The recent Federal Court of Canada decision in Johnson v. Bell Canada is likely to reduce the burden experienced by Canadian companies when faced with employee requests under the Personal Information Protection and Electronic Documents Act (PIPEDA) for access to personal information allegedly stored on company servers.
In this case, Johnson, a Bell Canada employee, asked Bell for copies of any "e-mails concerning me in this company … from all sources." He subsequently narrowed his request for access to e-mails from a two-year period. Bell provided all business-related e-mails to which Johnson’s direct supervisor had access — close to 600 pages of information.
Johnson asserted that this disclosure was insufficient and sought a court order requiring Bell to provide him with all of his personal information, including all e-mail messages between Bell employees referring to him. He also argued that Bell was obliged to conduct an exhaustive search of all records they had for any e-mails mentioning him.
The issue before the court was whether Bell, in responding to Johnson’s request, had complied with the requirements of PIPEDA.
In Connection with the Operation of a Business
PIPEDA applies to organizations in respect of personal information about an employee that it "collects, uses or discloses in connection with the operation of a federal work, undertaking or business."
Relying on this wording, Bell argued that only business-related e-mails are subject to PIPEDA. It contended that e-mail exchanges of a personal nature between employees are not generated in association with its business operations and, therefore, are not collected "in connection with the operation of" its business.
Johnson contended that non-business-related personal e-mails are collected "in connection with the operation" of Bell’s business because Bell’s computer systems and back-up systems capture these e-mails. Such systems are part of the operation of the business.
The court agreed with Johnson that e-mails about or concerning him met the definition of "personal information" in PIPEDA. However, the court found that the real issue was whether these e-mails were collected, used or disclosed by Bell in connection with the operation of a federal work, undertaking or business.
The court concluded that they were not. It compared the collection of non-business-related personal e-mails by a computer system to the bycatch products that fishermen collect in their nets:
…Organizations put systems and procedures in place deliberately to capture such information as is relevant to the organization and its business needs. The reality is that non-relevant information is also captured. Just as the cod fisherman’s nets will capture whiting, flounder, hake, squid, butterfish, or other species in addition to the cod which is the fisherman’s target, the organization’s data storage system which is intended to capture business e-mail will capture personal e-mails, jokes, spam, family pictures and other nonbusiness data transmitted on the system.
Business Purpose for the Information
The court found that only information collected by the organization "because it has a commercial need for it" is captured by PIPEDA. To be considered "information collected in connection with the operation of a business," there must be a business purpose for the information. In this case, the personal e-mails had no business purpose. As a result, the court determined that the e-mails were not subject to PIPEDA and disclosure by Bell.
The court also found that Bell had conducted a sufficient search in response to Johnson’s request. It noted that Bell was required to conduct a search "that could reasonably be expected to produce the personal information of Mr. Johnson that, in the ordinary course, would fall under PIPEDA." It was reasonably expected that business e-mails about Johnson would be in the hands of his direct supervisor and there was no evidence that other Bell employees would have business e-mails about him.
McCarthy Tétrault Notes:
This decision should reduce the burden of complying with employee PIPEDA requests by significantly reducing the scope of the searches necessitated by such requests.
As a result of this decision, organizations can take comfort in knowing they will only need to search for and provide those records related to the conduct of their business, not those sent between employees for personal reasons.
Furthermore, organizations are only required to conduct a search that could reasonably be expected to produce the personal information of the employee that, in the ordinary course, would fall under PIPEDA. Therefore, they do not need to search records that are not reasonably likely to contain business-related personal information.