Best Practices relating to privacy and data collection in the age of COVID-19
While some businesses are considering reopening their physical doors as Ontario heads into Stage 2 of its reopening plans, and others are implementing long-term work-from-home measures, privacy and data collection issues will undoubtedly continue to arise more frequently as a result of the COVID-19 pandemic.
Canada is home to both federal-level and provincial-level authorities that oversee and regulate privacy-related legislation. While privacy laws continue to apply during the COVID-19 pandemic, these regulatory bodies have made it clear that these laws should not act as “a barrier” to appropriate information sharing. That being said, now is the perfect time for all organizations to implement best practices on how they intend to collect, store, and use private information. Below, we have summarized and highlighted privacy-related best practices with respect to personal information, employee information, and data collection tips to pass on to your employees.
Best practices for organizations that collect, use, and disclose “personal information”
During the COVID-19 health crisis, all organizations must continue to comply with privacy laws and act responsibly, particularly with respect to handling personal information, and information about individuals’ health, travel, movements and contacts or association. As “personal information” is broadly defined within legislation, and generally includes all recorded information about an identifiable individual, organizations must be well aware of their statutory obligations relating to collecting personal information.
Privacy legislation at both the federal and provincial levels governs the collection, use, and disclosure of personal information. Most private sector Ontario-based organizations that collect personal information must continue to operate in accordance with the Personal Information Protection and Electronic Documents Act (“PIPEDA”), which allows organizations to collect, use, or disclose information only for purposes that a reasonable person would consider to be appropriate in the circumstances. In most cases, personal information can only be collected, used, or disclosed after obtaining meaningful consent from the individual in question. Key privacy principles that organizations should keep in mind when collecting, using, or disclosing personal information include:
- Privacy laws apply to all personal information even when using public sources such as social media.
- Personal information collected, used or disclosed with respect to COVID-19 issues must not be used for other reasons. Individuals would not reasonably expect that their information collected for COVID-19 related issues could become available for commercial purposes.
- Any personal information collected with respect to COVID-19 issues ought to be properly destroyed following the end of the COVID-19 crisis.
- De-identify personal information/data whenever possible.
- Ensure physical (e.g. a secure safe) and/or electronic safeguards (e.g. encryption methods) are in place to protect personal information collected.
- Ensure there are strict time limits on measures implemented to collect personal information in response to the crisis.
Best practices relating to privacy of employees’ information (e.g. temperature testing results)
There is no private sector privacy legislation that is directly applicable to employee privacy in Ontario, save and except for those private sector organizations that qualify as “federal works” (e.g. banks, airlines, telecom companies). While there is provincial legislation relating to “personal health information”, generally speaking, employers who hold personal health information are not governed by these laws, unless they receive personal health information from a defined health information custodian – such as a physician. When an employer receives personal health information from a defined health information custodian, the employer may, in general, only use or disclose the information for the authorized purpose for which the information was disclosed or for the purpose of carrying out a statutory or legal duty.
While privacy laws are not meant to prevent an employer from taking reasonable precautions to ensure the health and safety of its employees, in order to avoid privacy violations at common law, any COVID-related information directly obtained from employees (e.g. temperature testing results, other health screening information) should not be collected, recorded, stored, used or disclosed for any purpose aside from determining whether the employee should be permitted to enter and/or stay within the workplace.
What is clear is that employers have a legal obligation to provide a safe workplace for employees. While the Information and Privacy Commissioner of Ontario (the “IPC”) has not provided specific guidance with respect to obtaining and storing COVID-related employee information, some best practices to follow include:
- Obtaining employees’ consent before having their temperature checked.
- Making clear why the information collected is needed and explaining how the information will be stored and then destroyed by the organization.
- Anonymizing information collected.
- Limiting access to any information collected to only designated individuals who are well informed about the privacy-related obligations of the employer.
- Obtaining only as much information as needed to fulfill the purpose of maintaining a safe work environment. Do not ask general questions relating to an employee’s disability that is not related to COVID-19.
- Ensuring electronic encryption of stored information.
In addition, employers should consider human rights related issues when conducting medical tests and safeguarding employees’ information. The position of the Ontario Human Rights Commission, a provincial government agency that administers human rights legislation, is that medical tests (such as temperature testing) to determine an employee’s fitness to perform their job duties may be permissible if employers only obtain information that is reasonably necessary to determine the employee’s fitness to perform on the job. At the same time, organizations should not seek information from medical testing that may identify a pre-existing disability, and employees’ test results must not lead to automatic negative consequences such as termination.
Privacy/data collection tips to pass down to your employees
The COVID-19 pandemic has led to the creation of numerous remote workplaces across the province, and it is inevitable that a significant portion of the Ontario workforce will continue to be encouraged to work from home, until a vaccine for COVID-19 is found. When employees are working from home, employers must be aware of their obligations to ensure that their employees use secure and appropriate remote work procedures and that the privacy and the security of personal/confidential information (e.g. client information, trade secrets) is not put at risk.
In particular, Ontario employers and organizations should be aware of what the IPC has recommended with respect to best practices during the COVID-19 pandemic, which we have summarized below.
- Ensure that USB drives containing work-related information are encrypted and password protected.
- Protect all mobile devices with strong passwords and lock your devices when not using them.
- Remove information from physical offices only if absolutely necessary to carry out work tasks and duties.
- Keep the organization’s anti-virus software up-to-date.
- Make it clear that personal email inboxes are not to be used for work purposes.
- Encourage your employees to check that they are sending their emails to the correct recipient, particularly for emails involving personal data, prior to sending the email.
- Securely store electronic devices and paper records in public spaces.
Issues relating to privacy and data collection can be complicated and can lead to potential complaints and legal proceedings relating to privacy breaches or unauthorized access to personal information. We encourage you to consult a member of Brazeau Seller’s employment law team when you learn of privacy and data collection related issues within your workplace.