The COVID-19 pandemic has created an unprecedented challenge for federal and provincial governments and other public health organizations in Canada. To respond in a timely and effective manner, government organizations require greater access to, and an enhanced ability to use, personal information and personal health information. Both federal and provincial privacy legislation contain specific provisions that broaden the scope of collection, use, and disclosure of personal information and personal health information during a public health crisis, to ensure privacy laws do not impede the effective provision of healthcare.
Although privacy legislation does not act as a barrier to the collection, use, and disclosure of personal information during the pandemic, it is imperative that organizations continue to adhere to their privacy law obligations while responding to the COVID-19 crisis. The pandemic cannot be treated as a carte blanche to collect information at will; however, privacy laws should not be used to impede the work of public health officials.
In recent statements, Canadian Privacy Commissioners emphasize that while privacy laws are not a barrier to effective pandemic responses, compliance remains mandatory, particularly when implementing more invasive technology such as contact tracing apps.
Joint Commissioners’ Statement on Contact Tracing and Similar Apps
Canada’s privacy commissioners recently issued a joint statement on contact tracing technologies, providing guidance for the use of these apps, which “raise important privacy risks.” This joint statement builds on the previously released Framework for the Government of Canada to Assess Privacy-Impactful Initiatives in Response to COVID-19 (“OPC Framework”) from the Privacy Commissioner of Canada (“OPC”). The joint statement recommends adherence to core principles including that:
- use of apps be voluntary, which is considered essential to building public trust;
- there must always be legal authority for the processing of personal information;
- measures should be proportionate, minimal in their collection, and necessary;
- measures should be time limited, while always transparent;
- there should be clear accountability for the particular measure as well as independent oversight; and
- security measures be put in place, including educating the public about fraud and malware risks.
Canada’s joint statement on the use of contact tracing apps is consistent with international guidelines. Regulators in the European Union have been vocal about the continued importance and relevance of privacy laws in the COVID-19 response efforts and have released guidelines on a number of issues, including precautions to take when using location data and contact tracing tools. These guidelines are of interest to Canadian organizations with operations in Europe as well as developers of these tools:
“The EDPB [European Data Protection Board] generally considers that data and technology used to help fight COVID-19 should be used to empower, rather than to control, stigmatise, or repress individuals. Furthermore, while data and technology can be important tools, they have intrinsic limitations and can merely leverage the effectiveness of other public health measures. The general principles of effectiveness, necessity, and proportionality must guide any measure adopted by Member States or EU institutions that involve processing of personal data to fight COVID-19.”
More generally, the previously released OPC Framework provides guidance to organizations to ensure their collection, use, and disclosure of personal information during the COVID-19 pandemic remains consistent with the Personal Information Protection and Electronic Documents Act, Canada’s federal legislation governing private-sector organizations, and the Privacy Act, Canada’s federal legislation governing federal government departments and agencies.
Privacy regulators in British Columbia, Alberta, Saskatchewan, Ontario, Quebec, Newfoundland and Labrador, the Yukon, and the Northwest Territories have similarly published their own sets of guidelines to promote adherence to provincial and territorial privacy obligations.
The OPC Framework outlines the following key principles for organizations and government institutions to keep in mind when considering and implementing measures in response to COVID-19:
Legal Authority: the organization collecting, using, or disclosing information must cite the specific legal authority enabling it to collect, use, and disclose that information. This is true for privately collected information and information collected from an open source, such as social media.
Necessity and Proportionality: the purpose for the collection, use, and disclosure of personal information must be evidence-based, necessary for the promotion of public health, and must be defined in specific terms. The measure must be rationally connected to that defined purpose.
Purpose Limitation: the information must only be collected, used, or disclosed for the specific purpose of promoting public health in response to COVID-19.
De-Identification and Other Safeguarding Measures: where possible, specific information should be de-identified, and aggregate information used when appropriate.
Vulnerable Populations: organizations should always be cognizant of the unique impact that collection, use, and disclosure of personal information could have on vulnerable or marginalized populations.
Openness and Transparency: organizations should provide clear and detailed information to individuals whose information is being collected and used. Ensuring individuals understand the purpose of collection and the extent of use of information is fundamental to supporting the necessity, proportionality, and purpose limitation guidelines. Transparency is a cornerstone of democratic governance.
Open Data: organizations must weigh the risks associated with release of publicly available datasets, particularly where the information relates to vulnerable populations. This is imperative where location data is involved.
Oversight and Accountability: organizations must ensure institutional safeguards to protect personal information during the COVID-19 situation and should be accountable to individuals when collecting, using, and disclosing their information. For more information on safeguarding information during the COVID-19 crisis, see our previous article, Privacy and cybersecurity during COVID-19 – Tips for Canadian organizations.
Time Limitation: organizations should place specific time limits on the periods for collection, use, and disclosure of personal information. Time limits should be conservative, with the option for extension, and information should be destroyed when the time limit is reached.
The more general OPC Framework is also consistent with international guidelines.
The Office of the Australian Information Commissioner, in its guidance, stated that although “the Privacy Act will not stop critical information sharing… [i]n order to manage the pandemic while respecting privacy, agencies and private sector employers should aim to limit the collection, use and disclosure of personal information to what is necessary to prevent and manage COVID-19, and take reasonable steps to keep personal information secure.”
As fluid as the pandemic itself, requirements and best practices relating to the collection, use, and sharing of personal information to manage the response should be continually monitored and assessed by Canadian organizations to ensure data privacy risk is managed appropriately.