COVID-19 Privacy and Data Collection

corona virus

Best Practices relating to privacy and data collection in the age of COVID-19 

While some businesses are considering reopening its physical doors as Ontario heads into Stage 2 of its reopening plans, and others are implementing long-term work-from-home measures, privacy and data collection issues will undoubtedly continue to arise more frequently as a result of the COVID-19 pandemic.   

Canada is home to both federal-level and provincial-level authorities that oversee and regulate privacy-related legislation. While privacy laws continue to apply during the COVID-19 pandemic, these regulatory bodies have made it clear that these laws should not act as “a barrier” to appropriate information sharing. That being said, now is the perfect time for all organizations to implement best practices on how it intends to collect, store, and use private information – below, we have summarized and highlighted privacy-related best practices with respect to personal information, employee information, and data collection tips to pass onto your employees.

 

Best practices for organizations that collect, use, and disclose “personal information”

During the COVID-19 health crisis, all organizations must continue to comply with privacy laws and act responsibly, particularly with respect to handling personal information, and information about individuals’ health, travel, movements and contacts or association. As “personal information” is broadly defined within legislation, and generally includes all recorded information about an identifiable individual, organizations must be well aware of their statutory obligations relating to collecting personal information.

There exists privacy legislation at both the federal and provincial levels that govern the collection, use, and disclosure of personal information. Most private sector Ontario-based organizations that collect personal information must continue to operate in accordance with the Personal Information Protection and Electronic Documents Act (“PIPEDA”), which allows organizations to collect, use, or disclose information only for purposes that a reasonable person would consider to be appropriate in the circumstances. In most cases, personal information can only be collected, used, or disclosed after obtaining meaningful consent from the individual in question. Key privacy principles that organizations should keep in mind when collecting, using, or disclosing personal information include:

  1. Privacy laws apply to all personal information even when using public sources such as social media.
  2. Personal information collected, used or disclosed with respect to COVID-19 issues must not be used for other reasons. Individuals would not reasonably expect that their information collected for COVID-19 related issues could become available for commercial purposes.
  3. Any personal information collected with respect to COVID-19 issues ought to be properly destroyed following the end of the COVID-19 crisis.
  4. De-identify personal information/data whenever possible.
  5. Ensure physical (e.g. a secure safe) and/or electronic safeguards (e.g. encryption methods) are in place to protect personal information collected.
  6. Ensure there are strict time limits on measures implemented to collect personal information in response to the crisis.

 

Best practices relating to privacy of employees’ information (e.g. temperature testing results)

There is no private sector privacy legislation that is directly applicable to employee privacy in Ontario, save and except for those private sector organizations that qualify as “federal works” (e.g. banks, airlines, telecom companies). While there is provincial legislation relating to “personal health information”, generally speaking, employers who hold personal health information are not governed by these laws, unless they receive personal health information from a defined health information custodian – such as a physician. When an employer receives personal health information from a defined health information custodian, the employer may, in general, only use or disclose the information for the authorized purpose for which the information was disclosed or for the purpose of carrying out a statutory or legal duty. 

While privacy laws are not meant to prevent an employer taking reasonable precautions to ensure the health and safety of its employees, in order to avoid privacy violations at common law, any COVID-related information directly obtained from employees (e.g. temperature testing results, other health screening information) should not be collected, recorded, stored, used or disclosed for any purpose aside from determining whether the employee should be permitted to enter and/or stay within the workplace. 

What is clear is that employers have a legal obligation to provide a safe workplace for employees. While the Information and Privacy Commissioner of Ontario (the “IPC”) has not provided specific guidance with respect to obtaining and storing COVID-related employee information, some best practices to follow include:

  1. Obtaining employees’ consent before having their temperature checked.
  2. Make clear why the information collected is needed and explain how the information will be stored then destroyed by the organization.
  3. Anonymizing information collected.
  4. Limiting access to any information collected to only designated individuals who are well informed about the privacy-related obligations of the employer.
  5. Only obtaining as little information as needed to fulfill the purpose of maintaining a safe work environment. Do not ask general questions relating to an employee’s disability that is not related to COVID-19.
  6. Ensuring electronic encryption of stored information.

In addition, employers should consider human rights related issues when conducting medical tests and safeguarding employees’ information. The position of the Ontario Human Rights Commission, a provincial government agency that administers human rights legislation, is that medical tests (such as temperature testing) in determining an employee’s fitness to perform their job duties may be permissible, if employers only obtain information that is reasonably necessary to determining the employee’s fitness to perform on the job. At the same time, organizations should not seek information from medical testing that may identify a pre-existing disability and employees’ test results must not lead to automatic negative consequences such as termination.

 

Privacy/data collection tips to pass down to your employees

The COVID-19 pandemic has led to the creation of numerous remote workplaces across the province, and it is inevitable that a significant portion of the Ontario workforce will continue to be encouraged to work from home, until a vaccine for COVID-19 is found. When employees are working from home, employers must be aware of their obligations to ensure that their employees use secure and appropriate remote work procedures and that the privacy and the security of personal/confidential information (e.g. client information, trade secrets) is not put at risk.

In particular, Ontario employers and organizations should be aware of what the IPC has recommended with respect to best practices during the COVID-19 pandemic, which we have summarized below. 

  1. Ensure that USB drives containing work-related information are encrypted and password protected.
  2. Protect all mobile devices with strong passwords and lock your device when not using them.
  3. Remove information from physical offices only if absolutely necessary to carry out work tasks and duties.
  4. Keep the organization’s anti-virus software up-to-date.
  5. Make it clear that personal email inboxes are not to be used for work purposes.
  6. Encourage your employees to check that they are sending their emails to the correct recipient, particularly for emails involving personal data, prior to sending the email.
  7. Securely store electronic devices and paper records in public spaces.

Issues relating to privacy and data collection can be complicated and can lead to potential complaints and legal proceedings relating to privacy breaches or unauthorized access to personal information. We encourage you to consult a member of Brazeau Seller’s employment law team when you learn of privacy and data collection related issues within your workplace.

Our Team

David Spears
Partner
613.237.4000 x207
dspears@brazeauseller.com

Jay Kim
Lawyer
613.237.4000 x241
jkim@brazeauseller.com

Download the COVID-19 Privacy and Data Collection PDF

Note to readers:

The above-noted information does not constitute legal advice and is of general application only. The information regarding COVID-19 is rapidly evolving and the recommendations contained herein are accurate only up to the date of publishing (June 18, 2020).

Brazeau Seller Law Congratulates Trina Fraser on being recognized as one of the Top 25 lawyers in Canada by Canadian Lawyer Magazine

Location:  Ottawa, Ontario
Date:  August 6, 2019

https://www.canadianlawyermag.com/surveys-reports/top-25-most-influential-lawyers/the-top-25-most-influential-2019/277779

trina fraser top 25 lawyer award

Learn more about Trina’s award here

For more information about Brazeau Seller Law’s capabilities and the benefits of its membership in Meritas, visit www.brazeauseller.com or call 613-237-4000.

About Brazeau Seller Law
Brazeau Seller Law, a Meritas member firm, was founded in 1989 and currently operates with 22 lawyers and 33 support staff. The firm has distinguished itself among the best across a full range of service areas (business transactions & acquisitions, corporate & commercial, family business, litigation, employment law, real estate and development, tax and estate planning, wills and estate administration, cannabis law) and is locally and nationally recognized. For more information about Brazeau Seller Law, visit www.brazeauseller.com or call 613-237-4000.

About Meritas
Founded in 1990, Meritas is an international alliance of commercial law firms working across jurisdictions to provide clients the best of both worlds: a local legal partner with full-service capabilities and the cost efficiency and personal attention unmatched by mega law firms. Each member law firm is required to adhere to rigorous and specific service standards on a regular basis. Headquartered in Minneapolis, Minnesota, Meritas has member firms in 247 global markets and 7,049 lawyers. To find a Meritas law firm or for more information, visit meritas.org or call 612-339-8680.

Brazeau Seller Law Contact:
Tanya Jenkins, Managing Director
+1-613-213-4000
tjenkins@brazeauseller.com

Brazeau Seller Law Earns Recertification in Meritas, a Global Alliance of Independent Business Law Firms

Affiliation offers clients access to quality legal expertise around the globe

Ottawa, Ontario – February 12, 2019 – Brazeau Seller Law, an Ottawa-based law firm, today announced that it has been awarded recertification in Meritas, a global alliance of independent business law firms. Brazeau Seller Law joined Meritas in 1999 and, as a condition of its membership, is required to successfully complete recertification every three years.

Meritas is the only law firm alliance with an established and comprehensive means of monitoring the quality of its member firms—a process that saves clients time validating law firm credentials and experience. Meritas membership is selective and by invitation only. Firms are regularly assessed and recertified for the breadth of their practice expertise and client satisfaction. The organization’s extensive due diligence process ensures that only firms meeting the tenets of Meritas’ unique Quality Assurance Program are allowed to maintain membership. Firm performance and quality feedback are reflected in a Satisfaction Index score, which is made available online.

“We are proud of our firm’s achievements, and look forward to continuing our relationship with Meritas,” said Fred Seller, founding partner at Brazeau Seller Law. “Meritas’ Quality Assurance Program is not just valuable for our clients seeking legal expertise around the world; it also provides us with a framework to consistently monitor and enhance the quality of our services.”

The recertification process includes exacting self-assessment, peer review by other law firms and client feedback. It examines such factors as timeliness and quality of a firm’s client service, professional conduct and adherence to Meritas policies including acknowledgment of Meritas firm or client correspondence within 24 hours.

“Businesses trust the Meritas alliance of law firms for top-tier quality, convenience, consistency and value,” said Tanna Moore, president and CEO of Meritas. “Brazeau Seller Law has demonstrated its commitment to world-class client service, and therefore has successfully earned its recertification in Meritas.”

For more information about Brazeau Seller Law’s capabilities and the benefits of its membership in Meritas, visit www.brazeauseller.com or call 613-237-4000.

About Brazeau Seller Law
Brazeau Seller Law, a Meritas member firm, was founded in 1989 and currently operates with 20 lawyers and 29 support staff. The firm has distinguished itself among the best across a full range of service areas (business transactions & acquisitions, corporate & commercial, family business, litigation, employment law, real estate and development, tax and estate planning, wills and estate administration, cannabis law) and is locally and nationally recognized. For more information about Brazeau Seller Law, visit www.brazeauseller.com or call 613-237-4000.

About Meritas
Founded in 1990, Meritas is an international alliance of commercial law firms working across jurisdictions to provide clients the best of both worlds: a local legal partner with full-service capabilities and the cost efficiency and personal attention unmatched by mega law firms. Each member law firm is required to adhere to rigorous and specific service standards on a regular basis. Headquartered in Minneapolis, Minnesota, Meritas has member firms in 247 global markets and 7,049 lawyers. To find a Meritas law firm or for more information, visit meritas.org or call 612-339-8680.

Brazeau Seller Law Contact:
Tanya Jenkins, Managing Director
+1-613-213-4000
tjenkins@brazeauseller.com

Meritas Contact:
Beth LaBreche
+1-612-578-2834
beth@labreche.com