• Privacy Breached By Sharing EFAP Information
  • June 4, 2008 | Authors: Vicki L. Giles; Thomas W. R. Ross; Glenn D. Tait
  • Law Firms: McLennan Ross LLP - Edmonton Office ; McLennan Ross LLP - Calgary Office ; McLennan Ross LLP - Yellowknife Office
  • In April 2008, the Privacy Commissioner released an Investigation Report which underscores the importance of providing employees with clear information as to the purposes for which their personal employee information will be used and with whom that information will be shared; especially when sensitive information is involved.

    TransAlta Corporation contracted with a service provider, KLA, for occupational health services (OHS) and employee and family assistance program services (EFAP). The Complainant voluntarily entered an alcohol and drug treatment program and reported to the OHS group at KLA that he would require a three-month absence from work to complete the program. The KLA OHS group referred the Complainant to an EFAP counselor. As part of the process the following information was shared:

    • EFAP advised OHS that the Complainant was participating in a treatment program, but that he was unwilling to comply with return to work conditions;
    • OHS advised TransAlta senior HR advisor of the same information but also that the program was a "voluntary drug and alcohol program"; he was seeking counseling; and that he would have to sign a Return to Work Agreement which included requirements of abstinence and random testing;
    • HR advisor advised various TransAlta managers the Complainant was not compliant with TransAlta policies and that he had not signed the required contract for continued care when receiving short term disability benefits.

    Although this type of information sharing may sound familiar to your organization, the Complainant alleged that each of EFAP, OHS, and TransAlta had breached the privacy legislation. The investigator agreed.

    The investigator found that:

    • it was reasonable, and consent was not required, for EFAP to advise OHS of treatment program participation and status of return to work conditions;
    • it was reasonable, and consent was not required, for OHS to advise the HR advisor whether the Complainant was fit to return to work and the status of return to work conditions.

    However, she also found that:

    • the Complainant had not been advised that his personal information would be shared between KLA and TransAlta - in fact, he believed the process was confidential (and TransAlta/KLA documentation reinforced this belief);
    • it was unreasonable for OHS to advise the HR advisor that the Complainant was participating in a voluntary drug and alcohol program and seeking counseling because it was unnecessary to share this much information.

    With respect to the unreasonable sharing of information between OHS and the HR advisor, the investigator stated:

    "The Complainant's leave was being managed by health specialists who knew enough about his situation to recommend treatment and establish conditions for his return to work. In my view, all TransAlta management needed to know was whether or not the Complainant had successfully completed treatment and would comply with return to work conditions."

    Finally, the investigator found that:

    • although various TransAlta managers needed information about the process, the HR advisor had shared too much information with too many different individuals - they did not all need all of the information. The investigator suggested that the HR advisor should have sent separate letters to each of the individual managers with only the information each required.

    It is easy to sympathize with the employer in this instance as it took many precautions in dealing with the information, and there are legitimate management reasons to share this information. It is important to note that many of the breaches would not have occurred had appropriate documentation been in place advising the Complainant of the purposes for which his personal employee information would be collected, used, and disclosed, and to whom those disclosures would be made. This report emphasizes the importance of providing employees with detailed, specific information, particularly when they enter into a process which is somewhat "out of the ordinary." It may not simply be enough to provide employees with information about the collection, use, and disclosure of their personal information at the time of hiring. Employees should be reminded of these things when they enter into a process which may be new or unfamiliar. The report also reminds employers of the importance of reviewing internal policies as to when it is appropriate to share information with supervisors and managers and what type of information should be shared. Sensitive information should only be shared on a "need to know" basis.

    As greater numbers of employees start to understand their privacy rights, employers can expect greater scrutiny of their information use and sharing processes. Ensure that your policies and procedures meet privacy requirements.