Quantz v. Ontario, 2025 ONSC 90

Court File No.: CV-19-00616893-0000
Date: 2025-01-08
Superior Court of Justice - Ontario

Between:
Douglas Joseph Quantz, Plaintiff
– and –
His Majesty the King in Right of Ontario, Defendant

Before: Edward M. Morgan

Counsel:
Joel Rochon, Aylin Manduric, and Jessica Marshall, for the Plaintiff
Lisa Brost, Matthew Chung, and Marcus Campbell, for the Defendant

Heard: November 18-19, 2024

Certification Motion

I. Overview

[1] The Plaintiff moves for certification of this proposed class action under section 5(1) of the Class Proceedings Act, SO 1992, c 6 (“CPA”).

[2] The action results from an alleged data breach by the province’s Ministry of Children, Community and Social Services (the “Ministry”) in its operation of the Ontario Disability Support Program (“ODSP”). That program provides income support to eligible persons with disabilities.

[3] The criteria for ODSP eligibility are that the clients have serious and ongoing physical or mental impairments of more than one year’s duration, resulting in a substantial restriction in their ability to attend to their personal care or function in the community or workplace. The Plaintiff submits that this clientele is a vulnerable group that is easily stigmatized and that is, and is known to be, highly sensitive to confidentiality about their personal information.

[4] The Amended Statement of Claim states that on December 20, 2018, an ODSP case worker emailed to 103 of the program’s clients a spreadsheet containing some 45,000 ODSP clients’ names, email addresses, and ODSP identification numbers. As described in the pleading, the email was part of a campaign to advise ODSP clients of improvements in the Ministry’s online benefits information portal. The spreadsheet information was sent to all Ministry case workers as part of the process of letting the clients know of the changes and how to use the portal.

[5] Sending the clients’ information in a spreadsheet to the Ministry’s own personnel does not in itself constitute an improper disclosure of confidential data. The caseworkers would, in the ordinary course of their duties, have access to the Ministry’s database and to ODSP clients’ contact information and I.D. numbers, although this information would not ordinarily be collected in spreadsheet format. That much is made clear in the Amended Statement of Claim:

21. To perform this marketing task, the caseworkers would need to know the ODSP recipients’ email addresses. Although each caseworker could retrieve the email addresses from the Ministry’s case management database themselves, the Ministry declined to have them do so.

[6] As indicated above, one of the case workers then further sent the email, with the spreadsheet attachment, to 103 ODSP clients – i.e. to persons outside the organization’s employees. The Plaintiff alleges that this unauthorized dissemination of confidential information outside of ODSP personnel identified the ODSP clients to each other (or, at least, to 103 of them). He further alleges that that action stigmatized him as being on the list of 45,000 ODSP clients, and, in addition, provided information which could potentially be used to access his and all other ODSP clients’ case files. Those files contain personal medical information as well as confidential financial information about the clients.

[7] It is the Plaintiff’s position that the unauthorized disclosure of the client list violated the rights of those who appeared on that list. More specifically, the Plaintiff pleads intrusion upon seclusion, negligence, breach of confidence, and publication of private facts.

[8] The Defendant does not deny that the email, with attached spreadsheet, was sent out to the 103 clients. It submits that the spreadsheet attachment was forwarded to them in error. Defendant’s counsel submit that no actionable tort has occurred as the email was sent without willful intent and no damage resulted from the errant email.

[9] Nearly six years have now passed since the date of the email. In that time, the Plaintiff does not allege, and the record does not contain evidence of, any loss other than the anxiety he says that he felt at being advised of the impugned email. The Plaintiff does not depose that he sought medical advice or counselling, or that he suffered any financial or other material loss. Other than what he describes as his feeling of harm or upset upon being advised of the data disclosure, nothing further has ever come of the matter.

[10] Defendant’s counsel note that the Plaintiff is the sole affiant to attest such harm among a putative class of over 45,000 individuals whose names and addresses are in the Plaintiff’s possession. Plaintiff’s counsel submit that as an inherently vulnerable class of people, the Plaintiff’s testimony as to psychological harm suffices to ground a claim, and that the matter should be certified allowing the class members to then establish their individual losses.

[11] Defendant’s counsel argue that the only harm pleaded in the claim is of a speculative nature – i.e. the risk of various hypothetical future harms. It is the Defendant’s submission that an alleged wrong requires a causal link to corresponding harm or loss in order to be actionable, absent which the claim lacks a cause of action and/or there is no basis in fact on which to certify the action as a class proceeding.

II. The Errant Email

[12] The evidence in the record about how the disclosure of private information came about is provided by two sources: a) the Plaintiff, who describes receiving notification about the impugned email disclosure; and b) Patricia Redmond, the then Director at the MCCSS responsible for oversite of the ODSP, who describes it being sent.

[13] The Plaintiff deposes in his affidavit:

4. On or about January 21, 2019, I received a letter from the Ministry (the ‘Correspondence’). The Correspondence stated that on or about December 20, 2018, a Ministry employee sent an email to 100 recipients attaching a spreadsheet containing the names, email addresses, and ODSP I.D.s of approximately 45,000 ODSP recipients and their dependents (‘Unauthorized Disclosure’). The letter stated that the leak occurred due to an ‘error made by our Mississauga Ontario Support Disability Program (‘ODSP’) office.’

5. It should be noted that I reside in Brockville and have no connection to the Mississauga office of the ODSP.

[14] Ms. Redmond deposes in her affidavit:

35. On Thursday, December 20, 2018, an MCCSS caseworker sent an email (the ‘Email’) to 103 ODSP recipients who were on her caseload. A spreadsheet was attached to the Email that contained personal information for 2,917 ODSP Recipients. The spreadsheet attached to the Email by the MCCSS caseworker (the “Email Sender”) was not intended to be included in the Email, but was attached to the Email by the Email Sender inadvertently.

36. The spreadsheet contained the name, Member I.D., and email address of each of the ODSP Recipients listed. No other personal information was included in the Email. The spreadsheet was not encrypted or password protected.

37. The spreadsheet was prepared by a Ministry staff member as part of an effort to invite ODSP recipients to register for the MyBenefits application. The spreadsheet was intended to provide the Ministry’s caseworkers with a list of recipients to whom the email invitation to use MyBenefits was intended to be sent.

38. Upon subsequent investigation by the Ministry, it was discovered that the spreadsheet had filtering settings activated to limit the initial data display of the spreadsheet to a particular case group intended to receive the MyBenefits invitation, but that an experienced user could manipulate the spreadsheet settings to show information for 45,344 clients (the ‘Listed Recipients’) rather than just the 2,917 who were initially visible upon opening the spreadsheet.

39. On Monday, December 24, 2018, the Assistant Deputy Minister’s office became aware of the data disclosure and the Ministry commenced its investigation and began to take remedial actions.

[15] There are several expert reports submitted by the Plaintiff in respect of the impugned email. But the factual evidence about the response to both receiving and sending this email comes from the same two sources.

[16] The Plaintiff deposes:

6. The fact that my name and ODSP I.D. were included in the Unauthorized Disclosure has caused me considerable distress. The fact that I both live with a disability and am in receipt of ODSP is sensitive and personal. Prior to this proceeding, I did not share this fact with strangers. I did not publicly broadcast to friends that my health issues amount to a disability and make it impossible for me to sustain employment. I have always taken the view that my disability and my receipt of ODSP are personal details that are simply none of anyone else’s business.

7. Throughout my life, I have encountered socially prevalent prejudice and negative attitudes towards people with disabilities and/or people in receipt of social assistance. I have been told personally that people who apply for social assistance do so ‘because they just don’t want to work’, and I am well aware that similar sentiments are commonly held, including by leading politicians.

8. Following the Unauthorized Disclosure, I was concerned for months that persons not known to me could obtain access to detailed financial and medical information about me. I worried that they could publicize it, including through posting it online, and thus reveal intimate details concerning my financial and medical history. Furthermore, I was concerned that the unauthorized recipients of my personal information could use it to impersonate me, thus causing me financial and reputational harm. I continue to be distressed about future risk of identity theft, impersonation and reputational harm the Unauthorized Disclosure may cause.

[17] Ms. Redmond deposes:

40. On December 24, 2018, the same day that the Ministry became aware of the data disclosure, in accordance with the Ministry’s Privacy Breach Protocol, the Ministry’s APO [Access and Privacy Officer] contacted the office of the IPC [Information and Privacy Commissioner] by telephone to advise of the disclosure.

41. The IPC called the APO and directed the Ministry to inform all 45,344 of the Listed Recipients of the potential for their information to have been breached and that they had the right to lodge a complaint with the IPC. Notifying the Listed Recipients of the disclosure was also required by the Ministry’s Privacy Breach Protocol.

42. Accordingly, and in accordance with its protocol, on December 28, 2018, the Ministry began the process of contacting each of the Email Recipients via phone to notify them of the inadvertent disclosure, asked them to delete the Email, and requested that they confirm that they had deleted the Email…

43. By January 7, 2019, the Ministry had received confirmation from 78 of the 103 Email Recipients that they had deleted the Email.

44. After delivery of this [follow-up] letter [on February 13, 2019], additional Email Recipients contacted the Ministry and confirmed that they had deleted the Email. Through these methods, the Ministry was able to confirm that 95 of the 103 Email Recipients had deleted the Email. With regard to the eight Email Recipients who did not confirm that they had deleted the Email:

• one of such Email Recipients was deceased;
• one advised that the email account to which the Email had been sent had been closed;
• one advised that he could not locate a copy of the Email in his account and that the contents of his ‘Junk’ folder were automatically deleted every 30 days; and
• the Ministry was unable to make contact with the other five Email Recipients.

III. The Private Information Risk

[18] The Defendant points out that little information was actually disclosed in the errant email. Although there were over 45,000 names on the spreadsheet, nothing more than the names, email addresses, and ODSP I.D. numbers appeared there. The first two are not exactly private, and the sheer quantity of names on the lengthy list tends to obscure any one of them, at least to the casual viewer.

[19] The ODSP I.D. is not something that would be commonly known or accessible, but on its face it tells the reader very little. The Plaintiff deposes that he uses his I.D. number as one of the means of identifying himself when he calls the ODSP for information, and he assumes that others could do the same. However, there is no evidence that this has ever been done. Otherwise, there is no other identifying information on the spreadsheet, and the I.D. number is not searchable in any way on the Ministry’s website or elsewhere.

[20] What the Plaintiff most emphasizes is his concern that it may become known to his friends, acquaintances, employer and prospective employers that he is a social assistance recipient. The personal humiliation he would feel if his enrollment in the ODSP program were to become publicly known forms a central message in his sworn affidavit:

8. Prior to receiving ODSP, I spent decades working and did not live in poverty. That changed once I began subsisting on ODSP alone. The money I receive from ODSP is simply insufficient to pay for my housing and food. I rely on food banks and have gone without adequate food in the past. This reality is unpleasant and humiliating, and it is an additional reason why I am sensitive about disclosing my status as an ODSP recipient. To my mind, the stigma associated with this poverty and receipt of ODSP are intertwined, and I understand that this is the common lot of many others in receipt of ODSP.

[21] For her part, Ms. Redmond deposes that upon discovering the email and spreadsheet, the Ministry acted promptly to protect against potential risks which might flow from those disclosures. In the first place, they flagged the ODSP file in their database and record keeping system of every one of the 45,000+ clients whose name appeared on the spreadsheet. In this way, there was a heightened security regime imposed on these files. Staff was required to seek additional identifying information from anyone contacting the Ministry about one of these files.

[22] In addition, Ms. Redmond’s evidence is that 95 of the 103 clients that received the email and spreadsheet had deleted it or otherwise never accessed it, and that the Ministry had been unable to contact the other 8 clients. There is no evidence indicating that the email and spreadsheet have ever been further circulated. None of the spreadsheet information has ever surfaced or come back to the Ministry or to any of the ODSP recipients in any way.

[23] Ms. Redmond also deposes that Ministry staff has now enhanced the verification processes used when an individual identifying as an ODSP client contacts the Ministry to inquire about or modify a client file. On January 25, 2019, these security measures were sent out in an email advisory to all staff and users of the Ministry’s database.

[24] In her affidavit, Ms. Redmond also outlines various steps taken by the Ministry to ensure that an inadvertent disclosure of non-public information would not happen again. Staff were directed that all spreadsheets and data printouts containing client information must be password protected and encrypted if sent by email. The Ministry also implemented new data breach training for all staff, and made these training sessions mandatory. In addition, it put in place new protocols in the event of a privacy breach. By July 13, 2019, the Information and Privacy Commissioner had determined that the remedial steps taken by the Ministry were satisfactory and the matter had been fully resolved.

[25] Defendant’s counsel points out that on the same day that he learned of the errant email and spreadsheet, the Plaintiff took to social media to publicize his response. He first commented on X, posting a tweet from his personal account in reply to a journalist covering the data breach on behalf of CTV News. In his message, the Plaintiff identified himself as an ODSP recipient whose name was on the list sent out by the Ministry.

[26] This was not an impulsive, one-time response. The next day, on January 22, 2019, the Plaintiff posted, under his own full name on his public Facebook account, an announcement that he had given an interview on a national news broadcast and invited readers to watch the show. His Facebook posting, and the news broadcast itself, plainly identified him as an ODSP recipient. In addition, in an online article published by CTV that day, the Plaintiff again identified himself as one of the ODSP clients who had received notice of the data disclosure.

[27] Defendant’s counsel contend that the Plaintiff’s public interactions suggest that the supposed humiliation caused by any publicity about his ODSP-receiving status that he describes in his affidavit may have been overstated. In summarizing the evidence, counsel for the Defendant describes the banter found underneath the Plaintiff’s Facebook post about his news media interviews:

The Plaintiff responded to a comment about his celebrity status with a laughing emoji and to another comment with ‘LMAO’.

[28] The evidence in the record indicates that since the date of the errant email, no further dissemination or misuse of the data has occurred. In cross-examination, the Plaintiff conceded that this is the case. Neither the Plaintiff nor, apparently, any other putative class member, is aware of anyone opening the email or its attachment or seeing their name among the 45,000 names listed on the spreadsheet.

[29] As it turns out, the only person that has been publicly revealed as being an ODSP recipient as a result of the data disclosure is the Plaintiff, who identified himself by publicizing on social media and on a televised news broadcast that he had received the notification and apology letter regarding the errant data disclosure. Even that, however, has been a fleeting instance of notoriety, apparently with no further consequences. The only evidence of harm to any potential class member is the Plaintiff’s statement in his affidavit that the disclosure caused him distress; but, as Defendant’s counsel point out, that alleged personal harm is not supported by any medical evidence and is belied by the Plaintiff’s expressly jocular response to the incident.

[30] In fact, on re-examination, the Plaintiff testified that his motivation in publicly speaking about the matter was not exactly his concern for confidentiality, but rather his attitude toward government:

I was angry, really angry that a government, a Crown – yeah, the Government of Ontario with all its resources would release the information [of] over 45,000 people.

[31] The claim, in other words, is about the notional harm of disclosure in a context where actual harm has never materialized. Other than the Plaintiff’s spurt of notoriety, the data disclosure does not appear to have come to anyone’s attention.

[Sections IV–VII: See original for full legal analysis and disposition]

The remainder of the decision contains detailed legal analysis of the causes of action, the gatekeeping function, and the disposition. The Plaintiff’s motion for certification is dismissed.

Date: January 8, 2025
Edward M. Morgan