For years now companies have been focused on how to keep internal data from getting into the wrong hands outside their organizations. In the wake of a recent Ontario Court of Appeal decision involving two employees of the same company, concerns have turned to how to better preserve privacy standards internally.
In Jones v. Tsige, the Ontario Court of Appeal recognized for the first time the tort of “intrusion upon seclusion.” In the case, Sandra Jones and Winnie Tsige both worked at the Bank of Montreal, but at different branches and did not know each other. However, Tsige became involved with Jones’ former husband, and used her workplace computer to access Jones’ personal account information at least 174 times. Jones learned of Tsige’s misconduct and sued for invasion of privacy and breach of fiduciary duty, seeking damages of $20,000.
The Court of Appeal allowed the action and awarded Jones $10,000 in “symbolic” or “moral damages” indicating that Tsige’s actions did not cause Jones any financial loss. The decision stipulated that the law had to evolve to recognize the need to protect individuals from unreasonable intrusion into their private lives.
It’s a case that employers should pay close attention to, says employment lawyer Hendrik Nieuwland of Shields O’Donnell MacKillop LLP. Nieuwland predicts there will be more action coming in this area. “I have no doubt you’re going to see more litigation in this realm. It’s almost like Wallace all over again,” he says, referring to “Wallace-type damages.” Before Wallace v. United Grain Growers Ltd., employees were not entitled to compensation for injuries due to a dismissal. Prior to Wallace, it was also extremely difficult for plaintiffs to obtain damages based on the manner in which they had been dismissed.
The Court of Appeal described the tort of “intrusion upon seclusion” as: “One who intentionally intrudes, physically or otherwise, upon the seclusion of another or his private affairs or concerns, is subject to liability to the other for invasion of his privacy, if the invasion would be highly offensive to a reasonable person.”
In his decision, Justice Robert Sharpe explained the limitations of the new tort: 1) the defendant’s conduct must be intentional or reckless; 2) the defendant must have invaded, without lawful justification, the plaintiff’s private affairs; 3) a reasonable person would regard the invasion as highly offensive causing distress, humiliation, or anguish; and 4) the plaintiff can recover damages even if there is no actual financial harm caused by the invasion of privacy, but the court capped damages at $20,000.
“I don’t see it as changing life dramatically; the tort is probably built best for disputes between individuals who are very angry at each other,” says Daniel Michaluk of Hicks Morley Hamilton Stewart Storie LLP. “It’s a little bit like defamation in that sense. It doesn’t shape the actions of a corporation on a day-in, day-out basis but for employers and private investigators it’s key and I think they’ll get claims and I think it will modify the use of private investigators.”
Michaluk says he sees two sets of issues for employers to consider. One relates to the collection of information about employees inside the workplace. “I think employers will be given a wide berth inside the workplace. That has been the experience in the United States where courts have said that inside the workplace employers have to do things like investigate and audit, and your expectation of privacy is limited,” says Michaluk. “I would hope that would be the case here, too.”
One aspect inside the workplace employers should be concerned about is computer audits and related investigations. “The computer system is such a critical source of business risk and source of evidence and information on how the business is operating. So access to that is important,” he says.
An Ontario Court of Appeal decision in 2011 — R. v. Cole — dealt with an employee’s expectation of privacy on a work computer and experts say Cole suggests good policy language is necessary to limit an employee’s expectation of privacy with a device provided by an employer.
In that decision, Richard Cole, a teacher who was responsible for monitoring the computer use of students, accessed a student e-mail account and downloaded nude photos of the student’s girlfriend, saving them on his workplace computer. During a routine IT check, the photos were found and the school principal called the police. The teacher claimed unreasonable search of and seizure of his computer. “Did the employee have a reasonable expectation of privacy with [a] workplace computer? The Court of Appeal said yes because the school allowed personal use of computers and allowed them to take them home,” says Nieuwland.
Given Cole and now Tsige, if you put the two together it’s a smart thing for employers to look at those policies right now, says Michaluk. “[Computer-use policies] used to be very short documents because nobody put a lot of weight into the employee’s privacy expectation. They would typically say that you don’t have an expectation of privacy, period.” But, he notes, Cole suggests employers have to be more specific around wording related to access of employee work systems.
Employers, he adds, should bulk up their computer-use policies so there is no reasonable expectation of privacy whether the computer is used for work or personal use and subject to monitoring without notice.
While Michaluk sees computer monitoring as the most important issue right now, there are also privacy considerations around bag checks to consider, such as at places of employment like warehouses, locker searches, desk searches, and the use of GPS on employee vehicles. “There are arbitration case laws that go way back but it’s never been a civil litigation issue until now. We may see some litigation in a new form now,” he says.
He also thinks a serious issue for employers following Tsige will be investigations conducted outside the workplace such as the hiring of private investigators to look into the actions of employees suspected of insurance or other fraud. “You’re likely to be vicariously liable for the actions of a private investigator because you’ve hired them to go out and investigate for you. It’s going to be hard to divorce yourself from their actions. I do think claims will be inevitable because if you terminate someone based on the strength of out-of-facility video surveillance why wouldn’t that employee allege a wrongful dismissal and a breach of privacy?” says Michaluk.
So how do you keep PIs on the right side of privacy rules? To start with: “Tell PIs not to video record through a living room window because there is a lot of Charter jurisprudence about the sanctity of the home when it comes to privacy. Videotaping activity in the public eye should be fine,” he says.
Determining the tactics PIs use prior to hiring them may also be a good idea, offers Nieuwland. “If they engage in aggressive surveillance, they are your agents and you will be liable for their conduct or misconduct.”
You must also have good cause to suspect the employee of wrongdoing. He cites a 1970 case that dealt with the use of a private investigator in British Columbia. In Davis v. MacArthur, the B.C. Court of Appeal concluded that retaining a PI did not violate B.C.’s Privacy Act because the PI was used for a legitimate purpose, was not motivated by malice, and acted with “circumspection.” To protect against accusations of invasions of privacy, employers are advised to retain PIs for objectively reasonable purposes (like a fraud investigation), and should ensure the PI retained is well-trained and professional since the employer could be liable for the PI’s misconduct. “Weak suspicions could get you into trouble,” says Nieuwland.
The new tort addresses what has been a grey area of employment law, says Catherine Beagan Flood, a partner with Blake Cassels & Graydon LLP in Toronto. “I think previously there had been a real gap in the law. The use of personal information for commercial purposes is protected by federal legislation, and invasion of privacy by the government or police is already governed by the Charter [and] privacy statutes, but in Ontario it wasn’t clear. There wasn’t any law preventing an individual from invading another person’s privacy for non-commercial reasons, so this new tort is primarily intended to fill in that gap.”
It’s not clear though, adds Beagan Flood, whether the tort of “intrusion upon seclusion” is intended to overlap for employers already subject to the federal Personal Information Protection and Electronic Documents Act, or whether it’s only intended to fill in the gaps where PIPEDA doesn’t apply. “I think one concern for employers is the extent to which they could be vicariously liable for torts committed by their employees,” says Beagan Flood. “That’s not an issue the court of appeal addressed at all in this case but it is a potential issue for liability of employers.”
So will Tsige really open the floodgates to new privacy actions? Probably not, but employers are advised to review their current policies and consider the potential holes in their current privacy programs. “I think it’s interesting that the Court of Appeal mentioned in the decision that recognizing a broader invasion of privacy tort could become unmanageable, so they realized there was a potential for the floodgates to open and were quite careful to put limits around the new tort they were recognizing including reckless and intentional behaviour. But at the same time this raises a whole host of questions that simply aren’t dealt with by the Court of Appeal,” says Beagan Flood. She adds it’s important for employers to recognize that the appeal court limited this tort to intentional and reckless actions so having proper policies and procedures and consents in place can help an employer show it wasn’t acting recklessly.
Nieuwland agrees there are some unknowns as a result of the new tort. “So what’s a private affair and what’s a lawful justification? That’s not addressed in the decision. We’re kind of left to guess a bit. Justice Sharpe has broken new ground here so there’s not a lot of guidance, but one can look at privacy legislation in other provinces that talk about justifiable use and distribution of employee information and circumstances under which it is justifiable.”
For example, in B.C. the Personal Information Protection Act allows an employer to collect, use, and distribute information about an employee if the collection is reasonable for an investigation or a proceeding. “That’s a relatively broad exception and I think a court would take some guidance from that in deciding what is a lawful justification for the purposes of tort law,” he says.
This is particularly applicable in the case of video surveillance. “If you’re an employer and have reasonable grounds to suspect disability fraud, if you sought consent from the employee to observe them they would just continue their charade of being unable to work,” says Nieuwland. “Surreptitious observation is necessary for that type of work.”
In Jones v. Tsige, the Ontario Court of Appeal recognized for the first time the tort of “intrusion upon seclusion.” In the case, Sandra Jones and Winnie Tsige both worked at the Bank of Montreal, but at different branches and did not know each other. However, Tsige became involved with Jones’ former husband, and used her workplace computer to access Jones’ personal account information at least 174 times. Jones learned of Tsige’s misconduct and sued for invasion of privacy and breach of fiduciary duty, seeking damages of $20,000.
The Court of Appeal allowed the action and awarded Jones $10,000 in “symbolic” or “moral damages” indicating that Tsige’s actions did not cause Jones any financial loss. The decision stipulated that the law had to evolve to recognize the need to protect individuals from unreasonable intrusion into their private lives.
It’s a case that employers should pay close attention to, says employment lawyer Hendrik Nieuwland of Shields O’Donnell MacKillop LLP. Nieuwland predicts there will be more action coming in this area. “I have no doubt you’re going to see more litigation in this realm. It’s almost like Wallace all over again,” he says, referring to “Wallace-type damages.” Before Wallace v. United Grain Growers Ltd., employees were not entitled to compensation for injuries due to a dismissal. Prior to Wallace, it was also extremely difficult for plaintiffs to obtain damages based on the manner in which they had been dismissed.
The Court of Appeal described the tort of “intrusion upon seclusion” as: “One who intentionally intrudes, physically or otherwise, upon the seclusion of another or his private affairs or concerns, is subject to liability to the other for invasion of his privacy, if the invasion would be highly offensive to a reasonable person.”
In his decision, Justice Robert Sharpe explained the limitations of the new tort: 1) the defendant’s conduct must be intentional or reckless; 2) the defendant must have invaded, without lawful justification, the plaintiff’s private affairs; 3) a reasonable person would regard the invasion as highly offensive causing distress, humiliation, or anguish; and 4) the plaintiff can recover damages even if there is no actual financial harm caused by the invasion of privacy, but the court capped damages at $20,000.
“I don’t see it as changing life dramatically; the tort is probably built best for disputes between individuals who are very angry at each other,” says Daniel Michaluk of Hicks Morley Hamilton Stewart Storie LLP. “It’s a little bit like defamation in that sense. It doesn’t shape the actions of a corporation on a day-in, day-out basis but for employers and private investigators it’s key and I think they’ll get claims and I think it will modify the use of private investigators.”
Michaluk says he sees two sets of issues for employers to consider. One relates to the collection of information about employees inside the workplace. “I think employers will be given a wide berth inside the workplace. That has been the experience in the United States where courts have said that inside the workplace employers have to do things like investigate and audit, and your expectation of privacy is limited,” says Michaluk. “I would hope that would be the case here, too.”
One aspect inside the workplace employers should be concerned about is computer audits and related investigations. “The computer system is such a critical source of business risk and source of evidence and information on how the business is operating. So access to that is important,” he says.
An Ontario Court of Appeal decision in 2011 — R. v. Cole — dealt with an employee’s expectation of privacy on a work computer and experts say Cole suggests good policy language is necessary to limit an employee’s expectation of privacy with a device provided by an employer.
In that decision, Richard Cole, a teacher who was responsible for monitoring the computer use of students, accessed a student e-mail account and downloaded nude photos of the student’s girlfriend, saving them on his workplace computer. During a routine IT check, the photos were found and the school principal called the police. The teacher claimed unreasonable search of and seizure of his computer. “Did the employee have a reasonable expectation of privacy with [a] workplace computer? The Court of Appeal said yes because the school allowed personal use of computers and allowed them to take them home,” says Nieuwland.
Given Cole and now Tsige, if you put the two together it’s a smart thing for employers to look at those policies right now, says Michaluk. “[Computer-use policies] used to be very short documents because nobody put a lot of weight into the employee’s privacy expectation. They would typically say that you don’t have an expectation of privacy, period.” But, he notes, Cole suggests employers have to be more specific around wording related to access of employee work systems.
Employers, he adds, should bulk up their computer-use policies so there is no reasonable expectation of privacy whether the computer is used for work or personal use and subject to monitoring without notice.
While Michaluk sees computer monitoring as the most important issue right now, there are also privacy considerations around bag checks to consider, such as at places of employment like warehouses, locker searches, desk searches, and the use of GPS on employee vehicles. “There are arbitration case laws that go way back but it’s never been a civil litigation issue until now. We may see some litigation in a new form now,” he says.
He also thinks a serious issue for employers following Tsige will be investigations conducted outside the workplace such as the hiring of private investigators to look into the actions of employees suspected of insurance or other fraud. “You’re likely to be vicariously liable for the actions of a private investigator because you’ve hired them to go out and investigate for you. It’s going to be hard to divorce yourself from their actions. I do think claims will be inevitable because if you terminate someone based on the strength of out-of-facility video surveillance why wouldn’t that employee allege a wrongful dismissal and a breach of privacy?” says Michaluk.
So how do you keep PIs on the right side of privacy rules? To start with: “Tell PIs not to video record through a living room window because there is a lot of Charter jurisprudence about the sanctity of the home when it comes to privacy. Videotaping activity in the public eye should be fine,” he says.
Determining the tactics PIs use prior to hiring them may also be a good idea, offers Nieuwland. “If they engage in aggressive surveillance, they are your agents and you will be liable for their conduct or misconduct.”
You must also have good cause to suspect the employee of wrongdoing. He cites a 1970 case that dealt with the use of a private investigator in British Columbia. In Davis v. MacArthur, the B.C. Court of Appeal concluded that retaining a PI did not violate B.C.’s Privacy Act because the PI was used for a legitimate purpose, was not motivated by malice, and acted with “circumspection.” To protect against accusations of invasions of privacy, employers are advised to retain PIs for objectively reasonable purposes (like a fraud investigation), and should ensure the PI retained is well-trained and professional since the employer could be liable for the PI’s misconduct. “Weak suspicions could get you into trouble,” says Nieuwland.
The new tort addresses what has been a grey area of employment law, says Catherine Beagan Flood, a partner with Blake Cassels & Graydon LLP in Toronto. “I think previously there had been a real gap in the law. The use of personal information for commercial purposes is protected by federal legislation, and invasion of privacy by the government or police is already governed by the Charter [and] privacy statutes, but in Ontario it wasn’t clear. There wasn’t any law preventing an individual from invading another person’s privacy for non-commercial reasons, so this new tort is primarily intended to fill in that gap.”
It’s not clear though, adds Beagan Flood, whether the tort of “intrusion upon seclusion” is intended to overlap for employers already subject to the federal Personal Information Protection and Electronic Documents Act, or whether it’s only intended to fill in the gaps where PIPEDA doesn’t apply. “I think one concern for employers is the extent to which they could be vicariously liable for torts committed by their employees,” says Beagan Flood. “That’s not an issue the court of appeal addressed at all in this case but it is a potential issue for liability of employers.”
So will Tsige really open the floodgates to new privacy actions? Probably not, but employers are advised to review their current policies and consider the potential holes in their current privacy programs. “I think it’s interesting that the Court of Appeal mentioned in the decision that recognizing a broader invasion of privacy tort could become unmanageable, so they realized there was a potential for the floodgates to open and were quite careful to put limits around the new tort they were recognizing including reckless and intentional behaviour. But at the same time this raises a whole host of questions that simply aren’t dealt with by the Court of Appeal,” says Beagan Flood. She adds it’s important for employers to recognize that the appeal court limited this tort to intentional and reckless actions so having proper policies and procedures and consents in place can help an employer show it wasn’t acting recklessly.
Nieuwland agrees there are some unknowns as a result of the new tort. “So what’s a private affair and what’s a lawful justification? That’s not addressed in the decision. We’re kind of left to guess a bit. Justice Sharpe has broken new ground here so there’s not a lot of guidance, but one can look at privacy legislation in other provinces that talk about justifiable use and distribution of employee information and circumstances under which it is justifiable.”
For example, in B.C. the Personal Information Protection Act allows an employer to collect, use, and distribute information about an employee if the collection is reasonable for an investigation or a proceeding. “That’s a relatively broad exception and I think a court would take some guidance from that in deciding what is a lawful justification for the purposes of tort law,” he says.
This is particularly applicable in the case of video surveillance. “If you’re an employer and have reasonable grounds to suspect disability fraud, if you sought consent from the employee to observe them they would just continue their charade of being unable to work,” says Nieuwland. “Surreptitious observation is necessary for that type of work.”