Following the creation of the tort of intrusion upon seclusion in 2012, we have seen numerous cases that have clarified the application of same. In the most recent pronouncement, Oliveira v. Aviva Canada Inc., the Court of Appeal dealt with whether the duty to defend extends to an employee who allegedly improperly accessed the Plaintiff’s confidential information.
The facts of the underlying claim were as follows. The Plaintiff, J.L., was admitted to the emergency department of a hospital because of postpartum psychosis. Ms. Oliveira was a nurse at the hospital. The Plaintiff was treated there and at another hospital for approximately 18 days. Following her return home, the neighbour’s son began asking pointed questions about her health. J.L.’s health status, however, had never been shared with the neighbour. The Plaintiff became suspicious after she realized that the neighbour was a relative of Ms. Oliveira. When J.L. complained to the hospital, an investigation revealed that Ms. Oliveira had repeatedly accessed the Plaintiff’s hospital record without any valid reason.
J.L. commenced a claim and alleged that Ms. Oliveira’s actions amounted to a breach of privacy, a breach of the hospital privacy policy and a breach of the practice standards of the Ontario College of Nurses. The Plaintiff specifically plead the tort of intrusion upon seclusion.
Ms. Oliveira brought an Application for coverage under the hospital’s insurance policy. In this decision, the Court noted that the Hospital was insured by Aviva pursuant to a “Professional and General Liability and Comprehensive Dishonesty, Disappearance and Destruction Insurance Policy.” Hospital employees, like the Applicant, were additional insureds under the policy. Aviva argued that they did not owe a duty of care to Ms. Oliveira because the policy only applied where employees were “acting under the direction of” the Hospital and “only in respect of liability arising from the operations of” the Hospital. Since the Applicant was not doing either, then there was no duty to defend.
Specifically, Aviva alleged that Ms. Oliveira was a “lone wolf, deliberately engaging in activities that [were] not in any way related to her employment at the Hospital, and in fact [were] contrary to her obligations as an employee of the Hospital.” As she abused her position to access private information, she could not be acting under the direction of the Hospital. The Application judge rejected this argument because the policy specifically provided coverage for “invasion or violation of privacy” and for “invasion or violation of the right of privacy.” The policy did not limit coverage for privacy breaches or other torts to Hospital employees within a patient’s circle of care. The only qualification was that the employee had to be acting under the direction of the Hospital. The Judge held that whether an employee was acting under the direction of a named insured (in this case the Hospital) did not turn on whether there was actual personal control at the moment of the incident. Rather, control flowed from the relationship generally and from the employer’s ability to terminate the employee’s employment. The Court found that Ms. Oliveira was acting under the direction of the Hospital for the purposes of determining whether Aviva owed her a duty of care.
The second component that needed to be satisfied in order for the duty of care to be extended was that it only covered employees of the Hospital in respect of liability “arising from the operations” of the Hospital. On this point, Aviva argued that since Ms. Oliveira was not within the patient’s circle of care, her conduct did not arise from the Hospital’s operations. The Judge noted that in a hospital setting, intrusion upon seclusion captured inappropriate access to medical records. As a result, Aviva sought to use the very act that they agreed to insure against as an excuse to deny the duty to defend. The Court held that to accept Aviva’s argument would nullify a significant portion of the privacy coverage that the policy purported to afford. This was improper.
Aviva’s appeal was dismissed by the Court of Appeal who found that the language of the policy clearly covered claims for the invasion of privacy which included intrusion upon seclusion. Specifically, the Court of Appeal held:
The applicant was employed by the hospital as a nurse and while on duty, in the course of the hospital’s operations, to use the language of the policy (which would include the maintenance of patient’s health records), she accessed the records that she had apparently no business doing because she was not involved in J.L.’s care. The applicant was employed by the hospital, (she was essentially an employee 24/7) but was only acting under the direction of the hospital when she was on duty as such.
The Court of Appeal held that the common sense interpretation of the language supported a finding that Ms. Oliveira was entitled to a duty to defence. It was plain that the policy, in covering invasion of privacy, intended to cover the type of conduct alleged by the Plaintiff.
In light of this decision, in instances where the policy provides for broadened privacy coverage, the insurer is unlikely to be able to rely on those same provisions to deny a duty to defend. It remains to be seen, however, whether a duty to indemnify will be ordered in similar circumstances.
See Oliveira v. Aviva Canada Inc., 2018 ONCA 321 (CanLII).
Superior Court decision at Oliveira v. Aviva Canada Inc. et al, 2017 ONSC 6161 (CanLII).
