Intrusion Upon Seclusion - When Your Privacy is Violated

by Kris Bonn

This past week Quinte Healthcare (QHC) fired a nurse for the unauthorized accessing of hundreds of patient records. As reported by the Intelligencer and Quinte News the nurse was at Belleville General Hospital (BGH). As QHC’s President and CEO Mary Clare Egberts told reporters, QHC’s privacy office in September detected the nurse’s activity at BGH.

As recognized by Ms. Egberts, “You only have the right to access a chart if you are providing care directly to that patient.” She said that the nurse in question had no such right, yet over a matter of months viewed patients’ personal information – possibly including their names, home addresses, birthdates, health card numbers, and health information. QHC believes that no records were printed or shared. QHC has notified those patients whose records the nurse had improperly accessed. Many of the patients and the public in general are now wondering about the potential for legal action arising from the privacy breach. There is indeed a potential legal remedy for the patients whose records the nurse improperly accessed.

In Ontario, there is a relatively new cause of action, or tort, known as “intrusion upon seclusion”. The cause of action was first recognized in the 2012 Ontario Court of Appeal decision of Jones v. Tsige, 2012 ONCA 32. In that case, the plaintiff and the defendant both worked for the same bank, but in different branches. The defendant had formed a common law relationship with the plaintiff’s ex-husband. For about four years, the defendant used her workplace computer to access the plaintiff’s personal bank records. She did not publish, distribute, or record the information in any way. When the plaintiff discovered the conduct, she brought an action for damages for invasion of privacy. The judge who first heard the case dismissed the plaintiff’s action concluding that there was no right to sue for invasion of privacy at common law in Ontario. The Court of Appeal disagreed and confirmed that there is a freestanding right to sue for invasion of privacy. The new cause of action is called “intrusion upon seclusion”. The Court of Appeal emphasized the importance of privacy rights in Canada, writing:

A right of action for intrusion upon seclusion should be recognized in Ontario. The case law supports the existence of such a cause of action. Privacy has long been recognized as an important underlying in animating value of various traditional cause of action to protect personal and corporeal privacy. Charter [Canadian Charter of Rights and Freedoms] jurisprudence recognizes privacy as a fundamental value in our law and specifically identifies, as worthy of protection, a right to informational privacy that is distinct from personal and territorial privacy. The right to informational privacy closely tracks the same interest that would be protected by the cause of action for intrusion upon seclusion. It is within the capacity of the common law to evolve to respond to the problem posed by the routine collection and aggregation of highly personal information that is readily accessible in electronic form. Technological change poses a novel threat to the right of privacy that has been protected for hundreds of years by the common law under various guises and that, since 1982 and the charter, has been recognized as a right that is integral to our social and political order. Finally, the facts of this case cried out for the remedy.

The Court of Appeal awarded $20,000 in damages to the plaintiff.

At first blush, the Jones v. Tighe decision appears different from the QHC case. However, the defendant in the Jones v. Tighe decision did not do anything with the information she accessed, which is similar to the QHC case.

A more difficult question to consider is not whether the victims are entitled to compensation, but who should pay the compensation? In order to provide patient care, QHC must allow healthcare professionals to access patient records. Having the patient records in digital form enhances patient care as there is a timely and accurate record of treatment that is preserved. It would be next to impossible to prevent the intentional acts of a rogue nurse without diminishing the ability to provide timely care to all patients. There is no evidence to suggest that anyone from QHC knew that this nurse was improperly accessing patient records and turned a blind eye or were willfully blind to this happening. Indeed, the news reports suggest that QHC took the proactive step of notifying the patients whose records the rogue nurse accessed on their own accord. QHC should be commended for how they have handled this difficult situation. QHC immediately fired the nurse and reported the breach to the police and Ontario Privacy Commissioner.

I agree with the following comment from the comments section to the Intelligencer article:

As privacy training is completed annually and nurses are aware that failure to abide may result in disciplinary action or termination, hospital administration, patients expect that privacy is protected. It is hard to believe the news reports the curiosity may have been the motivation. As there are so many victims with unanswered questions, it is hoped that more information will be revealed as the investigation continues. QHC (Bancroft, Belleville & Trenton) have friendly, caring staff that are resourceful, offering superior care with the limited funding received; the hospital is also a victim in this breach. Focus on the Hospital’s Heroes instead of one nurse that made bad choices.

While litigation seems likely in this case, this may be a situation that is better served with an open and public investigation that doesn’t look to assign blame, but rather focuses on how to prevent this from happening again in the future.