In a significant decision released this week, the Ontario Court of Appeal ruled in Hopkins v. Kay that a private plaintiff may bring a class proceeding for damages in tort against Peterborough Regional Health Centre (PRHC or the Hospital) for the unauthorized access to personal health information, even in circumstances where the Information and Privacy Commissioner of Ontario has closed his investigation. The Court rejected the argument that Personal Health Information Protection Act (PHIPA) was a comprehensive code that precluded tort claims, and in so doing, the Court has signalled that health information custodians may face significant civil exposure in damages for future incidents involving unauthorized access to personal health information by a rogue employee or third party. The decision also suggests that private plaintiffs might be able to pursue class proceedings for privacy breaches in other provinces that have comprehensive privacy statutes, as well in regulated sectors and industries where the legislature has created a separate regulatory and enforcement regime.
The PHIPA Regime
Across Canada, there is wide recognition that individuals have a unique privacy interest in respect of their personal health information and their communications with medical health care professionals. In recognition of this interest, legislatures across Canada have passed specific legislation that establishes a regime for protecting such records. For example, in Ontario, PHIPA establishes a regime that governs the collection, use and disclosure of personal health information and generally provides that a “custodian” of personal health information shall not access or disclose such information absent the patient’s consent or where expressly permitted or required by PHIPA. PHIPA also established a regulatory regime that is enforced by the Information and Privacy Commissioner of Ontario, and under that regime, a patient can only seek compensation for a breach of PHIPA in certain limited circumstances.
More specifically, a patient who suspects that there has been a breach of PHIPA by another person may file a formal complaint with the Commissioner. In response to a complaint, the Commissioner has broad compulsive powers of investigation, including the ability to demand production of records and to inspect premises. Upon the completion of his or her investigation, the Commissioner may issue a range of prospective remedial orders, including orders requiring the custodian to cease or to implement practices related to the use, collection or disclosure, of personal health information. In addition, if the Attorney General determines that there was a willful breach of the provisions of the Act, the Attorney General can prosecute the violation as a regulatory offence. If a court finds that the person or custodian committed an offence, PHIPA provides that individuals can be fined up to $50,000 and organizations up to $250,000. However, any prosecution for such conduct is in the hands of the Attorney General, and the Commissioner’s remedial powers are generally limited to prospective orders designed to ensure future compliance.
In the event that the Commissioner issues a remedial order, PHIPA permits a limited remedy for damages. More specifically, a person affected by the order may commence a proceeding in the Superior Court of Justice for damages for “actual harm” that the person has suffered as a result of a contravention of PHIPA or its regulations. In event that the Superior Court finds that the defendants engaged in wilful or reckless behaviour and that the plaintiff’s “actual harm” was caused by a contravention of PHIPA, the Court may issue an award of damages for actual pecuniary losses as well as damages for mental anguish. However, PHIPA expressly provides that a plaintiff’s claim for damages for mental anguish shall not exceed $10,000.
On its face, the private action regime under PHIPA is deliberately circumscribed as a matter of policy, and reflects a careful legislative balancing of the interests of health information custodians and individual patients. First, under PHIPA, a plaintiff may only seek damages in circumstances where the Commissioner has already conducted an investigation and issued a remedial order. Second, a plaintiff must demonstrate wilful and reckless conduct to recover damages. Third, a plaintiff must demonstrate actual harm. Fourth, a plaintiff’s claim for damages for mental anguish is limited to $10,000. Finally, PHIPA also incorporates an immunity provision which creates a defence for custodians and their agents for any act or omission done in the course of exercising powers or duties under PHIPA, if made in good faith and reasonable in the circumstances.
Given the legislature’s careful balancing of interests under PHIPA, it was widely assumed that the private damages remedy under PHIPA was exhaustive (i.e., it specifically precluded claims by individual plaintiffs in tort, since this careful legislative balancing of interests would arguably be completely undermined if an individual could circumvent a Commissioner’s investigation through a private claim in tort that sought damages in excess of the statutory maximum).
The Tort of Intrusion Upon Seclusion
At the time of the passage of PHIPA in 2004, the possibility of private claims in tort was not a significant concern since the courts were divided as to whether there was a distinct tort remedy for a breach of privacy, particularly in the absence of actual harm. However, over time, a line of authority developed in the jurisprudence that suggested that there might be a distinct tort for an intrusion of privacy, particularly in light of parallel jurisprudence under the Canadian Charter of Rights and Freedoms that recognized the constitutional value of privacy.1 The Ontario Court of Appeal finally resolved that debate in 2012 in a watershed decision that revisited the foundation for the private enforcement of privacy rights in Canada.
In short, in its decision in Jones v. Tsige, the Ontario Court of Appeal recognized a new common law tort for “intrusion upon seclusion.” To establish the tort, a plaintiff must demonstrate, on the balance of probabilities, that (i) the defendant’s conduct was intentional; (ii) the defendant must have invaded, without lawful justification, the plaintiff’s private affairs or concerns; and (iii) a reasonable person would regard the invasion as highly offensive causing distress, humiliation or anguish. In its decision in Jones, the Court of Appeal stressed that “proof of actual loss is not an element of the cause of action for intrusion upon seclusion.” Moreover, the Court provided some general guidance on the assessment of damages, and held that in cases that did not involve any pecuniary loss, a plaintiff would be entitled to damages up to $20,000.
In rendering its decision in Jones, the Court of Appeal removed some of the historical obstacles to the private enforcement of privacy rights, particularly in respect of proof of loss. Under traditional tort law, a plaintiff would be normally be expected to demonstrate an actual pecuniary loss arising from a privacy breach, but in Jones, the Court of Appeal eliminated that requirement in respect of the new tort. In addition, while the tort still required proof of “intentional” conduct, it arguably remained open for a plaintiff to pursue claims based on recklessness as well as willfulness. In so doing, the Court arguably created a more accessible remedy than certain remedies under statute given the potential flexibility in proving intention. And in contrast to the certain remedies under statute (such as the private remedy under PHIPA), a plaintiff that pursues a claim in tort does not have to wait for the regulator to complete its investigation before pursuing a claim in damages. Moreover, a plaintiff that files a claim in tort is not subject to any statutory maximums or any immunity provisions. But perhaps most importantly, by establishing a regime for enforcement that did not require individual inquiries into pecuniary losses, the Court of Appeal in Jones laid the foundation for a private damages remedy that appeared to be much more amenable to certification as a class proceeding, since it arguably removed any individualized issues relating to individual loss. (See our January 2012 Osler Update for more on the Jones decision)
The Breach at the Peterborough Regional Health Centre
In 2011, the Peterborough Regional Health Centre discovered that a number of employees, including a supervising nurse, appeared to have accessed the personal health information of up to 280 patients without their advance knowledge or consent. Based on media reports, the breach included unauthorized access to the records of a victim of domestic violence who was in hiding and unauthorized access to hundreds of therapeutic abortion files by a records clerk that was an anti-abortion activist.
The PRHC took prompt remedial action, including disciplinary action against the employees in question. As required by PHIPA, the PRHC also provided notice to the patients whose records appeared to have been improperly accessed. Based on public reports, the Commissioner commenced an investigation in May 2011 focused on the Hospital’s conduct. However, the Commissioner did not take further action against the Hospital, on the basis that the Hospital “responded reasonably” to the incident by notifying the affected patients, firing the employees involved and conducting a Hospital-wide privacy campaign. As a result, the Commissioner determined that “no further action was warranted” against the Hospital and appears to have formally closed its file.
The Class Action Against the PRHC
A group of affected patients was not satisfied with the outcome of the Commissioner’s investigation and determined to seek their own relief from the Court. In spite of the provisions of PHIPA that suggested that the legislature had adopted a comprehensive regulatory regime for addressing privacy issues in the health care system, the affected patients launched a class action against the Hospital that sought over $5 million in damages for breach of PHIPA, breach of contract, breach of confidentiality, negligence and the tort of intrusion upon seclusion.
In response to this claim, the Hospital brought a motion that sought to strike the proposed class action on a preliminary basis, on the grounds that the legislature did not preclude the possibility of a private action for breach of privacy, or the possibility of a class proceeding, by adopting the regulatory regime in PHIPA. In so doing, the Hospital relied on a similar decision by the B.C. Court of Appeal from 2009 that suggested that there was no common law claim for breach of privacy in light of the legislature’s adoption of a regulatory regime under the Privacy Act (B.C.).
By the time that the motion was argued before Justice Edwards of the Ontario Superior Court in 2013, the affected patients had limited their claims for damages for the tort of the intrusion upon seclusion. At first instance, the Court dismissed the Hospital’s motion in January 2014. Given the state of the law, the Court found that it was not plain and obvious that the plaintiffs could not succeed in their proposed class proceeding. The Court further indicated that given the Court of Appeal’s decision in Jones, the Hospital would likely require direction from the Court of Appeal to succeed in its argument.2 In light of that direction, the Hospital appealed to the Court of Appeal.
The appeal was argued in December 2014. In an interesting development, the Commissioner intervened on the appeal and argued that PHIPA does not prevent private plaintiffs (and class plaintiffs) from pursuing actions for damages in tort, even in cases where the Commissioner did not take regulatory action.
The Court of Appeal’s Decision
The Court of Appeal unanimously found that PHIPA was not an exhaustive code, and did not preclude a private plaintiff (or a class plaintiff) from pursuing an action in tort against a health care institution for a privacy breach.3 In its decision, the Court placed considerable deference to the views of the Commissioner regarding the scope of the statute. The Court also noted that the Commissioner might not pursue an investigation for a number of reasons that should not impair the ability of a plaintiff to seek personal compensation.
As the Court noted, “[the Commissioner’s] primary objective in achieving an appropriate resolution will not be to provide an individual remedy to the complainant, but rather to address systemic issues.”
The Court also distinguished the law of Ontario from the law in B.C. – in short, the Court reasoned that in B.C., the legislature appeared to have created a distinct statutory cause of action for breach of privacy, whereas in Ontario, the legislature had not gone that far. In light of that void in Ontario, the Court determined that the plaintiffs in the proposed class action were entitled to pursue their claims based on the “distinct common law tort” that had been recognized in Jones.
Implications of the Court of Appeal’s Decision
The Court of Appeal’s decision was highly anticipated by the health, privacy and class actions bar, and by health information custodians across Canada, and there are a number of key implications to take from the case:
- Private plaintiffs may pursue claims in tort for privacy breaches in the health care sector. The Court clearly ruled that PHIPA is not an exhaustive code and that private plaintiffs may bring damages claims in tort against health information custodians for privacy breaches.
- Private plaintiffs may pursue claims in tort for privacy breaches even if the Commissioner has taken no regulatory action. In the appeal proceedings, the Commissioner took a clear position that his statutory duties are focused on investigating and redressing systemic issues, not pursuing compensation claims. As a result, even if the Commissioner determines that a health information custodian acted responsibly and reasonably, the custodian may still be subject to ongoing private action and class action claims from patients – even if those patients did not suffer actual or pecuniary harm beyond embarrassment, humiliation and mental anguish.
- The legal exposure of health information custodians for privacy claims has increased. While PHIPA permits damages claims in certain limited circumstances, the potential legal exposure of health information custodians to damages under the common law tort of intrusion upon seclusion is substantially larger. Under the tort, a plaintiff does not have to demonstrate actual harm as a predicate to a claim. Moreover, under the tort, a plaintiff can seek damages up to $20,000 (i.e., double the statutory limit under PHIPA), as well as potentially punitive damages. Finally, given the absence of a requirement of individual harm, a group of private plaintiffs may be in a stronger position to pursue a collective claim for relief under class proceedings legislation.
- The Court’s reasoning may extend to other provinces and other industries. Finally, the Court’s framework of analysis suggests that private plaintiffs may be able to pursue damages claims in respect of privacy breaches in other sectors or industries including heavily regulated sectors and industries where the legislature has already created a separate enforcement and damages regime. For example, the Court’s reasoning might apply to the financial services, telecommunications or transportation sectors, and might apply to unionized environments that provide for exclusive remedies under a grievance procedure set out in a collective agreement. In addition, while the Court’s decision was limited to the legislative environment in Ontario, the Court’s reasoning arguably extends to other provinces that have similar comprehensive legislation in the health care sector.
- The Court’s decision may lay the groundwork for more privacy class actions in Canada. It is important to stress that the Court of Appeal was only seized with a motion to strike, and the Court did not consider whether the plaintiff’s claims were suitable for class certification. Moreover, the Court did not make any finding of liability, and did not conduct any assessment of the plaintiff’s claim for over $5 million in damages. However, in an earlier decision in February 2014 in Evans v. The Bank of Nova Scotia, the Ontario Superior Court certified a class action against a financial institution for an alleged privacy breach, and as part of its decision, the Court certified the representative plaintiff’s claims for the tort of intrusion upon seclusion as part of the common issues. Given the evolving law on class certification relating to privacy claims, it remains to be seen whether the plaintiffs in Hopkins v. Kay will also be able to achieve class certification, particularly given the arguably individualized nature of the consequences of a privacy breach. But the Court of Appeal’s decision in Hopkins v. Kay, coupled with the Superior Court’s decision in Evans v. The Bank of Nova Scotia, appears to invite a fertile landscape for the class actions bar to pursue collective claims of relief for significant aggregate claims of damage against organizations in the health care sector.