“What’s in an employee’s name” you ask? According to a recent decision of the Supreme Court of British Columbia in British Columbia Hydro and Power Authority v British Columbia (Information and Privacy Commissioner), 2019 BCSC 2128 (“BC Hydro”): privacy.
The BC Hydro case arose from a journalist, Bob Mackin, requesting access to certain information related to the “Site C” dam project from BC Hydro. BC Hydro responded to the request but withheld the names of certain employees (and other information which was not at issue before the Court). A delegate of the Commissioner (the “Delegate”) reviewed BC Hydro’s decision to withhold the employees’ names and decided that it was not an unreasonable invasion of privacy to release the names to the journalist. BC Hydro brought an application seeking judicial review of the Delegate’s decision. BC Hydro succeeded and the decision was ultimately sent back to the Information and Privacy Commissioner for reconsideration.
Examining ss. 19 [which addresses disclosure when harmful to individual or public safety] and 22(4)(e) of FIPPA [an exception to the exception not to disclose if disclosure would be an unreasonable invasion of a third party’s personal privacy], as well as the definitions of “personal information” and “contact information”, the Court in BC Hydro confirmed the following:
• employee names constitute personal private information (unless the information fits under the definition of “contact information”); and
• a public body is not required to prove, on a balance of probabilities, that disclosure of the information will actually result in harm or even probable harm: there need only be a reasonable basis for believing that harm will result.
BC Hydro also makes it clear that the purpose for which the information is being sought matters. If information is sought to contact the individuals at their palace of business, an employee’s name falls under “contact information” is therefore not “personal information” and its disclosure by the employer is not unreasonable.
Although BC Hydro deals with a request made under FOIPPA, as the British Columbia Hydro and Power Authority is a public entity, the case is highly relevant when considering similar requests made under the Personal Information Protection Act, SBC 2003, c. 63 (“PIPABC”) since the Acts are substantially similar in what they ultimately aim to accomplish. The relevant difference between them is that FOIPPA governs the public sector while PIPA addresses how all private sector organizations that are located in, or do business in British Columbia, handle the personal information of employees and the public (the customers) and creates rules about collecting, using and disclosing that personal information.
The notable reason why the BC Hydro case is applicable to PIPABC is because the definitions in both acts for what constitutes “personal information” and “contact information”, as well as the sections under each act, which give bodies discretion to refuse to disclose information to an applicant if the disclosure could reasonably be expected to threaten an individual’s “safety or physical or mental health”, are identical (see PIPABC, s. 23(4)(a) and FOIPPA, s. 19).
As public education and awareness of privacy law increases, particularly with decisions as the BC Hydro decision, and such high profile incidents as the most recent Lifelabs cyber-ransom attack, individuals will become more aware that they have a right to privacy in something seemingly innocuous, and in many ways public (at least to some extent), as their name, and employers should be aware of this as well. Unless the employee’s name is requested to contact the employee at work, their name is entitled to privacy protection, much like other sensitive information, and should be treated as such.