Employer and insurer both breached privacy of employee

June 29, 2011 Christina Catenacci Human Resources, Privacy and Security

The Office of the Information and Privacy Commissioner of Alberta has determined that an employer violated the Personal Information Protection Act and the Freedom of Information and Protection of Privacy Act when it disclosed more information than necessary to determine an employee’s eligibility for disability benefits, and that the group insurance provider used the information without consent. Filing separate complaints against both the employer and the insurance provider, the employee was successful in the case against her employer as well as in the case against the insurer. Let’s explore why.

The employee in question was receiving workers’ compensation benefits following a workplace injury. She had also applied to her employer’s group disability insurer for disability benefits. The problem arose when the employer disclosed the medical information in the workers’ compensation reports to the insurer, and the insurer collected and used her personal information, contrary to privacy laws.

The employer argued that the employee consented to the disclosure of her personal information when she signed a consent form as part of her application for disability benefits to be paid by the insurer. The alternative argument was that the employer was permitted to disclose the employee’s personal information pursuant to section 40(1)(l) of the Freedom of Information and Protection of Privacy Act (to determine her eligibility for a program) and that it had disclosed only the amount of information that was necessary to meet that purpose.

However, the adjudicator found that the employee never consented to the employer disclosing to the insurer her personal information found in workers’ compensation board reports. Also, though the employer was authorized to disclose some of the employee’s personal information pursuant to section 40(1)(l) of the Act, it disclosed more information to the insurer than was necessary or reasonable to meet its purpose of determining her eligibility for disability benefits.

The adjudicator ordered the employer to cease disclosing the employee’s personal information to the insurer, and to ensure it did not disclose the employee’s personal information that it was not authorized to disclose by confirming its employees were made aware of the employee’s obligations under the Act.

Along the same lines, the insurer argued that the employee consented to its collection and use of her personal information and that it did not collect or use her medical information.

However, the adjudicator found that, although the employee consented to the insurer’s collection and use of some of her personal information, her consent did not apply to her medical information. She consented to the collection of her medical information only from herself, her treating physician, and her union representative, not the employer. Therefore, the insurer collected and used the employee’s medical information (her personal information) without consent and contrary to the Personal Information Protection Act.

The insurer was ordered to cease collecting and using the employee’s personal information in contravention of the Act and to destroy the workers’ compensation board reports that it collected from the employer.

What do you think? Did the employer and the insurer go too far by exchanging information with each other instead of obtaining the information from the employee?

Christina Catenacci
First Reference Human Resources and Compliance Editor

• About
• Latest Posts

Follow me

Christina Catenacci

Christina Catenacci, BA, LLB, LLM, was called to the Ontario Bar in 2002 and has since been a member of the Ontario Bar Association. Christina worked as an editor with First Reference between February 2005 and August 2015, working on publications including The Human Resources Advisor (Ontario, Western and Atlantic editions), HRinfodesk discussing topics in Labour and Employment Law. Christina has decided to pursue a PhD at the University of Western Ontario beginning in the fall of 2015. Read more

Follow me

Latest posts by Christina Catenacci (see all)

• Happy Data Privacy Day! - February 4, 2020
• Privacy Commissioner of Canada releases its annual report - January 6, 2020
• Joint investigation by the Privacy Commissioner of Canada and the Information and Privacy Commissioner for British Columbia – BC company failed to comply with privacy laws - December 2, 2019

Alberta, Breach of privacy, collecting medical information, consent, Disability benefits, Disclosing medical information, eligibility for disability benefits, employment law, Freedom of Information and Protection of Privacy Act, group insurance, Office of the Information and Privacy Commissioner, oipc, personal information, Personal Information Protection Act, using medical information, workers’ compensation, workplace injury

Workplace violence and privacy: what’s the connection? Slaw: Bill C-35 comes into force and new immigration regulator in place