Over the last two years, courts have repeatedly addressed a new form of workplace violation. With these decisions they have begun transforming the face of privacy law in the workplace.
Technology being a tool at the forefront of many workplaces, personal information has become vulnerable data requiring protection. In Pottruff v. Don Berry Holdings Inc.1, the Ontario Superior Court of Justice recognized this vulnerability along with the existence of the tort of invasion of privacy in Ontario. No less than a week later, the Court of Appeal for Ontario confirmed the same in Jones v. Tsige2. This new tort was based upon an actionable “intrusion upon seclusion”. The Court defined this intentional tort as being one where the intrusion into the seclusion of another person’s “private affairs or concerns” would be found as “highly offensive to a reasonable person”3.
In terms of changes to employment law, these decisions added the welcomed caveat to an employer’s obligation to protect its employees’ privacy in the workplace. For employers, this change means that a breach of this obligation could potentially expose them to punitive damages up to $20,000. For employees, it means among other things, that they can have a “reasonable expectation of privacy” in their workplace while using technological tools provided by their employers in the course of their employment.
Following Jones v. Tsige, the Supreme Court of Canada addressed similar issues in R. v. Cole4. Although this case was being prosecuted criminally, it discussed the reasonable expectation of privacy of an employee when using a work-issued laptop. The Court explained that although the School Board in this case had policies in this regard, those policies were not determinative of the employee’s expectation of privacy.
Arbitrators have also embraced the new tort of intrusion upon seclusion. In Alberta v. Alberta Union of Provincial Employees (Privacy Rights Grievance), Arbitrator Sims applied Jones v. Tsige, and found the employer liable for a breach of privacy by its internal investigator. He applied almost identical factors to assess the quantum of damages. Importantly, and much like the damages awarded in Jones v. Tsige or damages awarded under PIPEDA5, the employer’s mitigation efforts post-breach were confirmed as being an attenuating factor in the assessment.
In terms of putting this new information into practice, what employers can do to minimize their risk, either as the tortfeasor or through vicarious liability, is to put in place policies that will address these privacy concerns. These policies need to be detailed and applied consistently; however, as stated in R. v. Cole, they will not be determinative or a guaranteed shield against liability. As for the employee, this new recourse will help protect their personal use of the employer’s technology as well as define the reasonable expectation of privacy in the workplace.
1Pottruff v. Don Berry Holdings Inc., 2012 ONSC 311
2Jones v. Tsige, 2012 ONCA 32
3Jones v. Tsige, 2012 ONCA 32 at para 70.
4Alberta v. Alberta Union of Provincial Employees (Privacy Rights Grievance),  A.G.A.A. No. 23
5Personal Information Protection and Electronic Documents Act, SC 2000, c 5, s 14.