On September 26th, the Federal Court held that PIPEDA does not give employees of federally-regulated employers a right of access to e-mails concerning them that are sent between co-workers in their personal capacity and stored on the employers e-mail system.
The applicant, a former employee, filed a request for all e-mails “concerning” him. At the Federal Court, the primary issue in dispute was about whether “personal” (i.e. non-work related) e-mails about the applicant were subject to the right of access in PIPEDA.
PIPEDA does not include a traditional “custody or control” standard for access. Though the access principle refers to personal information “held” by an organization, the existence of a right of access turns on whether a request is for personal information that is collected used or disclosed by an employer “in connection with the operation of a federal work or undertaking.” PIPEDA also expressly excludes information that an individual collects, uses or discloses for exclusively “personal or domestic purposes.”
Mr. Justice Russel Zinn held that the personal e-mails sought were not collected in connection with the operation of a federal work or undertaking and were also excluded as e-mails collected, used and disclosed for personal or domestic purposes. The core of his reasoning is captured in the following excerpt:
First, in my view, the information is not being “handled” by Bell Canada. Like the bycatch of the cod fisherman, personal e-mail is the bycatch of the commercially valuable information that is being handled by Bell Canada. Secondly, to be information collected in connection with the operation of the business, requires that there be a business purpose for the information. There is none with respect to personal e-mails. In fact, from the viewpoint of organizations like Bell Canada, personal e-mails are refuse that take up valuable space and time. It is for this reason, among others, that organizations discourage or limit employee utilization of their computer systems for personal reasons.
Zinn J. also appears to have been influenced by the rights of the co-workers who sent and received the impugned e-mails and their interest in what has otherwise been called “mixed personal information.” He suggests that these individuals would be deprived of the personal and domestic purposes exclusion if PIPEDA was held to apply to their e-mails, hence framing the exclusion as a form of right. Notably, Zinn J. did not expressly consider whether Bell reserved a right to monitor “personal” e-mails under its computer use policy.
There are other very significant aspects of the judgement that relate to the nature of an organization’s duty to clarify the scope of a request and its duty conduct a reasonable search for responsive information.
On duty to clarify the scope of broad requests, Zinn J. stated:
I am of the view that the position stated by Bell Canada that Mr. Johnson “had a responsibility to focus his request” overstates the responsibility of an applicant making an access request. In my view, and in keeping with the practicality of the application of PIPEDA to a request that may suggest an extensive, costly and time-consuming search, the organization receiving a broad request such as that made by Mr. Johnson has two options open to it: (1) it can inquire of the party making the request if he can be more specific as to the information he is requesting, in which case the requesting party does have an obligation to cooperate in defining his request, or (2) it can conduct a reasonable search of information that it can reasonably expect to be responsive to the request. In this case Bell Canada chose the latter course.
And on the duty to conduct a reasonable search, he stated:
The search [Bell Canada] was required to conduct was a search that could reasonably be expected to produce the personal information of Mr. Johnson that, in the ordinary course, would fall under PIPEDA.
It cannot be seriously suggested that an organization has a responsibility to recover deleted or overwritten data in the absence of compelling evidence that it existed and that it can be recovered at a reasonable cost. Further, in my view, such a Herculean task should only be required to be undertaken, if ever, in circumstances where there is a critical need for the recovered information.
4 thoughts on “Case Report – Fed Ct. minimizes the consequences of the dreaded “all e-mails” access request”