Information collected for disability management program in B.C.
A British Columbia employer breached its collective agreement and a worker’s privacy when it shared information collected under a disability management program in its opposition to the worker’s appeal of a rejected claim, an arbitrator has ruled.
The worker was a social worker employed with the Vancouver Island Health Authority (VIHA) at the Campbell River Hospital in BC.
VIHA developed an Enhanced Disability Management Program (EDMP) that it incorporated into its collective agreement with the co-operation of the union. THE EDMP addressed all phases of the disability management process and replaced prior provisions related to early intervention, long-term disability (LTD), and return-to-work processes, and stated that the goal was a “more seamless” and “employee-centred” process for employees returning to work or requiring LTD support as well as reducing the cost of sick leaves, LTD leaves, and workers compensation leaves.
The EDMP included a privacy policy that stipulated that personal information was collected for specific purposes to effectively deliver the EDMP “and other purposes permitted or required by law.” Individuals who collected personal information under the EDMP were required to identify and explain it to the person for which the information was being collected.
Employees had to sign authorization forms consenting to the collection and disclosure of personal information for the purposes of the EMDP.
Employee personal information is a sensitive area for employers, according to an expert.
Required enrolment after five absences
All bargaining unit employees who were absent for work because of a work-related injury or illness, or absent for five consecutive shifts or more because of any injury or illness, were required to enroll in the EDMP so VIHA could manage their medical absence.
The worker went on a medical leave in September 2018. After she missed five shifts, VIHA reached out to her and asked her to contact a disability management consultant. She enrolled in the EDMP in February 2019, advising that her work environment precipitated mental health issues for which she would need counselling. The worker signed an authorization form on Feb. 7.
The worker also made a WorkSafeBC claim related to her illness, but WorkSafeBC denied the claim. The worker filed an appeal.
On Feb. 3, a disability management consultant who was managing the worker’s case forwarded a copy of her EDMP chart notes to Morneau Shepell, a third-party company that VIHA contracted to represent it in the worker’s appeal of her WorkSafeBC claim.
The union learned of the disclosure of the worker’s information to Morneau Shepell and inquired as to what policy superseded the EMDP privacy policy. VIHA replied that employers were part of the WorkSafeBC claims appeal process and the worker’s appeal was related to an EDMP matter.
Data from employee assistance programs can provide useful information regarding what employees are using, but sensitive data must be protected, according to an expert.
Union disagreed with use of information
The union disagreed and filed a grievance regarding VIHA’s submission of the worker’s EDMP information to Morneau Shepell for the purposes of challenging the worker’s appeal.
The union argued that the worker signed the authorization form for the purposes of return-to-work and support services and the form was specific for the collection and use of personal information for the operation of the EDMP. VIHA’s opposition to the worker’s WorkSafeBC appeal was not part of “helping processing disability benefits,” said the union.
VIHA countered that the EDMP privacy policy required consent to disclose personal information “except as permitted or required by law.” BC’s Freedom of Information and Protection of Privacy Act (FIPPA) allowed the use and disclosure of personal information without consent in certain circumstances such as this, it argued.
VIHA also argued that the authorization form contemplated the collection of information “to help process any disability benefits,” which included WorkSafeBC benefits and any judicial decisions relating to the entitlement of such benefits.
The arbitrator found that there was no dispute that the worker’s information was collected for the purposes of the EDMP and it was personal information as defined by FIPPA.
Staff training on privacy and data security can help employers reduce the risk of privacy breaches, says an expert.
Intentions of parties
The arbitrator also found that the intentions of VIHA and the union, as expressed in the purposes and privacy policy of the EDMA, was to collect, use, and disclose employee personal information for the purposes and operation of the EDMP only. While WorkSafeBC could be a third party involved in providing a return-to-work plan or accommodations, the EDMC had no role in administering a workers compensation claim.
The arbitrator also found that the use of personal information for “an adversarial process” such as an appeal of a claim rejection did not fall within the EDMC’s purpose of helping with processing disability benefits or providing an employee-centred disability management process.
In addition, the parties expressed an intention to reduce the cost of sick leaves, LTD leaves, and workers compensation leaves. This was related to the idea of supportive disability management, not an adversarial process, said the arbitrator, adding that the authorization form did not refer to the use or disclosure of the information for WorkSafeBC appeals.
The arbitrator determined that VIHA’s use and disclosure of the worker’s information in relation to the WorkSafeBC appeal was not for the original purpose of its collection and the worker had no reasonable basis to expect her information to be used in that way. As a result, VIHA breached the collective agreement and FIPPA, said the arbitrator.
VIHA was ordered to pay the worker $3,000 in damages for the breach of her privacy and the distress it caused her “at a vulnerable time” when she was on medical leave. See Vancouver Island Health Authority and HSABC (Curts), Re, 2022 CarswellBC 3755.
