By now most organizations dealing with personal information in Canada are aware that Canada has a federal law that regulates the collection, use and disclosure of personal information. For ten years businesses have been trying to figure out how to comply with the requirements of the Personal Information Protection and Electronic Documents Act (“PIPEDA”). Compliance with PIPEDA is often a tricky balancing act. The statute is fairly general in its requirements and leaves much up to the judgement of the organization that is attempting to handle personal information. Clients are understandably nervous about getting it wrong. What if they do get it wrong? After all, mistakes do happen. A recent case suggests that sanctions may be imposed as a way to prod organizations into tightening up their privacy compliance programs, even when a complainant’s damages are not obvious.

Under PIPEDA, if a person has a complaint about the privacy practices of an organization subject to the jurisdiction of PIPEDA, he or she may make a written complaint to the Office of the Privacy Commissioner of Canada (the “OPC”). All complaints must be investigated by the OPC and, subject to limited exceptions, the OPC must issue a report within one year of the filing of the complaint. In addition, the OPC may also initiate a complaint and issue a resulting report.

The OPC’s report will characterize the issues raised in the complaint as “well-founded” or “not well-founded”, and in those cases where the offending organization has taken acceptable steps to address the problem, the OPC will categorize the complaint as “resolved”. In most cases, that’s where the matter ends. However, there is a right to take the matter further to the Federal Court of Canada.

If a complainant is not satisfied with the results of the OPC’s report in respect of specific sections of PIPEDA, he or she may make an application to the Federal Court of Canada for a trial de novo of the matter, which means that it is a new hearing – it is not an appeal of the OPC’s findings. The OPC may apply to appear at that hearing and also has a right to apply to the Federal Court in respect of any complaint that the OPC has initiated, which presumably would only happen if the investigated organization failed to adhere to the OPC’s recommendations.

Landry v. Royal Bank of Canada 2011 FC 687 was an application in the Federal Court of Canada to compel the Royal Bank to “change its practice of disclosing personal information without the authorization of the person concerned” (translation), and to seek damages totalling $100,000 for injury to the applicant’s “reputation, honour and dignity”, “moral prejudice, pain and suffering” as well as exemplary (punitive) damages resulting from the bank’s actions. The applicant was self-represented and the facts are fairly colourful.

Nicole Landry was involved in divorce proceedings, and her bank (the Royal Bank of Canada) received a subpoena duces tecum from her ex-husband’s lawyer. (A subpoena duces tecum requires the recipient to appear in court with requested documentation.) In this case, the documentation concerned certain bank accounts of Landry held with the bank. The bank dutifully assembled the requested documentation and, for reasons that are not entirely clear, a clerk of the bank faxed the documents to Landry’s counsel, in contravention of the bank’s policy, which required consent for disclosure of the documents to third parties. The bank’s employee then apparently tried to cover up the mistake.

Upon receipt of Landry’s complaint, the OPC investigated and found that, although the complaint was well-founded, the bank had taken corrective measures to prevent such events in the future and that, therefore, the matter was considered resolved. However, the applicant was not satisfied with the OPC’s conclusions and brought the subject application. The Court ultimately awarded $4,500 for the bank’s failure to follow its own privacy policy and its offending employee’s attempt to cover up her actions.

One might wonder why the court awarded anything at all since, in the divorce action, that court eventually ordered production of the mistakenly-disclosed documentation to the ex-husband’s counsel anyway – what damages could the applicant have suffered by the disclosure of information that a court ultimately ordered disclosed? In this application to the Federal Court for breach of PIPEDA, Justice Scott even acknowledged that the bank had not commercially benefitted from the breach, had not acted in bad faith (except for the employee cover-up) and the applicant was partially to blame because she was apparently trying to conceal the existence of her personal bank accounts in the divorce action even though she was obliged by law to disclose their existence.

The message that the Federal Court seems to be giving in awarding $4,500 to the applicant is that even in these circumstances, where the entitlement to actual damages seems dubious, as a policy matter it’s serious business to contravene PIPEDA. To avoid these types of distractions, organizations need to embed privacy principles in their core operating values, be vigilant in maintaining them and constantly train their employees in privacy compliance. That’s just good business!