‘Need-to-Know’ in the Workplace: When is it Crossing the Line?
Here at the IPC, we deal with a lot of phone calls from the public about various topics. Lately there seems to be a recurring pattern that we feel needs to be addressed:
- managers/supervisors requesting too much information when an employee is away from the office due to illness (or other medical-related reasons).
Situations like this are very sensitive, and the answers that we give to these callers often vary depending on the situation.
Organizations must only collect, use and disclose personal information and personal health information in accordance with the applicable privacy law. In Saskatchewan, the applicable privacy law may be The Freedom of Information and Protection of Privacy Act (FOIP), The Health Information Protection Act (HIPA), and/or The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP).
Organizations subject to FOIP and LA FOIP must only collect personal information that relates to an existing or proposed program or activity of the government institution or local authority. In the case of employee leave, the organization must ensure that it only collects the necessary information that is related to its human resources function. Then, the organization must ensure it only uses the personal information for the purpose of the leave. For example, if an employee’s absences exceed the allowable limit for uncertified sick leave, then the organization may collect the necessary personal information in order to certify the sick leave.
Organizations subject to HIPA must collect, use or disclose only the personal health information that is reasonably necessary for the purpose for which it is being collected, used or disclosed. In the case of employee leave, the organization must ensure it restricts what personal health information it collects from the employee to what is necessary for the leave. Organizations subject to HIPA should be aware that subsection 26(3) of HIPA says that employers must have an individual’s consent to use or obtain access to the individual’s personal health information for any purpose related to the individual’s employment.
Need-to-Know and Data Minimization Rules
The need-to-know rule is that personal information and personal health information should only be available to those employees in an organization who have a legitimate need to know that information for the purpose of a program or activity of the organization.
The data minimization rule means that an organization should always collect, use and disclose the least amount of personal information or personal health information necessary for the purpose.
It is important to abide by these two rules since they underlie section 28 of FOIP, section 27 of LA FOIP, and sections 23 and 26 of HIPA.
Let’s think of some examples, to put everything into perspective:
An individual has been away from her office sick for five consecutive days, and has a history of taking sick days more often than most employees. Her employer requests that she provide a doctor’s note, as well as a diagnosis, in order to account for her absence.
Has the line been crossed? In this case, yes. If an employee is absent from the office for reasons not pertaining to their job, and is not hindered from doing their job upon their return, then to ask for a diagnosis is not within an employer’s ‘need-to-know’. A signed doctor’s note should suffice.
An individual works for a Crown corporation as a millwright and sustains a workplace injury; after a month away from work, he comes back on a return-to-work program. His employer requests a doctor’s note as well as a medical evaluation.
Is this overreaching? In this case, no. An employer must ensure that all of their employees are fit for work—both for the affected employee’s safety and for the safety of others. If the return-to-work employee is able to work, but not in the same capacity as before, it is the employer’s job to attempt to find a suitable alternative for that employee. Therefore, a medical evaluation would be within the ‘need-to-know’ parameters.
Know your rights, as well as the policies of your workplace.
At the same time, employees need to understand that their employers may ask for a doctor’s note, and in some cases a medical diagnosis or assessment, in order to ensure that an employee is fit for duty. If ever an employee feels uncomfortable or does not understand why an employer is requiring medical information other than a doctor’s note—ask.
Know your boundaries.
Each workplace is different, so a supervisor must take into account the type of work an employee is doing—sitting at a desk is far different from handling heavy machinery—and assess what the appropriate need-to-know is. Regardless of the situation, an employer should be sure to have legal authority to disclose an employee’s circumstances before doing so.