Snooping employees could put employers at risk of mass torts
Fredericton litigator Matthew Pearn says the case of a Moncton doctor who was fired after he snooped into the medical files of more than 100 women should be a wake-up call for businesses and institutions that handle people’s sensitive information.
CBC reports Dr. Fernando Rojas recently had his privileges at the Dr. Georges-L.-Dumont Hospital in Moncton revoked and his employment terminated after it was discovered the radiation oncologist "accessed the personal health information of 141 females between the ages of 13 and 39 years without their authorization during a two-year period,” the CBC reports. “Some of the females work or worked at the hospital while others were servers at a restaurant where Rojas was a regular customer.”
A report by New Brunswick Privacy Commissioner Anne Bertrand in July 2014 confirmed the women were not the doctor's patients, the article states. Rojas told Bertrand he was "looking at these patient files out of personal interest and to find out their age."
Pearn, an insurance lawyer with Foster & Company, says if this type of private information was disclosed broadly, it clearly could be the subject of a civil action.
“But then there are these other things that happen — as in the case of the Moncton doctor — where the person is looking at this sensitive information for the purposes of snooping. Some people might call the behaviour discomforting or creepy,” he tells AdvocateDaily.com. “Incidents like this happen and those whose information was accessed are left wondering if this is a civil wrong and if so, what will remedy that wrong?
“The tort of intrusion upon seclusion is a newish vehicle for addressing this type of issue,” he adds.
The tort of intrusion upon seclusion was incorporated into Ontario law in the case of Jones v. Tsige, 2012 ONCA 32 (CanLII). In that matter, the plaintiff and the defendant didn’t know each other but they worked for different branches of the same bank. The defendant was in a common-law relationship with the plaintiff's ex-husband.
Over the course of four years, the defendant used her work computer to access the plaintiff's personal bank accounts at least 174 times, but didn’t publish, distribute or record the information in any way.
At appeal, the court ruled a right of action for intrusion upon seclusion should be recognized in Ontario and awarded the plaintiff $10,000 in damages.
Pearn says Jones opened the door for privacy torts in Canada.
“Again, the plaintiff wasn’t exposed to financial harm as a result of this information being accessed but it was an invasion of her privacy,” he says. “It’s a similar scenario to the Moncton doctor. He didn’t expose these women to financial harm but their privacy interests were engaged and that is now an actionable wrong.”
He says the bottom line is, if you are setting up a business or you are evaluating a business for the purpose of insuring it under a commercial general liability policy, this is a new risk that should be factored into the calculation of the premium.
“For employers and business owners, it’s an interesting development because if you’re handling people’s sensitive information you should be waking up to the possibility of mass torts and class actions,” Pearn says. “Alternately, there’s always the chance of a larger breach by someone who is outside of the organization because you haven’t created enough security to protect somebody’s information.”