Arbitration Decision Rules Employer Not Vicariously Liable for Employee’s Privacy Breach
A recent decision of the Ontario Grievance Settlement Board raises the interesting question of an employer’s vicarious liability for an employee’s privacy breach.
Vicarious liability was described in the leading Supreme Court of Canada case of 671122 Ontario Ltd v. Sagaz Industries Canada Inc.  2 S.C.R. 983 as the event when the law holds one person responsible for the misconduct of another because of their relationship. The most common relationship giving rise to vicarious liability is the employer and employee relationship.
In Ontario Public Service Employees Union v. Ontario 2015 CanLii 19325 [ON GSB] one employee (“Employee X”) inappropriately accessed the employment insurance file of a co-worker (“Ms. M”) who was away from the workplace due to sickness. The inappropriate access took place during work hours and Employee X discussed Ms. M’s personal information with other employees. There was no work reason for Employee X to be accessing Ms. M’s EI file. The Employer had appropriate policies in place that prohibited the use of the Employer’s IT resources for unacceptable activities and was proactive when hiring new employees to instruct them in connection with their obligations to keep information private.
Upon being made aware of the unauthorized accesses to Ms. M’s EI file the Union representing Ms. M filed a grievance. During the hearing of the grievance the Union put the Employer on notice that it would bring a motion before the Grievance Settlement Board to determine the effect of the tort of intrusion upon seclusion to the disposition of the grievance.
The Grievance Settlement Board considered two questions in relation to the motion:
- did the Board have the jurisdiction to determine the tort of intrusion upon seclusion as set out by the Ontario Court of Appeal in the case of Jones v. Tsige (2012) ONCA 32; and
- if so, is the Employer vicariously liable for the actions of Employee X?
On the first question the Grievance Settlement Board accepted jurisdiction in the case. The Board held that FIPPA (the Freedom of Information and Protection of Privacy Act) was an employment related statute and that the substantive rights and obligations found therein were implicit in the collective agreement and accordingly the Board had jurisdiction to hear and determine the motion during the grievance.
The more interesting question was that of whether the Employer was vicariously liable for the actions of Employee X who snooped in Ms. M’s EI file.
After reviewing the law in relation to vicarious liability in the employment context and the evidence pertaining to the incident, including the Employer’s hiring practices and the Employer’s privacy policies, the Board concluded that the Employer was not vicariously liable for the actions of Employee X. The Board was of the view that the “wrongful act” of snooping in Ms. M’s EI file was not sufficiently related to conduct authorized by the Employer to attract vicarious liability. Employee X’s actions were viewed by the Board as being the actions of a rogue employee who, for her own purposes accessed Ms. M’s EI file. It was not an action that could be seen to “further the employer’s aims”. The actions were done without the employer’s sanction or knowledge.
The Board accepted the Employer’s evidence that it knew nothing of the intrusion until being told of it by a co-worker of Ms. M. Upon learning of the intrusion the Employer took immediate action to investigate and manage the issue. The evidence indicated that Employee X had received a significant suspension.
The decision, although good news for the Employer, did not leave Ms. M without a remedy. Like the plaintiff in Jones v. Tsige, Ms. M would still be permitted to sue Employee X at common law for damages for the tort of intrusion upon seclusion as a result of her unauthorized snooping.
For employers certain takeaways are immediately apparent:
- it is important to act swiftly to investigate and sanction, if required, whenever the employer is notified of conduct of an employee that is in violation of established privacy policies;
- leading evidence of the rogue nature of the offending employee’s actions will be important; and
- having clear privacy policies defining acceptable and unacceptable conduct are extremely important.
We have not heard whether the Union will challenge the decision on judicial review. We will continue to follow this case.
Finally, we would caution that the existence of the tort of intrusion upon seclusion as formulated by the Ontario Court of Appeal in Jones v. Tsige has not been endorsed by the Courts of Appeal of all Canadian jurisdictions nor by the Supreme Court of Canada. An action for damages for the tort of intrusion upon seclusion may not be available in all Provinces.