By: Jessica Young
Recently, the Ontario Court of Appeal recognized a new tort related to privacy rights, that is, “intrusion upon seclusion”.
Ms. Sandra Jones found out that her co-worker at the Bank of Montreal (“BMO”), Winnie Tsige, had been looking through her bank records. Tsige was in a common law relationship with Jones’ ex-husband. As a BMO employee at the branch where Jones held her primary bank account, Tsige had full access to Jones’ banking records. Although the two women were colleagues, they had never worked at the same branch. Tsige accessed Jones’ banking records at least 174 times in a four year period through her workplace computer. She had access to details of Jones’ banking transactions as well as personal information including her date of birth, marital status and home address.
BMO had a Code of Business Conduct and Ethics that prohibited this type of behaviour. Tsige admitted that she had viewed Jones’ banking information with no legitimate purpose and understood that this was in violation of BMO’s policy. Tsige was suspended for one week without pay and was denied her annual bonus.
Jones could have made a claim against BMO under the Personal Information Protection and Electronic Documents Act (“PIPEDA”), which applies to all organizations subject to federal jurisdiction. However, the Court found it unfair that Jones would be restricted to a remedy against her employer under PIPEDA where Tsige acted as a rogue employee contrary to BMO’s policies. In addition, the Court commented that remedies under PIPEDA do not include damages, which limits the utility to Jones of bringing such a complaint against BMO.
As a result, the Court recognized a new tort, “intrusion upon seclusion.”
The necessary elements of an action for intrusion upon seclusion are as follows: the intentional intrusion, physically or otherwise, on the seclusion of another individual or his/her private affairs or concerns, to the degree that a reasonable person would find highly offensive. The plaintiff does not need to show proof of actual harm to recover damages. The key features of the tort are:
(f)irst, that the defendant’s conduct must be intentional, within which I would include reckless; second that the defendant must have invaded, without lawful justification, the plaintiff’s private affairs or concerns; and third, that a reasonable person would regard the invasion as highly offensive causing distress, humiliation or anguish.
The Court made clear that only the most “deliberate and significant” invasions of privacy will be captured under this new law. Whether the invasion of privacy is significant is based on an objective standard and will exclude claims from individuals who are particularly sensitive or have an unusual concern about their personal privacy. It is significant to note that this tort does not create a broad cause of action for breach of privacy; it is limited to intrusion upon the seclusion of a person’s private affairs.
Tsige was found liable under this new tort of intrusion upon seclusion and Jones’ was awarded $10,000 in general damages.
Recognizing a common law right to be free from intrusion into one’s private affairs is a significant step in the development of privacy law in Ontario. Although the damages awarded in this case were relatively modest, it opens the door for potentially costly litigation and increased risk for employers Notably, Jones’ apparently did not allege that BMO was vicariously liable for allowing its employee such liberal and unrestricted access to other employees’ private financial information. However, based on the test the Court has set out, it would appear logical that employers may be held vicariously liable where circumstances permit.
Accordingly, employers should assess the potential for employees to access and abuse information pertaining to other employees, customers and the general public. It is important to ensure that privacy and confidentiality policies clearly address access and use of data, and warn employees that breach of these policies could lead to serious discipline up to and including dismissal. It would be prudent to advise employees in those policies that the employer’s systems and documents are the company’s property and that access and related activities may be monitored.
Jones v Tsige was considered in recent a labour arbitration decision, Complex Services Inc. v. Ontario Public Service Employees Union, with respect to requesting medical information in an accommodation case. The arbitrator held that intrusion upon seclusion has no application in the context of disclosure of confidential medical information for a legitimate purpose. However, there are other contexts where this new privacy law may apply to the actions of employers. For instance, it may hinder an employer’s ability to conduct surveillance on an employee absent from the workplace. Depending on the nature of the surveillance, a court or arbitrator may find that an employer’s efforts crossed the line and breached this tort. We will keep you informed, as the case law in this area develops.