Another bit of privacy got chipped away last month. In a place you might not normally look and wrapped in the flag of workplace safety. The implications are troubling.
Amendments to Ontario’s Occupational Health and Safety Act came into force in 15 June 2010. Without going into all the details, they essentially require organizations to establish workplace violence and harassment policies (s.32.0.1); conduct workplace violence risk assessments (s.32.0.3) and generally implement a workplace violence and harassment program (ss.32.0.2, 32.0.6).
Here’s where it gets interesting: one amendment requires the disclosure of personal information about co-workers and others with a history of violence (s.32.0.5(3)). The full provision reads:
“An employer’s duty to provide information to a worker under clause 25(2)(a) and a supervisor’s duty to advise a worker under clause 27(2)(a) include the duty to provide information, including personal information, related to a risk of workplace violence from a person with a history of violent behaviour if,
(a) the worker can be expected to encounter that person in the course of his or her work; and
(b) the risk of workplace violence is likely to expose the worker to physical injury. 2009, c. 23, s. 3.”
Section 32.05(4) further provides:
No employer or supervisor shall disclose more personal information in the circumstances described in subsection (3) than is reasonably necessary to protect the worker from physical injury. 2009, c. 23, s. 3.
All of this presupposes employers and employees know what a “history of violent behaviour” means (it’s not a defined term). It’s also far from clear as to what is or should be the threshold for an employer’s duty to advise employees of risk? This is important because it has become the trigger for the possible disclosure of personal information. And what personal information is an employer to provide?
This would also seem to impose an obligation on employers to take proactive steps to inquire about an employee’s “history”. How far are they to go? Parenthetically, one might want to ask the question as to which employers are actively amending their employee application forms this summer. Where does this information go once provided? Simply into the general HR file or is it to be kept separate?
This seems an easy rationale for criminal checks on all employees. Do employers really want to go there for non-sensitive positions? If organizations are to embrace the concept of data minimization this legislative development doesn’t help. Not all incidents may show up in such reports and, if an incident does turn up, it may have been isolated or there might have been remedial measures taken (e.g. an anger management program). What about information from “unofficial” sources? How is the employer to be assured that information obtained from “unofficial” sources meets the “complete, accurate and up-to-date” requirements contained in data protection legislation to which most are subject?
How this new OHSA requirement squares with other Ontario legislation raises another interesting question. Section 5(1) of the Ontario Human Rights Code states:
Every person has a right to equal treatment with respect to employment without discrimination because of race, ancestry, place of origin, colour, ethnic origin, citizenship, creed, sex, sexual orientation, age, record of offences, marital status, family status or disability. (Emphasis added)
Will a disclosure of personal information about a “history of violent behaviour” violate the Human Rights Code? Or will the disclosure of “violence” in one’s personal history result in employers simply using this “red flag” to avoid trouble and move on to the next applicant?
Similarly, for municipal or provincial institutions there’s the application of the Freedom of Information and Protection of Privacy Act and its municipal equivalent to consider. While the OHSA is silent on this point, Ontario’s Information and Privacy Commissioner has determined that OHS records are excluded from the application of FIPPA where the requirements of FIPPA’s section 65(6) have been established. Unless exceptions contained in section 65(7) apply, the records would not be subject to the FIPPA. Given the similarities between FIPPA and MFIPPA (albeit with different section numbering), the same logic holds.
Organizations subject to the federal Personal Information Protection and Electronic Documents Act (PIPEDA) don’t really have an issue here. PIPEDA doesn’t apply to employees unless an organization is a federal, work, undertaking or business and if it is, the organization is subject to the occupational health and safety requirements of the Canada Labour Code.
While no one wants to say that privacy trumps the prevention of workplace violence, one can’t help but feel that the requirement to disclose to employees personal information about a person with a history of violence may not be the best way to handle the issue. What does this disclosure really achieve?
It will require a very steady hand at the tiller to avoid the shoals presented in balancing workplace safety and privacy and I don’t envy the managers who will be called upon to do so.