Improperly Accessing Confidential Data Under the Direction of Employer?
What do you do at work that is considered ‘under the direction’ of your employer?
The answers to this question are endless. A more interesting question: what do you have to be doing at work not to be ‘acting under the direction’ of your employer? That question is at the heart of the decision in Oliveira v. Aviva , a Court of Appeal decision released this week. The applicant sought coverage and a defence for claims brought against her by a hospital patient for damages as a result of applicant’s alleged accessing the hospital records of a patient who was not under her care. The crux of the case turned on whether the applicant (defendant in the lawsuit) was an insured under the policy issued by Aviva. The policy would provide coverage if the allegations in the underlying Statement of Claim alleged conduct took place while the applicant was acting under the direction of the named insured but only with respect to liability arising from the operations of the named insured.
Because the policy provided coverage for ‘invasion or violation of privacy’, also referred to as the tort of intrusion upon seclusion (which would include accessing records in an unauthorized manner) the court held that the policy was by definition intended to cover offensive conduct that would presumably not be authorized by the insurer. In that case, how can coverage be denied for conduct that on the face of it would appear to be covered?
Acting under the direction of the employer relates not to control how the work is done or actual oversight at the moment of the incident (in this case when records were improperly accessed) but rather flows from the relationship generally and ‘control’ over incidental features of the of the employment such as directing when and where to work and having the right to terminate the employment.
Whether the alleged misconduct arose out of the operations of the named insured was also in issue. The insurer argued that hospitals operations are to provide care and because the employee was not within the patient’s circle of care, her conduct did not fall within the operations of the hospital. The court rejected this argument, noting that the ‘operations’ of the hospital included creating, collecting and maintaining medical records. The underlying claim against the applicant (defendant) for which coverage was sought related to allegations about the unauthorized access to those medical records.
Ultimately however, in reading the decision, the irresistible inference is that the court accepted that because the policy covered ‘intrusion upon seclusion’, it could only be read to cover the alleged misconduct. As a result to deny coverage for the very conduct that the policy was intended to cover would be perverse. It is also consistent with the underlying interpretive imperative of insurance policies – coverage should be interpreted broadly and exclusions should be interpreted narrowly.