How much is enough: meeting the threshold for the tort of intrusion upon seclusion
On March 24, 2022, the Ontario Divisional Court released its decision in Stewart v Demme (2022 ONSC 1790), a class action case against William Osler Health System and one of its ex-nurses (Demme). The case deals with the tort of intrusion upon seclusion, which is a claim that can be advanced by individuals affected by a significant privacy breach.
Demme was a nurse at William Osler Health System. She suffered from an opioid addiction, which she fueled by stealing Percocet pills from one of the automated dispensing units at the hospital. In order to access the medication, she would randomly choose a patient’s name from the screen on the automated dispensing unit. The screen would then display the patient’s ID number, which unit of the hospital they had visited, any allergy information as well as any medications that had been administered to them in the previous 32 hours. Hospital records show that on each occasion, Demme accessed the patient information for a matter of seconds. Her access of the info was the “key” to unlocking the dispensing unit.
When the hospital learned what was going on, Demme was criminally convicted of theft and lost her license to practice as a nurse. The hospital also notified all affected patients, who in response, initiated a class action lawsuit seeking damages for negligence and the tort of inclusion upon seclusion.
The judge responsible for certifying the class action did not feel that the elements of a claim of negligence were made out. However, the class was certified for the tort of intrusion upon seclusion.
The elements that need to be proven for the tort of intrusion upon seclusion were set out in Jones v Tsige (2012 ONCA 32). They are:
- That there has been a deliberate and significant invasion of privacy;
- That the information involved is highly personal in nature; and
- That the invasion would be highly offensive to a reasonable person.
At trial, the court found that the elements had been met on the basis that Demme’s actions were deliberate and the information accessed was health information, which is inherently sensitive. However, Demme and the hospital appealed. On appeal, the Divisional Court overturned the trial decision and concluded that the “highly offensive” criteria had not been satisfied.
The Divisional Court offered this rationale: “Not every intrusion into privacy amounts to a basis to sue for the tort of intrusion upon seclusion.” The intrusion must, objectively, be so offensive that it cries out for a remedy. In this case, the access to health information was limited, fleeting and incidental to Demme’s main objective, which was to access the opioids. While falling into the category of health information, the information she accessed was not particularly sensitive and she did not retain or share the information with anyone.
The Divisional Court also clarified that when analyzing an intrusion upon seclusion case, the significance of the intrusion is to be assessed individually for each affected person. The fact that there were over 11,000 intrusions in this case does not mean that each one was significant and highly offensive.
The takeaways from this case are:
- Not every privacy breach is sufficient to give rise to the tort of intrusion upon seclusion. The intrusion must be an affront to privacy such that it “cries out for a remedy”;
- The fact that the information accessed was health information is insufficient to satisfy the “highly offensive” criteria. The nature of the information, the factual circumstances around how it was accessed (for how long, with what motive, and whether it was retained or disclosed) all contribute to whether or not an invasion of privacy is sensitive enough to meet the threshold to be characterized as “highly offensive”; and
- The number and scope of individuals affected is irrelevant to the outcome of the case. The significance of the intrusion is to be assessed on the impact on each individual – a large number of invasions does not equal a highly offensive intrusion.
This case adds insight to a growing body of law that is shaping how and when we use the tort of intrusion upon seclusion.
Contact us for more information about managing privacy breaches or training your organization on privacy best practices.