Privacy Commissioner of Canada Provides Organizations with Framework for COVID-19

As organizations across Canada continue to look for new ways to respond to the COVID-19 global pandemic, regulators are urging them not to overlook their privacy obligations.

In particular, regulators are reminding organizations that privacy law protections are not a barrier to the appropriate collection, use and disclosure of personal information during the pandemic, provided that appropriate steps are taken. This blog provides a short overview of some recent guidance from the Office of the Privacy Commissioner of Canada (the “OPC”) for organizations to comply with their privacy law obligations in the context of COVID-19.

The OPC recently published A Framework for the Government of Canada to Assess Privacy-Impactful Initiatives in Response to COVID-19. This framework reviews the key privacy principles that the Federal Government and public health authorities should consider when proposing measures to combat COVID-19 — particularly when those measures will impact the privacy of Canadians. Although this framework is aimed at federal public bodies, it is useful for all organizations to ensure that their measures to address COVID-19 are in compliance with applicable privacy laws.

The framework supplements an earlier notice from the OPC reminding organizations that regular privacy laws apply unless emergency legislation states otherwise. In the framework, the OPC emphasizes that while privacy laws provide authority for the collection, use and disclosure of personal information during a public health crisis, organizations must continue to operate under lawful authority and act responsibly, especially when dealing with sensitive personal information (e.g., an individual’s health information, travel movements, associations or contacts).

The framework outlines the following key points for organizations to keep in mind when considering measures proposed to combat COVID-19:

What is the legal authority to collect, use and disclose personal information?

  • Is the collection, use, and disclosure in compliance with applicable laws?
  • Is the information personal information that must be protected in accordance with privacy laws (even if it is collected from public spaces or sources such as social media)?

Are the measures necessary and proportionate?

  • Is the measure science-based and defined with some specificity?
  •  Is the measure tailored in a way that is rationally connected to the specific purpose to be achieved?
  •  Is the measure necessary; that is, more than potentially useful? Is it evidence-based and likely to be effective?

Is the use of personal information appropriately limited?

  • Is information used only for the measure and appropriately protected so it is not used for other, inappropriate purposes?

 Can the personal information be de-identified and what other safeguards can be implemented?

  • Is identifiable information required in the context, or is de-identified or aggregate data sufficient?
  • Have appropriate steps been taken to mitigate the risk of re-identification?

 Have the unique impacts on vulnerable populations been considered?

  •  Will the measure disproportionally impact vulnerable populations (e.g., even if only aggregate or geolocation data is released, will this disproportionately impact vulnerable populations, subsets of populations, or groups)?

 Has the measure been openly and transparently communicated?

  • Has the public, and individuals wherever possible, been informed of the purpose of the collection of their personal information?

 Is the measure time-limited, with obligations to end when it are no longer required?

  • Are there strict time and other limits implemented (e.g. type and range of personal data collection, sharing, and use)?
  •  Will the information be securely destroyed when the crisis ends, except for narrow permitted purposes?

Canada’s federal and provincial information and privacy regulators, including the OPC, have several helpful general resources on their websites that organizations may wish to review when considering measures that may impact privacy. In addition, please see our COVID-19 Privacy Considerations For Your Organization blog post for the key privacy considerations that organizations should keep in mind during COVID-19. Our MLT Aikins team would also be pleased to assist you in navigating the unique circumstances presented by this pandemic.