Breaching privacy more than legal concern

If staff fear health information is revealed, they may not seek needed treatment

Privacy and the protection of personal information are clearly legislated in Canada and there are legal consequences for failing to adhere to government guidelines. But there are also other risks associated with a breakdown in confidentiality that employers need to keep in mind, particularly when dealing with employee health issues.

Regardless of management practices, employees may feel revealing health issues to employers could result in a lack of career opportunities or unfair treatment. They also may think, by revealing their physical or mental health conditions, they could be viewed as a liability to the organization and endanger their employment.

In Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) protects personal information managed by private-sector organizations. The act requires all Canadian businesses to comply with several privacy principles, including accuracy, safeguards, consent and limiting use, disclosure and retention.

Government legislation aside, employers would be wise to extend the protection of personal information of employees beyond PIPEDA guidelines. Organizations need to pay attention to casual practices in the workplace such as telephone conversations, e-mail communications and a manager’s treatment of employees, which can all play a role in revealing confidential information, whether intentional or not.

While legal implications may be the main concern for maintaining employee privacy, there are hidden costs to privacy breaches that could affect the business, such as a breakdown of trust, increase in staff turnover and reduction in employee engagement and productivity. These could ultimately result in greater consequences than legal penalties.

An employee’s concerns about revealing health information can be amplified when he is suffering from a mental health issue. Despite the growing awareness of the prevalence of mental illness, the stigma associated with mental impairment remains strong.

It is precisely this fear of workplace exposure that could discourage employees from seeking the very support that could prevent or treat the illness. Even an evaluation of organizational health risks can be rendered meaningless if employees are not confident their personal information will be safeguarded.

Employers can avoid the risks of employees forgoing treatment for health problems by fostering employee confidence that personal information will be properly safeguarded with strong company policies and procedures.

Ensure privacy policies are communicated to all employees on a regular basis. All staff — not just those involved with collecting and storing health-related information — need to know about PIPEDA compliance requirements, company policies, consequences for non-compliance, the name and contact information of the organization’s privacy officer and how to access their information. Such communication should be sent out regularly and displayed prominently on corporate websites and in corporate mission statements.

Let employees know existing company privacy and confidentiality policies and procedures are audited regularly. This will ensure compliance with both external and internal guidelines at all times.

Include the ability to respond anonymously to surveys, where possible, when seeking employee opinion or health appraisals. When no identifiable information is requested, employees feel free to express themselves honestly.

Consider how and what information is communicated to staff about a co-worker’s leave of absence. If normal practice is to be open about physical health concerns, a manager’s silence may imply the leave is related to a mental health issue. It is a good practice to ask an absent employee what information he would be comfortable sharing with colleagues.

Determine what information staff require when an employee is off for medical reasons. Once an employer has the appropriate medical clearance, does the HR contact or front-line supervisor need to know the diagnosis or can they accommodate the employee just with information about work limitations and present abilities?

Walk the talk. Employees must see that management is enforcing guidelines and keeping personal health information strictly confidential. In the case of any breach of security, communications must be sent to relevant parties explaining what has happened, why and what has been done to correct the situation. If any confidentiality policy is broken, if oversights occur, or if any personal medical information is disclosed without permission, management must be seen to move quickly and effectively to resolve the situation.

Estelle Morrison is director, health management, for Ceridian Canada in Markham, Ont. For more information call (877) 237-4342 or visit www.ceridian.ca
