British Columbia Appeal Court Finds Employer Vicariously Liable for Employee’s Willful Violation of Customers’ Privacy



  • Even when they establish rules and policies prohibiting the improper use of their customers’ private information, employers may be found vicariously liable when their employees violate s. 1 of British Columbia’s Privacy Act, which provides that it is a statutory tort for a person, wilfully and without a claim of right, to violate the privacy of another.
  • For a finding of vicarious liability, the employee’s conduct must be “sufficiently related” to conduct authorized by the employer. 

In Insurance Corporation of British Columbia v. Ari, 2023 BCCA 331, the British Columbia Court of Appeal (BCCA) confirmed that an employer may be found vicariously liable when its employee violates of s. 1 of the province’s Privacy Act (Act).  Section 1 of the Act provides that it is a statutory tort for a person, wilfully and without a claim of right, to violate the privacy of another.


As the provider of a universal, compulsory insurance plan for vehicles in British Columbia (BC), ICBC acquires and retains personal information about almost everyone who owns or drives a vehicle in BC, including drivers’ names, addresses, license numbers, vehicle descriptions and identification numbers, and license plate numbers.

An ICBC claims adjuster improperly accessed and then sold to a third party the personal information of 78 ICBC customers, linking their vehicle license plates to their names and home addresses.  The third party used this information to engage in criminal acts, which included targeting the homes and vehicles of 13 of the 78 customers through arson, shootings, and vandalism.

ICBC’s customers whose personal information was improperly accessed brought a class action against ICBC.  In the trial of the common issues, ICBC was found vicariously liable for its employee’s breach of s. 1 of the Act, and general damages were awarded on a class-wide basis.      

ICBC’s Position

In appealing the summary trial judge’s finding that it was vicariously liable, ICBC argued that the information accessed by the claims adjuster was not private information but contact information that people regularly provide to others, and therefore not private; it provided only the opportunity for the employee to access the information; and it had properly put workplace privacy policies in place.  In the alternative, ICBC argued that the judge erred in concluding that general damages could be awarded on a class-wide basis.

BCCA’s Decision

Breach of the Act

Section 1 of the Act provides:

(1) It is a tort, actionable without proof of damage, for a person, wilfully and without a claim of right, to violate the privacy of another.

(2) The nature and degree of privacy to which a person is entitled in a situation or in relation to a matter is that which is reasonable in the circumstances, giving due regard to the lawful interests of others.

(3) In determining whether the act or conduct of a person is a violation of another’s privacy, regard must be given to the nature, incidence and occasion of the act or conduct and to any domestic or other relationship between the parties.

(4) Without limiting subsections (1) to (3), privacy may be violated by eavesdropping or surveillance, whether or not accomplished by trespass.

The BCCA stated that to analyze whether a person’s right to privacy under the Act has been breached, the following factors must be considered:  the context, including the nature, incidence, and occasion of the act; the relationship of the parties; and the degree of privacy to which the person is entitled.  The court also stressed that the breach of privacy must be wilful and without claim of right, and that these factors limit the scope of potential liability.

The court noted that ICBC conceded that the claims adjuster “accessed the information wilfully and without claim of right,” and that the summary trial judge “correctly observed the context-specific nature of the analysis.”

The BCCA agreed with the trial judge’s observation that ICBC acknowledged the contact information was “personal information” entitled to “privacy” protection in ICBC’s code of ethics, policies, its letter to class members, a press release issued by its chief executive officer, its senior personnel’s affidavit evidence, and a letter providing the claims adjuster notice of termination of her employment. 

The BCCA concluded that the class members had a reasonable expectation of privacy in the personal information they gave to ICBC, i.e., an expectation that it would be used only for ICBC’s legitimate operational purposes; ICBC’s employee accessed the class members’ personal information for a purpose that was not a legitimate ICBC purpose, i.e., to sell some of it to third parties who had a criminal purpose; and the trial judge did not make any extricable error of law by finding that ICBC’s employee wilfully violated the class members’ privacy within the meaning of s. 1 of the Act.

Vicarious Liability

In response to ICBC’s argument that the trial judge erred in his approach to the question of vicarious liability, the BCCA noted it has been found in judicial precedent that the degree of connection between the wrongdoing and the wrongdoer’s employment is highly relevant to the question of when vicarious liability should be imposed, as is the full context of the wrongdoing and employment relationship.  The court also referred to Bazley v. Curry, [1999] 2 S.C.R. 534, in which the Supreme Court of Canada focused on whether the employee’s conduct was “sufficiently related” to conduct authorized by the employer to justify imposing vicarious liability on the employer.

The BCCA acknowledged that the abuse the employee engaged in was closely connected to her employment as a claims adjuster, and concluded that the trial judge applied the correct legal principles and considered relevant factors when he determined that ICBC was vicariously liable for its employee’s breach of privacy.

General Damages

Finally, the BCCA determined that the trial judge did not err when he determined that class members were entitled to general damages, with quantum yet to be determined.

Bottom Line for Employers

The decision of the BCCA in Insurance Corporation of British Columbia is a reminder for employers in BC that even when they establish rules and policies prohibiting the improper use of their customers’ private information, they can be found vicariously liable for an employee’s improper use of it, provided the employee’s conduct is “sufficiently related” to conduct authorized by the employer.  This may also be the case in provinces that have privacy statutes with statutory torts similar to the one in BC, and in Ontario, which recognizes the common law intrusion upon seclusion tort, which is similar to the statutory tort in BC.  

Employers in these jurisdictions are encouraged to permit only employees who need access to customers’ private information for legitimate business purposes to have such access, and only under close supervision and when accompanied by another employee.  Furthermore, employers are encouraged to require employees who are permitted such access to consistently record when they had access and the duration of their access in an official “access register.”  Finally, employers are encouraged to remove personal information when it is no longer required for legitimate business purposes and only in accordance with applicable privacy legislation, such as, for example, the British Columbia Personal Information Protection Act.  In all cases, employers should seriously review their obligations pursuant to applicable privacy legislation in the province of employment, including having an appropriate privacy policy that addresses all statutory requirements and ensuring that the requirements are followed in practice. By taking these steps, employers may reduce but not eliminate their risk of being found vicariously liable for an employee’s improper use of their customers’ private information. 

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Littler | Attorney Advertising

Written by:


Littler on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide