A recent Ontario court decision clarifies the distinction between personal information and private information and confirms that the wrongful disclosure of personal information may not always amount to a violation of privacy. In Broutzas, 2018 ONSC 6315, the court refused to certify a proposed privacy class action involving the sale of new mother contact information to company sales representatives of Registered Education Saving Plans (RESPs).
This is a case about wrongful disclosure of contact information. In separate incidents, three hospital employees allegedly accessed the names and contact information of patients who had recently given birth at the hospital. The first employee allegedly used the information to contact patients to sell them RESPs. The other two employees sold the contact information to RESP sales representatives. Importantly, the employees did not access or disclose the patients’ confidential medical information, but only their contact information. The employees were terminated and the situation reported to the Information and Privacy Commissioner (IPC), the College of Nurses and the police.
The hospital chose to notify thousands of patients of the incident because it was unable to identify the specific patients who were affected. The incident received significant media attention following the notices. The IPC reviewed the case and ultimately issued findings in PHIPA Order HO-013. Police conducted an investigation that led to criminal charges against the employees and RESP sales representatives. The class action was commenced against the hospital, the employees, the RESP companies, and the RESP sales representatives involved in purchasing patient contact information in 2014.
The Broutzas Decision
The plaintiffs advanced a number of causes of action, but the focus of the case was on the claim for intrusion on seclusion and alleged breach of contract by the hospital.
Intrusion upon Seclusion
In 2012, the Ontario Court of Appeal recognized a new tort intrusion upon seclusion — to provide remedies for significant invasions of personal privacy.
In Broutzas, the hospital accepted there had been wrongful intrusions by its employees into the hospital’s information system, but argued there was no intrusion upon seclusion because the disclosure of contact information about women who had recently given birth was not private information which, if disclosed, would cause embarrassment, humiliation or anguish. While the intrusion was wrongful, it was not something which should be remedied in a class action as a breach of seclusion or privacy where the information was not private.
The court accepted this submission and concluded that there had been no intrusion upon seclusion. The court held that contact information is not information that is objectively private and noted that contact information is routinely and readily disclosed to strangers to confirm one’s identification, age, or address. For example: people readily disclose their address and phone number to bank and store clerks when booking train or plane tickets or when ordering a taxi or food delivery. In fact, all of the proposed representative plaintiffs in Broutzas had, one way or another, previously consented to their contact information being shared with one or more RESP companies by registering at stores or online for maternity and new baby products.
The court also found that the birth of a child is not generally considered private information, but rather news that is celebrated and broadly announced. All of the proposed representative plaintiffs had, in fact, publicly announced the birth of their child — some to hundreds of people on social media.
The decision confirms that the tort of intrusion upon seclusion is concerned with intrusion into private information such as financial records, health records, sexual practices, sexual orientation, employment, a diary or private sensitive correspondence and records. It is not meant for circumstances where there is an intrusion but no seclusion.
Breach of Contract
The plaintiffs also alleged that the various forms they signed at the hospital before giving birth constituted a contract for medical services that included an obligation to protect privacy. They argued the court should conclude there were implied terms in the alleged contracts with respect to the protection of patient confidentiality and privacy. The numerous alleged implied terms simply mirrored key provisions of the Personal Health Information and Protection Act (PHIPA).
The hospital argued that its obligations with respect to patient confidentiality were not contractual in nature, but governed by the law of negligence and by statute, namely PHIPA. The court agreed. It refused to interpret admission and registration forms as creating contracts for medical services. In addition, the court rejected the plaintiffs attempt to reframe the hospital’s statutory obligations under PHIPA as being contractual in nature. The court wrote “damages are not a constituent element of a claim in contract, and to allow the Plaintiffs to frame their action in breach of implied terms of contract that merely adopt PHIPA obligations would allow them to circumvent the statutory conditions and limitations that the Legislature placed on the statutory cause of action, including the requirement that there be actual harm.”
The circumstances of this case and PHIPA Order HO-013 have been the subject of considerable discussion within the health-care community.
PHIPA Order HO-013 has emphasized the importance of audit capabilities in health information systems and the need for enhanced privacy training and security safeguards as the best ways to protect against improper access to health information systems.
In the Broutzas class action decision, while acknowledging that the actions of the former employees were wrong, the hospital was successful in arguing that this does not always mean that a class action for breach of privacy is the appropriate response for every such incident. The nature of the information intruded upon is a crucial consideration.
When faced with the discovery that employees wrongfully accessed or disclosed patient information, health-care institutions should confirm the extent of the information accessed. Notice to patients is required in the circumstances outlined set out in PHIPA. The content of the notices are important and should be specific on the nature of the information accessed. Where only limited information is accessed, as in Broutzas, the notification should clearly state this. Notices can also state what was not accessed (i.e. detailed health information) and what the institution knows was or was not done with the information (i.e. was it viewed only, not printed, etc.).