Findings under the Personal Information Protection and Electronic Documents Act (PIPEDA)
PIPEDA Case Summary #2004-284
Use and disclosure of health information considered appropriate, but access request was mishandled
(Principles 4.3 and 4.3.5; subsections 5(3), 8(3) and 8(5); and paragraph 9(3)(d))
An employee of a telecommunications company filed two complaints:
- that her employer used and disclosed her personal information without her consent. She alleged that her managers shared information about her with the unit responsible for managing employee absences, and that this unit then disclosed the information to an independent medical examiner, all without her consent; and
- that her employer denied her access to her personal information.
Summary of Investigation
Complaint regarding use and disclosure without consent:
The employer is self-insuring, both for short-term and long-term absences due to illness. Once an employee's absence exceeds the specified period (there is a set annual limit for short-term absences), the employee must have his or her physician complete a doctor's report that contains information about the individual's diagnosis, treatment, and ability to return to work assuming complete or modified duties. On the doctor's form, the employee signs an authorization allowing the physician to release information to the company's health unit. All medical information is sent directly to this unit, where it is assigned to a case manager who reports to the director. The director is a physician, and the case workers all have medical training.
The health unit's mandate is to assess an employee's eligibility for benefits and ability to return to work, and to determine the company's obligations to the employee under human rights legislation. Under such legislation, the employer has the right to seek enough information to determine if it has an obligation to accommodate an individual with a handicap, which may involve consultation with a specialist.
Diagnostic information is held by this unit in strictest confidence. The only information shared with the employee's manager is information relevant to the employee's eligibility for benefits, workplace accommodations necessary to support a return to work, and/or the individual's prognosis. Employees of the unit sign a special confidentiality agreement that recognizes the sensitivity of the medical information they handle.
Regarding the events that led to the complaint, the complainant had had an argument with her immediate supervisor and left work, giving a medical condition as her reason. After the specified time limit for short-term absences expired, she was required to send a doctor's report to the health unit. She signed a consent form authorizing her doctor to disclose all medical information regarding her current absence and to discuss her work capacity with the unit. Upon receipt of the doctor's report, the unit required the complainant to undergo an independent medical examination, which found that the complainant was not totally disabled. Her benefits were then suspended and she was directed to return to work, reporting to a new supervisor.
The complainant obtained a copy of the independent examiner's report, and noted that it made reference to notations regarding interactions with her and her manager and to health records relating to two previous absences for the same reason. In her view, the previous absences were not relevant to her current situation and should not have been disclosed to the physician. She believed that this information negatively influenced the examiner's assessment of her condition. She also felt that her manager should not have shared with the company's health unit any information regarding his interactions with her without her consent.
We determined that one of her supervisors had shared a letter detailing the events that led to the complainant's current absence. This supervisor's manager had also sent the health unit an e-mail that noted that there had been a similar absence of significant length resulting from similar circumstances, and requested that an independent medical examination be arranged.
The company maintained that it was important for an independent examiner to have a complete picture of an employee's medical history. In this case, this included the circumstances surrounding the complainant's current leave, as well as her previous absences with an identical diagnosis. The information regarding the previous absences was already available to the health unit in the complainant's file. According to the unit, the examiner would want to know if previous treatments for the same condition did or did not work.
The health unit does not automatically disclose all of the contents of an employee's medical file to an independent medical examiner. In this case, the case manager followed the unit's customary procedure of screening the information to be sent to the examiner for its relevance and consulting with the director of the health unit regarding the screening.
Complaint regarding denial of access:
With respect to the second allegation, the company stated that it kept three and sometimes four files on each employee. One file is kept with the health unit, while the district office maintains a personnel file that is supposed to include up-to-date information regarding such matters as leave, performance review and compensation. An employee's immediate supervisor also keeps a binder on each employee. Industrial relations consultants may keep a file on an employee where the consultant is providing management with advice regarding an employee's grievance.
The complainant filed an access request with her manager for her personnel file, and received a response 22 days later, indicating that she was receiving a copy of her personnel file, with the exception of some documents that were being withheld pursuant to paragraph 9(3)(d) of the Act. The complainant had filed a number of grievances, and the documents were related to those.
The complainant had also filed requests with the health unit, each of which was provided within the 30-day timeframe set out in the Act. The medical file included a copy of her immediate supervisor's notations regarding interactions with her that took place around the time she left the office following the argument. She also received copies of two e-mails that led her to believe that some information was being withheld by her managers to which she should have access.
The Office concluded that the missing information was a chain of e-mails between the complainant and her immediate supervisor. While the company maintained that the complainant's personnel file included e-mails that she exchanged with the supervisor and e-mails from clients, our Office could not confirm that this was the case because the company had provided the complainant with the original documents in her file and had not kept a copy for its records. When we asked the complainant to review the file she received, she indicated that she only received absence reports and a few other documents that were not particularly useful, which she then threw away.
When employees request access to their personnel files, the company's policy is to provide them with a copy of the immediate supervisor's file, the district file and any e-mails or electronically stored information. We determined, however, that the complainant had not been provided with a copy of her district file and that it was not up to date, contrary to the company's own policy. The company disclosed this information some months after the complaint had been filed with the Office.
Issued November 30, 2004
Application: Principle 4.3 states that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate; Principle 4.3.5 notes that in obtaining consent, the reasonable expectations of the individual are also relevant; and subsection 5(3) states that an organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances.
Subsection 8(3) requires an organization to respond not later than thirty days after receipt of an access request; subsection 8(5) states that where an organization fails to respond within the time limit, the organization is deemed to have refused the request; and paragraph 9(3)(d) indicates that an organization is not required to give access to personal information if it was generated in the course of a formal dispute resolution process.
Regarding the use and disclosure complaint, the Assistant Privacy Commissioner deliberated as follows:
- The company collects, uses and discloses employee personal information for the purpose of determining the employee's ability to work (or return to work), the employee's eligibility for employment benefits, and the company's obligations to accommodate the employee under human rights legislation. A reasonable person would likely consider such purposes to be appropriate in the circumstances.
- The managers shared some information regarding the circumstances surrounding the complainant's absence from work with the health unit and informed the unit that, in their opinion, the complainant's previous absences were an important consideration in assessing the next steps to be taken in managing her current absence or potential return to work. In the Assistant Commissioner's view, the information that was shared was directly relevant to the company's determination of the complainant's ability to return to work and her eligibility for continuing employment benefits.
- As for the disclosure to the independent medical examiner, the health unit does not automatically disclose the information it receives from managers or keeps on file to independent examiners. In this case, it followed its usual practice of screening the information to be provided for its relevance. The unit disclosed information about the complainant's previous absences from work under similar circumstances with an identical diagnosis.
- When the complainant attended the independent medical evaluation, she was aware that the purpose of the appointment was to determine her ability to return to work and her eligibility for benefits. While she believed that the unit should not have disclosed information from her managers or information concerning her previous absences without her consent, in the Assistant Commissioner's view, she ought to have known that some information would be provided to the examiner so that he would be aware of the circumstances surrounding the absence and that she had been absent before with an identical diagnosis.
- The Assistant Commissioner thus determined that the company had the complainant's implied consent to its use and disclosure of her personal information. In the Assistant Commissioner's view, the complainant ought to have expected that information relating to her absence and eligibility for benefits would be used and disclosed. The Assistant Commissioner noted that to require the express consent of an employee on every occasion where information about his or her performance was used or disclosed would impose an unreasonable burden on organizations or might conceivably lead to situations where a company's legitimate purposes are not being met. Organizations should be expected to obtain the express consent of employees where the contemplated use or disclosure might not be reasonably anticipated in the circumstances, or is for a new purpose not previously communicated to employees.
- As that was not the case in the circumstances of this complaint, the Assistant Commissioner found the company in compliance with Principles 4.3 and 4.3.5, and subsection 5(3).
The Assistant Commissioner concluded that the use and disclosure complaint was not well-founded.
Regarding the denial of access complaint, the Assistant Commissioner deliberated as follows:
- The Office could not confirm that the complainant received a copy of the personnel file held by her immediate manager, although we know she received some material, as evidenced by the letter the manager sent to her 22 days after her request. However, we could confirm that the complainant did not receive a copy of her district file until 243 days after the request.
- The Assistant Commissioner found that by exceeding the time limit prescribed in subsection 8(3), the company was deemed to have refused the request, as per subsection 8(5).
- As for the exemption cited, the company could appropriately apply paragraph 9(3)(d) to the documents generated subsequent to the complainant filing her grievances.
- However, as the company applied the same exemption to some material created prior to her grievances, such information could not be deemed to have been generated in the course of a formal dispute resolution process.
- The Assistant Commissioner found that the company incorrectly applied the exemption to this material.
The Assistant Commissioner concluded that the denial of access complaint was well-founded.
The Assistant Commissioner recommended that the company:
- Release the information it had incorrectly withheld under paragraph 9(3)(d); and
- Review its access procedures with the managers who handled the access request.