Can an organization fire an employee who has breached the organization’s privacy obligations by accessing personal information they have no right to see? Maybe – maybe not!

In an arbitration decision involving a health care worker in Saskatchewan, Health Sciences Association of Saskatchewan v Saskatchewan Association of Health Organizations, 2014 CanLII 5231 (SK LA), the answer was yes. A Physical Therapist at the Prairie North Health Region, an employee with an unblemished record and 25 years of service, was dismissed after it was discovered that she had accessed the personal health information of 99 persons without authorization over a ten-month period. The records did not relate to her patients, or individuals within her circle of care. She had no need to know the medical information.

She grieved her dismissal, claiming that she did not know it was wrong for her to access the records and that she did it “because of ‘medical curiosity’ and the ‘need to understand’ the medical diagnosis”. Her union argued that, while her actions were wrong, dismissal was too tough a penalty and that discipline would be more appropriate.

The Arbitration Panel rejected the claim that the Grievor did not know it was wrong to access the records. It reviewed the employer’s policies and procedures and rejected her evidence as to what she claimed to have known and why she accessed the records. Citing the pattern of repetitive behaviour and the seriousness of the breach, involving as it did highly sensitive health information, the Panel upheld the dismissal. The Grievor’s past unblemished record was not enough to mitigate the result.

However, in another case involving health information, this time in British Columbia, the decision was different. In Vancouver Coastal Health Authority v Health Sciences Association of British Columbia, 2014 CanLII 15539 (BC LA), a Clinical Support Coordinator Cardiac Systems, employed at the Vancouver Coastal Health Authority for over 20 years, was dismissed for having improperly accessed patient information. She grieved her dismissal. The facts in this case were different than in the Saskatchewan situation. This was a one-off situation where the Grievor claimed she was acting to provide information to a mutual friend.

Nevertheless, the employer argued, “The misconduct engaged in by the Grievor is among the most egregious of employment offences—especially where, as here, she is largely unsupervised and in a position of trust. The image of VCH, a public health authority, is severely damaged when employees access confidential medical information. Even greater damage is done where, as here, an employee discloses, via email, that information to outside parties. When confidence is lost in the VCH, it is to the detriment of the communities and public that it serves. The Grievor’s conduct put the integrity of the VCH and into question in a very public way.”

However, the Arbitrator, applying existing jurisprudence regarding dismissals, determined that the dismissal was excessive in the circumstances. Acknowledging that the case law provides that, “the circumstances of a privacy breach – ‘zero tolerance’ being the norm – must be ‘extremely compelling’ to support a penalty other than dismissal”, the Arbitrator looked at several other factors, including the Grievor’s remorse and other significant stresses in her life at the time, and set aside the dismissal. He substituted a three-month suspension instead.

So – while dismissal will normally be justified in the case of a privacy breach – the appropriateness of the remedy will have to be assessed on a case-by-case basis, and there can be mitigating circumstances that make dismissal inappropriate.