Interview with Jonathan Cocker
March 2005
Interviewee: Jonathan Cocker, Baker
& McKenzie, practice involves advising and representing
employers in the areas of labour law, employment law, and
related regulatory matters, including privacy law. Mr. Cocker
was admitted to practice law in Ontario in 1998.
By: Terry
McQuay, President of Nymity
Subject: Liability for privacy officers
Nymity: Do privacy officers have personal liability arising
out of their role?
Cocker: Yes, Privacy officers, along
with other directors, officers and employees of an organization
can be exposed to personal liability under both federal and
provincial privacy laws.
Nymity: When does personal liability arise?
Cocker: Personal liability arises where
individuals authorize or acquiesce in a violation of privacy
law. As the person charged with responsibility for an organization's
privacy compliance program, the Privacy Officer is particularly
vulnerable to findings of personal liability.
Nymity: Under what circumstance would a privacy officer be
found personally liable for actions and/or inaction associated
with his or her position?
Cocker: Prosecutions may be commenced
when organizations and/or individuals have been found to engage
in any of a number of acts of misconduct related to privacy
compliance. Examples include intentional destruction of records
to avoid access requests, using deception in an organization's
management practices, and reprisal against an individual for
exercising their rights under the privacy laws.
Nymity: When would a Commissioner or individual complainants
take action against a privacy officer personally?
Cocker: Privacy law is remedial, designed
to protect individuals against infringements by organizations
of their privacy rights. The privacy commissions will not
allow those who engage in privacy-related misconduct to hide
behind their organizations, where it is clear that individual
decision-making let to the violation. Individuals, particularly,
privacy officers, will be prosecuted under these laws.
Nymity: Are there other examples of Canadian legislation that
make officers personal liability?
Cocker: In Ontario alone, there are
144 statutes that permit company officers and directors to
be personally liable for the acts or omissions of the corporation.
A clear parallel can be drawn to health and safety legislation,
where individual can, and often are, prosecuted independent
of their company where it can be shown that they failed to
prevent a workplace accident or illness from occurring.
Nymity: If a privacy officer is prosecuted, what is their
defense?
Cocker: Due diligence. The privacy
officer, similar to the organization, must show that they
exercised due diligence in attempting to prevent privacy breaches
from occurring. At a minimum, due diligence would require
evidence of a proper set of privacy policies and proceedings,
an effective privacy compliance program, and rigorous oversight
by the privacy officer.
Nymity: What protections are available to privacy officers
in the event they are prosecuted personally for actions and/or
inaction arising out of their position?
Cocker: Privacy officers should protect
themselves in one of two ways. They should either obtain an
indemnity from their organizations or they should be covered
under an insurance policy similar to those that cover corporate
director and officer liability issues.
Nymity: In closing, do you recommend privacy officers take
one of the two steps you outlined above?
Cocker: In most instances, an indemnity
from the privacy officer's organization should suffice to
protect the individual in the event that they are forced to
defend themselves in a privacy prosecution.
|
