February 22, 2012

Breach of privacy in Ontario and BC

Professional Regulation

In the world of legal journalism, nothing makes headlines like the recognition of a new tort. Thus, our more well-informed readers may have already heard of the case of Jones v. Tsige, 2012 ONCA 32, in which the Ontario Court of Appeal recognized a common law right of action for intentional breach of privacy. For professional regulators who regularly conduct investigations into the conduct of their members, and who may be worried about how this new development affects the exercise of their powers, this may seem like a potential cause for concern. However, there is no cause for alarm; in B.C., private damages for breach of privacy are old news.

Unlike Ontario, B.C. has chosen to guard against private violations of a person’s privacy through legislation which rectifies the absence, in B.C., of any common law claim for breach of privacy: “[13] … There is no common-law claim for breach of privacy.” (Mohl v. UBC, 2009 BCCA 249) Accordingly, in B.C., the Privacy Act, R.S.B.C. 1996 c. 373, provides that “[i]t is a tort, actionable without proof of damage, for a person, wilfully and without a claim of right, to violate the privacy of another” (s. 1(1)). Further, the amount of privacy to which a person is entitled under the Act is “that which is reasonable in the circumstances” (s. 1(2)). This wording is potentially broader than the cause of action identified in Jones v. Tsige, which is triggered only if “the invasion would be highly offensive to a reasonable person” (para. 70).

How does the Act affect regulators? To begin with, it is worth noting that damages have been awarded in B.C. for an overly intrusive investigation instigated by a statutory body. In Insurance Corporation of British Columbia v. Somosh, [1983] B.C.J. No. 2034, an investigator hired by ICBC contacted the employer of a driver who had been in an accident. The investigator asked personal questions about the driver’s “character and his morals and his moods”, including whether or not the driver was known to drink (para. 41). The court ultimately found that, on the facts of the case, ICBC “had no business hiring an investigator to make any investigation” of the driver (para. 45). The court also noted that, under the Act, an invasion of privacy is actionable without proof of damage, and awarded nominal damages of $1,000 (para. 59).

However, regulators who act within the legitimate bounds of their authority can most likely justify their actions as being “authorized or required under a law in force in British Columbia” (s. 2(2)(c)), or as being an act of “a public officer engaged in an investigation in the course of his or her duty under a law in force in British Columbia (s. 2(2)(d)).

Last year, a B.C. court rejected a privacy claim by a patient who alleged a breach of privacy when a dentist forwarded the patient’s charts to the College of Dental Surgeons in Pearlman v. Critchley, 2011 BCSC 1479. The court found that privacy was not engaged: “I cannot find that any potential core element of a right to privacy, which has been broadly defined as the right to be free from unwarranted publicity or to withhold oneself from public scrutiny, are engaged by a dentist forwarding a patient’s file to the dentist’s own regulatory authority….” [28] The court further held that, “More fundamentally, the College had the statutory right, in discharging its responsibilities to the public to regulate the practice of dentistry in British Columbia, to have a designated person at any time inspect and copy Dr. Cofman’s records at any time in relation to any patient….” [30] Logically, if a professional cannot breach privacy by complying with his regulatory body’s power to regulate, the regulator itself cannot breach privacy by properly carrying out that function.

Similarly, in Bracken v. Vancouver (City) Police Board, 2006 BCSC 189, where a police officer obtained a woman’s address from a Ministry of Human Resources official, the court rejected the woman’s claim of a breach of privacy under the Privacy Act on the basis that the officer was carrying out a duty of investigation under the Police Act, within the meaning of s.2(2)(d) of the Privacy Act.

Statutory authority as an exception to privacy was also considered in Law Society of Manitoba v. Pollock, 2007 MBQB 51, aff’d 2008 MBCA 61. In that case, a private investigator hired by the Law Society of Manitoba tape-recorded a number of conversations with the defendant, who was not authorized to practice law in the province. The defendant sought to exclude the evidence from being used against him by citing section 7 of the Manitoba Privacy Act, which provides that “[n]o evidence obtained by virtue or in consequence of a violation of privacy in respect of which an action may be brought under this Act is admissible in any civil proceedings” (note that no similar provision exists in the B.C. Act). The court found that the evidence was admissible, reasoning as follows:

48     I am not satisfied that Mr. Pollock has shown a violation of his privacy right under [the Manitoba Privacy Act]. The recording of conversations by an individual participating in those conversations may not necessarily be a breach of the provisions of s. 3(b) of the Privacy Act. Furthermore, the Law Society may have a valid defence by showing that it was acting in the public interest pursuant to its statute. If so, under s. 5(c) of the Privacy Act the investigator (who was instructed by the Law Society) was engaged in conduct which was incidental to the exercise of the Law Society’s proper role.

49     For these reasons, I am not ready to find a violation of the Privacy Act or that s. 7 requires its inadmissibility.

While legitimate statutory authority is a complete defence to an action for violation of privacy under the B.C. Act, regulators should take care to ensure that their actions conform to the restrictions set out in their enabling statute. For example, the Health Professions Act authorizes an inspector to inspect the premises and records of a registrant “[d]uring regular business hours”, without a court order (s. 28(1)). However, a court order is required in order to enter a registrant’s home, or to inspect their personal property (s. 29(1)). If a regulator should attempt to exercise one of its powers without first obtaining the necessary authorization, liability may result.

A claim under B.C.’s Privacy Act must be brought within two years of the alleged breach: see s.3(2)(f) of the Limitation Act, RSBC 1996, chapter 266.