The Court of Appeal for Ontario recently recognized in Jones v. Tsige (Jones) that breaches of an individual’s privacy can provide the basis for a civil cause of action formally known as the tort of “intrusion upon seclusion”. The decision has implications for employers and underscores the importance of safeguarding sensitive personal information that employees have access to at work.
In Jones, Winnie Tsige, a bank employee, viewed the bank records of Sandra Jones, a fellow bank employee, without authorization at least 174 times over a four‑year period. In doing so, Tsige gained access to Jones’ personal information including her financial transactions, date of birth, marital status, and address. When Jones became aware of Tsige’s actions, she complained to the bank.
Jones brought a civil action against Tsige for, among other things, invasion of privacy. Although Tsige did not transmit or publicize Jones’ private information and Jones did not suffer any economic harm, the unanimous Court of Appeal found that Tsige breached Jones’ privacy by committing the tort of intrusion upon seclusion—which previously had not been recognized as a cause of action in Ontario—and awarded her C$10,000. Further details regarding the facts in Jones and the decision’s significance can be found in our previous Blakes Bulletin on this case.
The New Tort of Intrusion upon Seclusion
The Court outlined the following test for the new tort:
- the defendant’s conduct must be intentional or reckless;
- the defendant must have invaded the plaintiff’s private affairs or concerns without lawful justification; and
- a reasonable person would regard the invasion as highly offensive, causing distress, humiliation, or anguish. For the claim to be successful, the plaintiff is not required to have suffered a financial loss as a result of the intrusion. Further, the plaintiff’s personal information does not have to be published or otherwise disseminated.
New Risks for Employers
Of note is that the Court in Jones specifically identified intrusions into matters such as “employment” as being “highly offensive” and which could give rise to intrusion on seclusion claims. The new tort could open employers to claims on at least two fronts.
First, employers could face claims from current or former employees when they improperly collect, use, or disclose employees’ sensitive personal information. Employers often collect, use, and disclose personal information as a result of routine employment functions (such as hiring and maintaining benefits programs), and other situations like workplace monitoring which has come under increasing judicial scrutiny. While employers often have potentially legitimate reasons for monitoring their employees’ actions, they should be aware that highly sensitive personal information can be obtained through such monitoring, including the financial records of employees who use company computers for online banking, and the private communications of employees who access personal email accounts or instant messaging through workplace computers or smartphones.
Although it is relatively rare to see existing employees bring claims against their employers in non-unionized workplaces, we are likely to see plaintiffs’ counsel include the new tort in the list of claims (such as mental distress and aggravated damages claims) that are commonly added to wrongful dismissal litigation. With intrusion upon seclusion existing as an independent actionable wrong, employers could be liable for additional compensatory and/or punitive damages in wrongful dismissal and other employment-related claims.
Second, the decision also raises the prospect of employers being held vicariously liable for the actions of their employees. In Jones, the Court noted that Tsige acted as a “rogue employee” who violated the bank’s policy by accessing Jones’ personal information. Although this was noted during the Court’s consideration of the federally regulated bank’s potential liability under the Personal Information Protection and Electronic Documents Act, it suggests that, in certain cases, an employer could be held vicariously liable if an employee breaches another person’s right to privacy during the course of his or her employment.
Limiting those Risks
Although the employment-related effects of Jones will not be known fully until further jurisprudence defines the scope of employer liability for intrusion upon seclusion claims, employers should take the following steps in an effort to limit their potential liability for claims brought by their employees or persons affected by the actions of their employees.
- Limit disclosure of employee personal information.
Only authorized personnel should have access to the personal information of employees. Safeguards, such as locks and passwords or encryption, should be used to limit access to hardcopy and virtual employment records. Employers should obtain the consent of employees and former employees before disclosing their employment-related information to third parties. Additionally, appropriate processes should be used to properly dispose of computer equipment or documents containing personal information.
- Implement workplace privacy policies and obtain informed consent. Employers should avoid collecting sensitive personal information unless it is reasonably necessary for employment purposes. Prior to collection, employees and prospective employees should be advised why the information is being collected and how it may be used. Personal information collected from such investigations should be reasonably connected to the employment relationship and safeguarded from inappropriate access or dissemination.
- Implement workplace technology and communication system use and monitoring policies. These policies should clearly stipulate that:
- the technology is available for workplace purposes only;
- employees should have no expectation of privacy with respect to information transmitted over or stored on the system;
- the system may be monitored and recorded for legitimate business purposes; andi
- nformation collected through such monitoring may be disclosed for legitimate business purposes and where there is a suspected breach of workplace policies or the law.
- Implement appropriate safeguards to protect the sensitive personal information. Workplace privacy and data protection policies should expressly prohibit employees from accessing the personal information of others unless they have authorization and a legitimate business purpose to do so. The policies should warn employees that they may be subject to disciplinary action, up to and including termination of employment, for violating the policies.
- Investigate suspected or reported privacy breaches. Employers should take steps to ensure that their employees respect the privacy of others and abide by workplace privacy policies. Where feasible, technological measures could be implemented to bring unauthorized access of personal information to the employer’s attention. Employers should carefully investigate suspected or reported privacy breaches and keep detailed records of such investigations.
- Take disciplinary action when employees violate the privacy rights of others. Employees who violate privacy policies should be subject to disciplinary action appropriate to the circumstances.
As with all workplace policies, the privacy-related policies discussed above should be brought to employees’ attention periodically and their receipt and understanding acknowledged in writing. In addition, training should be provided to ensure that employees understand:
- how the employer may collect, use, and disclose their personal information;
- the nature and scope of workplace monitoring;
- their obligations to safeguard and respect the privacy of others; and
- the consequences of violating the policies and the privacy rights of others.
By taking the above-noted steps, employers may be better equipped to defend intrusion upon seclusion claims by employees or former employees because these steps can provide evidence that the plaintiff has consented to the collection, use, or disclosure of his or her personal information—including sensitive personal information he or she chose to transmit over or store on workplace systems. In addition, employers may be in a better position to defend vicarious liability claims for the acts of their employees if employers can show that they have taken diligent steps to secure sensitive personal information.
However, notwithstanding that there was no claim made against the employer in Jones, it is now much more likely that employers will be exposed to privacy tort claims in dismissal litigation and be exposed to claims based on vicarious liability for the acts of their employees that occur in the course of employment, even where the employee has gone “rogue”.