In Hopkins v Kay,1 the Ontario Court of Appeal concluded that the Personal Health Information Protection Act (PHIPA) is not a "complete code" and therefore did not "oust" the plaintiff's common law tort claim for breach of privacy (the tort of intrusion upon seclusion). Hopkins provides important guidance in the fields of privacy law and class actions, as well as with respect to the sustainability of privacy claims that touch upon areas governed by legislation.

Background

Hopkins v Kay is a proposed class action involving the breach of patients' privacy rights by the Peterborough Regional Health Centre (PHC). The plaintiffs allege that the personal health information of 280 patients had been improperly accessed and disclosed by PHC and its employees. The statement of claim initially pleaded breaches of the PHIPA but was later amended to assert only the common law tort of intrusion upon seclusion.

The defendants brought a motion to strike the plaintiff's claim under Rule 21 of the Rules of Civil Procedure, on the basis that the PHIPA was a complete statutory code with its own administrative and enforcement regime that operated to preclude the plaintiffs' common law tort claim. The defendants' motion was dismissed at the first instance, and that decision was upheld by the Court of Appeal.

The Ontario Court of Appeal decision

Whether a statutory scheme may be relied on to preclude common law claims is determined on the basis of legislative intent. The court must consider whether the legislature intended, expressly or by implication, to occupy the field and exclude all non-statutory remedies.

In concluding that there was no legislative intention to limit common law claims for breach of privacy, the Court of Appeal relied on three primary reasons:

  • The act is "sparse" with respect to the process for enforcing statutory breaches. The process to be followed is effectively at the discretion of the Information and Privacy Commissioner (the Commissioner). In addition, in various sections the PHIPA expressly contemplates the possibility of claims and proceedings outside of the statute, including proceedings seeking damages in the Superior Court.
  • The common law tort of intrusion upon seclusion is more difficult to establish than a breach of the PHIPA. Accordingly, allowing the plaintiff's claims to proceed would not "circumvent" the PHIPA or the requirements it imposes.
  • The Commissioner's investigation powers under the PHIPA are targeted at systemic privacy issues, as opposed to individual claims (this reading of the legislation was supported by the Commissioner himself, who intervened in the appeal). If individuals were required to pursue privacy claims through the Commissioner, it may often be the case that the Commissioner decides not to pursue such claims, thus requiring individuals to engage in the "expensive and uphill fight" that would be a judicial review of the Commissioner's decision.

Conclusion

The decision in Hopkins serves as a timely warning to organizations that are responsible for large stores of personal health information. In the event of a data breach of health information, organizations may be exposed to a risk of liability under both the PHIPA and the common law, which may have significant implications for the conduct of privacy-related class actions.

Footnote

1 2015 ONCA 112.

Norton Rose Fulbright Canada LLP

Norton Rose Fulbright is a global legal practice. We provide the world's pre-eminent corporations and financial institutions with a full business law service. We have more than 3800 lawyers based in over 50 cities across Europe, the United States, Canada, Latin America, Asia, Australia, Africa, the Middle East and Central Asia.

Recognized for our industry focus, we are strong across all the key industry sectors: financial institutions; energy; infrastructure, mining and commodities; transport; technology and innovation; and life sciences and healthcare.

Wherever we are, we operate in accordance with our global business principles of quality, unity and integrity. We aim to provide the highest possible standard of legal service in each of our offices and to maintain that level of quality at every point of contact.

Norton Rose Fulbright LLP, Norton Rose Fulbright Australia, Norton Rose Fulbright Canada LLP, Norton Rose Fulbright South Africa (incorporated as Deneys Reitz Inc) and Fulbright & Jaworski LLP, each of which is a separate legal entity, are members ('the Norton Rose Fulbright members') of Norton Rose Fulbright Verein, a Swiss Verein. Norton Rose Fulbright Verein helps coordinate the activities of the Norton Rose Fulbright members but does not itself provide legal services to clients.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.