Sepideh Alavi writes:
Many organizations publish a privacy policy as a means of prescribed disclosures and obtaining required informed consent to their personal information practices (e.g. how the organization collects, uses, discloses and corrects personal information). Under Canadian law, an organization is required to protect personal information in the organization’s possession or control by using security safeguards appropriate to the sensitivity of the information, and remaining responsible for personal information that the organization discloses to third parties.
It is important that all organizations and their employees be familiar with its privacy policies and implement them accordingly. Otherwise, the organization may be exposed to claims, such as in the case of Albayate v. Bank of Montreal, 2015 BCSC 69.
Read more on Borden Ladner Gervais The Law of Privacy in Canada.