Вы находитесь на странице: 1из 26

New

Tort of Intrusion
Upon Seclusion and
Electronic Health
Records

Prepared and Presented by Omar Ha-Redeye

Contents
Part 1 - Introduction .................................................................................................................................... 2
Part 2 Overview of Jones v. Tsige .............................................................................................................. 4
Part 3 Sensitive Information and Anonymization ..................................................................................... 9
Special Treatment of Information (STIs) .................................................................................................. 9
Anonymization of Health Information ................................................................................................... 12
Part 4 Employment Law and Vicarious Liability ...................................................................................... 14
Part 5 Implication of Class Proceedings .................................................................................................. 16
A Survey of Types of Intrusions Possible ................................................................................................ 16
Class Action Intrusions The Next Stage of Privacy Protections ........................................................... 18
The Health Records Class Actions .......................................................................................................... 21
Part 6 - Conclusions ................................................................................................................................... 23
Appendix A: Ontario damage awards ........................................................................................................ 24
Appendix B: Damage awards under provincial privacy legislation ............................................................ 25

1 of 24

New Tort of Intrusion Upon Seclusion and


Electronic Health Records

Omar Ha-Redeye*
Part 1 - Introduction
Justice Binnie stated in R. v. Tessling1 at para 25, Privacy is a protean concept, and the
difficult issue is where the reasonableness line should be drawn. The concept of
reasonableness in privacy is one that has evolved considerably over time, but has become one of
paramount importance in the era of technology and digital records. At the core of this notion of
privacy are the rights to be free from intrusive searches or surveillance and the right to bodily
integrity.2 Whereas historically the state or third-parties were limited in their ability to search
health facilities or observe the provision of health services, the digital era has allowed for the
access of sensitive and confidential far more easily than in the past. The importance of
preserving the privacy of patients in the modern era is directly related to the concept of patient
dignity, but it is also a concept that allows for broader societal benefits including research and
public health activities.3 Without properly protecting patient privacy, individuals would be far
less likely to participate in the health care system. They may withhold important information
from health services providers, resulting in inaccurate or incomplete diagnoses, and could result
in delays in proper treatment. In a publicly-funded health care system, this apprehension over

* AAS,

BHA (Hons.), PGCert, J.D., LLM(c),CNMT, RT(N)(ARRT). Special thanks to Lester Tong and Farrah Rajan for
their assistance.
1

[2004] 3 SCR 432.


Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research, Institute of
Medicine (US) Committee on Health Research and the Privacy of Health Information: The HIPAA Privacy Rule;
Nass SJ, Levit LA, Gostin LO, editors. Washington (DC): National Academies Press (US); 2009, available at:
http://www.ncbi.nlm.nih.gov/books/NBK9579/
3
Ibid.
2

2 of 24

confidentiality could affect tax payers a significant amount of money which could otherwise be
spent on preventative health and health research.
The importance of privacy today is not something that has been entirely ignored by
legislatures or Canadian Parliament, and a number of statutes exist across Canada that provides
some protection. Federally, the Privacy Act4 governs how personal information is handled by
government departments and agencies, whereas the Personal Information Protection and
Electronic Documents Act (PIPEDA)5 governs how federal private-sector organizations collect,
use, and disclose personal information through their commercial activities. Provincially,
Alberta,6 British Columbia7 and Quebec,8 all have private-sector statutes which are deemed
substantially similar to PIPEDA, meaning the provincial statutes take precedence. PIPEDA will
still apply where a province has passed privacy legislation which is not deemed substantially
similar to PIPEDA.9 Additionally, several provinces have passed privacy legislation specifically
focusing on the health sector, in particular in Ontario,10 New Brunswick11 and Newfoundland
and Labrador.12 This complex statutory scheme reflects the economic and policy priorities of
governments across Canada, but provides limited recourse for civil remedies by an individual
against other individuals for violations of privacy.13 Whereas an employer can be governed by
PIPEDA, the statute does not allow for a complaint directly against an employee and does not

SC 1985, c P-21.
SC 2000, c 5.
6
Personal Information Protection Act, SA 2003, c P-6.5.
7
Personal Information Protection Act, SBC 2003, c 63.
8
An Act respecting the Protection of Personal Information in the Private Sector, CQLR c P-39.1.
9
Office of the Privacy Commissioner of Canada, Privacy Legislation in Canada, May 2014, available at:
https://www.priv.gc.ca/resource/fs-fi/02_05_d_15_e.asp
10
Personal Health Information Protection Act, 2004, SO 2004, c 3, Sch A [PHIPA].
11
Personal Health Information Privacy and Access Act, SNB 2009, c P-7.05.
12
Personal Health Information Act, SNL 2008, c P-7.01.
13
Jones v. Tsige, 2012 ONCA 32 at paras 47, 50-51 [Jones].
5

3 of 24

provide damages as a result of these complaints.14 In British Columbia,15 Manitoba,16


Saskatchewan17 and Newfoundland,18 private privacy acts have been enacted which create a
limited right of action. All of these jurisdictions except Manitoba require willful and unlawful
actions, and is subject to reasonableness of the circumstances.19 The absence of such a statute led
on the Ontario Court of Appeal to create a similar cause of action in Ontario for a private tort of
intrusion upon seclusion in the 2012 case of Jones v. Tsige.20 This paper explores the
implication of this new private tort in the context of medical records.

Part 2 Overview of Jones v. Tsige



Jones is considered one of the most interesting changes to the common law in recent
years.21 The following summary of the case in Jones is modified from a post shortly after the
decision was released.22
The action arose between two employees in a bank who did not know or work with each
other. The plaintiff had a common law relationship with the former husband of the defendant,
and the defendant acknowledged looking at the plaintiffs bank information without just cause or
reason on multiple occasions. The plaintiff claimed $70,000 for invasion of privacy and breach
of fiduciary duty, and punitive damages of $20,000. The plaintiff moved for summary judgment,
but the action was dismissed when the defendant was successful on the motion in claiming that

14

Ibid. at para 50.


Privacy Act, RSBC 1996, c 373.
16
The Privacy Act, CCSM c P125.
17
The Privacy Act, RSS 1978, c P-24.
18
Privacy Act, RSNL 1990, c P-22
19
Jones, supra note 13, at para 52.
20
Ibid.
21
Tony Drake and Fidelia Ho, The Year in Review 2012, University of Toronto Faculty of Law Review, 2013,
71:2, 113165, at para 5.
22
Omar Ha-Redeye, Tort of Invasion of Privacy in Ontario, Slaw, January 18, 2012, available at:
http://www.slaw.ca/2012/01/18/tort-of-invasion-of-privacy-in-ontario/
15

4 of 24

there was no tort for breach of privacy in Ontario. The Court of Appeal reversed the decision in
part and awarded $10,000, recognizing a right of action for intrusion upon seclusion to reflect the
changing needs of society.
Justice Sharpe wrote for the court, and accepted the proposition by William L. Prosser in
his 196023 that the common law actually developed four different types of related torts for breach
of privacy:
1.
2.
3.

4.

Intrusion upon the plaintiffs seclusion or solitude, or into his private affairs.
Public disclosure of embarrassing private facts about the plaintiff.
Publicity which places the plaintiff in a false light in the public eye.
Appropriation, for the defendants advantage, of the plaintiffs name or likeness

Justice Sharpe determined that this case fell into the first category and restricted commentary on
this cause to avoid deciding on issues beyond the facts before the court. After reviewing the case
law on the subject, he concluded that Ontario courts were not far from recognizing a common
law right to privacy and had been moving in that direction for some time. In particular, he
considered Euteneier v. Lee,24 which was relied upon heavily by the motions judge. Any
references to privacy interests by the plaintiff in Euteneier were particulars of other causes of
actions or consequences of the actions by the defendant, and for that reason it was considered an
error to treat those allegations as causes of action that could stand alone. Justice Sharpe also
discussed s. 8 Charter rights and identified three distinct privacy interests:
1.
2.
3.

personal privacy
territorial privacy
informational privacy


23
24

William L. Prosser, Privacy, California Law Review, 1960 48:3.


Euteneier v. Lee, 2005 CanLII 33024 (ON CA), available at: http://canlii.ca/t/1lm3d

5 of 24

Although the Charter would not necessarily apply to actions between private parties, Justice
Sharpe referenced a McGill law review article25 and stated that it was consistent to develop the
common law to reflect Charter values.
Finally, the court reviewed privacy legislation such as the PIPEDA, the PHIPA,
the Freedom of Information and Protection of Privacy Act (FIPPA),26 the Municipal Freedom of
Information and Protection of Privacy Act (MFIPPA),27 the Consumer Reporting Act,28 and
privacy law and legislation in other jurisdictions. The discussion about the pace of technology
and the needs of the law to keep up with change was worth highlighting,
[67] For over one hundred years, technological change has motivated the legal protection of the
individuals right to privacy. In modern times, the pace of technological change has accelerated
exponentially. Legal scholars such as Peter Burns have written of the pressing need to preserve privacy
which is being threatened by science and technology to the point of surrender: The Law and Privacy: the
Canadian Experience at p. 1. See also Alan Westin, Privacy and Freedom (New York: Atheneum, 1967).
The internet and digital technology have brought an enormous change in the way we communicate
and in our capacity to capture, store and retrieve information. As the facts of this case indicate,
routinely kept electronic data bases render our most personal financial information vulnerable. Sensitive
information as to our health is similarly available, as are records of the books we have borrowed or
bought, the movies we have rented or downloaded, where we have shopped, where we have travelled, and
the nature of our communications by cell phone, e-mail or text message.
[68] It is within the capacity of the common law to evolve to respond to the problem posed by the routine
collection and aggregation of highly personal information that is readily accessible in electronic form.
Technological change poses a novel threat to a right of privacy that has been protected for hundreds
of years by the common law under various guises and that, since 1982 and the Charter, has been
recognized as a right that is integral to our social and political order.
[emphasis added]

In developing the elements of the new tort, the court adopted the wording of the
American Restatement29 652B to define intrusion of seclusion, which was itself imported from
Prosser,

25

John D.R. Craig, "Invasion of Privacy and Charter Values: The Common-Law Tort Awakens" (1997), 42 McGill
LJ 355.
26
RSO 1990, c F.31.
27
RSO 1990, c M.56.
28
RSO 1990, c C.33.
29
The American Law Institute, Restatement of the Law, Second, Torts, 652, 1977, available at:
http://cyber.law.harvard.edu/privacy/Privacy_R2d_Torts_Sections.htm

6 of 24

One who intentionally intrudes, physically or otherwise, upon the seclusion of another or his private affairs
or concerns, is subject to liability to the other for invasion of his privacy, if the invasion would be highly
offensive to a reasonable person.

The court also referenced the comments to the Restatement to emphasize that non-physical forms
of investigation were also included,
Comments:
a. The form of invasion of privacy covered by this Section does not depend upon any publicity given to the
person whose interest is invaded or to his affairs. It consists solely of an intentional interference with his
interest in solitude or seclusion, either as to his person or as to his private affairs or concerns, of a kind that
would be highly offensive to a reasonable man.
b. The invasion may be by physical intrusion into a place in which the plaintiff has secluded himself, as
when the defendant forces his way into the plaintiffs room in a hotel or insists over the plaintiffs objection
in entering his home. It may also be by the use of the defendants senses, with or without mechanical aids,
to oversee or overhear the plaintiffs private affairs, as by looking into his upstairs windows with binoculars
or tapping his telephone wires. It may be by some other form of investigation or examination into his
private concerns, as by opening his private and personal mail, searching his safe or his wallet, examining
his private bank account, or compelling him by a forged court order to permit an inspection of his personal
documents. The intrusion itself makes the defendant subject to liability, even though there is no publication
or other use of any kind of the photograph or information outlined.

The court lay out the elements of this cause of action:


1.
2.
3.

the defendants conduct must be intentional, including recklessness;


the defendant must have invaded, without lawful justification, the plaintiffs private affairs or concerns; and,
a reasonable person would regard the invasion as highly offensive causing distress, humiliation or anguish.

To ensure that intrusion of seclusion was not applied to broadly, the court defined the type of
privacy interests that would be affected:

financial or health records


sexual practices and orientation
employment
diary or private correspondence that could be reasonably considered highly offensive

The court also noted that protections of freedom of expression and freedom of the press could
provide valid defences where communication of facts are in the public interest.
In assessing damages, the court noted that harm to an economic interest would not be
required for this cause of action, but the court noted that because of the intangible interest being

7 of 24

protected here that any damages would be modest. The court provided a helpful table of damages
related to privacy interests in Ontario.30


30

This table has been included as Appendix A and B as laid out by the court.

8 of 24

Part 3 Sensitive Information and Anonymization


Special Treatment of Information (STIs)
Although medical issues in their entirety are of special privacy interest, there are some
health issues even more sensitive than others. Sexually Transmitted Infections (STIs) are a
highly stigmatized medical condition, independent of perceived seriousness. STIs attract privacy
concerns as they relate to two of the different types of privacy interests protected by the court in
Jones, both health records and of sexual practices. Of greater concern is the finding that stigma
around STIs operate as a distinct barrier to receiving treatment.31 Out of all STIs, HIV is
generally perceived to be the one with the greatest stigma attached.32
The perception and sensitivities in Canadian law around HIV have shifted dramatically
over the years. In the 1998 decision of R. v. Cuerrier,33 the Supreme Court of Canada held that if
a person knowingly exposes others to HIV through unprotected sex without disclosure it could
be constituted as assault or sexual assault vitiated by fraud under s. 265(3)(c) of the Criminal
Code. Justice Cory stated,
142 Where public health endeavours fail to provide adequate protection to individuals like the
complainants, the criminal law can be effective. It provides a needed measure of protection in the form of
deterrence and reflects societys abhorrence of the self-centered recklessness and the callous insensitivity of
the actions of the respondent and those who have acted in a similar manner. The risk of infection and death
of partners of HIV-positive individuals is a cruel and ever present reality. Indeed the potentially fatal
consequences are far more invidious and graver than many other actions prohibited by the Criminal
Code. The risks of infection are so devastating that there is a real and urgent need to provide a measure of
protection for those in the position of the complainants. If ever there was a place for the deterrence
provided by criminal sanctions it is present in these circumstances. It may well have the desired effect of
ensuring that there is disclosure of the risk and that appropriate precautions are taken.


31

Fortenberry et al., Relationships of Stigma and Shame to Gonorrhea and HIV Screening , Am J Public Health,
2002 March; 92(3): 378381.
32
Bronwen Lichtenstein, Neal Tess, The Stigma of Sexually Transmitted Infections: Knowledge, Attitudes, and
Educationally-Based Interventions, The Health Education Monograph Series, 2008, 25:2.
33
[1998] 2 SCR 371 [Cuerrier].

9 of 24

The Ontario Superior Court of Justice in applying these principles in R. v. Aziga34 emphasized
the traumatic nature of non-disclosure of HIV status.35 This position shifted in 2012 with R. v.
Mabior,36 given that the risk of HIV transmission was lowered with the advent of highly
effective antiretroviral drugs. When combined with consistent condom use, HIV status does not
necessarily pose a significant risk of serious bodily harm as there is a less realistic possibility
of transmission. However, the court in Aziga heard evidence that the susceptibility to trauma
varies between individuals, and may exist independently of the actual risk of transmission.37
Instead, the trauma appears to be related to the perception that a person close to them have not
been fully forthcoming and has betrayed their trust.38 Where this disclosure is made to a sexual
partner or becomes available to them through a third-party, the detrimental effect on the
relationship and the perceived invasion is likely to be significant. As cultural and societal views
around HIV continue to evolve, this may or may not be perceived by a court to be as
stigmatizing as it has in the past.
The Mabior decision has been criticized by those who perceive HIV-positive individuals
as a vulnerable and marginalized group who indicate that the additional requirement that a
barrier be used, even when the viral load is negligible. The Supreme Court actually made the
requirement that both components, low viral load and use of a condom, more stringent than the
lower court, which conceded that either measure would be sufficient in mitigating the risk of
transmission. These advocates on behalf of HIV-positive individuals suggest that any forced


34

2011 ONSC 4592 [Aziga].


Ibid. at paras 31-33.
36
[2012] 2 SCR 584 [Mabior].
37
Aziga, supra note 34 at para 34.
38
Ibid. at paras 33, 126.
35

10 of 24

disclosure will actually result in discouraging active testing.39 Other critics on behalf of sexual
assault complainants suggest that any risk of HIV transmission, given the potential to threaten
life, should always require informed consent. They emphasize that the majority of complainants
in such case indicate they would not have consented to sexual relations had this information been
provided. The requirement for additional safeguards such as condoms reflect an appropriate and
responsible risk reduction strategy.40 Both of these camps highlight the particular sensitivities
around HIV status which health care practitioners and medical facilities may have access to, and
the perceived intrusion that disclosure may present for the patient.
The court in Jones clearly indicate at para 72 that disclosures of health information could
qualify as a violation of privacy. Disclosure of bank records, even around sensitive financial
information, would appear to normally attract the same type of stigma or privacy protections as
STIs. The basis for the tort of intrusion upon seclusion need not demonstrate actual harm, simply
distress, humiliation, or anguish.41 As many individuals do not necessarily disclose their HIV
status to family members or friends, and do not appear to be even required to disclose by law to
their sexual partners, such violation would appear to qualify requirements set out by the court.
However, there may be some circumstances where such disclosure would not fit in to the
definition of invasion, but this would have to be fully explored by the court.42 Where such
disclosure is required by law it would not fit the requirements of the tort, namely without lawful
justification. Anonmyzation of STI status, which is routinely done for public health tracking


39

Don Stuart, Vagueness, Inconsistency and Less Respect for Charter Rights of Accused at the Supreme Court in
2012-2013, The Supreme Court Law Review, Part VI: Criminal Law, Procedure and Evidence (2013), 63 S.C.L.R.
(2d) 441 459 at para 3.
40
Ibid. at para 4.
41
Jones, supra note 13, at para 89.
42
Lang, Rene. Ontario Court of Appeal recognizes new privacy tort. HIV/AIDS Policy and Law Review Vol.16,
No.1 (2012) at para 8.

11 of 24

purposes without identifying the individual involved, would also appear to be a proper
disclosure.
Anonymization of Health Information
One of the best ways to protect the privacy interests in health information is through the
anonymization of data, by removing personal identifiers in information which would prevent the
ability of locating which specific individual this information is derived from. Anonymization is
an important practice consistently employed in the health sector, in particular in public health
practices and research. However, simply because the names have been removed from medical
information does not necessarily mean that a patients privacy interest is removed entirely. The
new analysis under Jones considers the invasion of privacy as harmful in itself, instead of the
previous regime which looked exclusively to the harassment created by the invasion. Therefore,
the proper question for whether a privacy interest exists is whether it could create for the patient
distress, humiliation, or anguish from knowing that this information has been disclosed to
others. An important consideration in this would be how easily it is to access original source
data, or to re-identify individuals based on anonymized data.43 Data sets that appear to be
anonymized, often by simply removing a patients name, may still contain other information
such as phone number, address, or demographic information, which may still allow for
individuals to be identified. More complicated is metadata and geolocation of information, which
can often be hidden in files, but can still be used for the purposes of identification.


43

Gibson, Elain. Health Law in the 21st Century: Is There a Privacy Interest in Anonymized Personal Health
Information? Health Law Journal (2003). 97-112.

12 of 24

Best practices in medical research make efforts to strip data of all of this additional
information as well, through true anonymization is still difficult to achieve.44 Where this is not
done, it may meet the reckless component of the test for intrusion upon seclusion. Yet,
different conceptions of anonymity provide some uncertainty as to how the intrusion upon
seclusion will treat it. Non-research applications of such data include use by pharmaceutical
companies for targeted physician marketing, genetic mapping, and other miscellaneous for-profit
ventures.45 Anonymized data still leaves patients alone, in that it is not readily linked back to the
individual, and although there may be a commercial advantage, this advantage is not based on
the likeness of the person in particular.46 In contrast, a patient may feel as if their solitude is
violated even if their information is anonymized, as the disclosure occurs without their consent.47
The subjective nature of this privacy experience appears can be differentiated from the Supreme
Courts comment in Mustapha v. Culligan,48
[9]
This said, psychological disturbance that rises to the level of personal injury must be distinguished
from psychological upset. Personal injury at law connotes serious trauma or illness: see Hinz v. Berry,
[1970] 2 Q.B. 40 (C.A.), at p. 42; Page v. Smith, at p. 189; Linden and Feldthusen, at pp. 425-27. The law
does not recognize upset, disgust, anxiety, agitation or other mental states that fall short of injury. I would
not purport to define compensable injury exhaustively, except to say that it must be serious and prolonged
and rise above the ordinary annoyances, anxieties and fears that people living in society routinely, if
sometimes reluctantly, accept. The need to accept such upsets rather than seek redress in tort is what I take
the Court of Appeal to be expressing in its quote from Vanek v. Great Atlantic & Pacific Co. of
Canada (1999), 48 O.R. (3d) 228 (C.A.): Life goes on (para. 60). Quite simply, minor and transient
upsets do not constitute personal injury, and hence do not amount to damage.

Rather than focusing on the damage that occurs from a plaintiffs actions to quantify damages,
intrusion upon seclusion provides damages simply because the intrusion occurs. How an
intrusion is defined is still uncertain. The American Restatement appears to require concerns

44

Clete A. Kushida et al., Strategies for De-identification and Anonymization of Electronic Health Record Data for
Use in Multicenter Research Studies, 2012, Medical Care, 50:S82-S101
45
Gibson, supra note 43, at para 23.
46
Ibid. at paras 25-26.
47
Ibid. at paras 27-28.
48
[2008] 2 SCR 114.

13 of 24

which are secluded in order to attract liability, meaning public affairs and information in the
public domain would appear not to be protected. Despite adopting the Restatement into the tort,
Justice Sharpe did not reiterate the seclusion requirement, and simply focuses on private affairs
or concerns which are intruded upon.49 This omission may have been deliberate, and could lead
to a different application of this tort in Canada than in the U.S. The appropriate scope of what is
considered to be an intrusion will continue to be explored in the years to come.

Part 4 Employment Law and Vicarious Liability


Absent specific legislation or common law principles, employers in the non-unionized
environment are allowed to collect and use information about their employees. Courts have
generally recognized an employers right to know what transpires in the workplace and control
it, including some limited use of surveillance. However, there has been growing jurisprudence
recognizing that employees even in these contexts have some privacy interests against their
employer.50 The new tort of intrusion upon seclusion may potentially be used by an employee
against and employer for a violation of privacy, but this is likely to only be observed in particular
egregious situations where the conduct is reasonably considered highly offensive.51
Of greater concern to employers is where an employer incurs vicarious liability for the
actions of its employees. Where an employee commits an action in the course of their
employment the employer can be held liable, including for the use of Internet and e-mail use,


49

Chris DL Hunt, Privacy in the Common Law: A Critical Appraisal of the Ontario Court of Appeal's Decision in
Jones v. Tsige, 2012, Queen's Law Journal, 665 695, at paras 14-15.
50
Charles Morgan, Employer Monitoring Employee Electronic Mail and Internet Use. McGill Law Journal
Vol.44 (1999). 849-902.
51
Pnina Alon-Shenker & Guy Davidov, Applying the Principle of Proportionality in Employment and Labour Law
Contexts, 2013 McGill Law Journal 59(2):375-423 at para 27.

14 of 24

posting or downloading illegal material, or accessing private information.52 The court in Jones
did not explicitly discuss vicarious liability, but analyzed the employees actions at para 50 in the
context of a PIPEDA claim. Justice Sharpe could not find PIPEDA because the employee acted
explicitly against the employers policies and instructions and was acting as a rogue employee.
Although intrusion upon seclusion has emerged in Ontario in the context of a statutory regime
which focused on employer conduct and provided inadequate recourse against an employee, this
does not mean that the new tort could not be used against the employer itself directly. Rahool P.
Agarwal and Pamela Sidey state,53
As a general matter, however, the Supreme Courts decision in Bazley v. Curry54 makes clear that
employers can be held responsible for a broad range of their employees activities, including intentional
wrongful conduct that is outside of the scope of their employment. The central holding in Bazley was that
vicarious liability will be imposed on an employer for the wrongful conduct of an employee where a nexus
exists between the wrongful act and the risk created by the employers enterprise. In the context of the tort
of invasion of privacy, the Bazley test creates a serious risk of liability that is significant for corporate
employers who, as part of their business, hold large volumes of personal information. Their employees
have regular and ready access to that information, and could feel compelled or encouraged to abuse their
access to advance the companys business objectives.


An example of how this apply could be the seminal privacy case of R v Dyment,55 where a
physician obtained a blood sample from an unconscious person for emergency purposes without
the patients knowledge or consent. The physician discovered from this blood sample that
alcohol and medications were present in the blood, and this information was mentioned to law
enforcement and used to convict the patient for driving under the influence under s. 237(2) of
the Criminal Code. Although the Courts focus was on the s. 8 privacy interests against the
police, the physicians actions today could attract liability in tort for the hospital as well. Had the
information been conveyed to law enforcement in writing, or if the physician had passed on the
lab reports instead of simply mentioning it to the police, this form of communication could not

52

Morgan, supra note 50 at para 124.


Rahool P Agarwal & Pamela Sidey, "Jones v. Tsige: Ontario Court of Appeal Recognizes Tort for the Invasion of
Privacy," 2012, Commercial Litigation and Arbitration Review, 1(2):17 at 21.
54
Bazley v. Curry, [1999] SCJ No 35, [1999] 2 SCR 534 at para 37.
55
[1988] 2 SCR 417, 73 Nfld & PEIR 13 [Dyment].
53

15 of 24

only provide more substantial evidence of the patients activities prior to admission, but could
constitute an even greater violation of privacy. If employees are required to provide such
information by law enforcement, through use of warrant, this would provide the necessarily legal
justification to avoid liability. Following Dyment, law enforcement will typically seek such
warrants regardless to avoid an acquittal on the basis of an unreasonable search and seizure.
Employers should attempt to shield themselves from liability for privacy intrusions by creating
strong workplace policies over how medical records and information should be handled, institute
a system of safety checks and balances, and ensure that all employees receive training on how to
respect patient privacy.

Part 5 Implication of Class Proceedings


A Survey of Types of Intrusions Possible
The modest quantum of damages awarded by the court in Jones has minimized the
perceived risk for many health institutions, even when vicarious liability is a concern. The
situation is different with class actions, where an aggregate number of plaintiffs, each seeking
relatively low amounts of damages, collectively make a suit for a significant amount. There are a
variety of ways in which this type of operational threat can occur which can be illustrated by preJones jurisprudence.56

In Cole v. Prairie Centre Credit Union Ltd.,57 the Saskatchewan Queens Bench
considered an application to certify a class of individuals who communicated
confidential information that was disposed in a landfill. The plaintiffs alleged


56

Wendy Matheson, Patrick Flaherty & Krista Stout, "Privacy Class Actions Are Here, But Do We Need Them?",
2011 Canadian Privacy Law Review 8(2) at 13-20.
57
2007 SKQB 330.

16 of 24

emotional distress and economic loss as a result of the disclosure. Ultimately the class
was not certified, but the case illustrates the types of issues raised during the disposal
of medical records, which also contain sensitive medical information and can create
similar types of distress. The new tort may make such applications more feasible and
in fact a preferable means to proceed with class litigation.

In Jackson v. Canada,58 an employee of a correctional facility discovered that an


internal document which listed employees and provided their address had made its
way to the prison population, who circulated it amongst their members. When it was
discovered, the list had certain names and addresses highlighted. The employee
advanced a number of claims, including negligence, breach of statutory duty, privacy
rights, fiduciary duty, and s. 7 rights under the Charter. In considering the privacy
claim on a motion to strike the pleadings, Justice Charbonneau stated,59
Paragraphs in a statement of claim should not be struck simply because they allege a
cause of action which is novel. Here the rights being asserted are rights which are
presently undergoing rapid evolution in the law of torts. It would not be fair to strike such
claims at the pleading stage unless the law is utterly clear. Otherwise, the court would
prevent useful evolution in the law. The law is not finally settled in this area.

Given the established cause of action created in Jones, and the fact that its application
will continue to evolve in Ontario, these types of privacy claims are now even less
likely to be struck at the motion level.

A class action was launched in Quebec when personal information saved on a


portable computer disc drive was lost by a bank employee when travelling between
Montreal and Markham, Ontario in 2006.60 Health professionals are increasingly
mobile and providing services in home and in the community, and medical


58

[2005] O.J. No. 2691 (ON SC); revd in part [2006] O.J. No. 3737 (ON CA).
Ibid. (ONSC) at para 6.
60
Bordoff v. Gestion d'actifs CIBC inc./CIBC Asset Management Inc., [2010] Q.J. No. 10334.
59

17 of 24

information and documents are routinely stored electronically. Misplacing a device


storing this information could be a significant grounds for liability.

Even where information is not misplaced, inadequate security measures on a server


may result in a liable privacy breach. In 2006, hackers accessed computer systems in
the U.S. which contained the personal information of over 300 Canadians, including
drivers license and addresses.61 Part of the settlement proposal agreed to by the court
included credit monitoring and identity theft insurance provided by the defendants,
addressing or at least mitigating some of the harm created by the breach. Where the
information disclosed is health, and not financial, creative remedies of this type may
more challenging.

Class Action Intrusions The Next Stage of Privacy Protections


Ontario became the first common law jurisdiction in Canada in 1992 to enact class
proceedings.62 The majority of the litigation in these class proceedings centers around
certification, where a representative class and common issues are identified. Where a
certification motion is lost, most cases fail to proceed further, meaning this threshold is typically
where both sides expend the majority of their resources.63 The application of the intrusion upon
seclusion tort to class actions is not entirely theoretical. In the short time following the decision,
there have already been actions commenced on this basis this year. The first is Condon v.
Canada,64 dealing with compensation for the loss of an external hard drive containing the
information of 583,000 Canadian Student Loan Program participants. The causes of action listed

61

Wong v. TJX Companies, Inc., 2008 CanLII 3421 (ON SC).


See Class Proceedings Act, SO 1992.
63
Jon J. Foreman & Genevieve Meisenheimer, The Evolution of the Class Action in Ontario, 2014, Western
Journal of Legal Studies, 4(2) at 2-3.
64
[2013] F.C.J. No. 1402; [2014] F.C.J. No. 297.
62

18 of 24

include breach of contract and warranty; commission of the tort of intrusion upon seclusion
(invasion of privacy); c) negligence; d) breach of confidence; and e) violation of Quebec law.
The defendants unsuccessfully opposed the inclusion of intrusion upon seclusion on the
certification motion, claiming there was no invasion of private affairs without justification, and
the base biographical information contained in this hard drive could not create embarrassment or
humiliation. The inconvenience, frustration and anxiety claimed by the plaintiffs could not create
the distress, humiliation or anguish described in Jones.65 Justice Gagn rejected these
arguments, stating that the information was still disclosed in an unlawful way and was not
disposed of as required by statute. She also stated that this was not just biographical information
disclosed, but financial records indicating a debt obligation and its amount. Finally, she
concluded that frustration and anxiety could indeed be forms of distress, and said that such a
distinction could simply be semantics.66 The nominal nature of the damages for this tort actually
makes the likelihood of success more reasonable than not.
The second significant intrusion upon seclusion class action is Evans v. The Bank of Nova
Scotia,67 which addresses the situation of a mortgage administration officer who deliberately
provided sensitive financial information to his girlfriend. This information was then provided to
third-parties who used the information for improper and fraudulent purposes, resulting in identity
theft and a negative effect on the customers credit ratings. The plaintiffs claimed that the
employer was negligent because it failed to properly supervise the employee and provide
appropriate safeguards to protect the customers private financial information. A class action was
a preferred approach to proceeding, according to the plaintiffs, because of the modest amount of


65

Ibid. at paras 55-57.


Ibid. at paras 58-61
67
Evans v. The Bank of Nova Scotia [sub nom. Evans v. Wilson], 2014 ONSC 2135.
66

19 of 24

recovery. The efficiencies in proceeding with a class action would enhance access to justice.68
Justice Smith discussed the application of vicarious liability applications in the certification
motion,
22 In this case, the Bank created the opportunity for Wilson to abuse his power by allowing him to
have unsupervised access to customers' private information without installing any monitoring
system. The release of customers' confidential information by Wilson to third parties did not further the
employer's aim of generating profits on good loans. Also, Wilson's wrongful acts were not related to
friction, or confrontation inherent in the Bank's enterprise, but they were related to his necessary intimacy
with the customers' personal and financial information. Wilson was given complete power in relation to the
victims' (customers) confidential information, because of his unsupervised access to their confidential
information. Bank customers are entirely vulnerable to an employee releasing their confidential
information. Finally, there is a significant connection between the risk created by the employer in this
situation and the wrongful conduct of the employee.
23 The plaintiffs have pleaded, and the Bank has acknowledged, a complete lack of oversight by the
Bank of its employees, including Wilson, with regard to improper access to personal and financial
customer information. While the Bank itself was not directly involved in the improper access of
customer information, vicarious liability "is strict, and does not require any misconduct on the part
of the person who is subject to it"
30 While Wilson was an employee of the Bank and not a partner of a law firm, I find that it is not plain
and obvious in these circumstances that the Bank would not be held vicariously liable for the serious
wrongful conduct of its employee in these circumstances considering the five factors set out in Bazley and
especially because of the connection between the risk created by the Bank and the wrongful conduct of its
employee. I further find that it is not settled law that damages awarded for the tort of intrusion upon
seclusion are treated in the same manner as an award of punitive damages where an employer, such as the
Bank, gives an employee unsupervised access to customers' private information.
[emphasis added, citations omitted]

This certification signals that intrusion upon seclusion will likely be applied expansively, in
particular in the class action context. Suzanne Chiodo of Rochon Genova LLP stated in the Law
Times,69
[It] combines the law that was laid down in Jones v. Tsige with the low bar for certification.
Its a very generous interpretation of privacy law in Canada, so I think its good news for privacy
lawyers.

As a practical matter, once a large class action is certified, the economics of going to trial usually
result in settlement.70 What this means is that very few of these intrusion upon seclusion class

68

Ibid. at para 7.
Yamri Taddese, Court certifies class action under tort of intrusion upon seclusion, Law Times, June 16, 2014,
available at: http://www.lawtimesnews.com/201406164029/headline-news/court-certifies-class-action-under-tort-ofintrusion-upon-seclusion
69

20 of 24

actions can be expected to be decided on the merits, and instead they will typically form one of
the heads of damages advanced in class proceedings. The nominal form of damages in these
claims may actually enhance the likelihood of certification rather than detracting from its
success.71

The Health Records Class Actions


This year has seen the launch of two distinct class actions involving intrusion upon
seclusion around medical records. Hopkins v. Kay72 deals with 280 patient records at a hospital
which were accessed and disseminated to third parties without the patients consent. The
plaintiffs here claimed a breach of PHIPA, confidentiality agreements, contract, trust and
fiduciary duty; negligence; and misfeasance and mismanagement. The claim was then amended
to proceed solely only the basis of intrusion upon seclusion. The defendant opposed certification
on the basis that PHIPA was a comprehensive code of a Federal nature, and sought to limit Jones
to its facts as it focused on PIPEDA instead. Justice Edwards began his decision in the
certification motion stating,
1

With the click of a mouse, personal health records can be accessed by those who have a legitimate
interest in properly treating a patient - or they can be accessed for an improper purpose

He reviewed the decision in Jones and noted that Justice Sharpe had conducted a comprehensive
review of the legislative scheme, including PHIPA. He concluded,
30

I am not satisfied from a review of Jones that it should be, as suggested by counsel for the Hospital,
restricted to the facts of that case. Rather, I am of the view that the Court of Appeal in Jones has
determined that the common law right to proceed with a claim, based on the tort of breach of privacy, as
alleged in the plaintiff's statement of claim is a claim that should be allowed to proceed. This is not a case
that, in my view, is so plain and obvious that the court should strike out the claim. If the position of the
Hospital is to be sustained, it will require a decision of the Court of Appeal, which as the British Columbia
Court of Appeal has done, determines that there is no claim for breach of privacy and that the claim must


70

Note, however, that this trend has been reversing in recent years, with an increase in class action trials. See
Foreman & Meisenheimer, supra note 63 at 1.
71
Tamara Hunter, The Court of Appeal for Ontario's decision in Jones v. Tsige: A cause clbre?, 2012, The
Advocates' Society Journal, 1:10-12 at 15.
72
2014 ONSC 321.

21 of 24

rest on the provisions of PHIPA. The defendants' motion is therefore dismissed with costs.

The advantage from the perspective of plantiffs counsel is that intrusion upon seclusion does not
require proof of actual harm, while PHIPA does, and the modest damages with the tort are still
higher than what the statute provides.73 Absent a trial decision indicating otherwise, we can
expect further certifications of class actions which prefer intrusion upon seclusion rather than a
claim based in PHIPA.
The second major class action involving intrusion upon seclusion for medical records has
yet to be certified, but is a claim for $412 million against a hospital for two employees who sold
patient information to a private Registered Education Savings Plan. The information included the
name, address and phone number of parents who recently had a child in the hospital.74 The class
action has since been expanded to include patients at other locations, whose information these
employees were also able to access. The proposed class could include as many as 14,450 people,
primarily new mothers who gave birth at one of the hospitals in the health system.75 Whereas
the quantum of these damages initially provided some comfort to employers and institutions,
the efficiencies provided by class proceedings and the quantum of damages in the aggregate
cannot be so easily dismissed. When dealing with such a large class, even relatively small
damages can amount to a sizeable claim from a risk management perspective.


73

Roland Hung and Rachel Ries, Ontario Superior Court Revisits and Broadens Jones v Tsige, snIP/ITs,
McCarthy Tetrault, March 18, 2014, available at: http://www.canadiantechlawblog.com/2014/03/18/hopkins-v-kayjones-v-tsige-revisited-and-broadened/
74
Jennifer Brown, Hospital class action informed by intrusion upon seclusion case, Canadian Lawyer, July 7,
2014, available at: http://www.canadianlawyermag.com/5196/Hospital-class-action-informed-by-intrusion-uponseclusion-case.html
75
Joel Eastwood, Rouge Valley hospital privacy breach expands to affect 14,450 patients, Toronto Star, August
27, 2014, available at:
http://www.thestar.com/news/gta/2014/08/27/rouge_valley_hospital_privacy_breach_affects_6000_more_patients.ht
ml

22 of 24

Part 6 - Conclusions
The excitement in the bar around the new tort of intrusion upon seclusion is well
warranted, and we are already observing a flurry of litigation around it. The full implications of
this new tort is unlikely to be realized in the immediate future, but in the meantime it does pose
a significant risk to health institutions who do not properly monitor their employees and protect
patient information. Although the court did not find vicarious liability in Jones for the actions of
the rogue employee, subsequent cases have already plead liability on these grounds. To
minimize risk, health facilities should review and adopt best practices in data security, including
appropriate policies, training, education of employees, and controls to ensure compliance. The
relatively low amount of damages discussed in Jones, typically $20,000 or less, suggests that
intrusion upon seclusion is unlikely to appear as the basis for a claim by itself, and will normally
be combined with other heads of damages to advance a claim. However, the modest damages
expected in this tort also makes it more appealing for both plaintiffs and the courts to proceed
on a class action basis. In large-scale privacy breaches at health facilities, this poses the most
significant risk of liability for the new tort. Class actions may ultimately be the process in which
intrusion upon seclusion is utilized the most, and could be a viable tool in fostering greater
privacy compliance and better security measures around patient information in health facilities.

23 of 24

Appendix A: Ontario damage awards


Saccone v. Orr(1981), 34 O.R.
(2d) 317, (Ont. Co. Ct.)

Provincial Partitions Inc. v.


Ashcor Inplant Structures
Ltd.(1993), 50 C.P.R. (3d) 497,
(Ont.Gen. Div.)
Palad v. Pantaleon,

Facts

Details

Remedy

Played tape of private telephone


conversation aloud at municipal
council meeting without counsel.

Cause of action: Invasion of privacy

$500 General Damages

Held: Defendant did not act with


malice and proven damages were
minimal.
Persistent crank calls to rival business. Cause of action: Nuisance by invasion $1000 General Damages
of privacy.

Harassment of borrower in an attempt Cause of action: Invasion of privacy


to collect on a debt.

$2,500 General Damages

[1989] O.J. No. 985, (Ont. Dist.


Ct.)
Lipiec v. Borsa(1996), 31
Surveillance of backyard.
Causes of action: Trespass and
$3,000 General Damages
C.C.L.T. (2d) 294, (Ont.Gen.
nuisance by deliberate invasion of
Div.)
privacy
S. & A. Nagy Farm v.
Malicious attempt to persuade
Causes of action: Defamation and
$4,000 General Damages
Repsys, [1987] O.J. No. 1987,
borrowers to amend mortgage
invasion of privacy.
(Husband and Wife)
agreement by embarrassing and
harassing them.
(Ont. Dist. Ct.)
Roth v. Roth(1991) 9 C.C.L.T.
Interference with access to cottage and Causes of action: Harassment,
$20,000 General Damages
(2d) 141, (Ont. Gen. Div.)
with enjoyment of property.
statutory breach, trespass and invasion
of privacy`
$5,000 Exemplary Damages
Garrett v. Mikalachki [2000]
Man harassed neighbour, reducing
Causes of action: Defamation,
$25,000 General Damages
O.J. No. 1326, (Ont. S.C.)
neighbours enjoyment of property,
intentional infliction of emotional
and spread rumours about the
distress, nuisance, invasion of
neighbours alleged criminal past.
privacy, harassment.
Tran v. Financial Debt Recovery Repeated abusive calls to debtor and Causes of action: Defamation,
$25,000 General Damages
Ltd.(2000), 193 D.L.R. (4th) 168 his work colleagues regarding
intentional interference with
(Ont. S.C.)
repayment.
economic interests, intentional
infliction of emotional harm, invasion
of privacy
MacKay v. Buelow(1995), 24
Stalked former spouse.
Causes of action: invasion of privacy, $25,000 General Damages
C.C.L.T. (2d) 184 (Ont. Gen.
trespass to person and intentional
Div.)
infliction of mental suffering and
$15,000 Aggravated Damages
emotional distress
Held: Defendants actions were
calculated, devilishly creative and
entirely reprehensible.

$15,000 Punitive Damages


$6,248 Special Damages
$44,000 Costs of future care

24 of 24

Appendix B: Damage awards under provincial privacy legislation


Pateman et. al. v. Ross (1988), 68
Mr. R. (2d) 181 (Man. Q.B.)
Insurance Corp of British
Columbia v. Somosh (1983), 51
B.C.L.R. 344 (B.C.S.C.)

Facts
Woman harassed ex-boyfriend and his new wife with threatening
phone calls, letters and visits.
Insurance company investigator asked invasive questions about car
driver after accident, although the insurance company had no claim
at law against driver

Wasserman v. Hall, 2009 BCSC Claim for breach of privacy and nuisance; breach was described as
1318, 87 R.P.R. (4th) 184
relatively minor.
Heckert v. 5470 Investments
Landlord placed a video camera in the hallway of the building. Held
Ltd.2008 BCSC 1298, 299 D.L.R. that there was no legitimate reason for close-up imaging people
th
(4 ) 689.
immediately outside their apartment doors.
Hollinsworth v. BCTV (1996), 34 Defendant released videotape of plaintiff having hair transplant
C.C.L.T. (2d) 95 (B.C.S.C.), affd surgery and media aired video.
1998 B.C.C.A. 304.
F. (J.M.) v. Chappell, (1998) 45 Defendant published the name of complainant in sexual assault case
B.C.L.R. (3d) 64 (B.C.C.A.),
in breach of publication ban. Jury awarded $19,000 in damages, but
leave to appeal to SCC refused, the judge countenanced a defence of publication privilege and
(1998), 231 N.R. 400.
reduced this to $1,000.

Lee v. Jacobson; Weber v.


Jacobson(1992), 87 D.L.R. (4th)
401 (B.C. S.C.), revd
(1994), D.L.R. (4th) 155
(B.C.C.A).
Watts v. Klaemt2007 BCSC 662,
71 B.C.L.R. (4th) 362.
Malcolm v. Fleming, [2000]
CarswellBC 1316, (B.C.S.C.)
Nesbitt v. Neufeld,2010 BCSC
1605, [2011] B.C.W.L.D. 407.

Court of Appeal reinstated the jury award.


Landlord drilled a secret hold to spy on tenant.

Remedy
Interlocutory injunction
$1,000 General Damages
$1,000 Punitive Damages
$3,500 General Damages
$3,500 Nominal Damages

$15,000 General Damages

$3,000 General Damages


$15,000 Punitive Damages
$1,000 Non-pecuniary Damages
$2,000 General Damages

Note: Findings of fact were overturned.

$22,500 Punitive Damages

Defendant recorded the plaintiffs telephone conversations and the


reported the content to the plaintiffs employer. Plaintiff was then
fired.

$30,000 Actual damages

$5,000 Punitive Damages


Defendant landlord secretly videotaped plaintiff while she was in her $15,000 General Damages
bathroom and bedroom.
Family dispute: defendant published private documents, started
websites, Facebook groups, sent letters to friends / colleagues /
professional associations accusing her of drug abuse, suicide
attempts, mental illness and sexual promiscuity.

$35,000 Punitive Damages


$40,000 General Damages

25 of 24

Вам также может понравиться