Privacy law update: Court of Appeal
opens the door to invasion of
In an environment where sensitive personal information can be accessed easily, such as in a hospital, invasion of privacy is a concern for employers, employees and the public. The amount of personal information available within the hospital setting, whether about patients, employees or general members of the public, is vast. While health care professionals, hospital employees and volunteers require personal health information, contact details and insurance to be at their fingertips in order to provide a high standard of patient care, it is essential that such information be handled with the utmost care. To do otherwise puts both the hospital and the individual accessing the information at risk of an invasion of privacy claim.
The regulation of privacy is not new in Canada. Several provinces already have legislation which recognizes invasion of privacy. In Ontario, within the health care sector, the Personal Health Information Protection Act, 2004 (PHIPA) governs the collection, use and disclosure of personal health information, and applies to health information custodians and/or their agents. However, there are situations, such as conduct occurring between private individuals or where individuals are acting outside the scope of their employment, which may not be captured by PHIPA. Furthermore, damages under PHIPA are limited.
In the recent decision of Jones v. Tsige, 2012 ONCA 32, the Court of Appeal for Ontario (the highest court in the province) recognized a new cause of action: invasion of privacy, or intrusion upon seclusion. Ms. Jones and Ms. Tsige were both employees of a bank, however, they did not know each other. Ms. Jones was also a client of the bank, where she did all of her personal banking. The bank found that Ms. Tsige had accessed and reviewed Ms. Jones’ personal banking records 174 times over a four year period. When asked for an explanation, Ms. Tsige said that she had reviewed the banking records to determine whether Ms. Jones’ ex-husband (who was Ms. Tsige’s common-law partner) was paying child support. The bank disciplined Ms. Tsige for her misconduct. While the discipline addressed Ms. Tsige’s misconduct within her employment, it did not address the wrong she had done to Ms. Jones.
Ms. Jones sued Ms. Tsige for invasion of privacy. After being denied her claim at the trial level, Ms. Jones appealed to the Court of Appeal. The Court of Appeal determined that the existing legislation, the Personal Information Protection and Electronic Documents Act, 2000 (PIPEDA), could not provide an adequate remedy for three reasons:
1. PIPEDA only applies to organizations, rather than individuals, requiring Ms. Jones to bring a complaint against her employer, the bank, instead of Ms. Tsige;
2. The bank could defend any complaint under PIPEDA by arguing that Ms. Tsige was not acting in the course of her employment duties; and
3. Damages are not available under PIPEDA.
All of these factors led the Court to find that there was a need for a common law remedy for invasion of privacy. Ms. Jones was awarded $10,000 in damages, without needing to prove that the invasion of her privacy caused a monetary loss. The Court made it clear that a claim for invasion of privacy will not be common. Claims will arise only for deliberate and significant invasions of personal privacy, thereby excluding claims from overly sensitive individuals or those unusually concerned about their privacy. Only intrusions into matters such as one’s financial or health records, sexual practices and orientation, employment, diary or private correspondence will give rise to a claim. The Court deemed damages to be capped at $20,000 in the majority of cases.
An individual, the plaintiff, making a claim for the tort of invasion of privacy must prove that:
1. The defendant’s conduct was intentional or reckless;
2. The defendant invaded, without lawful justification, the plaintiff’s private affairs or concerns; and
3. A reasonable person would regard the invasion as highly offensive causing distress, humiliation or anguish.
Whereas PHIPA only applies to personal health information, an invasion of privacy claim may be made with respect to health information or any other personal information. For example, an employee of a hospital who accesses another employee’s personal health, employment or other records without legitimate reason could be found in breach of privacy. This conduct could give rise to a claim not only against the individual employee who accessed the information, but also against the hospital, depending on the circumstances.
It remains to be seen how PHIPA and the new common law tort of invasion of privacy will co-exist. The Court did not specify whether individuals will have to use the statutory remedy (i.e. PHIPA) where one exists. It appears that in some circumstances, individuals making invasion of privacy claims will have a choice between making a claim under PHIPA on the one hand, and initiating litigation, on the other. What is clear is that hospitals, and individuals involved in providing health care, must exercise extreme care in handling sensitive personal information in order to protect themselves from claims of invasion of privacy.