Two employees were working together in a government department. One employee ("Employee X") looked at employment insurance file of a co-worker who was on sick leave ("Ms. M") during working hours but without a work-related reason. In reviewing the file, Employee X found out that Ms. M had exhausted her entitlement to employment insurance.
Employee X also disclosed this information to a fellow employee who then reported the matter to the employer. After an investigation, the Employer determined that Employee X had accessed Ms. M's records twice on the same day and on no other occasions. Employee X was then given a 15-day suspension.
The Union representing Ms. M brought a grievance seeking damages from the Employer for the tort of intrusion upon seclusion, which was recognized by the Ontario Court of Appeal in its 2012 decision in Jones v. Tsige, and a breach of the Freedom of Information and Protection of Privacy Act ("FIPPA"). In Jones v. Tsige, the Court of Appeal awarded Ms. Jones, who was employed by the Bank of Montreal, damages of $10,000 after a fellow employee, Ms. Tsige, looked at Ms. Jones' bank account records over 100 times in four years without a work-related reason of doing so.
The grievance came before Felicity Briggs, Vice-Chair of the Ontario Grievance Settlement Board, who rendered a decision on March 16, 2015.
Arbitrator Briggs was required to decide two issues:
- Does the Board have the jurisdiction to determine whether the tort of intrusion upon seclusion occurred?
- If so, is the employer vicariously liable for the actions of Employee X?
The identity of the government department, the geographic location of the government office, and the names of the participants were anonymized by the arbitrator.
Issue 1: Jurisdiction
The Employer argued that the Board did not have the jurisdiction to decide this grievance, as the issues arose out of a dispute between two employees. Moreover, this dispute did not relate directly or indirectly to a breach of the collective agreement by the Employer.
On the other hand, the Union argued that it was an implied term of the collective agreement that all employees' statutory rights under FIPPA would be protected by the Employer and that Employee X's actions are a presumed invasion of privacy under s. 21.3 of FIPPA.
Arbitrator Briggs determined that the Board did have jurisdiction on the basis that FIPPA is an employment-related statute and its provisions on the protection of privacy are implicitly included in the collective agreement.
Issue 2: Vicarious Liability
It was not in dispute that Employee X had violated the privacy of Ms. M. The issue was whether the Employer was vicariously liable for her actions. The Union's position was that the Employer was responsible for compensating Ms. M.
The Arbitrator heard evidence from the Employer and the Union on the workplace policies, training, and the importance of protecting privacy to the culture of the workplace.
Arbitrator Briggs determined that the Employer had "clear and sufficient policies regarding the protection of private information" and that all employees were reminded of these policies via pop-up windows when logging in. Moreover, there had not been any previous incidents involving breaches of privacy in the office, and employees were aware of the importance of protecting privacy.
On the basis of the above, the Arbitrator concluded that while Ms. M had been the victim of the tort of intrusion upon seclusion, the Employer was not vicariously liable. She characterized Employee X's actions as those "of a rogue employee who, for her own purposes accessed the grievor's EI file"—actions that were not condoned by the Employer or for its benefit.
Whether employers are vicariously liable for the tort of intrusion upon seclusion is an unresolved issue. To date, there has not been an authoritative judicial decision on whether, or in what circumstances, employers will be vicariously liable. Employers, however, will likely reduce the risk that they will be vicariously liable if they (1) have clear policies and procedures, which have been communicated to employees, and (2) establish a workplace culture in which the protection of privacy is a core value.
This blog entry is a reprint of an article originally published in the Canadian Privacy Law Review.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
