A health-care worker who spilled the beans about someone’s decision to adopt a baby should undergo training on privacy, Nunavut’s Information and Privacy Commissioner has ruled.
It also recommended that Nunavut’s Department of Health issue a written apology, and remind staff in its public health department about the importance of not sharing confidential medical information with anyone outside the workplace.
Keeping adoption news private
The complainant in this case adopted a baby, but decided not to tell friends or family right away.
During a check-up for the baby at a public-health clinic, a staff member who knew the complainant came over to talk to her. The staff member congratulated her on the adoption — they had viewed the details on the daily appointment list, but this person was not involved directly in the medical appointment.
About a week later, the complainant was congratulated by a co-worker. She asked this person how they knew, as she had not told them about the baby. The co-worker said they had been told by the staff member at the clinic.
The staff member had no work-related reason to share the information, and the co-worker had no reason to know it, Nunavut’s Information and Privacy Commissioner (IPC) said in its ruling.
The complainant reached out to the staff member by text and told them what her co-worker said, adding that nobody was supposed to know about the adoption.
The staff member replied: “So sorry, I didn’t realize that you weren’t telling people yet.” She also confirmed she had not told anyone else about the baby.
The IPC noted that the complainant in this case had suffered a previous privacy breach of personal health information that was the subject of a review by the IPC.
No question there was a breach: IPC
The IPC quickly concluded there was a breach of the complainant’s privacy.
“That can hardly be disputed. The real issue in this case is what to do about it,” it said.
It noted that anyone who visits a health-care facility has to trust that staff will respect their privacy.
“The adoption of a child can be a particularly sensitive and stressful time for all concerned. There is a statutory revocation period during which consent to the adoption can be revoked,” it said. “For adoptive parents, the question of who to tell, and when to tell them, can be a very delicate matter indeed.”
But that “delicate” life decision was taken out of the complainant’s hands by a staff member at the public health clinic.
“To put it in legal terms, the staff member disclosed, without authorization, the Complainant’s personal information. This caused significant stress for the Complainant, who could not know for sure how far the news had spread,” it said.
As a result, the complainant was left scrambling and had to revise her plans about when to inform family and friends, lest the news get to them in some other way.
No malice: Health
While Health said the staff member acted without malice, that was “irrelevant,” the IPC said.
“For an adoptive parent in the midst of a life-changing event, a privacy breach is a privacy breach, regardless of the staff member’s motives and intentions.”
IPC rarely forces workplace discipline
Health said there was no workplace discipline planned for the staff member. The IPC noted that, in previous rulings, it had said its role was not to recommend workplace discipline — and it maintained that position in this case.
Workplace discipline, done properly, must be informed by an employee’s entire workplace history, the IPC said — which goes far beyond anything “I can or should” consider in a privacy complaint.
“The only exception might be a case in which an employee’s actions are so reprehensible that suspension or termination, regardless of workplace history, is the only appropriate response,” it said. “I have seen a few cases that may fit in that category, but the present case is not remotely one of them.”
It also said a focus on blame and punishment for privacy breaches may be counterproductive.
“A culture of privacy is like a workplace safety culture – everyone is safer if mistakes are quickly acknowledged and corrected. A fear of blame or discipline may drive infractions underground.”
The complainant in this case sought a sincere apology from Health.
Health countered that its staff member had already apologized. But the complainant said a single, in-the-moment text was not a real apology. There had been no other contact between the two.
The IPC agreed with the complainant. Health, as the public body responsible for Nunavut’s health-care system, had yet to offer an apology. It recommended it do so.
The commissioner also said the situation had been made worse by Health’s written response to the privacy complaint.
“To the Complainant, it appears either that Health is questioning the Complainant’s truthfulness, or that Health has been careless in its investigation. Either way, the Complainant believes Health is downplaying what happened and the serious impact it had on the Complainant’s life,” it said.
Some of what Health wrote was more a question of unclear writing, the IPC said, and it did not believe Health was questioning the complainant’s truthfulness. But it also pointed to the fact this was not her first run-in with a privacy issue with Health.
“There is a history here. It is understandable if the Complainant is somewhat suspicious of Health’s sincerity,” it said. A written apology would go a long way, the IPC concluded.
Compensation not possible under act
The complainant asked for compensation for the breach, which the IPC understood to be financial in nature.
But under the Access to Information and Protection of Privacy Act (ATIPPA), financial compensation is not available as a remedy.
“Any financial compensation would have to be an ex gratia payment from the GN, or a settlement of a legal action, or an award from a court,” it said.
Preventing future breaches
The real heart of the decision, in the IPC’s eyes, was what can be done by Health to reduce similar privacy breaches.
Staff in health settings have a lot of information at their disposal, some of it highly personal and sensitive, about people they know.
“The goal is for health staff to be so deeply immersed in a culture of privacy that they would not even consider disclosing that personal information to anyone else,” it said.
A good rule is for staff to ask themselves, “How do I know this?” If the answer is they learned it at work, then it must not be shared with anyone, the IPC said.
“They should make no assumptions about who in the patient’s circle already knows the information – not spouses, parents or other family members; not neighbours, friends or co-workers; and not other health staff,” it said.
To get to that point, it said a good privacy element will include at least the following elements:
- Management that supports and models best privacy practices.
- An emphasis on coaching, mutual support, and encouragement.
- For new hires, an orientation that includes a privacy component.
- For all staff, a written oath to uphold patient privacy.
- For all staff, mandatory privacy training, repeated at regular intervals.
- A set of written privacy policies that are easy to understand, easy to find, regularly updated, and regularly referenced.
To some extent, those measures are in place or are in the process of being put in place at Health, the IPC said.
Notification of privacy breach
The IPC noted that Health was unaware of this privacy breach until it was contacted by the commissioner.
The complainant gave evidence that the situation was brought to the attention of a senior manager. And though this person, and the staff member who committed the breach, were aware it happened, it was not reported to Health’s ATIPP co-ordinator.
“The privacy breach reporting provisions of the ATIPPA can only work if privacy breaches are, in fact, reported. The Department of Health is generally very good, perhaps the best in the GN, at reporting privacy breaches. In this case, it appears the Health staff who were aware of the privacy breach either were not aware of their reporting obligation, or chose not to report it,” it said.
The IPC made four recommendations in this case:
- A written apology from Health to the complainant
- A refresher course on privacy for the staff member who committed the breach in this case.
- A memo sent to, or a team meeting held with, public health staff about the importance of not sharing outside the workplace any personal information learned inside the workplace.
- Health remind all staff of the internal process for reporting privacy breaches.
Notably, the IPC did not recommend that all staff undergo training – just the person who committed the breach. That’s because there was no evidence this type of breach was common.
For more information, see Department of Health (Re), 2023 NUIPC 5 (CanLII)