As the case numbers of COVID-19 rise across the province, employers in Manitoba are increasingly confronted with questions as to the amount of information they can share when an employee informs their employer that they have tested positive for the virus.
Employers must be mindful that a COVID-19 diagnosis is private health information, and the individual employee’s privacy must be maintained whenever possible. At the same time, employers have an obligation to take reasonable steps to provide a safe workplace for their employees. Assessing the appropriate use and disclosure of employee personal health information involves the balancing of an individual employee’s right to privacy with the employer’s obligation to protect its workplace.
As a starting point, employers need to be aware of what privacy legislation may apply to them, and how that may impact the ways in which they can use and disclose employee personal health information. In Manitoba, there are a number of privacy laws that may or may not be applicable depending on the nature of the business.
Unlike in some provinces, provincially regulated private sector employers in Manitoba are not subject to specific provincial privacy legislation concerning the collection, use, and disclosure of employee personal information. This does not mean that employers do not need to be concerned with protecting employee privacy!
The Privacy Act (Manitoba) creates a statutory tort where a person “substantially, unreasonably and without claim of right” violates the privacy of another person, which may allow an individual to bring a civil claim if they believe their privacy has been violated. In addition, an employee may have the option to file a Human Rights complaint if they feel that discrimination or harassment has occurred. In unionized work environments, grievances may be filed if an employer does not properly protect the personal health information of employees.
Employers in the public sector, or which are federally regulated, must be mindful of additional legislation which applies to their businesses. The Personal Information Protection and Electronic Documents Act (PIPEDA) applies to the private sector, federally regulated employers. Public sector employers are governed by the Freedom of Information and Protection of Privacy Act (FIPPA). The Personal Health Information Act (PHIA) applies to health care providers and others deemed to be “trustees” of personal health information.
Respect for employee privacy and privacy legislation matters. Failure to comply with applicable privacy legislation can result in hefty fines, and even those employers who are not subject to specific privacy legislation may be sued or find themselves subject to a complaint or grievance. As a result, it is important to consider what steps can (and cannot) be taken where an employee tests positive.
It is clear that employers may find themselves in a difficult situation where an employee notifies the employer that the employee has tested positive for COVID-19. The employer must balance their obligation to protect the health and safety of other employees with their obligation to protect the privacy of the individual employee. The employer’s goal should be to disclose sufficient information to make other employees aware of a possible exposure but to give as little information as possible regarding the identity of the employee who has tested positive (or about the employee’s condition/other health information).
As a first step, the employer should determine when the affected employee was on the employer’s premises and when possible transmission to other employees could have occurred. The employer is generally entitled to send a notification to employees informing them that an employee has tested positive for COVID-19. This notice can typically specify the times and general locations (building, floor, etc.) where the employee was present in order to allow other employees to assess whether they may have been exposed and monitor for symptoms.
Except in rare situations, this notice should not reveal the identity of the employee in question, and employers should be careful not to reveal information that inadvertently identifies the specific employee (such as the employee’s specific work station). If the employee voluntarily gives express permission to be identified, the employer may identify the employee. The employer must, however, be careful to ensure that the employer does not inadvertently pressure the employee to grant such permission.
The employer should also make efforts to identify specific individuals who are likely to have come into close contact with the COVID-19 positive employee and to notify those employees that they may have been in contact with an employee who tested positive for COVID-19. There may be circumstances where notifying an employee that they have been in close contact will effectively identify the COVID-19 positive employee – for example, where two employees work closely together but have limited exposure to other employees. In such cases, employers should act with caution if they do not have consent to identify the employee. Depending on the circumstances, the employer may wish to ask exposed employees to work from home (if possible) or take other measures in order to isolate and monitor for symptoms.
Employers should also be mindful of ensuring that all health information provided by employees is stored securely and can only be accessed by managers and human resources personnel who require the information. This may require storing employee health information in a secure location which is separate from normal employee personnel files.
Given the potential consequences for employers, it is imperative that employers be mindful of the above principles while managing any situation involving a COVID-19 positive employee. If the employer is subject to specific privacy legislation, the employer should also consult that legislation to ensure that they are compliant with all legislative requirements. In summary, employers must carefully secure any and all personal health information, only disclose the minimum amount of information necessary for the purpose, obtain consent prior to disclosure wherever possible, and comply with any applicable legislation.
DISCLAIMER: This article is presented for informational purposes only. The content does not constitute legal advice or solicitation and does not create a solicitor client relationship. The views expressed are solely the authors’ and should not be attributed to any other party, including Thompson Dorfman Sweatman LLP (TDS), its affiliate companies or its clients. The authors make no guarantees regarding the accuracy or adequacy of the information contained herein or linked to via this article. The authors are not able to provide free legal advice. If you are seeking advice on specific matters, please contact Keith LaBossiere, CEO & Managing Partner at email@example.com, or 204.934.2587. Please be aware that any unsolicited information sent to the author(s) cannot be considered to be solicitor-client privileged.
While care is taken to ensure the accuracy for the purposes stated, before relying upon these articles, you should seek and be guided by legal advice based on your specific circumstances. We would be pleased to provide you with our assistance on any of the issues raised in these articles.