A Nunavut government employee failed to prove privacy violations when independent medical examination reports were shared among HR and departmental officials, but the territory’s privacy commissioner found fault with how the sensitive documents were stored and handled.
The case involved an employee from the Department of Education who was on extended leave and required to undergo two independent medical examinations as part of developing a return-to-work plan. The Department of Human Resources managed the process in consultation with Education, which is standard practice for complex cases.
The employee signed a consent agreement but added a handwritten condition stating the release was “conditionally upon mutual agreement of who, specifically, will have access to the non-medical information, the storage of the non-medical information, and the length of time the non-medical information will be stored.”
Despite this written condition, no further discussion took place between HR, Education and the employee about the terms of such an agreement.
Reports shared with four officials
The IME reports were ultimately shared with four government officials: an HR employee relations manager, an HR employee relations director, and two Education assistant deputy ministers. The employee alleged this constituted unauthorized disclosure of personal information.
However, Commissioner Graham Steele found the sharing was legally justified under Nunavut’s Access to Information and Protection of Privacy Act.
Regarding the HR director’s access, Steele noted that “GN public bodies are, by their nature, organized hierarchically” and that privacy provisions “should not be used in a way that prevents GN managers from exercising hierarchical supervision and support to their employees.”
For the first Education assistant deputy minister, the commissioner found the sharing appropriate because HR works with an employee’s home department on such cases. While the employee’s direct supervisor would normally be involved, Education had “good reasons for not including the Complainant’s direct supervisor in the discussion.”
The second Education ADM received the reports because they were covering for the first ADM during annual leave. Though this official never actually needed to review the documents, Steele found there was “always a possibility” they might need to step in with decisions on the file.
Misleading statements during videoconference
During a videoconference with the employee, the HR manager stated that only two people within government had seen the IME reports. This was untrue, as four officials had received them by that point.
Steele found this statement “unfortunate and perhaps not necessary” but stopped short of calling it a privacy breach, noting that “the ER division does not owe the Complainant an explanation of its internal functioning.”
Conditional consent rejected
The employee argued that sharing the reports violated the handwritten condition they added to the consent agreement. However, Steele found no evidence that HR or Education had accepted this condition.
“The condition written by the Complainant does not have substantive content. It is a proposal. No agreement was ever reached – in fact no discussion was ever held – on the items specified by the Complainant,” the commissioner wrote.
He also noted that the reports could be shared within government even without consent, as long as the sharing fit within allowable circumstances under the privacy act.
Medical versus non-medical information
The commissioner took issue with HR’s position that IME reports contain only non-medical information. HR stressed in its consent forms that employees were consenting only to release of “non-medical information.”
“I have trouble accepting HR’s position. Even though the IME reports are written by medical doctors and based on medical examinations, HR says they are, somehow, not medical reports,” Steele wrote.
He noted that one report included a doctor’s treatment recommendation, calling it “a medical opinion” regardless of “how much semantic dancing one does.”
Storage practices found inadequate
While finding no unauthorized disclosure, the commissioner concluded that Education and HR failed to make “reasonable security arrangements” to safeguard the employee’s personal information.
The reports were distributed by email and remained in various officials’ email inboxes and sent folders. Steele found that “the use of an email program for digital storage of IME reports is not a ‘reasonable security arrangement'” under the privacy act.
He recommended that officials should have placed PDF copies in secure shared network folders, referred colleagues to those folders, and deleted the emails. “If a sensitive document must be emailed, it could at least have been password-protected or encrypted,” he wrote.
WhatsApp usage criticized
The two Education assistant deputy ministers also exchanged brief messages about the case via WhatsApp, which the commissioner found problematic though not a privacy breach.
Steele repeated a previous recommendation that Education stop using WhatsApp for senior management communications, noting the platform “is outside the control of Education or the GN. It may be insecure. It should not be used to discuss human-resources issues.”
Culture and recommendations
The commissioner emphasized that “the best safeguard against unauthorized disclosure of personal information is a strong privacy culture” and noted that while there was no unauthorized disclosure in this case, “at almost every point, however, the reports could have been handled more carefully than they were.”
His recommendations included revising email storage practices to ensure IME reports are deleted from email programs after transfer to secure network folders, reviewing document-handling protocols to favour secure folder sharing over email distribution, and implementing password protection or encryption when reports must be emailed.
For more information, see Departments of Education and Human Resources (Re), 2025 NUIPC 8 (CanLII).
