First Reference Talks

News and Discussions on Payroll, HR & Employment Law

PHIPA fines in the workplace

This spring the largest penalty to date was issued under Ontario’s Personal Health Information Protection Act (PHIPA). A social work student was convicted of accessing personal health information without authorization, and ordered to pay a $20,000 fine and a $5,000 victim fine surcharge after pleading guilty to “willfully accessing the personal health information of five individuals.”

The breach took place in Goderich, Ontario’s prettiest town, where the student was completing a placement with a family health team. The student also admitted that she had accessed the personal health information of 139 individuals, including that of her family, friends, local politicians and the staff of the clinic. No doubt she had an interesting time doing so, but this fine sends a strong message that employees must keep their curiosity in check. Previous fines include two in the amount of $2,505, which were issued in 2016 to two hospital workers in connection with breaches of former Toronto Mayor Rob Ford’s health information during his cancer treatment.

In our digitizing and digitized workplace, privacy is always a hot topic, but privacy laws in Canada remain spotty. Currently, broad privacy legislation applies only to federal sector workplaces (banks, telecom, shipping, mail, etc.) via the Personal Information Protection and Electronic Documents Act and the Privacy Act. In Ontario, health information is governed by PHIPA, but most other workplace-related information is not subject to any regulation.

Despite the lack of clear legislative guidance in many arenas, employers should have privacy policies in place with respect to private employee and customer information. Policies should also specify the consequences of a privacy breach or inappropriate employee snooping. Remember, there is now a common law tort of invasion of privacy, “intrusion upon seclusion,” and clear policies and appropriate employee training will go a long way in protecting employers from the potential for vicarious liability.

As always, a balance must be struck between an organization’s need to collect, use and disclose personal information and an individual’s right to privacy.

Examples of good practices are:

  • Designating one person as responsible for personal information
  • Clearly identifying the purpose for the collection of information
  • Obtaining consent before information is collected
  • Collecting only necessary information
  • Disclosing and retaining information only as necessary
  • Permitting employees to access their own information

Millennial employees, who have grown up with social media, may have a different conception of privacy than the one expected by the culture of the organization. Clear communication and documentation of what is expected are crucial.

Lisa Stam

Founder of Spring Law, Employment and Labour Lawyer at Spring Law
Lisa Stam is founder of Spring Law, a virtual law firm advising exclusively on workplace legal issues for employers and executives. She practices all aspects of employment, labour, privacy, and human rights law, with a particular interest in legal issues arising from technology in the workplace. Lisa’s practice includes a wide range of entrepreneurs in the tech space, as well as global companies with smaller operations in Canada. In addition to the day-to-day workplace issues from hiring to firing, Lisa frequently blogs and speaks on the impact, risks and opportunities of social media and technology issues in (and out of) the workplace, as well as the novel ways in which changing expectations of privacy continue to evolve employment law.