Written By Stephen Burns and Sébastien Gittens

As organizations in Canada identify employees, contractors or guests in the workplace who are or may be carrying, or who may have been exposed to others who are or may be carrying, the novel coronavirus (COVID-19), they will need to consider how to collect, use and disclose personal information about these identified individuals in a privacy compliant manner.

While the response to COVID-19 represents uncharted waters, the analytical framework to collect, use and disclose personal information remains the same—organizations seeking to use and disclose personal information related to COVID-19 identified in the workplace should answer the following four questions:

1. Is the collection, use or disclosure of the personal information for a reasonable purpose?

Organizations are typically required to take reasonable steps to protect the health and safety of their employees, contractors and guests. In light of the current COVID-19 outbreak, it may be reasonable for an organization to take steps to identify employees, contractors or guests in the workplace who are or may be carrying, or who may have been exposed to others who are or may be carrying, COVID-19, and to then act on that information by complying with the then current recommended courses of action by the applicable public health authorities.

Organizations are well advised to review such recommended courses of action in their respective jurisdictions on a regular basis and to align their activities to same. Such recommendations may address:

1. requiring the individual to self-isolate;
2. advising the organization's COVID-19 response team of the identification of COVID-19 in the particular workplace;
3. where the identified individuals are employees, advising their supervisor(s) of their absence from the workplace due to self-isolation;
4. where the identified individuals are contractors or guests, if reasonably required, advising their contact(s) at the organization of their self-isolation;
5. advising the organization's other employees, contractors and guests that COVID-19 has been identified in the particular workplace;
6. advising those individuals who are reasonably expected to have come into contact with the identified individuals of their possible exposure and requiring them to self-isolate; and
7. advising the applicable public health authority.

2. Is the personal information to be collected, used or disclosed limited to that necessary to meet the purpose?

The personal information collected, used and disclosed by the organization about the identified individuals should be limited to the personal information needed to meet the reasonable purpose for which it was collected, such as to comply with the then current recommended courses of action by the applicable public health authorities (see above). For example, using the sample recommendations above:

1. when advising the organization's COVID-19 response team of the identification of COVID-19 in the particular workplace, as with any other health issue to be managed by the organization, the disclosure of the identity of the identified individuals is likely needed, but it is unlikely that the specific details of their current health and health care plans are needed;
2. when advising the supervisor(s) of the identified individuals of their absence from the workplace due to self-isolation, as with any other health issue to be managed by the organization, the disclosure of the identity of the identified individuals is likely needed, but again it is unlikely that the specific details of their current health and health care plans are needed;
3. when advising the identified individuals' contact(s) at the organization of their self-isolation, as with any other health issue to be managed by the organization, the disclosure of the identity of the identified individuals is likely needed, but again it is unlikely that the specific details of their current health and health care plans are needed;
4. when advising the organization's employees, contractors and guests that COVID-19 has been identified in the particular workplace, neither the identity of the identified individuals nor their current health or health care plans should be disclosed;
5. when advising those individuals who are reasonably expected to have come into contact with the identified individuals of their possible exposure to COVID-19 and requiring them to self-isolate, the disclosure of the identity of the identified individuals may (or may not) be needed, but again it is unlikely that the details of their current health and health care plans are needed; and
6. when advising the applicable public health authority, the disclosure of the identity of the identified individuals and their respective contact information as well as the details of the possible exposure to COVID-19 is likely needed, and, unless specifically requested by the public health authority, it is unlikely that the details of their current health and health care plans are needed.

As with every collection, use or disclosure of personal information, the organization should always consider whether there are less invasive means of achieving the same ends (at comparable cost and with comparable benefits).

3. Is the collection, use or disclosure of the personal information authorized by law without the need to obtain consent from or provide notice to the individuals in question?

Canadian private sector, privacy legislation generally permits an organization to collect, use and disclose personal information about an individual without consent in certain situations. In Alberta, for example, an organization is not required to obtain consent where the use or disclosure of information is necessary to respond to an emergency that threatens the life, health or security of an individual or the public.

But care needs to be exercised, these exemptions are not uniform within each statute. For example, the aforementioned "life, health or security" exemption in Alberta applies to the use and disclosure of personal information—it does not apply to the collection thereof. It is also important to note that such exemptions are not uniform among each of these "substantially similar" privacy laws in Canada. For example, the federal privacy legislation differs from Alberta in that the "life, health or security" exemption does not expressly include the public.

As a result, it will be important for each organization to:

1. identify which private sector privacy law applies in the circumstances; and
2. assess the applicability of any exemption therein with respect to the collection, use and (potential) disclosure of any personal information collected in connection with its identification of COVID-19 in the workplace.

To the extent that an organization cannot rely on the aforementioned exemption to collect, use or disclose an individual's personal information, it will need to provide notice, and if required, obtain consent to do so.

4. Where collection, use or disclosure without consent from or notice to the individuals in question is not authorized by law, has the organization obtained consent from or provided notice to the individuals in question?

A jointly issued guidance from the Office of the Privacy Commissioner of Canada and the Offices of the Information and Privacy Commissioner of Alberta and British Columbia identified several principles underlying meaningful consent, including the need to provide an individual with information about:

1. what personal information is being collected;
2. the purpose for which personal information is collected, used or disclosed; and
3. the potential risk of harm and other consequences from the collection, use or disclosure.

The commissioners stressed that it is important for organizations to consider the appropriate form of consent to use (express, deemed or implied) for any collection, use or disclosure of personal information for which consent is required. When making this determination, organizations need to take into account the sensitivity of the information and the reasonable expectations of the individual. Both of these will depend upon context.

Given the potential limitation in the exemption discussed above, an organization is well advised to provide appropriate notice its employees, contractors and guests that the organization has adopted a COVID-19 response policy, and that such policy sets out how it will manage the collection, use and disclosure of personal information when COVID-19 is identified in the workplace.

The impact of COVID-19 could be very significant to organizations. If you have any questions regarding the information in this article, please contact a member of the Bennett Jones Privacy and Data Protection team. In addition, please visit our COVID-19 Resource Centre for other COVID-19-related materials.