What’s the Harm in Snooping? More Than You Might Think . . .

It’s become almost normalized. Flicking through your iPhone while waiting for the bus, you casually click on an item about the status of Rob Ford’s cancer treatment.  There seems little about such a posting that is different or worse than the avalanche of other information in the media about Toronto’s former mayor.

The problem is that Ford’s personal health records were inappropriately accessed by numerous staff at four separate Toronto area health care facilities.  At least three health care professionals were charged with related offences under Ontario’s Personal Health Information Protection Act (PHIPA) in July 2015.

What’s the risk?

It’s difficult for the average doctor’s office or local hospital to connect datasets in their control with the personal information of a public figure notorious for courting the media.  Where there is no motivation such as the intense curiosity or potential financial reward that may draw someone to snoop in a celebrity’s records, who would bother looking and what’s the harm anyway?

Yet people do inappropriately access the personal records of ordinary individuals.  And there is more potential risk to your organization than you might think.  Those ordinary folks are increasingly looking to seek compensation in the courts for inappropriate access to their personal information via private claims and class actions.

Private Claims Alongside Separate Statutory Enforcement

In Ontario, individuals can bring a claim for intrusion upon seclusion.  This tort was recognized in Jones v. Tsige, 2012 ONCA 32, 108 OR (3d) 241.  At a summary level, the claim can be brought for intentional or reckless intrusion, physically or otherwise, upon the seclusion of another or their private concerns if a reasonable person would consider such invasion to be highly offensive causing distress, humiliation or anguish.

The courts have recently decided that a potential class action for intrusion upon seclusion can continue even though the records at issue involve personal health information covered by PHIPA.

On October 29, 2015, the Supreme Court of Canada refused to hear an appeal of the Ontario Court of Appeal decision in Hopkins v. Kay, 2015 ONCA 112 (CanLII). In that case, 280 individuals received notification under PHIPA of inappropriate access to their records held by the Peterborough Regional Health Centre. The representative plaintiff alleges that she is the victim of spousal abuse which led to her seeking treatment, and fears that her former husband paid to gain access to the records in order to stalk her.

The health care facility argued that the respondent should be precluded from bringing a common law claim because PHIPA creates an exhaustive code for dealing with privacy concerns related to health records. The Court noted that PHIPA did not contain explicit language stating that it had exclusive jurisdiction over matters within its scope. The Court further noted that PHIPA empowers the Commissioner with discretion as to whether or not to open a complaint investigation by evaluating, among other factors, whether a complaint could be more appropriately dealt with by an alternative process to a PHIPA complaint (ss. 57(4)(b)). The Court found this to be inconsistent with finding that PHIPA was intended to be an exclusive dispute resolution mechanism.

The Court relied heavily on submissions by Ontario’s Information and Privacy Commissioner (IPC) that the Commission’s mandate was fundamentally different than that of the courts.  While the IPC can and does make decisions in response to individual claims, its main priority and focus is on remediation of systemic breaches of PHIPA.  The courts are focused on providing remedies to individuals, including compensation.

Private Claims on the Horizon in Nova Scotia

The Nova Scotia courts are watching Ontario developments with interest.  In Hemeon v. South West Nova District Health Authority, 2015 NSSC 287, a class action was certified in a tort of intrusion upon seclusion claim in relation to unauthorized access to health records.   The tort of intrusion upon seclusion has not yet been formally recognized in Nova Scotia; this case is scheduled to go to trial in April, 2016.  While the specific decision relates to dismissal of a motion for production of specific records on discovery, the court took notice of the elements of the tort of intrusion upon seclusion in Jones v. Tsige.

Three Key Learnings About Civil Liability for A Privacy Breach

  • Private Claims Can Run in Parallel to Enforcement Action Under Privacy Laws: The IPC may not have the capacity to issue damages awards for a breach of PHIPA, but the courts can.  Be aware that an individual can bring a private claim against you or your organization separate and apart from the IPC.
  • Be Clear About Obligations and Expectations: Your staff are only human. Changing public attitudes can be very confusing for your staff. Confronted by the media on a daily basis with the most personal details of celebrities, people can become desensitized and start to view unauthorized access to personal information as normal behaviour that seems to be going on everywhere around them. They may not see the harm in unauthorized access to personal information. Make sure that your staff clearly understand the importance of privacy and the risks of unauthorized access to personal information.
  • Consider Common Scenarios: Time and time again, we see privacy complaints arising from people who make poor decisions in specific situations.   Consider giving scenarios:
    • “What would you do if somebody offered to pay you to pull a record?”
    • “What would you do if somebody claimed to be a relative / spouse and just needed to see the record?”
    • “What would you do if somebody called up and said they were from the media just calling to check out some facts?”

 

For assistance on developing proactive and practical training materials to help your staff understand their privacy obligations, contact PrivaTech or learn more about our privacy training solutions.