Handle With Care, If At All: Employers and Medical Information

David T.S. Fraser

In one of the first decisions related to the collection and use of medical information, the Office of the Privacy Commissioner has provided some guidance to employers who are subject to the federal privacy law[1] and to others who routinely handle medical information.

In PIPEDA Case Summary #226, the Assistant Privacy Commissioner of Canada considered a complaint brought by a former employee of a telecommunications company. In this case, the former employee alleged that that the employer was unnecessarily collecting personal medical information and had not implemented appropriate security safeguards to protect that information. In this specific complaint, the former employee said that the company was assisting with the administration of its long term disability program and required employees to file claim forms and medical reports with the employer’s Human Resources office. With respect to safeguards, the complainant objected to the employer’s practice of collecting medical reports by facsimile to the Human Resources office.

The federal privacy law, the Personal Information Protection and Electronics Documents Act (or “PIPEDA”, as it is often called), contains ten mandatory principles, taken from the Canadian Standards Association Model Code for the Protection of Personal Information. Principle 4 requires that all affected organizations limit their collection of personal information to that which is reasonably necessary for the purposes they have identified. Principle 7, also drawn from the Model Code, requires that an organization protect personal information with “security safeguards appropriate to the sensitivity of the information”. In short, the former employee was complaining that the organization was collecting more information than was necessary and was not safeguarding it appropriately.

The Assistant Privacy Commissioner, in the published summary of her decision, concluded that the company was in violation Principle 4 because the collection of employee medical information was not reasonably necessary. The disability plan was managed by a third-party insurance company and the employer was simply assisting with the processing of claims. Employees should have been able to submit their information directly to the insurer. The Assistant Commissioner also noted that while some people might find the practice adopted by the company to be innocuous, the company did not give employees any options. For that reason, the Assistant Commissioner determined that the company was in contravention of Principle 4 and also determined that the collection was not reasonable, as is required under Section 5(3) of PIPEDA, which reads:

With respect to the complaint about safeguards, the Assistant Commissioner made some very important determinations. First of all, she concluded that medial information is considered to be “sensitive information” and that “specific diagnosis [are] among the most sensitive of medical information”. Principle 7 requires safeguards that are appropriate in light of the sensitivity of the information. The organization was in violation of Principle 7, the Assistant Commissioner found, by receiving sensitive medical information on a facsimile machine that was in an unlocked, accessible room. In the circumstances, receiving the information by fax was not appropriate, regardless of whether it occurred at the local human resources office or at the company’s head office. Allowing general human resources staff to receive and process reports containing such sensitive medical information was not appropriate. While employers may have a legitimate need to collect certain medical information (for purposes of verifying an employee’s medical absences and to meet employer obligations to accommodate employees under human rights legislation), stringent safeguards must be put in place. Specifically, the Assistant Commissioner said that such medical diagnosis should only be shared among qualified medical practitioners.

The Assistant Commissioner concluded that while the purposes for the collection by the employer might have been legitimate, the practices were unacceptable “on the whole”.

In conclusion, the Assistant Commissioner made the following specific recommendations to the employer, all of which provide useful lessons for similarly situated organizations:

• The company should revise its policies and procedures for collecting and handling employee medical reports;
• Employees need to be notified that for those who may be required to submit a medical report, they have the option of sending the form in strictest confidence directly to medical staff in the employer’s health services office and that if they choose the usual route, it will be received and processed by the usual human resources staff; and
• Managers must be trained to refuse to accept any medical report from an employee, and should instead direct the employee to submit it directly to Health Services.
• The corporate Head office should no longer receive detailed medical information related to any employees.

This finding reinforces the fact that any health information requires special handling. Employers may, from time to time, have a legitimate need to know about specific diagnoses, procedures must be put in place to make sure that only necessary information is collected, that employees know how and for what purposes it will be used and, finally, extremely stringent safeguards must be put in place to protect that sensitive information.

The author, David T.S. Fraser, is a Canadian privacy lawyer and chair of the privacy law practice group of McInnes Cooper, Atlantic Canada's largest single law partnership.

This publication contains a general discussion of certain legal and related developments and is not intended to provide legal or other professional advice. Readers should not act on the information contained in this publication without seeking specific advice on the particular matter with which they are concerned. If you require legal advice, we would be pleased to discuss the issues in this document with you in the context of your particular circumstances.