Do Your H1N1 Measures Violate Employees’ Privacy Rights?
Some of the things you do to protect your organization from the H1N1 threat will require you to collect, use and disclose personal information about your employees. For example, you might have to ask employees if they have a medical condition that increases their vulnerability to flu or find out which employees have kids at home that they might have to stay home and care for if a pandemic strikes. In carrying out these and other tasks, you must avoid committing inadvertent violations under personal privacy laws. This article will show you how, based on guidelines just issued by the Privacy Commissioners of Canada, Alberta and BC (the “Guidelines”).
What the Law Requires
All employees have some right to privacy vis-à-vis their employers. But the extent of those rights differs depending on which law the employer is regulated by:
Federal/Alberta/BC/Québec: The federal PIPEDA (Personal Information Protection & Electronic Documents Act) and provincial personal privacy laws in AB, BC and QC specifically limit employers’ rights to collect, use and disclose employees’ personal information.
The 10 Other Jurisdictions: The federal PIPEDA law applies in any province or territory that hasn’t adopted its own personal privacy law. But there’s a catch: The limits on employer collection, use and disclosure apply to information of third parties, like customers, but not to employees. In other words, employees in MB, NB, NL, NS, NT, NU, ON, PE, SK and YT don’t have privacy rights vis-à-vis their employer under PIPEDA.
But that doesn’t mean these employees have no privacy rights. Several provinces, including Alberta, Manitoba, Ontario and Saskatchewan have medical privacy laws. (Nova Scotia has just proposed such a law.) Although targeted primarily at hospitals, healthcare providers and insurers, these medical privacy laws may also apply to employers who receive health information about their employees from a regulated entity. Consequently, employers in these provinces need to be on top of these laws if they get information from an employee’s doctor or caregiver during a pandemic.
Employees might also have privacy rights under the Charter, the terms of their collective agreements and common law, i.e., non-statutory law made by judges as a result of rulings in court cases.
Bottom Line: Employee privacy is a concern not just for employers regulated by Fed, AB, BC and QC law, but all employers no matter what part of Canada they’re from.
How Privacy Laws Work
The most significant privacy restriction for employers is the requirement that they get employees’ consent to collect, use and disclose their medical and other personal health information. Getting proper consent is an issue unto itself. The consent form must be clearly written so the employee knows what she’s signing; and the decision to sign the form must be totally voluntary. Any signs of trickery or coercion will nullify the consent. (See, Insider, Vol. 1, Issue 1, for a complete analysis of consent under privacy laws.)
There’s also a key exception you need to be aware of: Privacy laws allow employers to disclose personal information about their employees without consent in a public emergency involving a serious and imminent threat to public health. In the event of an official emergency, all bets are off: personal privacy laws will basically go by the board and government health officials will have broad power to demand access to your employees’ private health information.
But we’re not at that point yet. For an emergency to exist, the provincial (or territorial) government would have to declare it. And at the time of this writing, H1N1 hasn’t been declared a public health emergency in any part of Canada.
HOW TO COMPLY
Unless and until H1N1 becomes a public emergency, employers must follow the privacy laws in what the Guidelines call “the usual way.” What does the “usual way” mean? It basically boils down to four rules:
Rule 1: You Must Get Employees’ Consent
The first “usual way” privacy requirement is that employers get employees’ consent to collect, use and disclose their private information in connection with your H1N1 preparation and response efforts. The fact that consent is still in play is a key piece of information from the Guidelines. The reason for this is that all four of the personal privacy laws—PIPEDA, AB, BC and QC—give employers leeway to collect, use and disclose employees’ private information without consent when necessary to carry out certain core business or employment-related operations.
As explained by an official Alberta information sheet, “an employer has a legitimate need to collect, use and disclose certain types of personal information about employees in order to operate the business and fulfill its obligations to employees.” Examples of legitimate functions that privacy tribunals have actually allowed employers to use private employee information to perform without consent:
- Verifying an employee’s eligibility for sick leave or disability benefits;
- Determining what accommodations to make for disabled employees; and
- Filing workers’ compensation claims.
If you take just one thing from this article, let it be this: Flu preparation and response is not a function that falls into this category—at least according to the Guidelines. “Employers should remember that they will need consent to collect even [limited] personal information from employees,” the Guidelines state.
Equally problematic, the Guidelines make it clear that employees don’t have to provide their employers personal information to help in pandemic planning unless they want to. In fact, the Fact Sheet for Employees that accompanies the Guidelines (which we’ll call “Employee Guidelines”), recommends that employees not cooperate with employer requests for personal health information. “We would generally discourage you from sharing your health status, including any diagnosis made by a physician with your manager.”
Rule 2: Information Collected Must Be Kept to Minimum Necessary
The second key “usual way” privacy rule that applies to pandemic planning in the event that there’s no official state of emergency is that employers must collect, use and disclose only the amount and type of information they need to carry out the pandemic planning or response function involved. Thus, for example, it would be inappropriate to ask employees to undergo a physical exam or submit a complete medical record to assess their vulnerability to infection.
Rule 3: Employees Must Be Notified of Information Use
The Guidelines also make it clear that you must notify employees that you’ll use the personal information you collect from them for planning purposes only and indicate when it will be destroyed.
Rule 4: Information Must Be Kept Secure and Properly Destroyed
Employers must maintain the security of any personal health information they collect from employees. Security measures could include:
- Physical barriers such as keeping files locked;
- Electronic measures such as password protection and encryption; and
- Administrative controls such as keeping the number of staffers with access to the information limited to the minimum necessary.
Finally, employers will have to ensure that the personal information they collect from employees is properly destroyed after it’s no longer needed.
6 PANDEMIC PRIVACY POINTERS
The Guidelines also discuss some of the specific things employers can and can’t do to ensure that their H1N1-related activities don’t violate employees’ privacy:
- 1. Identifying Employees Who May Need Alternative Work Arrangements
Situation: Employers generally have no right to ask employees who they live with. But gathering this information could become important to pandemic planning because it enables employers to determine which employees might have to make alternative work arrangements.
Wrong: Asking: “Do you have young children or elderly parents at home that you might have to stay home and care for in the event of a pandemic?”
Right: The Guidelines suggest distributing a survey asking employees if they may have to make alternative work arrangements to care for kids or elderly parents. “This way,” the Guidelines explain, “employers will be able to estimate how many employees could be absent without collecting detailed personal information.”
- 2. Identifying Employees Who Might Be Susceptible to Infection
Situation: You might want to warn any employees that have asthma, immunity deficiencies or other medical conditions that make them vulnerable to the flu to get vaccinated and take special precautions. But asking about an employee’s general medical condition can be a privacy violation.
Wrong: Asking employees to furnish detailed information about their medical condition, e.g., asking them to tell you if they have asthma.
Right: The Guidelines say that employers would be better advised to let all employees know that individuals with certain kinds of conditions are at risk and need to consider taking additional precautions.
- 3. Asking Employees If They’ve Been Vaccinated
Situation: Employers have an obvious interest in ensuring that their employees get vaccinated. But this again is personal information.
Wrong: Asking employees: “Have you and your family members gotten your flu vaccine?”
Right: Encouraging employees to get vaccinated and giving them information about vaccinations, such as vaccination clinic schedules.
- 4. Asking Employees for Personal Contact Information
Situation: Assuming they don’t already have this information, employers might want to ask employees for contact information in case they have to provide them updates about a pandemic situation. Of course, this is private information that employees might be loath to provide.
Wrong: Asking—and especially requiring—employees to give you their personal email or phone number.
Right: The Guidelines recommend asking employees to advise you how they prefer to be contacted and, if possible, give them alternative ways to get information from you without having to disclose their private contact information, such as having the employee agree to call in to the office at agreed-upon intervals.
- 5. Asking Employees Who Call In Sick If They Have the Flu
Situation: Employers might want to keep track of how many employees have been diagnosed with H1N1.
Wrong: Asking employees who call in sick: “What’s wrong with you? Do you have the flu?”
Right: Asking employees who say they’re sick how long they expect to be out and when they plan to return. In short, asking for a prognosis is okay; but asking for a diagnosis is not—whether it’s H1N1 or any other illness.
- 6. Notifying Other Employees that a Co-Worker Has H1N1
Situation: If managers learn that an employee has the flu, they might want to notify others in the company, including the employee’s co-workers.
Wrong: Disclosing an employee’s diagnosis to somebody else in the organization is just as impermissible as asking an employee to furnish his diagnosis to begin with.
Right: Letting others at the company know that the employee isn’t available, and if necessary, when he’s expected to return.
Conclusion
Although it’s between the lines, the message the Guidelines are delivering to employers is clear and very strong: Unless and until there’s a declaration of a public health emergency, you can’t take liberties with your employees’ privacy to implement H1N1 protections. The Guidelines suggest that the proper role for employers in protecting their businesses from flu risk is to tell employees what they need to know, make prevention measures available and trust in employees to look after themselves. But once they start digging for information about the medical information of employees and their family members, they’re subject to the usual privacy laws.