Staff Training about Privacy Rules is Essential in Preventing Snooping

By Esther Shainblum

Aug 2021 Charity & NFP Law Update
Published on August 26, 2021


Employee snooping poses a serious privacy risk to all organizations, including charities and not-for-profits. Institutional training about privacy is essential for organizations that deal with sensitive personal information, as demonstrated by the findings of the Information and Privacy Commissioner of Ontario (“IPC”) in PHIPA Decision 147, released on June 18, 2021. Employees and managers should recognize which behaviour is and is not acceptable, so as to prevent snooping.

This case originated with a patient who made a complaint after she attended the emergency department of a hospital following a motor vehicle accident, where she was treated for her injuries and then released. A physician who was not involved in providing health care to the patient during her stay in the hospital called her at her home a few days later. According to the patient’s report, the physician stated that he was conducting a courtesy follow-up call to see how she was doing. Over the course of the call, he arranged for a physiotherapy clinic to contact the patient and book an appointment. When the patient went to the clinic, she was met by a personal injury lawyer, who asked her whether she was interested in a lawsuit and spent 30 minutes discussing the lawsuit process and compensation with her. After this meeting, the patient contacted the hospital because of concerns about the appropriateness of the physician’s access to and use of her personal information.

During its investigation into the patient’s complaint, the hospital discovered that the physician and a hospital clerk had, over two years, accessed hundreds of charts of patients to whom the physician was not providing care. The hospital also discovered that the physician’s wife was the personal injury lawyer the patient had met. The clerk was dismissed and subsequently pled guilty to offences under the Personal Health Information Protection Act (“PHIPA”); the physician was not dismissed, as he maintained that his actions were justified by virtue of his undertaking “quality audits.” He also maintained that his wife’s presence at the clinic was a coincidence and that he did not disclose any of the patient’s personal information to her. The hospital referred the matter to the Attorney General, and the investigation was taken up by the IPC.

The IPC had serious concerns about the physician’s “quality audits” and potential disclosures of personal health information to his wife both in this instance and on prior occasions. However, due to a lack of cooperation from witnesses, the IPC was unable to determine whether the physician disclosed personal health information to his wife in contravention of PHIPA. Instead, the IPC found that the hospital’s policies and training of physicians regarding quality audits were not sufficient to comply with its safeguarding obligations under PHIPA. The applicable policies, practices, and procedures regarding quality audits were lacking in clarity and detail, and privacy training was not provided to physicians. As a result, the IPC found that the hospital did not take reasonable steps to protect the personal health information of its patients as required by subsection 12(1) of PHIPA. Nevertheless, it was satisfied with the steps that the hospital had taken since then to update its policies and provide annual privacy training for all staff and physicians.

While many charities and not-for-profits are not governed by PHIPA, this case serves as a reminder that any organization holding personal information must educate and train its staff about their privacy obligations. There can be strong incentives to “snoop” and serious reputational and financial consequences for organizations that do not prevent snooping. Charities and not-for-profits holding personal information must establish clear training requirements for employees, ensure that access is restricted on a “need to know” basis, monitor compliance, and ensure that employees are aware that there will be consequences for inappropriate access to personal information.
