SuperHR Canada

Privacy Breaches: Is Your Organization Legally Exposed?

A recent ruling by the British Columbia Court of Appeal (BCCA) in Insurance Corporation of British Columbia v. Ari, 2023 BCCA 331, clarified the potential liability employers may face when employees improperly access or disclose customer information, even if workplace policies prohibit such actions. This outcome underscores the importance of employers taking robust measures to safeguard customer privacy.


Key implications from this case include:


  • Employers must implement rigorous data security safeguards and employee training programs, as company policies alone are insufficient to avoid potential vicarious liability for privacy breaches.
  • Access to customer data should be restricted to employees who require the information to perform their job duties. Supervised access, in which another employee is present, can help prevent misuse.
  • Maintaining a formal record of all employee access to customer data, including dates/times and duration, supports compliance and accountability.
  • Customer information should be deleted when no longer required for legitimate business purposes, in accordance with applicable laws such as the BC Personal Information Protection Act.
  • Employers must be familiar with relevant provincial and federal privacy legislation, and develop comprehensive policies that meet all statutory privacy requirements. Diligent compliance with these policies is crucial.


Next steps


In light of this ruling, employers should review their privacy policies and procedures to mitigate the risk of liability for potential employee privacy breaches. Is your privacy policy up to date? If you’re not sure, our expert team can help review and update it accordingly. Get in touch with us today!