In almost every profession – whether it’s law or journalism, finance or medicine or academia or running a small business – people rely on confidential communications to do their jobs. We count on the space of trust that confidentiality provides. When someone breaches that trust, we are all worse off for it.
The common law privacy right, or the tort of intrusion upon seclusion, arrived in Canada with Jones v. Tsige. That case arose when a bank employee used her computer to snoop on the banking records of a co-worker. The decision brought the issue of privacy in the workplace into the limelight. It is interesting to see what arbitrators and adjudicators have been doing with this issue . Some general themes emerge from recent cases that may also apply to discipline in the non-union context. Let’s have a quick look.
Arbitrators take the issue seriously
Arbitrators are quick to agree that confidentiality of certain records, such as medical records, is critically important. Canada Labour Board adjudicators generally agree that confidentiality of client records (e.g., bank records) is critically important. Where the cases differ is when the adjudicator’s eye turns to the issue of mitigation: the reason “why” the snooping occurred, whether or not the employee was aware of a confidentiality policy, whether there is remorse, and whether the snooping is likely to happen again. Even where mitigation favours reinstatement, arbitrators impose lengthy unpaid suspensions. The issue is taken seriously.
Here’s what a few have said
Most arbitrators find that there should be a zero tolerance standard when looking at confidential information in the medical context:
…I again wish to stress that the ‘zero tolerance’ standard should be the norm and that only in compelling circumstances should termination not be the result of deliberate breaches of the Act, Standard or confidentiality policies. …
That quote is from Arbitrator Rayner in Bluewater Health and O.N.A. (Hardy) (Re) 2010 CLB 33129. The arbitrator said that the vulnerability of patients to the misuse of their medical records by employees with access to those records is obvious. In the Bluewater matter there were two grievors: one, a part time nurse with two years’ service, accessed the medical records of four patients she had no connection to for very short periods – a matter of seconds. The grievor characterized this as ‘accidental access’. The other grievor, a 15-year employee with a good work record, accessed the medical records of two patients – her daughter and her father. Her reason? She testified that she accessed her daughter’s records because her daughter suffered from severe cerebral palsy and she was the primary caregiver. She said that she accessed her father’s records because she wanted to explain and discuss what she discovered about his condition with him. In both cases, neither grievor had obtained consent, either express or implied, to access the patient records that they did.
What did Arbitrator Rayner do? He upheld the discharge of the first grievor, rejecting her de minimis argument focusing on the fact that she failed to report any “accidental access” required by policy. With the second grievor, he found that mitigation justified reinstatement without compensation, but with no loss of seniority.
In Timmins & District Hospital and O.N.A. (Peever) (2011), 208 L.A.C. (4th), Arbitrator Marcotte agreed with Arbitrator Rayner that “zero tolerance” is the norm. In Timmins, the grievor was a Registered Nurse, with 22 years’ service who was discharged for breach of confidentiality after accessing the clinical mental health records of a patient. Her reason? The patient whose records the grievor accessed had been married to the grievor’s son who was then embroiled in a custody dispute with the patient. Arbitrator Marcotte was unable to find any compelling circumstances to mitigate the penalty of discharge saying that, based on his conclusions that she knowingly accessed the information in violation of the employer’s ethics and confidentiality policies and applicable privacy legislation without remorse, there was no assurance that her actions would not re-occur.
And then there’s social media – where a breach of confidentiality can go viral with one click
One of the first “social media” confidentiality cases also arose out of a health care employment relationship. In CAW-Canada, Local 127 (J.C.) v. Chatham-Kent (Municipality),  O.L.A.A. No. 135 (QL), the grievor was a personal caregiver with eight years’ service and some history of discipline. She was discharged after making a number of blog entries and posting photos accessible to anyone with internet access (i.e., the world). Some of the photos she posted were of co-workers and one was of a resident patient. In her blog entries, the grievor criticized management decisions, identifying one manager by first name and another by initials. Some comments were derogatory and laced with coarse language. The grievor also complained about several residents using their first names and even revealing one resident’s diagnosis. The employer had a training manual saying that each employee was required to ensure that all information obtained during the course of duty was to be kept from social conversation and to remain confidential. The manual clearly said that discipline, including termination, would follow such disclosure. Arbitrator Williamson recognized that health care sector employees “are held to a high standard in matters of maintaining the confidentiality of personal information” and upheld the discharge.
The facts in Credit Valley Hospital v. Canadian Union of Public Employees, Local 3252 (Braithwaite Grievance) (2012), 214 L.A.C. (4th) 227 were tragic. A part-time Environmental Service Representative (non-medical position), with five years’ service was discharged when, after assisting in cleaning up a suicide scene, he took two pictures with his cell phone and later posted them on Facebook with the following captions: “Mother pleads with kid not to jump…” and “This is what I have to clean up”. The employer said these actions breached the patient, employee and even the hospital confidentiality, relying on an Employee/Volunteer Confidentiality Form that the grievor had signed when hired. This form said patients and staff members had a reasonable expectation that their personal information would be treated in complete confidence and that confidential information included verbal, written and electronic data concerning patients, staff and hospital business. The policy said that disclosure without authorization would result in disciplinary action up to and including dismissal. During the hearing, the grievor claimed to be unaware that the suicide victim was a patient. Arbitrator Levinson upheld the discharge saying that the grievor had “constructive knowledge” that the victim was a patient and that the grievor’s actions were culpable. In addition, the arbitrator noted that the grievor was neither remorseful nor did he fully accept responsibility for his misconduct. This undermined positive rehabilitative prospects. Although noting that there might have been some “spur of the moment” lack of judgment on the grievor’s part, Arbitrator Levinson found that once the photos were posted on Facebook, they had the “hallmark of premeditation”, given the passage of time between when the pictures were taken and when they were posted, and given the fact that they were posted during the grievor’s break. Arbitrator Levinson said:
…By his actions of taking the pictures and posting them on his Facebook page with comments that others viewed, Mr. Brathwaite without any justification has put his own self-interest and feelings ahead of the well-known, the well-understood and the all-encompassing fundamental obligation on employees to maintain the confidentiality of patient information. …
So, by 2012, arbitrators in Canada recognized a well-known, well-understood and all-encompassing fundamental obligation on health care employees to maintain the confidentiality of patient information.
And now, some order in the court on the issue
Earlier this year, we blogged about a wrongful dismissal decision, Steel v. Coast Capital Savings Credit Union; that blog can be read here. That decision will be of interest to non-union employers who place a high expectation on their employees to ensure privacy and confidentiality of clients. Briefly, Ms. Steel was a 20-year employee, most recently working as a Helpdesk analyst in the IT Department of the credit union. In her position, she had access to any document or file in the organization, her work was unsupervised, and no one monitored what documents she accessed or for what reason or purpose. Why? It would not be practical. Further, Ms. Steel’s job description required that she “Respect the privacy and confidentiality of all customer and staff information at all times”. In her job, Ms. Steel could access employee personal folders when she was assisting with technical problems. Her access, however, was restricted by protocol: (a) the employee whose personal folders were to be accessed had to provide consent; or, (b) the VP of corporate security had to authorize it. Nevertheless, Ms. Steel, had signed off on the employer’s Acceptable Use Policy, Code of Conduct Policy and Information Confidentiality Policy, and accessed a spreadsheet in a co-worker’s personal file that contained confidential employee information including pay grades and seniority dates. After an investigation by the employer, Ms. Steel was terminated for cause. The Court agreed that the employer had cause saying:
Ms. Steel occupied a position of great trust in an industry in which trust is of central importance. In her position [she] was given the ability to access confidential documents. The employer established clear policies and protocols known to Ms. Steel at the relevant time that were to govern access to confidential documents.
The court found that the ‘trust’ fundamental to Ms. Steel’s position was broken beyond repair.
If it’s private and confidential, why wouldn’t we insist on it?
The outcome of an arbitration or court case can never be 100% predictable because of the large role that individual facts play. What is predictable is that allegations of confidentiality breaches will continue, whether as a result of human curiosity or snooping. Nonetheless, employers are equipped with strong guidance from arbitrators as well as the courts. Decision makers are saying that in some industries, ‘zero tolerance’ is the standard and unless there are sufficient mitigating circumstances, dismissals should be upheld. Even in cases where mitigation does play a role, arbitrators are saying lengthy unpaid suspensions are appropriate.
Employers, whether unionized or non-unionized, in the health care, banking or any other sector where confidentiality is an expected condition of employment, should continue to educate employees through codes of conduct or confidentiality policies and should clearly say discipline will follow when these policies are violated. As in all cases, policies and discipline must always be consistent and equally applied. Hillary Clinton summed it up in the quote opening this article: We count on the space of trust that confidentiality provides. When someone breaches that trust, we are all worse off for it. Why wouldn’t we insist on it?