The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.
The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.
The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Nothing herein should be used as a substitute for the advice of competent counsel.
This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.
Friday, February 06, 2004
Handle With Care, If At All: Employers and Medical Information
In one of the first decisions related to the collection and use of medical information, the Office of the Privacy Commissioner has provided some guidance to employers who are subject to the federal privacy law and to others who routinely handle medical information.
In PIPEDA Case Summary #226, the Assistant Privacy Commissioner of Canada considered a complaint brought by a former employee of a telecommunications company. The former employee alleged that the employer was unnecessarily collecting personal medical information and had not implemented appropriate security safeguards to protect that information. In this specific complaint, the former employee said that the company was assisting with the administration of its long-term disability program and required employees to file claim forms and medical reports with the employer's Human Resources office. With respect to safeguards, the complainant objected to the employer's practice of collecting medical reports by facsimile to the Human Resources office.
The federal privacy law, the Personal Information Protection and Electronic Documents Act (or "PIPEDA", as it is often called), contains ten mandatory principles, taken from the Canadian Standards Association Model Code for the Protection of Personal Information. Principle 4 requires that all affected organizations limit their collection of personal information to that which is reasonably necessary for the purposes they have identified. Principle 7, also drawn from the Model Code, requires that an organization protect personal information with "security safeguards appropriate to the sensitivity of the information". In short, the former employee was complaining that the organization was collecting more information than was necessary and was not safeguarding it appropriately.
The Assistant Privacy Commissioner, in the published summary of her decision, concluded that the company was in violation of Principle 4 because the collection of employee medical information was not reasonably necessary. The disability plan was managed by a third-party insurance company and the employer was simply assisting with the processing of claims. Employees should have been able to submit their information directly to the insurer. The Assistant Commissioner also noted that while some people might find the practice adopted by the company to be innocuous, the company did not give employees any options. For that reason, the Assistant Commissioner determined that the company was in contravention of Principle 4 and also determined that the collection was not reasonable, as is required under Section 5(3) of PIPEDA, which reads:
(3) An organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances.
With respect to the complaint about safeguards, the Assistant Commissioner made some very important determinations. First of all, she concluded that medical information is considered to be "sensitive information" and that "specific diagnosis [are] among the most sensitive of medical information". Principle 7 requires safeguards that are appropriate in light of the sensitivity of the information. The organization was in violation of Principle 7, the Assistant Commissioner found, by receiving sensitive medical information on a facsimile machine that was in an unlocked, accessible room. In the circumstances, receiving the information by fax was not appropriate, regardless of whether it occurred at the local human resources office or at the company's head office. Allowing general human resources staff to receive and process reports containing such sensitive medical information was not appropriate. While employers may have a legitimate need to collect certain medical information (for purposes of verifying an employee's medical absences and to meet employer obligations to accommodate employees under human rights legislation), stringent safeguards must be put in place. Specifically, the Assistant Commissioner said that such medical diagnoses should only be shared among qualified medical practitioners.
The Assistant Commissioner concluded that while the purposes for the collection by the employer might have been legitimate, the practices were unacceptable “on the whole”.
In conclusion, the Assistant Commissioner made the following specific recommendations to the employer, all of which provide useful lessons for similarly situated organizations:
This finding reinforces the fact that any health information requires special handling. Employers may, from time to time, have a legitimate need to know about specific diagnoses. When they do, procedures must be put in place to make sure that only necessary information is collected, that employees know how and for what purposes it will be used and, finally, that extremely stringent safeguards are in place to protect that sensitive information.
This publication contains a general discussion of certain legal and related developments and is not intended to provide legal or other professional advice. Readers should not act on the information contained in this publication without seeking specific advice on the particular matter with which they are concerned. If you require legal advice, we would be pleased to discuss the issues in this document with you in the context of your particular circumstances.
The Canadian Privacy Law Blog is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License.