Ontario school boards, Municipalities, Colleges and Universities are legally obligated to protect personal information that can be highly sensitive, including education history found in the Ontario Student Record (OSR). Where sensitive information has been compromised it is prudent to consider the effect of the tort on the school system and its students.
A bitter dispute between an estranged wife and her former husband’s common-law partner has finally ended a 120-year debate regarding whether the common law should recognize a cause of action in tort for invasion of privacy. In 2012 the Ontario Court of Appeal concluded a need exists for a tort of “intrusion upon seclusion” to acknowledge modern technological reality.
The dispute between Sandra Jones and Winne Tsige began in their place of employment. The women both worked for the Bank of Montreal (BMO), although at different branches. They did not know one another personally. Tsige had formed a common law relationship with Jones’ former husband. As a bank employee, Tsige had full access to client banking information and used her workplace computer to access Jones’ personal BMO bank account at least 174 times over a period of four years.
Jones suspected Tsige was regularly accessing her personal bank account and complained to the BMO management. When confronted, Tsige admitted she had looked at Jones’ banking information and had no legitimate reason for doing so. With no tort action available a complainant would be forced to file an action against the employer of the intruder for the intruder’s unlawful access to private information or data through the Personal Information and Protection and Electronic Documents Act (PIPEDA). The bank would contend the employee acted as a rogue contrary to BMO policy. This remedy, however, left the intruder without meaningful accountability for her wrongful actions and the complainant without restitution for damages.
As a result, the court established a three-part test for the tort of intrusion upon seclusion:
1. The Defendant’s conduct must be intentional or reckless;
2. The Defendant must have invaded, without lawful justification, the plaintiff’s private affairs or concerns; and
3. A reasonable person would regard the invasion as highly offensive causing distress, humiliation or anguish.
Sharpe J on behalf of the Court of Appeal judges further limited claims to deliberate and significant invasions of personal privacy and excluded claims by individuals who are unusually sensitive or concerned about their privacy. The injured party does not have to show actual loss for a cause of action. Intrusions into matters such as one’s financial or health records, sexual practices and orientation, employment, diary or private correspondence would meet the test if they were highly offensive when, viewed objectively by a reasonable person.
In Jones, the court found the intrusion to be significant (confidential financial records), prolonged (four years) and shocking (new common law partner wanting to find information to hurt the former wife). BMO suspended Tsige for one week without pay and denied her a bonus. If Jones had sued BMO for their employees misconduct the bank may have been found vicariously liable for her actions; however, this would not have responded directly to the wrong committed by Tsige. Sharpe J viewed the possibility of sending Jones away without a remedy to be “sadly deficient’.
To determine the quantum for damages the court set out five useful steps:
1. the nature, incidence and occasion of the defendant's wrongful act;
2. the effect of the wrong on the plaintiff’s health, welfare, social, business or financial position,
3. any relationship, whether domestic or otherwise, between the parties;
4. any distress, annoyance or embarrassment suffered by the Plaintiff arising from the wrong; and
5. the conduct of the parties, both before and after the wrong, including any apology or offer made after by the defendant.
Damages for intrusion upon seclusion cases where the plaintiff has suffered no pecuniary loss would be modest but sufficient to mark the wrong that has been done. In cases where there is no pecuniary loss, such as Jones, the range for damages for intrusion upon seclusion are fixed at up to $20,000; however, Sharpe J did not exclude awards for aggravated or punitive damages in truly exceptional cases.
Even though, Tsige unlawfully accessed Jones’ personal bank account 174 times over four years the court, upon considering the circumstances of the case and the three-part test for intrusion upon seclusion, awarded Jones $10,000 in damages. If Jone’s had been able to show her health was affected, and she lost time from work, or became depressed, the actual losses and the claim could have been far more significant, but that result will await another case with the right facts.
Possible Liability of the Employer Who Permitted Unlawful Access
BMO is subject to the Personal Information and Protection and Electronic Documents Act (PIPEDA) which sets out legal requirements for protection of the privacy of personal information held by federally regulated organizations. These requirements are similar to analogous provisions of the MFIPPA that apply to Ontario School Boards, Municipalities, Colleges and Universities. They are all legally obligated to protect personally identifiable information, information that can be highly sensitive moreover such as Education history. Whether employers of persons who wrongfully access and disclose information will be imposed is unknown, and will depend in part on vicarious liability principles, and whether the employer was negligent in its’ protection of information.
Labour Arbitration Applications of Privacy Rights since 2012
Since, 2012, the tort of intrusion upon seclusion has been considered in several labour relation cases. Recently, in Canada Bank Note Company, Limited and International Union of Operating Engineers Local 772, the arbitrator considered the Company’s right to require employees who are absent from work for more than three consecutive shifts to submit a completed “Medical Certificate of Disability”, and the extent of the information, if any, that employees can be required to provide in that respect. Following previous decisions, the arbitrator upheld that an employer is entitled to request and receive an employer's confidential medical or other information, but only to the extent necessary to answer legitimate employment related concerns and it is in compliance with the collective agreement and legislation.
School Boards hold private information (eg., OSR and IPRC information) and the impact of erroneously disclosing information will not only affect the employer, but may also directly and adversely impact one or more employees. It is prudent to consider the effect of the tort on a school system and its students where sensitive personal information has been compromised to avoid discipline for professional misconduct under the Ontario College of Teachers Act (OCTA).
1. Jones v Tsige  ONCA 32 (CanLii)
2. Canada Bank Note Company, Limited and International Union of Operating Engineers, Local 772 (2012) CanLii 41234 (ONLA)