Immigration and Refugee Board of Canada wrongly disclosed intimate and medical information to an employee’s management team via a fitness to work report
Complaint under the Privacy Act
March 31, 2023
An employee who underwent a Fitness to Work (“FTW”) evaluation complained that the entirety of the FTW report, which contained their intimate personal and sensitive medical information, was shared with the employee’s management team at the Immigration and Refugee Board of Canada (“IRB”) by the IRB’s human resources without their consent and for no reasonable purpose.
- An HR professional who receives a document or correspondence which they know could contain sensitive personal information must use their judgement and ensure they do not further disclose personal information without either the individual’s documented consent, or a permissible exception under subsection 8(2) of the Act.
- A use or disclosure of personal information without an individual’s consent, and that is contrary to an applicable standard, policy or guidance, is not considered a use that is consistent with the purpose of collection under paragraph 8(2)(a) of the Act.
- The test for a “consistent use” under paragraph 8(2)(a) of the Act is that there must be a sufficiently direct connection between the purpose of the initial collection and the proposed use or disclosure, such that an individual would reasonably expect that their personal information could be used that way. An individual would not reasonably expect their personal information to be used or disclosed in a manner inconsistent with applicable standards, policies or guidance.
Report of findings
- The complainant, a previous employee with the Immigration and Refugee Board of Canada (“IRB”), alleged that IRB contravened the disclosure provisions of the Act when a Human Resource Advisor (“HR”) disseminated a ten-page report (the “report”) provided by an Independent Medical Examiner (“IME”) in response to a FTW evaluation, which contained their sensitive medical information in addition to fitness to work information, to the complainant’s management team without their consent.
- At issue therefore is whether the IRB respected section 8 of the Act, in this case, paragraphs 8(1) which permits disclosures with consent, and 8(2)(a), which permits the disclosure of information without the consent of the individual where the disclosure is “for the purpose for which the information was obtained or compiled by the institution or for a use consistent with that purpose.” As per jurisprudence, and Treasury Board Secretariat (TBS) guidance, “consistent uses” must have a sufficiently direct connection to the original purpose for which the information was originally obtained such that an individual would reasonably expect it to be used in this manner [Footnote 1].
- With respect to the IRB’s position that the disclosure of the report in its entirety by HR to the management team was a consistent use, after consideration of the facts, we found that the disclosure of certain information to the managers was a consistent use. However, we determined that the disclosure of other information, such as highly intimate personal and sensitive medical information, was not a consistent use. Accordingly, we find that the IRB contravened the Act by disclosing information internally that fell outside what is permissible in section 8.
- Since the incident occurred in 2018, IRB indicated it has adopted the use of the Treasury Board Secretariat’s disability management toolkit, including the “Letter to the Treating Physician on the Functional Abilities Form” and “Functional Abilities Form,” which stipulate “do not include any diagnostic or treatment information (including medication)” and “do not provide medical diagnosis, treatment or medication information,” respectively, and offers related training.
- These new tools and processes go some way toward reducing the risk of recurrence of a similar incident. However, as described in our report below, IRB did not demonstrate that it followed the previous TBS standard in place, and IRB’s representations to our office did not, in our view, acknowledge ownership for any wrongdoing by IRB.
- We consequently recommended to IRB: (i) that within six months of the issuance of this report, it provide training to staff involved in fitness to work assessments and staff involved in providing privacy advice, on the importance of medical confidentiality and how to handle situations where they receive information that should consequently not be circulated; (ii) as the complainant requested, it issue an apology to them; and (iii) that IRB delete medical and other sensitive information contained in the report from IRB systems.
- In response, IRB did not expressly agree to implement the training we recommended, though it noted it was committed to ensuring compliance with the new standards and ensuring all staff responsible for employee medical information and FTW assessments receive “appropriate” training. It also agreed to offer an apology to the complainant, but not for any wrongdoing on their part, only for any “misunderstanding or lack of clarity” regarding the consent form that it contends, without substantiation, the complainant signed. Finally, it did not agree to delete the information in question.
- In this context, we find the complaint well founded and not resolved. We urge IRB to reconsider and take meaningful action to fulfil the recommendations.
Issue 1: No evidence provided that the complainant consented to the disclosure
- During the investigation, the IRB represented to the OPC that the complainant signed a consent form expressly permitting IRB human resources to disclose medical information in the report to their manager. The complainant alleges that they did not. IRB did not produce a copy of the alleged consent form and we therefore do not accept that IRB obtained consent for the disclosure.
- In response to our draft report of findings, the IRB alleged that it had obtained consent from the complainant to “discuss and share the results of the assessment… with the referring source [IRB management]” and that it had submitted the consent form in question to our office early in the investigation. We note that during the investigation, we spent a significant amount of time trying to obtain the form in question from IRB when it was apparent that the consent form referred to in its written submissions was not in fact appended to correspondence to us as apparently intended. Despite repeated requests IRB failed to provide the form in question and did not submit it to our Office in its response to the draft report of findings.
Issue 2: Disclosure of medical information in the report to managers was not a consistent use in the circumstances
- The FTW report in question included both recommendations from the IME with respect to the complainant's fitness to work and appropriate accommodation measures, and detailed intimate personal and sensitive medical information. The complainant does not dispute that it was reasonable for IRB’s HR to disclose the IME’s recommendations that were “specifically related to [their] ability to perform [their] responsibilities in the workplace.” However, they contend that it was not reasonable for the other detailed medical information to have been disclosed to any of the complainant’s management team.
- IRB contended that the disclosures were permitted under paragraph 8(2)(a) of the Act because the information had been collected by the IME, on behalf of IRB to determine whether the complainant “was able to continue working without detriment to [their] health and safety and to establish the conditions under which [they] could continue working.” It argued that the disclosure to the management team on January 9, 2018 was made for a use consistent with this purpose. In support of its position, it pointed to the description of the Standard Personal Information Bank (“PIB”) “Occupational Health and Safety,” which specifies that the information in the bank is used for a range of purposes including to establish the conditions under which certain individuals with identified illnesses or disabilities are able to continue to work under controlled conditions, and that the personal information in the bank may include medical information.
- However, IRB also indicated that its practices with respect to fitness to work assessment information were guided by the TBS Occupational Health Evaluation Standard (the “Standard”) in place at the time [Footnote 2]. This TBS Standard, which outlined “requirements for departments and agencies,” specified, in section 8.1, that “[t]he assessing health professional discloses to the employer only information that enables the employer to take appropriate measures, e.g. information on limitations related to the health requirements of the position. Confidential medical information is not provided unless it is required to determine appropriate accommodation strategies or options and is provided with the written consent of the individual.” [emphasis added]
- The only consent form that the IRB submitted to our Office was signed by the complainant on November 15, 2017, to authorize the disclosure of their personal medical information to [emphasis added] the IME conducting the FTW evaluation.
- In our view the facts demonstrate that in this case the IME did not comply with the obligations set out in this mandatory standard. This is because: (i) to date, IRB has provided no evidence that the complainant consented to the disclosure of medical information to the employer, and (ii) at least some of the medical information contained in the report cannot reasonably be said to be information that could “enable the employer to take appropriate measures.” To that end, in our view, IRB should not have further disclosed information where a mandatory standard expressly prohibits its collection by employers in the first place.
- IRB indicated that the HR advisor who made the disclosures in question no longer works for the IRB and we therefore did not interview them. However, IRB indicated it is its practice that “before disclosing an individual’s medical information an Advisor will verify whether consent to disclose was obtained and whether there are any limits to that consent.” [emphasis added]. An advisor will also consider the reason for which the information was collected, the purpose of the disclosure and whether it was intended for the recipient. As noted above, IRB has not been able to demonstrate that they obtained consent for the disclosure that occurred in this instance before the report was disclosed to the complainant’s management team.
- As mentioned above, the Standard prohibits disclosure of confidential medical information to the employer without the written consent of the individual. Therefore, the disclosure of such information to an employee’s managers cannot be considered to be a use consistent with the original purpose, and therefore is not permitted under paragraph 8(2)(a) of the Act.
- In response, IRB stated that determining appropriate accommodation measures is “highly complex.” It argued that HR professionals are not medical professionals and are not best placed to second guess the information doctors choose to include in reports in the first place. This might be true if the purpose of such reports was to diagnose or treat a medical condition, but it is not. If a human resources professional cannot understand and explain why a particular intimate or medical detail would be necessary for a manager to accommodate an employee, a manager likely would not either. The role of HR advisors is important and complex and one that requires careful application of judgement. In our view it is inappropriate for IRB to simply defer responsibility to a doctor, who is a medical professional, not a labour relations professional, to determine what information a manager needs to know in a fitness to work context.
- Further, the Standard above, which IRB says it was guided by, calls for health evaluations to be arranged through Health Canada and that “following all health evaluations, Health Canada occupational health professional will forward to the department an assessment report indicating whether the individual meets the health requirements of the job as well as to the individual if the requirements are not met or limitations are indicated.” Section 8.3 further stipulates that Health Canada would maintain “all medical information, forms and records transmitted or used in connection with these health evaluations.”
- The original collection of the personal information by IRB from the IME is outside the scope of the complaint, and we therefore did not examine why the health evaluation (and subsequent receipt of the report) was contracted by IRB. However, in directly contracting with the IME, in our view IRB effectively took on a responsibility for what it received from the IME, including responsibility for reviewing the content of the report before further dissemination – a responsibility that would normally have fallen to professionals at Health Canada.
- IRB did not provide any specific justification for how providing the detailed intimate personal and sensitive medical information supported the purpose of accommodating the individual in the workplace, despite their knowledge of the limitations in the Standard.
- We are concerned that this suggests that IRB’s human resources and privacy staff do not have an adequate awareness of the potentially harmful effect on employees’ sense of well-being in the workplace of having multiple individuals being privy to such intimate details without the individual’s consent.
- The Standard referenced above has been archived and since May 2019, IRB has been using new tools and forms, and providing related training, as a part of “Disability Management in the Federal Public Service,” under the Policy on People Management. The fitness to work processes include that physicians completing fitness to work forms should not include diagnostic or treatment information in the reports provided to employers.
- These new tools and processes go some way toward reducing the risk of recurrence of a similar incident. However, as described above, IRB did not demonstrate that it followed the previous TBS standard in place and did not acknowledge ownership for any wrongdoing by IRB.
- We recommended that, within six months of the issuance of this report, IRB implement the following recommendations:
- (a) Ensure the medical and other sensitive information in the report is deleted from IRB’s systems (both with HR and anywhere it has been saved by the managers);
- (b) Ensure that any of its staff empowered to take decisions in relation to fitness to work assessments or provide advice about privacy considerations related to fitness to work assessments take comprehensive training on understanding the reasons for and importance of medical confidentiality in the workplace and the actions to take if they receive information that falls outside of what is required to be collected in the context; and
- (c) Issue an apology for the disclosure to the complainant, as requested.
- In response to recommendation (a), the IRB declined to accept this recommendation, noting that disposing of the records prematurely could prejudice the IRB if legal proceedings are taken. It confirmed that the managers in question have left IRB and that copies of the records are only retained by Human Resources, Legal Services and the Access to Information and Privacy Branch, confirming that the records will be disposed of in accordance with Government of Canada standards. We accept this response to recommendation (a) and remind IRB to appropriately limit internal disclosure of the sensitive personal and medical information contained in the report.
- In response to recommendation (b) IRB did not expressly agree to implement the training we recommended, though it noted it was committed to ensuring compliance with the new standards and ensuring all staff responsible for employee medical information and FTW assessments receive appropriate training. We invite IRB to demonstrate that it will provide training that includes the elements highlighted in our recommendation – in recognition of the impact that the disclosure of intimate medical details can have on workplace well-being, and the responsibility staff have for identifying and not circulating such information without documented consent as required by policy.
- In response to recommendation (c), IRB agreed to offer an apology to the complainant, but not for any wrongdoing on their part, only for any “misunderstanding or lack of clarity” regarding the consent form that it contends, without substantiation, that the complainant signed authorizing the disclosure of highly intimate details to their management team.
- Labour relations is complex, important, and potentially high impact work. In this context, errors, including high impact ones as in this case, can occasionally occur. Acknowledging such errors, committing to learn from them and apologizing in a meaningful way to individuals harmed by such errors are key steps to demonstrating commitment to privacy compliance. In light of the above, we do not consider the contraventions in this matter to be adequately addressed. We urge IRB to carefully review and take meaningful action to fulfil the recommendations within six months.