A decision by the Ontario Court of Appeal has opened the door to lawsuits for invasion of privacy — and employers should take notice, according to Mary Beth Currie, co-leader of Bennett Jones’ employment services practice in Toronto.
In a unanimous decision, the court recognized the right of an Ontario woman to sue for damages for the anguish and suffering caused by an intrusion into her bank records by a fellow employee.
Sandra Jones and Winnie Tsige both worked at the Bank of Montreal (BMO) although they did not work together. Tsige was involved in a relationship with Jones’ former husband and, against bank policy, looked into Jones’ bank records at least 174 times over a four-year period. Tsige was suspended without pay for one week and denied a bonus.
That addressed the employment issues in the case but not the human side, said Lisa Stam, an employment lawyer at Baker & McKenzie in Toronto.
“It’s fine that the employee was disciplined and sent home, but the employee had no remedy for herself,” she said. “It’s not enough to know that someone was punished. You want something, too.”
The decision closes a privacy gap in Ontario, said Stam. While the Personal Information and Protection of Electronic Documents Act (PIPEDA) covers federally regulated employers, it does not cover privacy rights related to actions between two individuals, explained the court.
And although the bank is governed by PIPEDA, the legislation would not apply in this case for a number of reasons. First, Jones would have been forced to lodge her complaint against the employer, not the wrongdoer. Second, Tsige acted as a “rogue” employee, said the court, contrary to BMO policies. Finally, remedies under PIPEDA do not include damages.
PIPEDA does not apply to provincially regulated employers when it comes to personal information collected about employees, nor does it give them a right to sue, said Currie.
Several provinces have privacy legislation but only British Columbia, Manitoba, Saskatchewan and Newfoundland and Labrador have a tort of invasion of privacy that would allow employees to sue. But no provincial legislation provides a precise definition of what constitutes an invasion of privacy, said the court.
Ontario’s privacy legislation, meanwhile, pertains only to freedom of information and the protection of certain private information with respect to governments and other public institutions.
The court’s ruling exposes private sector employers in Ontario to some risk, said Currie.
“It’s important for them because, until now, if they’ve monitored email or conducted video surveillance, there’s been little to challenge their authority,” she said. “Suddenly, there will be some boundaries.”
Without appropriate privacy and technology policies in place, employers will also leave themselves vulnerable to a lawsuit, said Currie.
Privacy policies should alert employees to what information is collected and for what purpose, while an IT usage policy should explain the technology belongs to the employer, is to be used for business purposes only and, if an employee uses it for private use, there can be no expectation of privacy.
The risk is when companies don’t have a policy or apply it inconsistently by turning a blind eye to minor personal use, said Currie.
“Then there may be an expectation of privacy and they may expose themselves.”
But it’s not enough to create a policy, said Stam. It must be communicated clearly and on an ongoing basis.
“You’ll want to lay out who to go to with concerns, the process for handling a complaint — with examples — and in the case of medical information, you’ll want to state it expressly,” she said.
There’s also the threat of vicarious liability — being responsible for one employee spying on another, as in the BMO case. While it’s always a risk, the claim is diminished when the employee is not acting on the employer’s behalf or outside the scope of employment, as was the case here, said Stam.
“Had the bank not applied policy consistently, then it may have had a claim against it as well,” she said.
Non-unionized private sector employers are most at risk, said Currie. Privacy is often covered within collective agreements for unionized workers, although arbitrators in Ontario have been divided over whether there’s a common law right to privacy. This ruling will likely have an impact on future arbitrations and the question will be what constitutes an invasion of privacy, she said.
“Am I invading someone’s privacy when I look at that information when they leave for the day, or leave for good?”
The three-part test laid out by the court may limit the number of lawsuits employers face, said Dan Palayew, an expert on employment and workplace privacy law at Heenan Blaikie in Ottawa. It would require employees prove the employer intentionally invaded their personal space, did so without lawful justification and a “reasonable” person would see the privacy invasion as “highly offensive causing distress, humiliation or anguish.”
Only intrusions into highly sensitive information — financial or health records, sexual practices and orientation, employment, or diary or private correspondence — will be protected, said the court. This makes it unlikely routine business surveillance, such as email monitoring, will result in an invasion-of-privacy lawsuit, said Palayew.
“That comes full circle back to the employer’s policies.”
The court limited damages to $20,000, although it awarded Jones only one-half of that amount. While it’s likely there will be few claims for invasion of privacy alone, Stam expects to see this tort added onto other lawsuits in future.
“The risk is that this can be tacked onto a regular wrongful dismissal claim,” she said. “It’s expensive on its own but it might be worth it to tack it onto this. Before, there was no way to take on privacy.”
© Copyright Canadian HR Reporter, Thomson Reuters Canada Limited. All rights reserved.