Issue 36 February 2012
As researchers, we are often given the role of monitoring privacy compliance of our organizations. Even if you aren’t the “privacy officer”, researchers are often the data leaders of their organization. As such, you need to know about the new legal framework that will be applied to unauthorized and offensive use of your database.

On January 18, 2012, the Ontario Court of Appeal decided the case of Jones v. Tsige (2012 ONCA 32). This case has essentially outlined a new tort for Ontario called Intrusion upon Seclusion. For those of you not familiar with legal terms, a “tort” is a wrongful act or an infringement of a right (other than under contract) leading to legal liability.

Details of the new Tort

Individuals can sue for breach of privacy based on proof of (all of the following):

  1. an intentional unauthorized intrusion;
  2. which is an intrusion upon private affairs or concerns (i.e. that breaches a reasonable expectation of privacy); and
  3. that is made in circumstances that are highly offensive to the reasonable person, causing distress, humiliation or anguish.

If these elements are proven, harms that justify an award of moral damages will be presumed. Such damages will be awarded in an amount that does not ordinarily exceed $20,000, with the amount being set based on:

  • the nature, incidence and occasion of the defendant’s wrongful act;
  • the effect of the wrong on the plaintiff’s health, welfare, social, business or financial position;
  • any relationship, whether domestic or otherwise, between the parties;
  • any distress, annoyance or embarrassment suffered by the plaintiff arising from the wrong; and
  • the conduct of the parties, both before and after the wrong, including any apology or offer of amends made by the defendant.

This new tort is actionable without any economic harm (i.e. you can sue even if you suffered no financial damages) and does not require that the information be made public in any way.

To ensure that intrusion upon seclusion was not applied too broadly, the court defined the type of privacy interests that would be affected:

  • financial or health records
  • sexual practices and orientation
  • employment
  • diary or private correspondence that could be reasonably considered highly offensive

How would this apply in Charities

The facts of this particular case arose between two employees in a bank who did not know or work with each other. The plaintiff had a common law relationship with the former husband of the defendant, and the defendant looked at the plaintiff's bank information without any reason on multiple occasions. The Court of Appeal awarded $10,000 to the plaintiff, recognizing the right of action for intrusion upon seclusion.

As the fundraising arm of an organization (or a fundraising organization), you likely keep records on all of your constituents that involve their financial information (donation history, gift agreements, etc.), sexual practices (information on spouse and children), and private correspondence between fundraisers and donors. This means that if you or a colleague wants to, say, “check” on the giving of their ex-spouse or decides to go through the contact reports of a friend to find out what they are doing at the university, this type of unjustified breach of privacy is actionable. You and everyone you work with should be made aware of this potential liability.

Impact on Privacy Policies

In addition, you need to ensure that your charity’s privacy policies make it clear that such actions are not allowed. Unauthorized access to personal information by employees is an all too common phenomenon, and if you don’t already have privacy policies in place that address this, the charity could also be held to account for an employee’s or volunteer’s misuse through a vicarious liability claim (vicarious liability is the assignment of legal responsibility to a third party, such as the employer in this case, who had the "right, ability or duty to control" the activities of the violator). Such claims should be defensible if proper controls are in place: in the Jones v. Tsige case itself, BMO was not held accountable, as it had policies that clearly made such behaviour against company policy.

If you are a charity already subject to PIPEDA or FIPA, you likely already have privacy policies in place that will protect your charity from this kind of claim. That having been said, many charities have never been subject to this legislation and, even if you have been, you likely have not updated your privacy policy in a long time. Give it a review with a mind to this specific tort to make sure your organization is adequately protected.

The best defence against such claims is to prepare and enforce reasonable, effective privacy policies. Organizations that were already subject to privacy legislation, such as PIPEDA or provincial health privacy legislation, may be better prepared to defend against this new cause of action, but should still be mindful of whether their privacy policies address this new source of potential liability.

Application outside Ontario

Although of particular importance for charitable organizations in Ontario, this decision has implications for charities across Canada. Courts outside of Ontario are not bound by an Ontario judgment, but courts in provinces outside of Ontario have not disclaimed the intrusion upon seclusion tort and are likely to be influenced by the Court of Appeal for Ontario’s pronouncement. Moreover, four provinces already have statutory privacy torts that could be revitalized based on the new attention bound to be given to privacy actions: British Columbia, Privacy Act, R.S.B.C. 1996 c. 373; Manitoba, Privacy Act, R.S.M. 1987 c.P125; Saskatchewan, Privacy Act, R.S.S. 1978, c. P-24; and Newfoundland, Privacy Act, R.S.N. 1990, c.P-22. All four Privacy Acts are similar. They establish a limited right of action, whereby liability will only be found if the defendant acts wilfully (not a requirement in Manitoba) and without a claim of right.

 

Shelly Steenhorst-Baker is the Manager, Research and Records for Carleton University. Shelly came to the nonprofit world following work as a lawyer. She has a Postgraduate Certificate in Fundraising and Volunteer Management from Humber College, an LL.B. from the University of Ottawa and an Honours B.A. (in Women's Studies and Classical Studies) from Trent University.
