This spring the largest penalty to date was issued under Ontario’s Personal Health Information Protection Act (PHIPA). A social work student was convicted of accessing personal health information without authorization, and ordered to pay a $20,000 fine and a $5,000 victim fine surcharge after pleading guilty to “willfully accessing the personal health information of five individuals.”
The breach took place in Goderich, Ontario’s prettiest town, where the student was completing a placement with a family health team. The student also admitted that she had accessed the personal health information of 139 individuals, including that of her family, friends, local politicians and the staff of the clinic. No doubt she had an interesting time doing so, but this fine sends a strong message that employees must keep their curiosity in check. Previous fines include two in the amount of $2,505, which were issued in 2016 to two hospital workers in connection with breaches of former Toronto Mayor Rob Ford’s health information during his cancer treatment.
In our digitizing and digitized workplace, privacy is always a hot topic, but privacy laws in Canada remain spotty. Currently, broad privacy legislation applies only to federal sector workplaces (banks, telecom, shipping, mail, etc.) via the Personal Information Protection and Electronic Documents Act and the Privacy Act. In Ontario, health information is governed by PHIPA, but most other workplace-related information is not subject to any regulation.
Despite the lack of clear legislative guidance in many arenas, employers should have privacy policies in place with respect to private employee and customer information. Policies should also specify consequences in the case of a privacy breach, or inappropriate employee snooping. Remember, there is now a common law tort of invasion of privacy, “intrusion upon seclusion,” and clear policies and appropriate employee training will go a long way in protecting employers from the potential for vicarious liability.
As always, a balance must be struck between an organization’s need to collect, use and disclose personal information and an individual’s right to privacy.
Examples of good practices are:
- Designating one person as responsible for personal information
- Clearly identifying the purpose for the collection of information
- Obtaining consent before information is collected
- Collecting only necessary information
- Disclosing and retaining information only as necessary
- Permitting employees to access their own information
Millennial employees, who have grown up with social media, may have a different conception of privacy than the one expected by the culture of the organization. Clear communication and documentation of what is expected are crucial.