Company's collection of medical information unnecessary; safeguards are inappropriate

PIPEDA Case Summary #2003-226

[Principles 4.4, 4.7, 4.7.2, and section 5(3)]

Complaint

A former employee of a telecommunications company complained that:

1. the company was unnecessarily collecting employees' personal medical information for the purpose of administering its long-term disability (LTD) plan; and
2. it did not have appropriate security safeguards in place to protect sensitive personal medical information from unauthorized access.

Summary of Investigation

Regarding the collection complaint: With respect to the complainant's LTD claim, the company had instructed her in writing to return the requisite forms and other relevant information, including a birth certificate, to the company itself rather than directly to the insurance company that manages the plan.

The letter sent to the complainant is a standard notification letter sent to any employee who has been on short-term disability. The purpose of the letter is to ensure that the employee is aware of the cutoff for short-term disability and the necessity to apply for LTD, of the procedure for doing so, and of the documentation to be submitted. The company acknowledges that only the insurance company requires the information in question. However, in serving as an intermediary, its intention is to facilitate the application process by ensuring that the applicant has included all the information necessary and that it is promptly sent to the insurance company. The company also pointed out that the insurance company's submission guide, given to employees, specifies that applicants may send claim information either to the employer or the insurance company. Nevertheless, the standard letter sent to employees on short-term disability does not present any such alternative, instead using the word "must," which the employer used to convey a sense of urgency.

Regarding the safeguards complaint: The complainant had a number of concerns regarding the company's security safeguards. First, she objected to the fact that the employer instructs its employees to send medical reports by facsimile to its human resources office — a form of transmission that does not afford an adequate degree of privacy for personal medical information, particularly for reports that contain medical diagnoses. In addition, she was worried that employees who do not have a legitimate need to handle this information, such as human resources staff, might view it.

Second, she was concerned about a rumour to the effect that managers are routinely permitted to receive specific information about the medical conditions of employees on sick leave.

With respect to the fax issue, the company is of the view that the delivery of medical information to the human resources fax machine is a secure method of conveying personal information since the machine is designated for human resources personnel only. The human resources group in the office where the complainant worked occupies one end of a largely empty floor and requires card access (although all employees at this location have cards). Medical files and personnel files are kept separately. The fax machine is located in a room that is only locked when no employees are present. Although difficult to do without human resources staff noticing, it is possible for non human resources employees to access the file room and the fax machine while the room is unlocked.

Human resources staff review the medical information that is submitted and administer the company's short-term disability plan. The coordinator collects medical reports, records the dates received, informs managers of their employees' projected dates of return, and keeps track of all dates and diagnoses in order to determine cutoffs for short-term disability benefits and eligibility for LTD. If there is a problem with a report, the local human resources officer sends it to corporate human resources, which then forwards it to the parent company's corporate health services. While on one page of the company's short-term disability policy, employees are informed that they have the option of sending their medical reports directly to corporate health services, in other instances, the policy speaks only of submitting these reports to human resources.

If the employee sends the report directly to corporate health services, the local human resources office receives a summary indicating the first date of absence, the projected date of return to work, whether the disablement in question is new or recurrent, any modifications or accommodations required, and an opinion whether the absence is supported or unsupported. No diagnostic information is provided. The local human resources office remains responsible for tracking the employee's absence for disability plan purposes. The corporate human resources office, however, does receive a summary that may include a specific diagnosis. It was noted that this unit is composed only of human resources personnel, and does not include qualified medical specialists.

With respect to the complainant's concern that managers could have access to employee medical information, the company denied that this ever occurs as a matter of company policy or practice. Managers are only informed that an employee is on sick leave, the length of the leave, and what, if any, accommodations must be made in the workplace upon the employee's return to work. While the company acknowledged that employees do occasionally give their medical reports directly to their respective managers, the managers are under instruction to provide the reports directly to human resources and keep the information confidential. Both of the complainant's managers denied that they ever received any information about an absent employee, apart from the information they are required to have.

Findings

Issued October 31, 2003

Jurisdiction: As of January 1, 2001, the Act applies to any federal work, undertaking, or business. The Assistant Privacy Commissioner had jurisdiction in this case because the telecommunications company is a federal work, undertaking, or business as defined in the Act.

Application: Principle 4.4 states that the collection of personal information must be limited to that which is necessary for the purposes identified by the organization. Principle 4.7 states that personal information shall be protected by security safeguards appropriate to the sensitivity of the information. Principle 4.7.2 goes on to state that the nature of the safeguards will vary depending on the sensitivity of the information that has been collected, the amount, distribution and format of the information, and the method of storage; more sensitive information should be safeguarded by a higher level of protection. Section 5(3) states that an organization may collect, use, or disclose personal information only for purposes that a reasonable person would consider appropriate in the circumstances.

Regarding the first complaint, the Assistant Privacy Commissioner deliberated as follows:

• Since the company was not required to collect the employee medical information to administer the LTD plan, but rather was doing it to assist with the process, the issue was whether such a purpose was one that a reasonable person would consider appropriate in the circumstances.
• The circumstances in this case include the company's notification to employees that they "must" submit their information packages to the company rather than directly to the insurance company and the lack of explanation of why they "must" do so.
• While a reasonable person might well find nothing objectionable about the company facilitating the application process, the same person might protest the company representing such a collection as a requirement, without explanation.
• The Assistant Privacy Commissioner found that the company was in contravention of Principle 4.4 and of section 5(3).

Regarding the second complaint, the Assistant Privacy Commissioner deliberated as follows:

• Given that medical information is considered to be sensitive information, and specific diagnoses among the most sensitive of medical information, the Assistant Privacy Commissioner was of the view that the safeguards in place were not appropriate.
• In the first place, she did not consider keeping a fax machine that receives sensitive medical information in an unlocked, accessible room appropriate.
• Similarly, she did not think it appropriate for the company to make a practice of receiving employee medical reports by fax, whether at the local human resources office or at the head office. Nevertheless, she recognized that some employees may choose this method of transmission.
• The Assistant Privacy Commissioner also questioned the company's practice of having human resources people receive and process medical reports containing diagnostic medical information about individual employees.
• The Privacy Commissioner's Office has long recognized the employer's legitimate need to collect certain medical information, in order to verify an employee's absence for genuine medical reasons, and to meet employer obligations to accommodate an employee under Canadian Human Rights legislation. The Office has also recognized that collecting specific diagnoses may be appropriate for certain purposes in certain circumstances.
• However, the Assistant Privacy Commissioner stressed that the Office is strongly of the view that any organization that collects medical diagnoses about employees for any purpose must only do so with strict safeguards in place, that is, shared only among qualified medical practitioners.
• In this case, it was determined that it was mainly medically unqualified human resources personnel, both in local offices and at corporate headquarters, who receive, note, interpret and process, for the purpose of administering the company's disability plans, highly sensitive medical diagnoses. While the purpose may be appropriate, the Assistant Privacy Commissioner considered this to be an unacceptable situation on the whole.
• She therefore found the company in contravention of Principles 4.7 and 4.7.2.

The Assistant Privacy Commissioner thus concluded that the complaints were well-founded.

Further Considerations

The Assistant Privacy Commissioner made the following recommendations:

1. The company should revise its policy and procedures for collecting and handling employee medical reports, with particular emphasis on the purposes and practices regarding diagnostic information.
2. In the meantime, the company should:
   1. take appropriate steps to ensure that employees obliged to submit a medical report are explicitly informed that they have a right to ensure that diagnostic information be kept in strict confidentiality, that they have the option of sending the form in strictest confidence directly to medical staff in health services and that the alternative means that human resources staff will receive this information;
   2. ensure that managers, if presented with a medical report, refuse to accept it and instruct the employee to send it as recommended in (a); and
   3. ensure that the corporate human resources unit no longer receive diagnostic information about individual employees.
3. The company should revise its letters of notification to employees on short-term disability so as to clarify that employees have the option of sending LTD information directly to the insurance company.