The range of an organization’s legal obligations with respect to maintaining the privacy of personal information just got wider according to a recent decision of the Ontario Court of Appeal. The decision is the first in Ontario to recognize the right to sue for invasion of privacy and may result in costly consequences for organizations that use personal information in a way that invades privacy. In Jones v. Tsige, the plaintiff was an employee of the Bank of Montreal, where she also had a personal bank account. Over the course of four years, the defendant, also a bank employee, used her access as a bank employee to view the plaintiff’s personal information and banking activity on almost 200 occasions. Such activity was conducted for entirely personal reasons and against bank policy. Upon discovering that the defendant had gained access to her personal information, the plaintiff sued for breach of fiduciary duty and invasion of privacy. The lower court dismissed both of her claims on the basis that Ontario does not recognize a tort of invasion of privacy.

In reversing this decision, the Ontario Court of Appeal established a new tort of “intrusion upon seclusion,” or, put another way, invasion of privacy, and awarded the plaintiff $10,000 in damages. In reaching its decision, the Court of Appeal referred to the new tort as a necessary “incremental step … consistent with the changing needs of society,” noting, in particular, our ever-changing technological environment and the threat it poses to the privacy of personal information.

What is required to be successful in a claim for invasion of privacy? According to the Court of Appeal, a plaintiff must prove that:

  • the defendant’s conduct was intentional or reckless;
  • the defendant invaded, without lawful justification, his/her private affairs or concerns; and
  • a reasonable person would regard the invasion as highly offensive causing distress, humiliation, or anguish.

While the Court made it clear that it is not necessary to prove economic loss, it held that where no economic harm is suffered, a range of up to $20,000 in damages would be appropriate “in all but exceptional cases.”

What does this mean for organizations? While the full implications of the Court’s decision remain to be seen, this case has significant implications for organizations that collect and use personal information in their business. Activities caught by this new tort could include email, phone, computer monitoring, video surveillance, and the collection and use of personal financial, health, or other information of a personal nature. And although the range of damages for this tort is quite modest where there is no economic loss, in the context of a class action, breaches of privacy have the potential for serious financial repercussions.

What can organizations do to protect themselves? Simply put, organizations should consider:

  • preparing and enforcing a written privacy policy;
  • obtaining consent from individuals for the collection, use, and disclosure of their personal information;
  • limiting investigations and background checks to relevant business-related information;
  • ensuring personal information is retained securely and not accessible by unauthorized individuals, as well as establishing systems that record who accesses personal information; and
  • regularly educating and training individuals on the importance of following the organization’s privacy policy.

Organizations that deal with personal information should review their current privacy policies with legal counsel to understand and avoid claims of invasion of privacy. Sotos LLP can guide you through the implications of the options available to you and alert you to any risks.