Every privacy breach is serious in the eyes of the law

By Tony Poland, LegalMatters Staff

When it comes to personal information violations, no harm, no foul is not the rule, says Toronto class-action lawyer Margaret Waddell.

Privacy intrusions can be subject to legal action even if there is no tangible damage, says Waddell, a partner with Waddell Phillips Professional Corporation.

“Just because no obvious harm is evident when your privacy has been violated doesn’t mean an invasion of privacy didn’t occur,” she tells LegalMattersCanada.ca. “Personal information is one of our most private possessions. The Supreme Court of Canada has noted that privacy has a ‘quasi-constitutional status.’ When someone invades that privacy, the loss of control over your information is inherently harmful. You don’t have to prove that it was used for anything nefarious.

‘Important area of the law’

“Personal health information breaches are an important area of the law that is developing very quickly, because the breaches are becoming so common.”

Waddell says there are two types of privacy breaches that have been increasingly generating legal attention. Those are third-party cyber-criminal cases, and instances where employees of organizations are accessing users’ private data without authorization.

“In a snooping case, it’s not necessarily that the employee wants to use the information for anything. They want to know private details about you that they are not entitled to know,” she explains. “In these instances, they are poking their nose where it doesn’t belong – that is the harm.”

Waddell says that the court decisions are evolving as these breaches become better understood.

At the beginning of this year, an Ontario Superior Court ruling certifying a data breach class-action lawsuit refined the tort of “intrusion upon seclusion.” 

That tort was first recognized in the 2012 case Jones v. Tsige, when the Ontario Court of Appeal ruled the “right of action for intrusion upon seclusion should be recognized” in this province.

Financial records accessed

In that case, a woman used her position at a bank to access the financial records of the ex-wife of her common-law husband.

In its ruling, the court noted that “privacy has long been recognized as an important underlying and animating value of various traditional causes of action to protect personal and territorial privacy.”

“The right to informational privacy closely tracks the same interest that would be protected by a cause of action for intrusion upon seclusion,” the ruling stated. “It is within the capacity of the common law to evolve to respond to the problem posed by the routine collection and aggregation of highly personal information that is readily accessible in electronic form.

“Technological change poses a novel threat to a right of privacy that has been protected for hundreds of years by the common law under various guises and that, since 1982 and the Charter, has been recognized as a right that is integral to our social and political order. Finally, the facts of this case cried out for a remedy.”

Privacy violation

In Stewart v. Demme, which was released in January, the court took the tort further when it examined whether a privacy violation can be “highly offensive” and actionable even if it is fleeting and causes no harm.

In his ruling, Justice Edward M. Morgan says it is important to remember “physical injury or monetary loss is not a necessary ingredient for liability under intrusion against seclusion.”

In quoting an earlier case, he writes privacy is “the claim of persons to ‘determine for themselves when, how, and to what extent information about them is communicated to others.’”

Waddell says the ruling will help further protect victims of privacy intrusion.

“The case is important for the key point that it ultimately makes about the unique nature of personal health information,” she says. “What Justice Morgan says in the judgment is a major step forward in the development of the law. He is saying the intrusion, which is the loss of control over your private information, is the harm.”

Waddell says personal health records are vital to providing care to individuals. “But only those people within what’s referred to as the circle of care are entitled to access those records – the healthcare workers who are doing their jobs,” she says. “Nobody else is supposed to access them.”

‘Adequate safety measures’

Breaches occur because organizations do not have “adequate safety measures in place or employees haven’t been properly trained,” Waddell says.

While it is the individual who commits the intrusion, “it is up to each organization to provide adequate security to limit access to patients’ personal information,” she says.

“There’s only so much the institution can do, but they are still going to be the ones that are going to be held ultimately responsible for their employee’s conduct,” says Waddell.

She adds hospitals are bound by legislation to safeguard personal health information, plus they have a duty to alert patients when there has been a breach.

“Hospitals are keenly aware of their responsibilities to keep this information private. Unfortunately, in many provinces the prosecutorial functions of the privacy commissioners are minimal or non-existent, so we are left with individuals who have been harmed to take on the role of enforcer,” Waddell says. “Absent the threat of class action proceedings, there isn’t a huge incentive on institutions to ensure their systems are the best that they should be.” 

The growing number of privacy breaches makes “class action lawsuits so much more important to not only make people aware of their rights, but to ensure institutions protect those rights,” she says.

“If an employee is doing something they ought not to be doing, the institution will be held vicariously liable because they have created the circumstances that allow it to happen,” Waddell says.