Hands, medical or writing with doctor and patient in hospital for appointment
Insight

Is It a Breach of Privacy if an Employer Collects Its Employee’s Refusal to Take a Drug Test?

In some cases, yes. In Order P26-05 BC’s Office of the Information and Privacy Commissioner (the “OIPC”) found that Altrad Service Ltd. violated the Personal Information and Privacy Act (“PIPA”) by documenting an employee's refusal to submit to drug testing.

The unique decision offers practical guidance for employers on the reasonableness standard governing employee personal information.

Background

The complainant was a painter who worked for Altrad, a subcontractor on an LNG Canada project in Kitimat, BC. The general contractor was JGC Fluor LNG JV.  Upon return to the site from an assignment with other Altrad employees, the general contractor requested a sniffer dog search. The dogs detected something on the vehicle and security alerted Altrad.

Altrad issued a drug and alcohol testing demand to the complainant. Altrad’s drug and alcohol testing policy stated that employees would be drug tested only where they were unfit for duty due to drug or alcohol impairment; however, Altrad’s documents indicated impairment was not current at the time.

When the complainant refused testing, Altrad documented the refusal and terminated his employment.

The Decision

The OIPC accepted that drug-testing information can qualify as "employee personal information" collectable without consent under PIPA where it serves legitimate employment management or health and safety purposes. Altrad’s management of its relationship with the general contractor was also part of managing Altrad’s employment relationship, so the imposition of site rules on Altrad was part of managing the employment relationship.  However, such collection and use must still be “reasonable”. The OIPC determined that Altrad’s collection and use of the complainant’s drug testing information was not for several reasons, including:

  • Altrad’s existing drug policy stated employees would be tested when they were unfit for duty, but Altrad’s own evidence was that the complainant was not impaired.
  • There was no evidence that the drug-sniffing dogs were effective in protecting the health and safety of employees, as the complainant was not a danger to himself or others on the site.
  • Altrad had not considered any less intrusive measures to achieve their goals, like talking to employees face-to-face to determine if they were impaired.
  • Altrad did not have a detailed policy or procedure for workplace searches.

Accordingly, the OIPC declared that Altrad was not authorized under PIPA to collect or use the complainant’s refusal to submit to drug testing.  Importantly, however, the OIPC specifically declined to make an order regarding the collection or use of the complainant’s personal information.  Had the OIPC made such an order, the complainant may have been able to seek damages in the Supreme Court based on the decision. As a result of the OIPC’s refusal, the complainant probably does not have a damages remedy flowing from the OIPC’s decision and is left to find another cause of action to recover any damages related to the breach. 

On a related issue, the OIPC also held that because Altrad had a privacy policy, albeit notably deficient in some respects, it had complied with its statutory duty to develop and follow policies and practices to meet PIPA requirements.

Key Implications

While most BC employers may not require drug testing, this decision provides guidance for any employer. First, when developing and implementing workplace policies, employers should consider factors like the sensitivity, amount, necessity, and effectiveness of the personal information they collect about employees. Every collection and use must be reasonable. Reasonableness is also assessed against the employer's own stated policies — inconsistency between policy and practice will be fatal.

Further, having a privacy policy, even an imperfect one, probably satisfies PIPA's compliance obligation; the greater risk lies in the reasonableness of specific collection and use practices. Altrad may have benefited from having a detailed policy regarding workplace searches.

Finally, employers should audit and update privacy and workplace search policies proactively: the OIPC declined to impose remedial orders here precisely because the conduct was historical, suggesting that ongoing non-compliance carries greater regulatory risk and increases the prospect of an order entitling a complainant to pursue a damage claim.  When addressing a compliance issue, adaptation and compliance updates to the policies might help employers avoid onerous terms or orders if a privacy complaint is later brought. 

Subscribe to our newsletter