Here’s something readers might want to know about: the Federal Court has awarded damages in a case based on the Personal Information Protection and Electronic Documents Act (PIPEDA). Why is that special? Well, it’s the first damages award in the 10-year history of the Act.
When the Royal Bank rejected Mirza Nammo’s loan application to start a business, Nammo cried foul. Upon investigation, it turned out that Transunion, the credit reporting agency that provided the bank with Nammo’s credit information, had supplied another person’s information, including a different name, date of birth, Social Insurance Number and address history. Transunion had failed to maintain personal information in its database “as accurate, complete and up-to-date as is necessary for the purposes for which it is to be used” (as per Schedule 1, Section 4.6 of PIPEDA).
- Collecting inaccurate personal financial information concerning the applicant
- Transmitting inaccurate personal financial information concerning the applicant to third parties, including to the Royal Bank of Canada
- Failing to promptly correct the inaccurate personal financial information concerning the applicant that it held in its database
- Failing to transmit the amended personal financial information concerning the applicant to third parties, including to the Royal Bank of Canada
Transunion argued that it had fulfilled its duty to Nammo by correcting its information when it became aware of the error (per Schedule 1, Section 4.9.5). But the judge disagreed, stating, “Just because an organization has taken steps to correct a breach does not mean that the breach did not occur. Rectification of the breach is something that is more properly a factor to consider when determining what remedy, if any, this Court should award.” Consequently, Transunion could not use clause 4.9.5 “as an escape hatch” to free it from its obligation to maintain accurate information.
Although the applicant, Nammo, incurred no financial loss, the Court awarded him damages of $5,000.
Take note! While somehow perpetrators had previously managed to escape financial penalties under PIPEDA, the Federal Court has broken the ice with this precedent, and future judges may not feel so timid about awarding damages for similar offences.
Finance and Accounting PolicyPro from First Reference discusses Records Management and Retention in the Governance volume, and Information Technology PolicyPro provides guidelines and principles on Confidentiality and Privacy with respect to PIPEDA. The Human Resources PolicyPro also offers valuable information for employers on their obligations with respect to PIPEDA. All of these publications also include customizable sample policies.
In addition, The Human Resources Advisor provides a clear and easy way to grasp the essence of the principles and factors stemming from key court cases, as well as accepted and approved best practices.
First Reference Human Resources and Compliance Editor