Individual accuses employer of disclosing personal information to co-workers

PIPEDA Case Summary #2003-237

[Principles 4.5, 4.7.2 of Schedule 1]

Complaint

An individual complained that her employer, a transportation services corporation, disclosed personal information concerning her health, without her consent, at the time of her regular health examination.

Summary of Investigation

The individual went to the clinic for a regular health examination with two co-workers who also had appointments for their regular health examinations. While the two co-workers were waiting in the clinic's reception area with the individual, they said they were able to read information about the individual, which appeared on paper attached to the form to be given to the doctor.

The investigation established that the employees' medical documents are delivered directly to the clinic in sealed envelopes. When patients arrive at the clinic, they are usually seen by a receptionist one at a time, and the receptionist usually has the file of the patient she is interviewing open in front of her. The files of other patients with an appointment during the same period are on her desk, stacked and closed so that no information about them is accessible.

Findings

Issued November 20, 2003

Jurisdiction: Since January 1, 2001, the Personal Information Protection and Electronic Documents Act (the Act) applies to any federal work, undertaking, or business. The Assistant Privacy Commissioner had jurisdiction in this case because the company in question is a federal work, undertaking, or business as defined in the Act.

Application: Principle 4.5 of Schedule 1 of the Act states that personal information shall not be used or disclosed for purposes other than those for which it was collected. In addition, Principle 4.7.2 indicates that the nature of the safeguards will vary depending on the sensitivity of the personal information that has been collected, the amount, distribution and format of the personal information, as well as the method of storage. More sensitive information should be safeguarded by a higher level of protection.

The Assistant Commissioner determined that, by arriving at the clinic's reception area with co-workers, the individual had consented to being accompanied by co-workers and, by extension, to their seeing personal information intended for the doctor. The Assistant Commissioner is also of the opinion that the procedure the employer followed in submitting its employees' medical information to the clinic is consistent with the requirements of the Act.

The Assistant Commissioner concluded that the complaint was not well-founded.
