More Than One Way To Skin A Privacy Breach: The Ontario Court of Appeal ‘s Decision in Hopkins v. Kay
Earlier this year, the Ontario Court of Appeal released its decision in Hopkins v. Kay, 2015 ONCA 112, in which it held that the mere existence of a legislative scheme to address privacy-related breaches of personal health information does not preclude a private action from being brought to address said breaches.
In this case, a plaintiff started a class action against the Peterborough Regional Health Centre (“PRHC”), claiming that several patients’ health records were improperly accessed. PRHC unsuccessfully tried to strike the claim, arguing that the Personal Health Information Protection Act, S.O. 2004, c. 3, Sch. A (“PHIPA”) provided an exhaustive scheme to address any invasion of privacy based on personal health information being improperly disclosed.
The Court of Appeal dismissed PRHC’s appeal. While the Court acknowledged that PHIPA provides Ontario’s Privacy Commissioner with broad powers to investigate complaints related to personal health information being improperly disclosed or accessed and make appropriate orders, this was not determinative of the issue. Since “there is nothing explicit in PHIPA dealing with exclusivity”, the Court applied the common law test from Pleau v. Canada (A.G.), 1999 NSCA 159, leave to appeal refused,  SCCA No 83, to determine whether it should infer that PHIPA was meant to be an exhaustive code with respect to privacy breaches related to personal health information. This three prong test asks whether (i) the process for dispute resolution established by the legislation at issue is consistent with exclusive jurisdiction, (ii) the nature of the dispute is, in substance, regulated by the legislation at issue, and (iii) the legislation provides an effective means of addressing the concern at issue.
On the first prong, the Court held that notwithstanding PHIPA’s comprehensive set of rules, standards, and procedures around personal health information, s. 57(4)(b) contemplates complaints brought under the act being dealt with in alternative procedures, which was “difficult to reconcile with the proposition that the complaint procedure under PHIPA is exhaustive and exclusive.” Moreover, if a health information custodian makes good faith efforts to comply with PHIPA, s. 71 provides immunity in an “action or other proceeding for damages”.
On the second prong, the Court rejected PRHC’s argument that the essential character of the class action at issue was regulated by the PHIPA, since the action was based on the tort of intrusion upon seclusion, rather than a breach of PHIPA. The test for intrusion upon seclusion, set out in the landmark Jones v. Tsige case, is distinguishable from and more difficult to establish than a breach under PHIPA.
On the third prong, the Court held that there are likely many individual complaints that could result in a proper action at common law, but which may not attract an order from the Privacy Commissioner. The Court hypothesized that there could be many scenarios where a complaint that does not raise systemic issues, and the Commissioner would decline to conduct a review or make an order, but where a court may grant damages. Consequently, the Court disagreed with PRHC that PHIPA provided effective redress for the action at issue.
This case is of great significance to any organizations that collect, use, or disclose personal health information for several reasons:
Firstly, the Court of Appeal’s decision confirms that notwithstanding PHIPA, and any measures taken (or not taken) by the Privacy Commissioner as a result of a healthcare related privacy breach, complainants in Ontario may launch private actions for these breaches as well. Since Jones v. Tsige allows for a plaintiff to collect up to $20,000 for damages without proof of actual harm, intrusion upon seclusion remains the likely cause of action for complainants. However, depending on the circumstances, there may also be viable individual or class actions based on other torts such as negligence, if damages can be proven.
Secondly, this decision may serve as a precedent in other provinces, assuming their legislative schemes for personal health information similarly lack the hallmarks of legislative intent to create an exhaustive code for dealing with privacy breaches, and assuming their courts agree with the Ontario Court of Appeal’s reasoning in this case.
Hopkins v. Kay, 2015 ONCA 112
Court File No: C58403
Date of Decision: February 18, 2015
class action intrusion upon seclusion personal health information privacy-related breach