Findings under the Personal Information Protection and Electronic Documents Act (PIPEDA)
PIPEDA Case Summary #2003-120
Employer's policy and practices regarding the collection of personal medical information deemed appropriate
[Principles 4.4 and 4.4.1 of Schedule 1; section 5(3)]
An employee of a telecommunications company complained that her employer was collecting more personal information about employees than is necessary.
Summary of Investigation
According to the company's policy on extended sick leave, the employee is asked to sign a consent form authorizing his or her physician to disclose medical information related to the employee's illness to the company's occupational health professionals and to discuss the matter directly with them. The form states the company's purposes for collecting this information, namely, consideration of eligibility for benefits and establishment of fitness to work. The form asks for information about the employee's medical condition, treatment, and prognosis. If the employee's absence continues beyond the projected date of return indicated on the form, the manager asks the employee to fill out a second form.
The company's occupational health staff (doctors and nurses, who are bound by their respective codes of ethics) review the form and provide managers only with information relating to the abilities and limitations of the employee. Detailed information about the company's policy is available to all employees via its Web site and in a brochure.
The company has policies and procedures in place to safeguard employee medical information. Specifically, health information is kept in a separate file and stored in secure areas. Computerized health information is also protected.
At the time of filing the complaint, the complainant was not on extended sick leave and had not been asked to have her physician fill out a form. Nevertheless, she objected to the amount of information physicians are asked to supply when an employee goes on extended leave.
Issued February 17, 2003
Jurisdiction: As of January 1, 2001, the Personal Information Protection and Electronic Documents Act (the Act) applies to any federal work, undertaking, or business. Moreover, as of January 1, 2002, the Act applies to personal health information. The Commissioner had jurisdiction in this case because a telecommunications company is a federal work, undertaking, or business as defined in the Act and because the complaint pertained to the company's management of health information in the year 2002.
Application: Principle 4.4 establishes that the collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Principle 4.4.1 goes on to state that the organization shall not collect personal information indiscriminately. Both the amount and type of information collected shall be limited to that which is necessary to fulfil the purposes identified. Organizations shall specify the type of information collected as part of their information-handling policies and practices. Section 5(3) states that an organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances.
The Commissioner considered the company's purposes for collecting the personal information of employees to be legitimate, appropriate and in keeping with section 5(3) of the Act. The Commissioner was further satisfied that the company limited its collection of employee personal information to that which was necessary for those purposes, as per the requirements of Principle 4.4. He also determined that the company had in place policies and procedures that outlined these purposes, how the personal information was handled and by whom, and the respective roles of the parties involved, and that they were available to all employees, thus satisfying the company's obligations under Principle 4.4.1.
Accordingly, he concluded that the complaint was not well-founded.