[Dennis Harms / Theispot.com] Click here to see full sized version.

The Insurance Corporation of British Columbia (ICBC) is facing an audit after admitting that lawyers working for the Crown company obtained the insurance claims histories of jurors in at least three separate ICBC court cases. The audit will be conducted by the B.C. Information and Privacy Commissioner, David Loukidelis.

The ICBC recently admitted that one of its employees improperly obtained the claims histories of members of a jury, and now the company says there were two earlier instances of similar conduct. The ICBC says the disclosure of the information was absolutely wrong and has taken several steps to address the issue, in addition to asking for the audit.

The incident has set off alarm bells at the corporation, in the government, in the judiciary and at the Law Society of British Columbia as a seemingly egregious violation of the jurors’ privacy.

The case is strikingly different from other recent privacy breaches, of which there have been many in B.C. In an annual report last summer, Commissioner Loukidelis noted 96 investigations of privacy breaches, almost triple the number from three years earlier. Loukidelis said the constant theme of the breaches was employee error.

However, the ICBC cases go well beyond simple mistakes or carelessness. So far, they appear to involve conscious, deliberate attempts to violate jurors’ privacy to serve the corporation’s own ends.
The incident came to light on April 30, the fourth day of a civil trial. Victoria lawyer Kathleen Birney, who was hired by the ICBC to represent the defendants, informed Justice Malcolm Macaulay that a settlement had been reached. She went on to say that when the jury was picked, her office sent the jurors’ names to an ICBC adjuster and asked for information on their claims histories. Birney received information that one juror had an open claim with ICBC and another had a previous claim.

Macaulay demanded an explanation as to why the claim history of jurors was improperly disclosed during the two lawsuits. Macaulay said he was concerned about trial fairness, given that the plaintiff did not have the same information as the defence and the jury did not know defence had looked at their personal information. If the plaintiff had called for a mistrial, Macaulay said he likely would have granted one. He further stated that the B.C. Bar may need to consider whether changes to the rules are needed to ensure fairness to all parties.

The president and CEO of the ICBC has said that the actions taken by the defence counsel were contrary to the ICBC’s policy and code of ethics. The disclosures also violated the B.C. Freedom of Information and Protection of Privacy Act (FIPPA). There are certainly rules restricting who has access to the personal information stored in large government and quasi-government databases. However, as electronic information banks proliferate and search engines become more sophisticated, it’s becoming harder to guard against their improper use.

The threat clearly comes not only from information leaking outside the agency or accessed by government departments that don’t have a right to it, but from misuse by staff. Educating staff about the sanctity of private information, along with regular auditing, random checks and the threat of severe penalties to those who violate the rules help to protect people’s privacy.

As always, the principal deterrent is the risk of being caught. It’s just as easy to track and monitor access abuse as it is to abuse one’s access rights. Audit functions that can reveal who accessed what information and when are simple to build into databases.

Loukidelis’s audit of the insurance corporation’s data management is expected to be completed by mid-October. The audit will focus on court proceedings involving juries since the B.C. FIPPA was introduced.

Fazila Nurani is the president of PrivaTech Consulting. She is a privacy lawyer and information management consultant, as well as a certified information privacy professional. She advises organizations in a wide range of industries on privacy best practices, compliance with data protection laws and managing information security risks.