Privacy commissioner stresses need for updated training, while employment lawyer outlines disciplinary options
Despite years of focus on cases involving unauthorized access to personal information — “snooping” by employees or other insiders — Ontario saw a 34-per-cent increase in such cases across all sectors in 2023, according to the Ontario Privacy Commissioner.
It’s a “stark increase” and it’s concerning, says Patricia Kosseim, commissioner of the Information and Privacy Commissioner of Ontario (IPC).
“[It’s] quite surprising given all of the efforts our office has made to denounce snooping and to educate employers around the precautions they must take to prevent and curb such behaviour.”
Motivations for this activity range from profit (collecting and selling the data for commercial gain) to simple nosiness, she tells Canadian HR Reporter. Sometimes it is a misconceived good intention, even though the access falls outside the employee’s ambit of responsibilities.
“Whatever the motivation, the law is clear – you cannot access people’s records without proper authorization or a need to know. And that applies to all employees,” says Kosseim.
Risks of employee snooping
Given the overall risk, employers should be especially mindful of the need to enforce privacy policies, and to ensure compliance with them, more actively than they do other types of workplace policies, says Kyle Lambert, partner at McMillan in Ottawa.
Depending on the jurisdiction, there will be risks associated with breach of obligations under privacy legislation, for example. Certain provinces have their own privacy legislation, and PIPEDA applies federally, he says. And in Ontario, there is more specific privacy legislation applicable to the healthcare sector.
Then there are reputational risks, monetary risks and class-action risks, says Lambert — as seen, for example, with LifeLabs or the Canada Revenue Agency — associated with some kind of privacy breach or failure to adequately store individuals’ private information.
“We live in a world in which customers, consumers, private individuals are asked to provide their data all the time. And I do think people are becoming more wary of what they are providing and when. Certainly, you don't want to be an organization that is seen as being flippant or insufficiently cautious with third-party information — especially when it comes to something that is at least expected to be well within your control, that being what information employees can access and when they can access it.”
There’s also the risk of individual actions, including the common law tort of “intrusion upon seclusion.” In a 2023 decision, the Ontario Court of Appeal provided guidance on how that tort should be evaluated and was fairly strict about the circumstances in which there might be that kind of tortious breach of privacy, says Lambert.
“The court did make clear that it has to be essentially a deliberate breach by an individual, and so mere negligence does not qualify as intrusion upon seclusion.”
Updated training key for prevention
Given the risks, and the rise in privacy breaches, how can employers and HR do a better job at containing this unwelcome behaviour by employees?
“There are always improvements to be made,” says Kosseim, citing the need for employers to regularly review their processes and update their policies to ensure that they address snooping.
“They have to regularly train their staff, not only once when they're hired, but on an annual basis, and make sure they update their training. I mean, if they're doing the same old training based on old rules, it really doesn't advance the dial very much. So, they have to make sure their training materials are updated on a regular basis,” she says.
If challenged in court, an employer may be obligated to show its due diligence to comply with the law, so demonstrating a proactive approach will be helpful, says Lambert.
“Along the same lines as having an appropriate policy applicable to snooping or handling sensitive information, having things like training, having things like monitoring practices or spot checks will be helpful.”
Institutions should also have audit trails in place to catch erratic behaviour and detect unauthorized access, says Kosseim.
“Sometimes, it takes reminding that you don't have an indefinite right or authorization to access a patient's record... Other times, there might be a health provider who wants access to records to conduct so-called quality assurance or to conduct their own sort of study or their own assessment of their patient’s care, and they may see nothing wrong with that — but there are rules around those kinds of purposes as well that have to be respected.”
Employers should also ensure they have defined role-based access to electronic records, she says, so people understand what their role is, why they need access to electronic records and for what purposes, and that they must not go beyond those purposes. An emergency physician, for instance, will have a much broader span of access to a person’s electronic medical record than an occupational therapist, says Kosseim.
Warning flags, monitoring of privacy breaches
Another preventative measure is to give employees pop-up notices and warning flags right upfront when, for example, they are accessing a record for someone who is not in their care, says Kosseim.
“Now, it may be that they do have the authorization and then they proceed to access the record, but certainly privacy flags can help focus the mind, if you will, of employees to remind them that they're going down an errant path, unless they have proper authorization.”
Employers should also be investing in logging or auditing staff access to records to pick up errant patterns, she says.
“That is... often... how privacy breaches are reported to our offices, when institutions are twigged onto ‘Something's off here,’ and then they conduct a mini audit or review, and then they realize that this individual has not only accessed this one record without authorization, in fact, they've done it dozens and, in some cases, unfortunately, we've seen hundreds of times previous.
“So, having these audit trails to try to identify these unauthorized accesses early on, as early as possible, so they don't repeat, unfortunately, on an ongoing basis, is a really important investment to make.”
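The role-based access, care-relationship warning flags and audit-trail review described in this section can be expressed as a small log check. The following is an added example, not code from the article or from any institution it mentions; the care-team roster, role map and access log are constructed inline, and the field names and threshold are assumptions.

```python
from collections import Counter, defaultdict

# Constructed care-team roster (not from the article): patient -> users treating them.
CARE_TEAM = {
    "P100": {"dr_lee", "ot_kim"},
    "P200": {"dr_lee"},
    "P300": {"nurse_ray"},
}

# Constructed role-based access: which record sections each role may open.
ROLE_SECTIONS = {
    "emerg_physician": {"demographics", "meds", "labs", "imaging", "notes"},
    "occupational_therapist": {"demographics", "notes"},
    "nurse": {"demographics", "meds", "notes"},
}

# Constructed audit log: (user, role, patient, section opened).
ACCESS_LOG = [
    ("dr_lee", "emerg_physician", "P100", "labs"),
    ("ot_kim", "occupational_therapist", "P100", "notes"),
    ("ot_kim", "occupational_therapist", "P100", "imaging"),  # beyond OT role
    ("nurse_ray", "nurse", "P200", "meds"),                   # not on P200's team
    ("nurse_ray", "nurse", "P200", "notes"),
    ("nurse_ray", "nurse", "P100", "demographics"),
    ("dr_lee", "emerg_physician", "P300", "meds"),            # not on P300's team
]

def check_access(user, role, patient, section):
    """Flags for one access event (empty list = no concern); usable for a
    real-time warning pop-up as well as for a later audit review."""
    flags = []
    if user not in CARE_TEAM.get(patient, set()):
        flags.append("not_in_care_team")
    if section not in ROLE_SECTIONS.get(role, set()):
        flags.append("section_outside_role")
    return flags

def review_log(log):
    """Aggregate flagged events per user, so a repeated pattern stands out
    instead of each event being judged in isolation."""
    per_user = defaultdict(Counter)
    for user, role, patient, section in log:
        for flag in check_access(user, role, patient, section):
            per_user[user][flag] += 1
    return {user: dict(counts) for user, counts in per_user.items()}

def repeat_offenders(summary, threshold=2):
    """Users whose flagged events reach the (assumed) threshold: candidates for review."""
    return sorted(u for u, c in summary.items() if sum(c.values()) >= threshold)

if __name__ == "__main__":
    print(review_log(ACCESS_LOG), repeat_offenders(review_log(ACCESS_LOG)))
```

A single flagged event may well be authorized, as Kosseim notes; the per-user aggregation is what turns scattered flags into the pattern that prompts a closer review.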
Confidentiality agreements combat snooping
Confidentiality agreements are also important, in having staff annually sign an undertaking to respect confidentiality, says Kosseim.
“That really renews the commitment and the seriousness of these types of actions, and when you're reminded once a year to sign your name to an undertaking or an explicit promise to uphold confidentiality, it sure helps remind people of their obligations.”
Further to that, many federally regulated employers are working to meet their obligations under the federal Pay Equity Act, and as part of that, they must establish a Pay Equity Committee which runs various calculations to determine whether there need to be increases in wages for certain job classes, says Lambert.
“To do that, you have to access individual employees’ pay data, and so one thing that a lot of employers are doing in that context is requiring any committee member to sign a confidentiality agreement, just really as a reminder that they have an obligation to keep any private information that they come across, in the context of fulfilling their duties, private or confidential.”
Correcting errant employee behaviour
Also important? Responding appropriately to any breaches. Understanding the ‘why’ behind a privacy breach is important in assessing how to deal with these situations, says Kosseim.
“Is it an inadvertent error? Is it something that an individual just did not realize was wrong? Or is it something that requires a much more serious sanction? So, the motivation will be one of the factors to consider in determining the appropriate response to an employee snooping behaviour.”
In the vast majority of cases, it’s hoped that this errant behaviour can be corrected through appropriate guidance, reminders, teaching, course corrections and additional training, she says.
“All of these are softer measures that we want to try to deploy first, and only reserve the more serious consequences for those cases that really warrant it.”
There’s an “escalating spectrum of responses” that are possible for the most serious of cases, and “that sends a strong message of deterrence for others to stand up and take notice,” says Kosseim.
But having clear repercussions or consequences is important for when people, “despite all the protections and the safeguards,” proceed to access a record anyway, without authorization, she says.
“My office now has the ability to issue administrative monetary penalties, so we can issue fines against people or institutions in egregious cases where it's warranted; and in the really terrible cases that amount to an offense under the [Personal Health Information Protection] Act, there are much higher monetary consequences — as well as possible imprisonment.”
Last summer, Hamilton Health Sciences (HHS) in Ontario fired eight employees for their role in a privacy breach at the city’s health care system.
Disciplining employee breaches
The appropriate discipline for an employee will depend very much on the type of breach, says Lambert.
“For intrusion upon seclusion, for example, intent is a prerequisite.”
But with other breaches of privacy, intent may not be required, he says, “and something that more closely approximates a negligence standard may be enough to qualify as to call it a failure to satisfy one's obligations under the legislation. Certainly, you would have to look at individual provisions under individual legislation to establish what exactly the standard is.”
Discipline will likely be different for an employee who is intentionally accessing private information for improper purposes, says Lambert, “versus an employee who is either seeing private information because they are being insufficiently cautious with how they search for some other data that's required for their job, or [who] is otherwise being what I would call negligent or not being sufficiently careful.”
If an employee is intentionally accessing third-party information, discipline could range from a formal written warning to suspension or even termination for cause, says Lambert, “but the appropriate discipline in each case will depend on the risk created for the employer.”