As Canada's federal and provincial health authorities address the novel coronavirus (COVID-19), various questions have arisen regarding the role that organizations should play in balancing the privacy of its employees, contractors, and guests against the overall safety of the workplace and the broader general public. In particular, organizations are determining:
- if and to the extent they should adopt screening procedures to help identify whether someone attending a workplace may potentially be carrying COVID-19; and
- how to navigate Canada's complicated patchwork of privacy legislation that would apply to any personal information collected from the adoption of any such procedures.
While the COVID-19 response represents uncharted waters, the analytical framework to collect, use and disclose personal information remains the same—organizations seeking to adopt any COVID-19 screening should answer the following four questions:
1. Is the collection, use or disclosure of the personal information for a reasonable purpose?
An organization typically has an obligation to take reasonable steps to protect the health and safety of its employees, contractors and guests. In light of the current COVID-19 outbreak, it may be reasonable for an employer to adopt certain screening methods that are designed to assess the risk of any individual attending the workplace carrying COVID-19. Such methods may include: (i) taking an individual's temperature at the time they enter into the workplace; or (ii) a questionnaire asking, for example, if the individual or someone in their household has recently traveled outside of Canada, or is experiencing any COVID-19-related symptoms.
2. Is the personal information to be collected, used or disclosed limited to that necessary to meet the purpose?
The type of information an employer gathers should be strictly limited to assessing whether an individual attending the workplace may be carrying COVID-19. Care should be taken to ensure that the personal information collected would be effective in meeting the organization’s need. To this end, an organization should consult with a recognized resource (e.g., a medical consultant) to design or verify any screening method to be adopted. As it does so, it should consider whether there are less invasive means of achieving the same ends (at comparable cost and with comparable benefits).
3. Is the collection, use or disclosure of the personal information authorized by law without the need to obtain consent from or provide notice to the individuals in question?
Canadian private sector privacy legislation generally permits an organization to collect, use and disclose personal information about an individual without consent in certain situations. In Alberta, for example, an organization is not required to obtain consent where the use or disclosure of information is necessary to respond to an emergency that threatens the life, health or security of an individual or the public.
But, care needs to be exercised as these exemptions are not uniform within each statute. For example, the aforementioned "life, health or security" exemption in Alberta applies to the use and disclosure of personal information—it does not apply to the collection thereof. It is also important to note that such exemptions are not uniform among each of these "substantially similar" privacy laws in Canada. For example, the federal privacy legislation differs from Alberta in that the "life, health or security" exemption does not expressly include the public.
As a result, it will be important for each organization to:
- identify which private sector privacy law applies in the circumstances; and
- assess the applicability of any exemption therein with respect to the collection, use and (potential) disclosure of any personal information collected in connection with its COVID-19 screening activities.
To the extent that an organization cannot rely on the aforementioned exemption to collect, use or disclose an individual's personal information, it will need to provide notice and, if required, obtain consent to do so.
4. Where collection, use or disclosure without consent from or notice to the individuals in question is not authorized by law, has the organization obtained consent from or provided notice to the individuals in question?
A jointly issued Guidance from the Office of the Privacy Commissioner of Canada and the Offices of the Information and Privacy Commissioner of Alberta and British Columbia identified several principles underlying meaningful consent, including the need to provide an individual with information about:
- what personal information is being collected;
- the purpose for which personal information is collected, used or disclosed; and
- the potential risk of harm and other consequences from the collection, use or disclosure.
The commissioners stressed that it is important for organizations to consider the appropriate form of consent to use (express, deemed or implied) for any collection, use or disclosure of personal information for which consent is required. When making this determination, organizations need to take into account the sensitivity of the information and the reasonable expectations of the individual. Both of these will depend upon context.
Given the potential limitation in the exemption discussed above, we recommend that appropriate notices be present at the point of any COVID-19 screening to ensure that notice is given, and where consent is required, consent is obtained from each individual by their participation in such screening.