Employer and insurer both breached privacy of employee
The Office of the Information and Privacy Commissioner of Alberta has determined that an employer violated the Personal Information Protection Act and the Freedom of Information and Protection of Privacy Act when it disclosed more information than necessary to determine an employee’s eligibility for disability benefits, and that the group insurance provider used the information without consent. Filing separate complaints against both the employer and the insurance provider, the employee was successful in the case against her employer as well as in the case against the insurer. Let’s explore why.
The employee in question was receiving workers’ compensation benefits following a workplace injury. She had also applied to her employer’s group disability insurer for disability benefits. The problem arose when the employer disclosed the medical information in the workers’ compensation reports to the insurer, and the insurer collected and used her personal information, contrary to privacy laws.
The employer argued that the employee consented to the disclosure of her personal information when she signed a consent form as part of her application for disability benefits to be paid by the insurer. The alternative argument was that the employer was permitted to disclose the employee’s personal information pursuant to section 40(1)(l) of the Freedom of Information and Protection of Privacy Act (to determine her eligibility for a program) and that it had disclosed only the amount of information that was necessary to meet that purpose.
However, the adjudicator found that the employee never consented to the employer disclosing to the insurer her personal information found in workers’ compensation board reports. Also, though the employer was authorized to disclose some of the employee’s personal information pursuant to section 40(1)(l) of the Act, it disclosed more information to the insurer than was necessary or reasonable to meet its purpose of determining her eligibility for disability benefits.
The adjudicator ordered the employer to cease disclosing the employee’s personal information to the insurer, and to ensure it did not disclose the employee’s personal information that it was not authorized to disclose by confirming its employees were made aware of the employee’s obligations under the Act.
Along the same lines, the insurer argued that the employee consented to its collection and use of her personal information and that it did not collect or use her medical information.
However, the adjudicator found that, although the employee consented to the insurer’s collection and use of some of her personal information, her consent did not apply to her medical information. She consented to the collection of her medical information only from herself, her treating physician, and her union representative, not the employer. Therefore, the insurer collected and used the employee’s medical information (her personal information) without consent and contrary to the Personal Information Protection Act.
The insurer was ordered to cease collecting and using the employee’s personal information in contravention of the Act and to destroy the workers’ compensation board reports that it collected from the employer.
What do you think? Did the employer and the insurer go too far by exchanging information with each other instead of obtaining the information from the employee?
First Reference Human Resources and Compliance Editor