Data Protection Report - Norton Rose Fulbright

In a recent case involving a breach of patients’ privacy rights — Hopkins v Kay,[i] — the Ontario Court of Appeal ruled that a proposed class action could proceed based on allegations of violation of patients’ common law privacy rights, concluding that those rights were not preempted by the Personal Health Information Protection Act (PHIPA). Specifically, the court determined that PHIPA is not a “complete code” and therefore did not “oust” the plaintiff’s common law tort claim for breach of privacy (the tort of intrusion upon seclusion). Hopkins provides important guidance in the fields of privacy law and class actions, as well as with respect to the sustainability of privacy claims that touch upon areas governed by legislation.

Background

Hopkins v Kay is a proposed class action involving the breach of patients’ privacy rights by the Peterborough Regional Health Centre (PHC). The plaintiffs allege that the personal health information of 280 patients had been improperly accessed and disclosed by PHC and its employees. The statement of claim initially pleaded breaches of the PHIPA but was later amended to assert only the common law tort of intrusion upon seclusion.

The defendants brought a motion to strike the plaintiff’s claim under Rule 21 of the Rules of Civil Procedure, on the basis that the PHIPA was a complete statutory code with its own administrative and enforcement regime that operated to preclude the plaintiffs’ common law tort claim. The defendants’ motion was dismissed at the first instance, and that decision was upheld by the Court of Appeal.

The Ontario Court of Appeal decision

Whether a statutory scheme may be relied on to preclude common law claims is determined on the basis of legislative intent. The court must consider whether the legislature intended, expressly or by implication, to occupy the field and exclude all non-statutory remedies.

In concluding that there was no legislative intention to limit common law claims for breach of privacy, the Court of Appeal relied on three primary reasons:

  • The act is “sparse” with respect to the process for enforcing statutory breaches. The process to be followed is effectively at the discretion of the Information and Privacy Commissioner (the Commissioner). In addition, in various sections the PHIPA expressly contemplates the possibility of claims and proceedings outside of the statute, including proceedings seeking damages in the Superior Court.
  • The common law tort of intrusion upon seclusion is more difficult to establish than a breach of the PHIPA. Accordingly, allowing the plaintiff’s claims to proceed would not “circumvent” the PHIPA or the requirements it imposes.
  • The Commissioner’s investigation powers under the PHIPA are targeted at systemic privacy issues, as opposed to individual claims (this reading of the legislation was supported by the Commissioner himself, who intervened in the appeal). If individuals were required to pursue privacy claims through the Commissioner, it may often be the case that the Commissioner decides not to pursue such claims, thus requiring individuals to engage in the “expensive and uphill fight” that would be a judicial review of the Commissioner’s decision.

Conclusion

The decision in Hopkins serves as a timely warning to organizations that are responsible for large stores of personal health information. In the event of a data breach of health information, organizations may be exposed to a risk of liability under both the PHIPA and the common law, which may have significant implications for the conduct of privacy-related class actions.

[i]        2015 ONCA 112.