As organizations in Canada identify employees, contractors or guests in the workplace who are or may be carrying, or who may have been exposed to others who are or may be carrying, the novel coronavirus (COVID-19), they will need to consider how to collect, use and disclose personal information about these identified individuals in a privacy-compliant manner.
While the response to COVID-19 represents uncharted waters, the analytical framework to collect, use and disclose personal information remains the same—organizations seeking to use and disclose personal information related to COVID-19 identified in the workplace should answer the following four questions:
Organizations are typically required to take reasonable steps to protect the health and safety of their employees, contractors and guests. In light of the current COVID-19 outbreak, it may be reasonable for an organization to take steps to identify employees, contractors or guests in the workplace who are or may be carrying, or who may have been exposed to others who are or may be carrying, COVID-19, and to then act on that information by complying with the then current recommended courses of action by the applicable public health authorities.
Organizations are well advised to review such recommended courses of action in their respective jurisdictions on a regular basis and to align their activities to same. Such recommendations may address:
The personal information collected, used and disclosed by the organization about the identified individuals should be limited to the personal information needed to meet the reasonable purpose for which it was collected, such as to comply with the then current recommended courses of action by the applicable public health authorities (see above). For example, using the sample recommendations above:
As with every collection, use or disclosure of personal information, the organization should always consider whether there are less invasive means of achieving the same ends (at comparable cost and with comparable benefits).
Canadian private-sector privacy legislation generally permits an organization to collect, use and disclose personal information about an individual without consent in certain situations. In Alberta, for example, an organization is not required to obtain consent where the use or disclosure of information is necessary to respond to an emergency that threatens the life, health or security of an individual or the public.
But care needs to be exercised, as these exemptions are not uniform within each statute. For example, the aforementioned "life, health or security" exemption in Alberta applies to the use and disclosure of personal information—it does not apply to the collection thereof. It is also important to note that such exemptions are not uniform among each of these "substantially similar" privacy laws in Canada. For example, the federal privacy legislation differs from Alberta in that the "life, health or security" exemption does not expressly include the public.
As a result, it will be important for each organization to:
To the extent that an organization cannot rely on the aforementioned exemption to collect, use or disclose an individual's personal information, it will need to provide notice, and if required, obtain consent to do so.
A jointly issued guidance from the Office of the Privacy Commissioner of Canada and the Offices of the Information and Privacy Commissioner of Alberta and British Columbia identified several principles underlying meaningful consent, including the need to provide an individual with information about:
The commissioners stressed that it is important for organizations to consider the appropriate form of consent to use (express, deemed or implied) for any collection, use or disclosure of personal information for which consent is required. When making this determination, organizations need to take into account the sensitivity of the information and the reasonable expectations of the individual. Both of these will depend upon context.
Given the potential limitation in the exemption discussed above, an organization is well advised to provide appropriate notice to its employees, contractors and guests that the organization has adopted a COVID-19 response policy, and that such policy sets out how it will manage the collection, use and disclosure of personal information when COVID-19 is identified in the workplace.
The impact of COVID-19 could be very significant to organizations. If you have any questions regarding the information in this article, please contact a member of the Bennett Jones Privacy and Data Protection team. In addition, please visit our COVID-19 Resource Centre for other COVID-19-related materials.