance with its privacy policy. While the bank argues that it corrected the error as soon as it became aware of it, the evidence is that the bank conducted an investigation after the initial complaint from Ms. Albayate in November 2009. The bank’s privacy policy clearly sets out that after a client reports inaccuracies in their personal information, the bank will use its best efforts to advise others of important amendments to the client’s personal information which the bank may have released to them.

[98] The bank did not provide any explanation as to why that policy was not followed after Ms. Albayate reported the inaccuracy in her records, or why it took over three years for the correction to be made. Ms. Albayate asserts that as a result of the wrong address she has been refused a loan; however there is no direct evidence of any loan refusals flowing from the error. While there is no direct evidence of any loan refusals flowing from the breach of its privacy policy, that does not relieve the bank being found liable for a breach of privacy for providing inaccurate information and failing to correct the inaccuracy in a timely manner.

[99] In the circumstances, I find there was a breach of Ms. Albayate’s privacy by the bank when it provided the credit bureaus with inaccurate information about her address and then failed to make a correction when it became aware her address had been changed without her authorization.

Breach of Contract – The Court provided the following reasoning regarding the breach of contract by the Bank:

[111] However, as stated earlier, the bank concedes that the address change resulted from a mistake by one of its employees. It has also conceded that the bank sent the wrong address to the credit bureaus as a result of its mistake. As noted earlier, the bank is in breach of its privacy policy, which provides that personal information will not be altered without authorization from the bank’s customer. As well, the bank did not take steps to amend the inaccurate information it had provided to the credit bureaus immediately as mandated in its privacy policy. Instead the inaccurate information was not corrected until May 2013.

[112] In my view, the bank was in breach of its privacy policy which formed part of its contract with Ms. Albayate in providing inaccurate information to the credit bureaus and by not correcting the inaccurate information when it became aware the address had been changed in its computer system without her authorization.

[113] As stated earlier, Ms. Albayate has not adduced any evidence that she has been denied credit or suffered any loss as a result of the bank’s breach. As a result, Ms. Albayate has not established that she would be in a different position if the breach of contract had not occurred.

Although the award was nominal in the claim against the Bank, because the plaintiff did not adduce evidence that she suffered damages as a result of the Bank’s conduct, the Court reaffirmed the importance of privacy as a fundamental value in our law that is worthy of protection whether or not damages are established.