In its June 2012 decision in Jones v. Tsige, the Ontario Court of Appeal established the tort for the invasion of personal privacy – “intrusion upon seclusion”. One employee sued another for having accessed her personal information over a period of four years. Jones and Tsige both worked for the Bank of Montreal but at different branches. Tsige was in a common-law relationship with Jones’ ex-husband. Over four years, Tsige used her workplace access to look at Jones’ personal bank accounts.  Tsige tried to justify her conduct by arguing that she needed access to Jones’ financial records to see whether Jones was receiving child support payments from her ex-husband.

In its decision, the Court of Appeal set out the following elements of the tort for invasion of personal privacy:

  • The conduct must be intentional;
  • There must be an “invasion” without lawful justification of a person’s private affairs or concerns;
  • A reasonable person would consider the event highly offensive, causing anguish, humiliation or distress.

The Court also cautioned that although the right to privacy must be recognized, intrusion upon seclusion would only arise for deliberate and significant invasions of privacy. Individuals who are sensitive or unusually concerned for their privacy are to be excluded from bringing this cause of action.

Jones was awarded $10,000 in damages, but was not awarded any aggravated or punitive damages. The Court also commented that damages arising out of this tort were to be capped at an upper end of $20,000.

A recent Ontario Superior Court decision, McIntosh v. Legal Aid of Ontario (October 31, 2014), considered the tort of intrusion upon seclusion. Oddly enough, this case also involved access of personal information in a common-law relationship setting.

Patrice McIntosh sued Legal Aid Ontario when she learned that her ex-boyfriend’s new girlfriend (Cassandra Reddick), who worked for Legal Aid Ontario, had accessed McIntosh’s legal aid file. Reddick had not only reviewed the file: she telephoned McIntosh and threatened to call the Children’s Aid Society to have her children taken away from her.

The Court found that Legal Aid was liable for Reddick’s conduct. The Court did not set out its reasoning for reaching its conclusion, other than to make the bald statement that the mere fact that Reddick had improperly accessed information rendered Legal Aid liable. “The breach of her privacy rights is sufficient to establish liability based upon the tort of intrusion upon exclusion”.

The next question was to determine the appropriate damages.  McIntosh sought lost wages, tuition fees, loss of benefits, aggravated damages, damages for invasion of privacy, and punitive damages.

McIntosh argued that Legal Aid’s actions had led her to develop anxiety, which had resulted in her losing her job. In support of her position, McIntosh produced various medical records. After a review of the evidence, the Court found that there was insufficient evidence to show that McIntosh’s job loss was connected to the breach of her privacy.

The Court then considered “intrusion upon seclusion” and what damages ought to be awarded for this tort. The main focus of the Court’s efforts was to assess what damages arose from the improper access to McIntosh’s private information.

In reaching its conclusion, the Court found that the invasion of McIntosh’s privacy had affected her emotional state – albeit in a minor fashion – and awarded her general damages of $10,000. The Court did not award aggravated damages or punitive damages. The language of the decision is quite telling: “The tone of the original complaint to Legal Aid itself is more consistent with irritation rather than devastation”.

When the Jones case was first decided, there was much debate about how this new right to privacy would play itself out.  Federally regulated industries or undertakings (e.g. banking, telecommunications) have been subject to the Personal Information Protection and Electronic Documents Act, 2000 (PIPEDA) for at least a decade.  But it was not until Jones v. Tsige that a specific civil tort was established as part of the common law for invasion of privacy.

What is not clear is where this leaves employers when it comes to monitoring employees’ private information. What liability will an employer face in accessing their own employees’ private information? In what instances will an employer be held liable for the conduct of their employees?

Legal Aid was held responsible for the conduct of one of its employees. But one question which comes to mind is, “what could Legal Aid have done differently?” The facts of both Jones and McIntosh are unique.  In essence, the accused in both cases was cyberstalking the plaintiff. How much control could Legal Aid have exercised over the conduct of the employees?

In the end, the damages in McIntosh were limited because the plaintiff was not able to show that the breach caused her sufficient distress.  The evidence showed that she was more irritated than devastated. While the legal threshold for invasion of privacy is onerous, this case is a reminder that privacy rights are gaining momentum.

Here are a few lessons which arise from the McIntosh case.

  1. Employers should think about the type of access their employees have to personal and/or confidential information of other employees or clients. One of the main themes of PIPEDA has been to limit the use and collection of personal information and to tie the collection of the personal information to a legitimate business purpose.
  2. Employers need to think about who has access to this personal and/or confidential information and whether the access is as limited as it needs to be to serve a legitimate business purpose.
  3. Employers are also encouraged to make sure employees understand under what circumstances it is appropriate to access personal and/or sensitive information held by the employer.
  4. Employees should also be educated about what consequences flow from improperly accessing and/or disseminating personal/confidential information. Employees need to be aware that discipline, up to and including termination, can be imposed for improperly accessing private information. In more extreme circumstances, employees should also be warned that termination for cause may be justified.
  5. Employers should also think about establishing procedures for the handling and storing of personal and/or confidential information.