In light of the far-reaching actions to restrict the spread of COVID-19 (a.k.a. Coronavirus), many organizations are implementing new processes and procedures to accommodate rapidly changing restrictions to their operations. In the midst of these changes, it remains important for organizations like yours to be mindful of your privacy obligations to individuals, including employees, customers, clients and others. The following are some key considerations for you to examine in this context.
What law applies?
Privacy laws set out obligations with respect to how an organization collects, uses or discloses personal information (which includes essentially any identifiable information about an individual). Depending on the circumstances, organizations in Western Canada may be subject to one or more of the following privacy laws:
- For private-sector organizations, the Personal Information Protection and Electronic Documents Act (Canada) (PIPEDA) applies to personal information collected, used or disclosed in Saskatchewan and Manitoba, and personal information that crosses provincial and national borders. For personal information collected, used or disclosed only in British Columbia, Alberta or Quebec, the respective provincial counterparts to PIPEDA will apply.
- For public sector or certain publicly-funded organizations, there are various public sector laws that may apply depending on the jurisdiction and nature of the organization and the type of information it handles.
- For any organization, other privacy laws may be applicable. For example, international laws such as the European Union’s General Data Protection Regulation, and state laws such as the California Consumer Privacy Act, may apply to the extent that an organization interacts with individuals outside of Canada. In addition, organizations may be subject to sector-specific privacy laws, or information-specific privacy laws such as health information privacy legislation.
Please see the Federal Privacy Commissioner’s website for an overview of privacy laws in Canada.
Even if your organization is not directly subject to the foregoing privacy laws, the common law will apply to your organization’s privacy practices. Following the appropriate privacy principles on a best practices basis is one of the best ways to mitigate privacy-related risks.
What does this mean for my organization?
Many organizations will already have some form of privacy compliance program in place. However, the unique circumstances raised by COVID-19 will require organizations to consider novel situations which may not be contemplated by existing programs. For example, in the context of COVID-19, many organizations are already collecting, or are considering collecting, additional information about individuals’ health, exposure/interactions with other individuals, or travel history. All such information constitutes personal information of individuals, and could include highly sensitive health information. As such, it is important for organizations to ensure that they comply with applicable privacy laws with respect to such practices. A failure to do so can result in significant regulatory, financial, reputational and other consequences.
What are my organization’s privacy requirements in this context?
The foregoing privacy laws generally outline key principles which are widely accepted in Canada as the basis for ethical personal information practices and which have been applied as privacy best practices for organizations. Some of the key principles in the context of COVID-19 include:
- Your organization should tell individuals what personal information it collects, why it collects it, and what it does with it when collected.
- Collection, use, or disclosure of personal information should normally be done only with individuals’ knowledge and consent, unless there is an available exemption (please see #4 below).
- Your organization should only collect personal information that is necessary for its stated purpose, and collect it by fair and lawful means.
- Your organization should normally use or disclose personal information only for the purposes that it collected the information for, and keep it only as long as it is needed for those purposes, unless it has individual consent to do something else with it, or is legally required to use or disclose it for other purposes.
- Personal information of individuals needs to be accurate, complete and up-to-date.
- Individuals should be able to access their personal information and be able to challenge the accuracy and completeness of it.
- Your organization should be open about and accountable for the collection, use and disclosure of personal information, and be responsive to complaints or inquiries. Organizations will need to be particularly cautious in the context of COVID-19 to ensure that personal information in their custody or control is protected with appropriate safeguards, given the relative sensitivity of this information.
- Your organization should consider de-identifying personal information to the extent possible.
To ensure compliance with these principles, it is critical to effectively educate and train individuals who may handle personal information in the context of COVID-19 on the applicable privacy principles.
What about collecting, using or disclosing personal information in the context of managing a pandemic?
One key challenge that organizations face in the context of the COVID-19 pandemic is determining their ability to collect, use, and disclose personal information in responding to public health and occupational health and safety requirements. An organization’s rights and obligations will depend on the specific circumstances; however, the following tips provide general, high-level guidance for your organization:
- If possible, using de-identified information (information which does not identify the impacted individual) is preferable.
- If using de-identified information is not possible:
  - Unless there is an exemption available (see below), your organization should only collect, use and disclose personal information where it has the individual’s informed consent to do so.
  - Your organization may collect, use or disclose personal information without consent where there is an exemption available pursuant to applicable privacy laws. For example, your organization would generally be permitted to disclose personal information where required by law (such as pursuant to public health requirements), provided that you are in compliance with the remaining privacy principles (e.g. disclosure should include only what has to be disclosed on a need-to-know basis). It will be important to confirm the applicable exemption and related restrictions on a case-by-case basis.
The above is an overview of some key privacy considerations for organizations in the context of COVID-19; however, there are many potential issues that may arise based on the particular circumstances of your organization. Canada’s federal and provincial information and privacy regulators have a number of helpful general resources on their websites. In addition, please do not hesitate to reach out to our MLT Aikins Team if you require assistance with privacy-related questions – we would be pleased to assist you in navigating the unique circumstances presented by this pandemic.
Note: This article is of a general nature only and is not exhaustive of all possible legal rights or remedies. In addition, laws may change over time and should be interpreted only in the context of particular circumstances such that these materials are not intended to be relied upon or taken as legal advice or opinion. Readers should consult a legal professional for specific advice in any particular situation.