Adam Kardash, Patricia Kosseim, John Salloum, Komil Joshi, Claire Feltrin, David Seevaratnam
Mar 19, 2020
Last updated: April 1, 2020
Responding to the COVID-19 pandemic requires organizations across all sectors to collect, use and disclose personal information, including sensitive personal health information.
Given the sheer volume, breadth and sensitivity of the data processing that may be involved in the COVID-19 pandemic response, it is critically important for Canadian organizations across all sectors to consider key requirements under applicable privacy laws, and to otherwise address the privacy and security risks involving their treatment of the personal information in their custody and control.
As a general principle, as long as certain conditions are met, Canadian privacy laws will not impede the necessary efficiency and breadth of personal information flows needed between relevant stakeholders, and across different sectors, to address this massive health emergency.
Over these past few weeks, our team has been receiving numerous (and an increasing volume) of inquiries regarding the privacy and security obligations that apply in the COVID-19 context. To help guide organizations during these uncertain times, we have set out below key privacy law principles that apply during this time of crisis.
Personal Information Processing In the Public Health Emergency Context
- Under Canadian private sector, health sector and public sector privacy statutes (“Canadian privacy statutes”), organizations may disclose personal information with consent of the individual, or under an exception to consent set out under the applicable statute. Generally, Canadian privacy statutes provide exceptions to consent for the disclosure of personal information in emergency situations involving threats to life, health or security of an individual or the public at large. (There are a number of other exceptions to consent in Canadian privacy statutes that may also be applicable in the context of the COVID-19 pandemic.)
- The exceptions to consent for emergency situations vary somewhat across Canadian privacy statutes, and may contain certain conditions. Generally, these exceptions to consent provide that notice of the disclosure must be provided to the individual before disclosure (if practicable) or without delay after the fact.
- Where an organization has legal authority to collect, use or disclose personal information (e.g. via consent or an exception to consent), Canadian privacy statutes require (and privacy regulators expect) organizations to:
- collect, use and disclose personal information only as reasonable or appropriate in the circumstances. In the pandemic context, the determination of what is reasonable and appropriate will be informed by various factors, including guidance from public health authorities, advice from health care professionals, and fact-specific considerations such as the type, breadth and volume of personal information required to be collected, used or disclosed in the circumstances;
- limit (e.g. the type, breadth and volume) of personal information to that which is necessary to achieve the purpose of the collection, use or disclosure (known as the “data minimization principle”). For example, to the extent practicable, personal information should be de-identified, especially location data;
- comply with the accountability principle, by documenting the disclosures of personal information (including the rationale for the disclosures) made in connection with the pandemic, and ensuring that written policies and procedures appropriately address the types of collection, use, disclosure and storage of personal information in the COVID-19 context; and
- be open and transparent about their policies and practices relating to the management of personal information, including the specific legislative authority they are relying on to collect, use and disclose personal information in the context of a public health crisis (see OPC Guidance, Privacy and the COVID-19 Outbreak).
In an Employment Context
- In the employment context, Canadian private sector privacy statutes (where applicable) do not require consent to collect, use or disclose personal information that is necessary to manage the employer - employee relationship as long as the employee has been notified that their personal information will or may be collected, used or disclosed for those purposes.
- Where necessary to fulfill their health and safety obligations in the context of a pandemic, employers may be justified in asking employees to disclose whether they have tested positive for the COVID-19 virus, or been exposed to certain risk factors such as recent travel or proximity with others who have tested positive for the COVID-19 virus.
- As such, what is necessary in the circumstances may depend on an employer’s health and safety obligations to all of their employees, or as required by public health authorities. If employers do collect, use or disclose employee personal information in an emergency, they should communicate to employees the specific legislative authority that authorizes them to do so (see Alberta OIPC’s guidance, Privacy in a Pandemic).
- Some EU regulators (for example, Belgium and Hungary) caution against the disproportionate requirement for general and compulsory checks using diagnostic devices (e.g. thermometers) on all employees, unless the employer, upon consideration of all of the circumstances and on the basis of a considered risk assessment, finds it absolutely necessary for certain jobs particularly affected by exposure to the disease. This guidance provides that in these cases, an employer may call for these diagnostic tests to be carried out only by qualified healthcare providers and medical professionals and employers can only be informed of the results.
- Generally speaking, to comply with Canadian privacy statutes, employers should not disclose the reasons for an employee’s leave or remote working arrangements, except to those employees who require that information to carry out their employment duties or to maintain a safe workplace. The overall objective is to provide potentially exposed employees with sufficient information to protect themselves from the risk. In carrying out such notifications, employers should make reasonable efforts not to disclose information that might (alone or together with publicly available information) identify the specific individual(s) who may have caused the COVID-19 transmission risk. Depending on the circumstances, it may not always be possible to provide notice of a COVID-19 transmission risk without expressly or implicitly identifying the individual at the source of the risk.
- For more information on privacy and other legal considerations in the employment context, see the Osler.com resource Managing the Coronavirus (COVID-19) for employers.
Information Security Concerns
- Organizations are required under Canadian privacy statutes to implement reasonable and appropriate safeguards to protect personal information in their custody and control. The COVID-19 pandemic is raising a range of information security concerns, mainly relating to remote working arrangements that have been implemented by organizations (in some cases, overnight).
- To comply with obligations under Canadian privacy statutes, and contractual and other legal confidentiality obligations, it remains critical for organizations to consider the physical, technical and administrative controls necessary to appropriately protect their data assets from loss, theft, unauthorized disclosure and other compromise. Where and as necessary, organizations should seek the assistance of external information security experts to assist in this regard. Key information security considerations include the following:
- ensure that Virtual Private Networks (“VPNs”) are appropriately secured, including with multi factor authentication so that remote access to data remains at least as secure as it would in the traditional workplace;
- given the increase in the use of portable devices, consider ensuring that personal information that may be stored on such devices is both encrypted at-rest and in-transit, and that access to the device requires authentication (e.g. using password protection, Face ID, Touch ID or similar technologies);
- consider augmenting employee training with regard to information security, and in particular, sensitize employees to new COVID-19 threats such as phishing and SMS-based scams;
- to the extent that remote workers use their own systems to access the organization’s resources, help such workers install and keep anti-virus/malware technologies up-to-date;
- consider the impact of remote work arrangements on your organization’s data incident response, disaster recovery and business continuity processes. This will include carefully reviewing existing written policies and protocols, and considering the sufficiency of existing arrangements with third party service providers.
Further Information and Resources
- Privacy-related issues in a Pandemic: Our March 2020 Monthly Call focused specifically on the unique privacy and security issues arising from COVID-19. Listen here
- Key Resources: The Osler Privacy & Data Management team is preparing a collection of further guidance and key resources necessary to manage privacy concerns related to managing COVID-19, which will be accessible in a soon-to-be-released Topic Hub through the AccessPrivacy Knowledge Portal.
- For further information and helpful resources, please see Osler’s dedicated webpage on Coronavirus: Navigating legal implications and business impacts.