I’m Kate Dewhirst.

My team and I write about legal issues affecting healthcare in Canada.

Kate Dewhirst Health Law - bringing the law to life. Meet Kate (in 13 seconds)

How much is enough: meeting the threshold for the tort of intrusion upon seclusion

Posted by

On March 24, 2022, the Ontario Divisional Court released its decision in Stewart v Demme (2022 ONSC 1790), a class action case against William Osler Health System and one of its ex-nurses (Demme). The case deals with the tort of intrusion upon seclusion, which is a claim that can be advanced by individuals affected by a significant privacy breach.

Demme was a nurse at William Osler Health System. She suffered from an opioid addiction, which she fueled by stealing Percocet pills from one of the automated dispensing units at the hospital. In order to access the medication, she would randomly choose a patient’s name from the screen on the automated dispensing unit. The screen would then display the patient’s ID number, which unit of the hospital they had visited, any allergy information as well as any medications that had been administered to them in the previous 32 hours. Hospital records show that on each occasion, Demme accessed the patient information for a matter of seconds. Her access of the info was the “key” to unlocking the dispensing unit.

When the hospital learned what was going on, Demme was criminally convicted of theft and lost her license to practice as a nurse. The hospital also notified all affected patients, who in response, initiated a class action lawsuit seeking damages for negligence and the tort of inclusion upon seclusion.

The judge responsible for certifying the class action did not feel that the elements of a claim of negligence were made out. However, the class was certified for the tort of intrusion upon seclusion.

The elements that need to be proven for the tort of intrusion upon seclusion were set out in Jones v Tsige (2012 ONCA 32). They are:

  1. That there has been a deliberate and significant invasion of privacy;
  2. That the information involved is highly personal in nature; and
  3. That the invasion would be highly offensive to a reasonable person.

At trial, the court found that the elements had been met on the basis that Demme’s actions were deliberate and the information accessed was health information, which is inherently sensitive. However, Demme and the hospital appealed. On appeal, the Divisional Court overturned the trial decision and concluded that the “highly offensive” criteria had not been satisfied.

The Divisional Court offered this rationale: “Not every intrusion into privacy amounts to a basis to sue for the tort of intrusion upon seclusion.” The intrusion must, objectively, be so offensive that it cries out for a remedy. In this case, the access to health information was limited, fleeting and incidental to Demme’s main objective, which was to access the opioids. While falling into the category of health information, the information she accessed was not particularly sensitive and she did not retain or share the information with anyone.

The Divisional Court also clarified that when analyzing an intrusion upon seclusion case, the significance of the intrusion is to be assessed individually for each affected person. The fact that there were over 11,000 intrusions in this case does not mean that each one was significant and highly offensive.

The takeaways from this case are:

  • Not every privacy breach is sufficient to give rise to the tort of intrusion upon seclusion. The intrusion must be an affront to privacy such that it “cries out for a remedy”;
  • The fact that the information accessed was health information is insufficient to satisfy the “highly offensive” criteria. The nature of the information, the factual circumstances around how it was accessed (for how long, with what motive, and whether it was retained or disclosed) all contribute to whether or not an invasion of privacy is sensitive enough to meet the threshold to be characterized as “highly offensive”; and
  • The number and scope of individuals affected is irrelevant to the outcome of the case. The significance of the intrusion is to be assessed on the impact on each individual – a large number of invasions does not equal a highly offensive intrusion.

This case adds insight to a growing body of law that is shaping how and when we use the tort of intrusion upon seclusion.

Contact us for more information about managing privacy breaches or training your organization on privacy best practices.


If you enjoyed this article please share it:


Previous and next posts from Kate:

Some of Kate’s recent and upcoming events

Free healthcare privacy webinar - ask me anything!
the first Wednesday of every month

Free webinars - advance registration needed

Whether you're an experienced privacy officer or new in the field, pick Kate’s brain for free for an hour, in this live webinar. No charge, but you’ll need to register in advance.

Primary care webinars: Employment Law Update & Legal Issues for EDs and Board members

Part of Kate’s monthly webinar series.

Our 2025 program is now live.
Full details of the 2025 webinar series and registration here.

Mental Health webinars: Legal issues for mental health and addictions agencies and teams
Annual membership 2025

For managers and other leaders from mental health and addictions agencies, hospitals, CMHAs, CHCs, school boards, FHTs and Indigenous health services

This is an annual membership program with monthly webinars.
Full details and registration here.

Health Privacy Officer Foundations training
starts Spring 2025

For Privacy Officers within healthcare organizations.

This course focuses on how to become a more confident privacy officer and gives you the tools to document your privacy program. Full details and registration here...

Join the Shush: a collective of health privacy officers
Annual membership 2025

For Privacy Officers within healthcare organizations

This is an annual membership program that takes theory into practice and tackles real life scenarios to build Privacy Officer skills.
Full details and registration here.

Team Privacy Training Events

For Primary Care clinics, Hospitals, Community Agencies, Mental Health Teams, Public Health Units, School Boards, Police departments

Scheduled to your team's needs for comprehensive or refresher training More details...

Free summary of all PHIPA IPC decisions

Want to read privacy breach stories to learn how to improve your work? We have summarized all the Information and Privacy Commissioner's health privacy decisions for you Download here...

Kate Dewhirst Health Law

Kate says:

My mission is bringing the law to life. I make legal theory understandable, accessible and fun! I’m available and love to work for all organizations in the healthcare sector across Ontario and beyond.

Subscribe to my mailing list and keep up to date with news:

Latest Tweets

  • Our twitter feed is unavailable right now. Follow us on Twitter
  • contact details

    P.O. Box 13024, RPO Bradford Centre
    Bradford, ON, L3Z 2Y5

    (416) 855 9557

    .