Sask. privacy commissioner, SHRA at odds over privacy breach

Saskatchewan’s privacy commissioner, Saskatoon Health Region Authority at odds over disclosing disciplinary action against snooping employee. Brent McGillivray / Global News

SASKATOON – Saskatchewan’s privacy commissioner and the Saskatoon Health Region Authority (SHRA) are at odds over whether disciplinary action taken against a snooping employee should be disclosed. The employee in question had viewed her own along with other individuals’ health records without a need-to-know.

According to Ronald Kruzeniski, Saskatchewan’s information and privacy commissioner (IPC), the health records clerk viewed the personal health information to satisfy curiosity and alleviate boredom.

The privacy breach came to light in early 2015 through a regular audit. The employee was found to have viewed the personal health information of six people, including her own.

READ MORE: Privacy breached by insurance dealer in Lestock, Sask.

The breach was reported by the SHRA to the IPC on May 7 and the affected individuals were notified.

Kruzeniski’s office made a number of recommendations to the SHRA’s approach to snooping:

Story continues below advertisement
  1. Suspend employees who have snooped. The length of the suspension should be dependent upon the seriousness and frequency of the snooping;
  2. Monitor employees who have snooped for a period of years instead of months;
  3. Work with eHealth Saskatchewan (eHealth) so that eHealth can audit and monitor the snooper for any electronic system eHealth is a trustee for;
  4. Terminate employees who have snooped intentionally and maliciously;
  5. Report the snooping to the professional regulatory body to whom the employee/practitioner may belong once the snooping has been investigated and substantiated;
  6. Disclose the details of the disciplinary action taken against the employee to the affected individual(s) and to all regional health authority employees and practitioners

The parties agreed on points two and three, and the SHRA asserted to the IPC that point one and four were part of its progressive discipline process. On point five, the SHRA stated that licensing bodies required the reporting of cases where an employee has been terminated.

READ MORE: Saskatchewan Cancer Agency patient privacy breach

Where the sides disagree is on point six.

The SHRA says it will not comply with disclosing the details of any disciplinary action taken as it regards that as personal information under applicable legislation but would make it public if grievances of discipline result in an arbitration ruling.

“I agree that employee discipline qualifies as personal information,” wrote Kruzeniski.

Story continues below advertisement

“However, given the seriousness of employee snooping and how it undermines patient trust, I would argue that there is a public interest disclosure of such personal information.”

Kruzeniski stated disclosing disciplinary action would help provide closure to the affected individuals and act as a deterrent to snooping by other employees.

“It could also help to restore Saskatchewan residents’ trust that the health region is protecting personal health information appropriately.”

“An employee who has snooped should have a diminished expectation of privacy. I strongly recommend that SHRA disclose the disciplinary action taken against employees who snoop,” concluded Kruzeniski.

The SHRA is expected to respond to the report Tuesday afternoon.

Sponsored content