Mar 25, 2020
March 2020 AccessPrivacy Call
March’s Monthly Call focused on privacy-related issues in a pandemic, providing an overview of various guidelines and statements on COVID-19 recently released by Canadian and international data protection authorities. The call also includes a discussion of the impacts of the pandemic on health, technology, and labour and employment law and features conversations with:
PRESENTER: Good morning, ladies and gentlemen. Welcome to AccessPrivacy monthly conference call. I would now like to turn the meeting over to Mr. Adam Kardash and Ms. Patricia Kosseim. Please go ahead.
ADAM KARDASH: Hello everyone, my AccessPrivacy colleague, Pat Kosseim and I want to welcome you to our March monthly privacy call. For colleagues who are not able to join us today note that all of our AccessPrivacy calls are incorporated under the Resources tab of our online platform for subscribers to listen to any time at their convenience.
While we don't have an opportunity to answer questions during these calls, subscribers can find more information on today's topics and many others in this month's monthly scan, also available under the Resources tab of our new subscription platform. The scan is intended to provide subscribers with a convenient one page snapshot to a consolidated list of hyperlinks to recent decisions, guidance, documents, and other notable developments that have occurred in the privacy arena, together with easily accessible links all in one place to help keep you in the know and hopefully safely available time.
This month's call is being dedicated to the privacy issues arising from this unprecedented and extraordinary COVID-19 pandemic. Given the pervasive nature of this crisis that has rocked literally every aspect of our lives, Pat and I have invited several of our Osler colleagues from different practice groups to speak to related issues that cut across the areas of law, including health, technology, and employment. To get us started, let me hand it over to Pat to give us an overview of the various guidelines and statements on COVID-19 recently issued by Canadian and international data protection authorities.
PATRICIA KOSSEIM: Thank you, Adam. And welcome everyone. Since the outbreak, data protection authorities around the world have acted very quickly to release privacy related guidance for government institutions and organizations having to share personal information literally with lightning speed in order to contain this public health emergency and help save lives. If there was one difficult lesson painfully learned from SARS it was the need for greater intergovernmental coordination and information sharing.
And mindful of this data protection authorities around the world are the first to say that while privacy laws still clearly apply, they do not nor should they impede the emergency flow of information needed between relevant system actors to help track, contain, and hopefully end this pandemic.
There's an increasing number of Canadian and international data protection commissioners around the world who've now released guidance and/or official statements. And you'll find this growing list in our AccessPrivacy topic hub on COVID-19 under the private sector hub of our subscription platform.
In sum, a few overall comments or observations can be made. First, most, if not all, Canadian data protection statutes contain exemptions that allow the use and disclosure of personal information without consent to public health authorities where permitted, or required by law, or pursuant to an intergovernmental sharing agreement, or in the public interest for compassionate purposes, or in emergency situations that threaten the life, health, or security of an individual. And each of these exemptions may be subject to different conditions that may vary depending on the jurisdiction and the statute in question.
Second, and other than consent other data protection principles under privacy statutes generally continue to apply, including the general overarching agreement that organizations can only collect, use, or disclose personal information that a reasonable person would consider appropriate in the circumstances.
Now of course what is reasonable in this context of an urgent pandemic situation may be constantly fluctuating on the basis of daily governmental advisories and public health directives. And what is reasonable may also be granted much higher social license for individual questioning, body testing, monitoring, tracking, or surveillance measures that we're seeing increasing to deal with this crisis on an urgent and temporary basis, which would otherwise never be tolerated under normal circumstances.
Organizations still have to limit the type, breadth, and volume of personal information to that which is necessary. For example, public health authorities now looking to use cell phone data to track the movement of people to assess the effectiveness of social distancing measures in curbing the spread of the virus should limit themselves to aggregate or de-identified data wherever possible.
Organizations still have to comply with the accountability principle by documenting the disclosures of personal information, including the rationale for the disclosures wherever and however possible made in connection with this pandemic, and citing their statutory authority to do so. And they have to be open and transparent with patients, employees, and customers about their policies and practices relating to the management of information in this emergency context.
A third observation generally is that even guidance from data protection authorities may evolve in this fast changing environment. For example, some of the first regulatory authorities out of the gate with guidance may already be rethinking whether their expectations are still realistic or whether their original stance may have to be softened in light of how much more serious the pandemic has become and the significant increase in the numbers of deaths.
And a final interesting observation is how DPAs themselves having had to close offices and deal with significantly reduced capacity have intimated a willingness to be flexible with their observation of notification requirements, or timelines, where they're permitted to do so, or where prescription periods have been statutorily suspended pursuant to emergency legislation. And generally they're showing themselves more understanding in terms of the challenges organizations are facing in meeting their normal information security standards, particularly I'd say in the health sector where they're struggling to care for patients affected by this deadly disease or virus and otherwise meet essential services. It's quite unprecedented indeed.
So with us today to speak about the particular challenges facing health care professionals and health providers is Michael Watts, who's Chair of Osler's Health Industry Group and Co-chair of our Cannabis Group. So thank you for joining us today, Michael, and welcome.
MICHAEL WATTS: Thank you for the opportunity of allowing you to participate. I'm looking forward to it.
PATRICIA KOSSEIM: Michael, in the health context we often speak of the need to balance patient safety and staff safety with the need to protect privacy. And in an emergency context, let alone the global pandemic we're currently living through, that balance tends to shift towards enabling greater information sharing across the health system and a loosening of the rules around privacy protection. Given your pulse on the situation, what would you say is the general risk calculus of your health provider clients today?
MICHAEL WATTS: I think initially beginning of January that everyone in Canada, including our politicians and health care providers overestimated our ability, their ability to contain and manage COVID-19. Today amongst all stakeholders particularly since the declarations of emergencies in a number of our provinces, I believe there's a clear understanding that there is a need to flatten the curve. And any step that's required to flatten the curve to protect Canadians, their staff, and patients overrides the need to provide the traditional protection afforded to PHI and personal information.
And I think that there's a very aggressive view that they will take steps necessary to protect Canadians, their patients, and their staff that goes beyond what may be permissible. And I think it's just a reflection of the environment that we're in and the dire warnings that we have about the lack of personal protection equipment. So I would say that there's definitely been a shift towards protecting Canadians that overwrites in this current circumstance traditional compliance with the legislation.
PATRICIA KOSSEIM: And Michael, you would have worked with many health sector clients at the time of SARS. And what are some of the hard lessons if any, that you'd say health providers have learned from the SARS crisis that's being applied today.
MICHAEL WATTS: In post SARS, particularly in Ontario, there was significant litigation and a SARS commission that reviewed very carefully how we had managed SARS across our health care institutions. And from that very considered analysis and litigation, there are a couple of hard lessons.
One, as you know people, employees, dedicated health care professionals unfortunately died of SARS that they were exposed to while they were working on behalf of Canadians to serve our patients in dire circumstances. And the important lessons that are, obviously are infection control measures in our health care institutions reflect many of the lessons learned from that.
But also most importantly, I think in today's environment is that the employers understand that their paramount duty during this pandemic is to protect their staff and the patients from the spread of the virus. And in today's environment where it's obvious that there's a shortage of personal protective equipment, it's a very complex issue. And layered on top of that, we now have emergency orders and declarations.
So in all of that the important lesson, I believe that we've learned through SARS is that we need to engage our internal stakeholders in the measures that we're going to take, that the institution is going to take, that collectively they're going to take to protect the workers as they try to help all of us, and in particular the patients that enter their premises during the pandemic.
And today with the shortage of the personal protective equipment the need to engage and encourage our staff to participate in those measures is critical. Because one of the important seminal comments from the SARS commission was that you can't coerce staff to come to work, expose themselves to the virus, and therefore expose their families. So it's very important that this lesson learned be embraced by all health care institutions.
PATRICIA KOSSEIM: And so given this urgent need to respond to the current crisis while still having of course, to deal with other health emergencies and maintain a basic level of patient care remotely wherever possible, how are health provider clients coping with the situation and what are some of the novel types of data queries that you're getting to help them get through these challenging times?
MICHAEL WATTS: The-- I'll use an example, where earlier this week one of our clients, we have numerous digital health providers at Osler, and one of them who has a national presence but it's primarily focused in Ontario, asked the question as to whether or not their physicians could provide virtual care across Canada, and was there a relaxation of prior, the existing legislative regulatory framework across Canada in order to enable that.
And we're undertaking that review now but it doesn't appear that the colleges, as you know health care is regulated provincially, and each of the health care providers physicians, nurses are regulated provincially. And we're currently undertaking an update to see whether or not the regulatory provisions that regulate these professionals that would, for example, allow a physician in Toronto to provide virtual care throughout Canada, would be relaxed.
And we're undertaking the review but the principle is that physician needs to be licensed in, the jurisdiction in which she is licensed has to provide care to patients in that jurisdiction. So that's a limitation and under the Health Insurance Act in the Canada, I should say the Canada Health Act, that the Health Insurance Act in Ontario, for example, physicians can't provide virtual care and be insured for those services if the contact is initiated by the patient, other than small exemptions for telehealth.
So there are legislative and regulatory limitations to the use of the leverage of virtual care and contrary to the States where they relax those rules, we've yet to do so in Canada. But we're going to be confirming that in the next couple of days.
PATRICIA KOSSEIM: Fascinating. Very, very helpful. Very valuable insight. Thank you, Michael.
MICHAEL WATTS: Thank you.
PATRICIA KOSSEIM: Turning now to employment considerations more generally across all sectors, we've invited Allan Wells, Partner in Osler's Employment and Labor Law Group to join our call. So thank you, Allan, and welcome to this month's call.
ALLAN WELLS: Yeah, thank you. Great to be here.
PATRICIA KOSSEIM: So before we get into specific employee privacy issues, Allan, what legal obligations does an employer have generally to keep the workplace safe?
ALLAN WELLS: So in all our [INAUDIBLE] employers, are subject to occupational health and safety legislation. And that requires them to take every precaution reasonable in circumstances to protect their workers. Now so there are regulations into the statutes that place specific requirements on employers with respect to various activities in the workplace. But when something unexpected and unprecedented arises, such as the COVID-19 pandemic, there are no regulations that employers can turn to that will provide all the answers.
So employers must determine what is reasonable to protect our workers in this situation based on available information at the time, which would include guidance from public health authorities. And it's also important for those who stay up to date with what these authorities are saying on a daily basis and also be mindful of what precautions other employers in your industry are taking.
So in the context of COVID-19, one, there are never common questions that we're hearing. And I thought that might be interesting to share with our listeners. So [INAUDIBLE] we are frequently hearing employers ask whether I can ask employees to disclose symptoms, or to disclose if they may have been exposed to someone with symptoms. And in response to that the short answer is yes, in the current pandemic environment it would be reasonable to ask employees to self-disclose any information that is relevant to the health and safety in the workplace.
The key principal law of privacy law continue to apply, which is that employers should be requesting own personal information from employees that is reasonable in the circumstances. So for example, it is relevant to know that an employee has symptoms but not other medical information about the employee, or that the employee may have been in contact with someone else but not necessarily the identity of that other person unless the person was that, they are also an employee in [INAUDIBLE]
Another question is that if an employee advises they have tested positive, or have been in contact with someone who has tested positive, do I have to tell other employees in the workplace? And we would say first in response to this that essentially as I said a public health issue and therefore we recommend seeking advice in public or local public health authorities when this arises.
But in addition to getting advice from local health authorities, consistent with the principle of taking all reasonable precautions to protect workers, employers should be providing a potentially exposed employees with sufficient information so that they can protect themselves from the risk.
So the question would be what details do other employees need to protect themselves? And in most situations, it's probably unnecessary to say the employee's name, that is to say the employee who tested positive. It will be sufficient in most cases to say that an employee who worked, for example, on the same floor, or in the same area, tested positive. And therefore other employees in the area should comply with directions that have been issued by the local health authorities with respect to self-isolation, and of course to seek medical advice if they start to show symptoms of the COVID-19 virus.
Now in some situations, it may be necessary to disclose the name of the person who tested positive to protect other employees. And that is the situation with the idea that the duty to protect the safety of other employees in the workplace would outweigh that positive, the employees tested positive of their individual privacy rights.
Another question is if we have an employee in the workplace who we find out has tested positive, do we have to report that to local health authorities? And the responses except for certain employers and those to be health care providers, like hospitals, long-term care home, others who are in that industry, and school, most employers do not have a statutory obligation to report employers who test positive.
However, if an employee does test positive, in my view, they would be practically obligated to report to the authorities, because pursuant to my previous comment, you want to make sure you're getting the right advice. It's exactly what you should be doing in the workplace to protect others. So that if you want to know what the public health authorities are going to tell you, so that you're not missing any steps.
In addition, the Ontario Workplace Safety and Insurance Act has said that COVID-19 is seen as an occupational illness. And there is a requirement to report all occupational illnesses. So this would include now COVID-19 to the Ministry of Labor, in writing within four days of being advised of it. Employers should also report any positive tested employees to their joint health and safety committee, and to work with the health and safety rep whichever is appropriate.
And quickly the last question I'm hearing frequently is can we as an employer test to screen our employees? And so from a privacy perspective an employee's temperature would be their personal information, therefore collecting their temperature would be collecting the personal information, which should be only done if it's reasonable and with the employee's consent. So given the current pandemic, our view is that temperature screening is reasonable in a workplace where employees are expected to work together, even accounting for the two meter social distancing rule.
If employers are, if employers are testing, then we do recommend that they screen in accordance with following guidelines. First the employee should be given notice of the test in advance so that when they arrive at the workplace geographically explaining it with their consent. We recommend that any test be conducted using the least intrusive method, so non-contact, infrared thermometers, for example, would be better than thermometers that would have to actually be inserted into a part of the body.
We recommend that qualified individuals be available to administer the tests to ensure that the tests are being done in a safe manner and there's no cross contamination for an employee to employ or that indeed the tester that him or herself is trained to take all of these precautions for their own safety. Also a qualified tester would know which temperatures are relevant to disqualify an employee from the workplace.
The records of employees who test within the normal range would normally not be retained by the employer, and even temperatures that are above the level that is deemed safe for the employer to be enter into the workplace, would likely not be set by the employer. Although the person who's doing the test, the medical professional, they have their own requirements under their profession to keep the test results.
And also just finally the individuals who are tested at a higher level must of course be advised to seek medical advice due to the symptoms. So those that are some of the questions that we're hearing most often that relate specifically to employee privacy in the workplace.
ADAM KARDASH: Allan, thank you so much for joining us and providing us with those insights. And I know that the firm's employment and labor group has posted on our firm's main website a whole bunch of information about these and other employment considerations that have arisen during the pandemic.
We're going to turn now to the information security that the COVID-19 pandemic is beginning to raise a range of information security concerns arising from various factors, including a drastic shift to remote working arrangements for a massive number of employees that were urgently implemented by organizations which in turn is spawning among other things endpoint security challenges.
There's challenges being raised by stretched information security resources. There's practical challenges for information security personnel who now themselves are working remotely. And these factors and more have generated growing concerns that nefarious actors are taking advantage, or will soon be taking advantage of vulnerabilities within organizational information security controls. There's already been a spike in COVID-19 email and SMS phishing scams, among other COVID focused types of incidents.
These risks will only be exacerbated with extreme financial pressure being felt by organizations. And certainly will intensify dramatically with insolvencies. Now to comply with obligations under Canadian privacy statutes, and contractual, and other legal confidentiality obligations, it will clearly remain critical for organizations to consider the physical, technical, and administrative controls necessary to appropriately protect their data assets from loss, theft, unauthorized, disclosure, and other compromise.
These controls relate to vendor and partner arrangements and include considering and addressing information security concerns relating to personal information and other data processed by a service provider arrangements. To explore these particular issues further, I've asked Wendy Gross, Chair of our firm's Technology Practice to join us to talk about how security and data issues generally are manifesting themselves in contracts, and other discussions, and client calls. Wendy, thank you for joining us.
WENDY GROSS: Thank you for inviting me to speak today.
ADAM KARDASH: Well, one of the technical issues that everyone's having is conference call connectivity. But thank you for joining us on this. So to begin, what are the types or themes of privacy and data related questions and issues that are arising in the course of the service provider arrangements you're working on?
WENDY GROSS: So it's been an interesting evolution, with the inquiries that we've been receiving on both sides of the service provider arrangements, both from customers and from service providers. The initial focus was on just performance of services, and exposure, and potential liability related to inability to provide the contracted services. And a whole spate of inquiries regarding force majeure provisions, and whether or not clients on one side or the other could rely on force majeure provisions to avoid liability.
As that first wave has now abated somewhat, people are, our clients are starting to focus on some of the other issues that arise. And in particular our service provider arrangements tend to include a fairly robust information security controls and requirements the client, the customers will be imposing on the service providers, and service providers will commit to.
And with this massive shift over the last couple of weeks to work from home while everybody was initially focusing on just the operational logistics and challenges of implementing that, clients are now starting to focus on whether or not they're able to comply with the security controls that are in their contract in this new environment.
And even with service providers, sophisticated service providers, who have developed quite robust pandemic workarounds and contingency plans in the wake of SARS, this has been an unprecedented circumstance in terms of the entire workforce being forced to work from home. And so even those contingency plans may not quite allow service providers to maintain the controls that are in the contract.
So we are starting to receive inquiries about non-compliance with the contract. And again whether force majeure provisions can be relied upon to avoid complying with some of the information security controls in the agreement.
ADAM KARDASH: So Wendy, you and I have discussed on client matters, the concept of reasonableness is embedded within privacy statutes, but even during the crisis data protection authorities around the world have emphasized that organizations remain obligated under privacy statutes to implement reasonable and appropriate security safeguards.
And a standard that, for the reasons you just mentioned, is likely fluid but notably organizations will still for instance be obligated during the crisis to this to comply with security breach notification requirements under PIPEDA, PIPA Alberta, and foreign data protection regimes. So it's going to, we'll be watching all of this intently.
But further to your client discussions, how are companies currently addressing the challenges you've cited?
WENDY GROSS: So as I mentioned, this is really, clients are really at the early stages of starting to focus on this. But I think it is really important as you mentioned that and the threats and the information security risk is heightened right now. And in most service provider arrangements there is enhanced liability, separate and apart from the regulatory exposure, there's enhanced liability for service providers under most customer agreements, if there is an information security incident.
And so clients are just starting to focus on this now and the risks that they're confronting by perhaps not complying and the liability exposure that is resulting from that. And so we are encouraging our clients not to try to rely on force majeure clauses, but on both sides that this requires a proactive approach.
So both customers and service providers, we think need to start a dialogue sooner rather than later to the extent that the current circumstances are posing challenges from a compliance standpoint, both with information security controls and perhaps security incident management, to work together to come up with appropriate workarounds that will still protect information security. But take into account some of the challenges in the new environment.
ADAM KARDASH: Yeah, presumably that would be part of the new reasonable in the circumstances. What are the three key recommendations that you would have for companies to mitigate regulatory and other legal risks and liability in connection with their contractual safeguarding requirements?
WENDY GROSS: So I think the most important thing right now is for clients to be proactive. And I would say this is for both customers, who are in most cases responsible as the controller of the information, and for service providers, who have assumed large responsibilities and potential liabilities for their processing of that data.
On both sides, clients should be proactive. They should be triaging their most important and their highest risk agreements first and foremost. And talking to their, looking at those agreements and what they've committed to, talking to their infosec teams to determine whether there's any respects in which they're having or anticipate having compliance challenges due to the new working environment.
And to the extent that there are issues, I think it's really important to reach out to the counterparty and the contractor on the other side with a proposal for an appropriate workaround, and to work together to document what both parties agree is an appropriate set of revised security controls and processes under the current environment.
ADAM KARDASH: Wendy, thank you so much for joining us today and providing us with those reflections and insights. That brings us to the end of our monthly call. As Pat mentioned, we have resources specifically developed on our website, a topic hub for privacy issues arising in the wake of the COVID-19 pandemic. And we're continuing to update that topic hub, and other resources regularly.
We'll also be continuing to focus on emerging COVID related data issues on our next monthly call in April. And in the meantime, and most importantly, both Pat and I, and everyone on this call hope that all of you and your family and friends remain safe and healthy. Speak to you all soon. Bye-bye.
PRESENTER: Thank you. The conference has now ended. Please disconnect your lines at this time. And we thank you for your participation.