Charities and not-for-profits often publish privacy policies on their websites as a way to inform the
public of their practices regarding the handling of personal information. It is important that charities and
not-for-profits properly implement their privacy policies and ensure that all individuals within the
organization are familiar with the privacy policy, in order to avoid the exposure to liability, as was the
case in Albayate v Bank of Montreal (“Albayate”).
In this case, the Bank of Montreal (the “Bank”) changed Ms. Albayate’s address without her consent,
which resulted in letters being mistakenly sent to her ex-husband, as well as inaccurately reported Ms.
Albayate’s address to two credit reporting agencies. Although the British Columbia Supreme Court did
not accept all of Ms. Albayate’s claims, the Court did conclude that the Bank breached Ms. Albayate’s
privacy rights under British Columbia’s Privacy Act when it released her information to the credit
bureaus, and also breached its privacy policy, which formed part of the contract between Ms. Albayate
and the Bank.
Although Ms. Albayate was unable to prove any damages, the Court awarded her nominal compensation
in the amount of $2000, which was based on case law before the Court in which compensation had been awarded for breach of privacy or contract where applicants had not established they suffered a pecuniary
loss. It is important to note that the case law also established that such awards can often be much
greater, in some cases up to $20,000, despite the ability to prove any damages.
Prior to advancing the current claims, Ms. Albayate had filed two complaints, based on the current facts,
with the Office of the Privacy Commissioner of Canada. In each case, the Privacy Commissioner
conducted a complaint review. It determined that in the first complaint the Bank had contravened the
principles of PIPEDA related to collecting personal information and that the second complaint was wellfounded and the issue had been sufficiently resolved.
Although this case relied upon British Columbia’s Privacy Act, for jurisdictions in Canada which have
not adopted a cause of action by statute for breach of privacy, some provincial jurisdictions provide
recourse at the common law for a cause of action concerning breach of privacy. For example, in Ontario,
the Court of Appeal recently recognized a cause of action identified as “intrusion upon seclusion” (for
more information on this newly recognized tort, see Charity Law Bulletin No. 277).
Despite the relatively low damage award in this case, charities and not-for-profits should be aware that
breaching an individual’s privacy can result in various causes of action, complaints to the Office of the
Privacy Commissioner of Canada, loss of reputation to the organization, and legal costs. As Albayate
illustrates, simply enacting a privacy policy without allocating sufficient resources to properly
implement the privacy policy will render it meaningless and may expose charities and not-for-profits to
the sanctions and penalties available under various laws. Accordingly, charities and not-for-profits
should take steps to appropriately implement the terms of their privacy policies at the operational level,
and ensure that employees, staff and volunteers know how to recognize potential privacy issues.
Bank Required to Pay Nominal Damages for Breaching its Privacy Policy
By Sepal Bonni
Published on
