Disclosure of diagnosis was inappropriate, but insurance company considered to be open about its privacy policies and practices

PIPEDA Case Summary #2006-348

[Principles 4.3, 4.8 and 4.8.2]

One day, when sitting in the office of a co-worker, who happened to be the benefits administrator for the complainant’s employer, the complainant learned that highly sensitive medical information about her had been left in a voice mail message to the Benefits Administrator by an employee of insurance company.  The insurance company provides benefits for the complainant’s employer.  The insurance company employee immediately realized her mistake and the insurance company wrote to the complainant to apologize for the error and to outline the steps it had taken to address the situation.  The complainant, however, felt that she should have been told to bring the matter to the attention of the company’s privacy officer and claimed that the company was not being open about its privacy policies and practices. 

The Assistant Privacy Commissioner agreed that the disclosure was inappropriate but noted that the company had taken several steps to address the issue.  She did not however share the complainant’s view that the company was not being open about its privacy policies and practices.

The following is a detailed overview of the investigation and the Assistant Commissioner’s findings.

Summary of Investigation

When the complainant was in the office of her employer’s Benefits Administrator, she was asked to listen to a voice message, concerning a claim she had made a month earlier.  The Benefit Administrator had found the message difficult to understand and the message appeared to concern dates that did not coincide with the dates of the complainant’s latest claim.  Since the complainant happened to be in her office at the time, she asked the complainant to listen to the message.  The caller appeared to be referencing a claim made a year earlier.  Both the complainant and the Benefit Administrator had difficulty understanding it.  Eventually, they realized that the caller had referred to a diagnosis related to an earlier claim.  Both were shocked that the caller had revealed such information.  The Benefits Administrator apologized to the complainant, told her that she would address the matter with the insurance company, and promised not to divulge the information to anyone else.  She notified a contact of hers at the insurance company by e-mail the next working day.  Since the Benefits Administrator’s contact did not need to hear the message, the Benefits Administrator did not produce a transcript of the message and erased it.  She confirmed that only she and the complainant had heard the phone message.

According to the Benefits Administrator, communications between the insurance company and the complainant’s employer typically involve the Benefits Administrator providing the insurance company with details such as employee hire dates, disability dates or return to work dates.  Phone conversations do not generally involve discussion of diagnoses, treatments, or medications. 

The complainant brought the matter to the attention of a senior manager at work.  This individual contacted a senior official at the insurance company.  This insurance company official wrote to the complainant to apologize for the incident, noting that the staff member, while well intentioned, realized her mistake right after making the call.  The official informed the complainant that the employee fully understood the serious nature of her error.  The official outlined the steps that the insurance company had taken to ensure that such an incident did not recur.  She referred to the company’s Privacy Policy and Code, which is reviewed with staff in the disability claim area at various points throughout the year.  She noted that, because of the error, the insurance company was reviewing the policy again through direct discussion with all staff.  In addition, the training program for support staff was enhanced so that training on the Privacy Policy and Code is reviewed earlier and more thoroughly than in the past

Shortly afterward, the complainant wrote to insurance company’s Chief Privacy Officer concerning the seriousness of the disclosure.  She was concerned that she had not been told that she should have contacted the company’s Chief Privacy Officer about the situation. 

The insurance company’s Chief Privacy Officer wrote to the complainant to apologize for the disclosure.  He admitted that the medical information should not have been mentioned at any point on the voice mail message and that “in attempting to explain the reason for needing clarification on the dates, diagnostic information was revealed in error.” 

We asked for additional information on how the insurance company addressed the incident internally.  The employee in question met with her manager, who reinforced the significance of privacy and the severity of the breach.  This was followed with a meeting with all members of the team involved in the incident.  The company’s privacy guidelines were reviewed.  The question of who they could rightfully speak to regarding claims and what information would be revealed was stressed.  Later in the same month, the meetings were held with those responsible for the disability claims unit and training to discuss the training materials to ensure that they addressed privacy requirements, regardless of the topic of the actual training package.  A follow-up meeting between representatives of these two groups confirmed that trainers are reinforcing the privacy guidelines. 

The Office reviewed some of the training material that was related to the nature of the complaint.  These covered consent, handling privacy incidents (how to escalate concerns and how issues are handled once escalated), and the company’s code of business conduct, which employees must review and sign off annually.  The code reinforces the 10 privacy principles set out in Schedule 1 of the Personal Information Protection and Electronic Documents Act.  Employees are provided with information on privacy, including privacy tips, and interactive e-learning opportunities to assess learning. 

The insurance company noted that its privacy policy and code is available on its web site; also on its web site are its telephone contact information and e-mail address for the Privacy Officer.  A privacy brochure has been made available to customers since 2003, either directly from its head office or through the insurance company’s distribution partners.  Should an individual call the company’s general phone number regarding a specific privacy issue, the individual will be directed to the privacy officer of the business unit in question.  If the caller asks for the Chief Privacy Officer, he or she will be directed to the Office of the Privacy Officer. 

The insurance company also provides privacy information (including its toll-free number, postal, e-mail and web site addresses) in member booklets.  These booklets serve as reference manuals for benefit plans, and plan sponsors are required to deliver a booklet to every member of the plan.  The complainant’s employer had provided the complainant with a copy of the booklet.

Findings

Issued August 14, 2006

Application: Principle 4.3 states that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.  Principle 4.8 stresses that an organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.  Principle 4.8.2 specifies what information should be made available and that it should include the name or title and the address of the person who is accountable for the organization’s policies and practices and to whom complaints or inquiries can be forwarded.

In making her determinations, the Assistant Commissioner deliberated as follows:

• On the matter of the disclosure, there was no dispute that the complainant’s personal information was disclosed, in contravention of Principle 4.3.  Upon learning of the disclosure, the insurance company wrote to the complainant (two letters were sent) and apologized for what had occurred.  In these letters, the complainant was informed of the steps the organization would take to ensure that this type of incident did not recur.  In the letter from the senior official (not the Chief Privacy Officer), she was invited to contact her if the complainant had any further concerns. 
• The Assistant Commissioner reviewed the company’s various training materials and policies, and was satisfied that the training for front-line staff stresses the significance of keeping claimant information, particularly sensitive medical information, confidential.
• She was of the view that the disclosure was an isolated error made by the employee when she was attempting to clarify claim dates.  The disclosure was limited to one individual, and the phone message was erased and no transcript exists.  Furthermore, upon leaning of the inappropriate disclosure, the company immediately understood the significance of the disclosure and offered a written apology.  The company’s internal privacy processes appear to be sound, and it took appropriate steps to prevent a recurrence. 

Given the above, the Assistant Commissioner concluded that the disclosure complaint was well-founded and resolved.

• Regarding the complaint that the insurance company was not open about its privacy policies and practices, the Assistant Commissioner respectfully disagreed.  The company’s web site contains its privacy policy and code, and both e-mail and telephone contact information for its Privacy Officer. 
• The complainant was given the opportunity to discuss her concerns with the senior official and was provided with her telephone number to discuss the matter further.  There were clearly many ways to find out about the company’s privacy policies, and the information to contact individuals within the organization was made available to her.  By contacting the senior official or by calling the number listed, the complainant could have learned more the complaint handling process and how to escalate her concerns to the company’s Privacy Officer.
• In the Assistant Commissioner’s opinion, the company met its obligations under Principles 4.8 and 4.8.2. 

Accordingly, she concluded that the openness complaint was not well-founded.