The challenges we are facing in connection with COVID-19 continue to rapidly grow and evolve. While the primary focus is on slowing transmission and addressing public health impacts, there are numerous other issues that businesses are facing.
We have summarized below our thoughts on critical COVID-19 cyber and privacy questions our clients have been asking us. We recognize that change is happening in real-time. Accordingly, our Technology and Cybersecurity, Privacy & Data Management Group is available to assist clients on a 24/7 basis. If you need assistance, please reach out to any member of our team whenever you need to.
As privacy laws vary across Canada (both by location and by sector), the below answers have been generalized to standard principles or are limited to certain areas. For specific question as to how these might be applied to your business, please reach out to any member of our team.
When having employees work from home, what are key privacy and cyber issues that should be top of mind?
Work-from-home arrangements are increasingly being relied on to help contain the spread of COVID-19, but there are special considerations that need to be addressed where employees require the use of personal information to perform their jobs (for example employees performing payroll or other HR functions). Privacy laws require that personal information is at all times protected by appropriate security safeguards, and this requirement will continue to apply in connection with COVID-19 work-from-home arrangements. For employees working with personal information from home, it is important to ensure that:
- remote connections are secure;
- digital storage media and laptops are password protected and encrypted; and
- paper copies are physically protected and securely disposed of.
More generally, organizations should remain particularly vigilant about their cyber security practices. Unfortunately, there are already reports of cyber criminals attempting to exploit this crisis. Expect them to go after all vulnerabilities and weaknesses that develop during this period and be prepared for an increased threat level. This will be particularly challenging for businesses due to competing priorities, reduced resources caused by quarantines, increased reliance on remote working technologies and the rapidly changing environment. In addition, IT resources are likely to be stretched thin as they deal with higher demands on IT systems and support requests from remote workers.
Finally, employees are likely to be more susceptible to phishing attempts during this time due to higher anxiety levels, a flurry of non-standard notices and communications, increased use of social media and the adoption of new remote working practices. Expect to see an increase in phishing attempts as cyber criminals attempt to leverage these weaknesses, and consider reminding employees about cyber security best practices.
Staying on top of cybersecurity during this time, including an emphasis employee awareness, will pay dividends in the long term.
Can we start collecting personal information in an effort to contain the spread of COVID-19 and manage associated risks?
Some examples of collections that might be entertained include:
- requiring site visitors to disclose all travel, symptoms and known exposure to COVID-19 before being allowed on premise; and
- implementing infra-red temperature scanning of all visitors as they enter a building.
Challenging times lay ahead, and organizations have a difficult set of competing responsibilities and objectives that must be balanced. Ultimately the correct determination will depend on the surrounding context and details of the collection. As such the answer is neither simple nor static. With that said, it is possible to provide some guiding principles that may be helpful.
At the outset, it is worth noting two limits with respect to the scope of PIPEDA. First, PIPEDA only applies to personal information that an organization collects, uses or discloses in the course of commercial activities. Information collected and used to mitigate the risks of COVID-19 that is not done in the course of commercial activities may fall outside the scope of PIPEDA. We would advise seeking legal advice when determining whether or not an activity has a commercial character for the purposes of PIPEDA. Second, PIPEDA does not apply to the personal information of employees, other than for federally regulated businesses (e.g. banks, airlines and telecommunications companies). As such, if your organization is subject to PIPEDA, and is not a federally regulated business, then PIPEDA will not apply to the personal information of your employees.
Assuming that the activity does fall within the scope of the applicable privacy law, three key limiting factors will be relevant to any such collection :
- Consent. Collection of personal information can only be done with the individual’s knowledge and consent, subject to limited exceptions. PIPEDA, for example, does not have an exception that allows for collection without consent when acting in respect of a health emergency. Given this, any such collection would likely need to be done with the individual’s consent. There are also limitations in connection with obtaining consent – for example privacy laws generally prohibit making the supply of a product or service conditional on an individual supplying consent beyond that required to fulfil an explicit and legitimate purpose. For the jurisdictions and sectors where employee personal information is subject to privacy legislation, consent is not typically required to collect, use or disclose employee personal information for purposes necessary for managing the employment relationship (but points two and three below may still apply).
- Appropriate Purpose. Even with consent, organizations are limited to “collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances.” The question then becomes whether there is a legitimate purpose for collecting the information, and whether the individual’s consent can be validly obtained. The answer to this question is very context dependent and will change both based on the nature of the collection, as well as severity of the pandemic at the particular place and time. For example, the collection of information from customers of a hardware store in a city with no known COVID-19 cases must be evaluated differently from visitors to a nursing home located in a community with sky-rocketing infection rates.
- Minimization. PIPEDA requires that “[t]he collection of personal information shall be limited to that which is necessary for the purposes identified by the organization”. This creates challenges where organizations can achieve their health and safety objectives without collecting personal information.
Given the complexities in this area, we would advise seeking specific legal advice before proceeding with any such collection.
Finally, it is also worth noting that public health authorities can issue orders in the context of a public health emergency that require the collection, use and disclosure of personal information. This is relatively rare, but if this did occur private sector privacy legislation would not impede this. If your organization becomes subject to such an order, to the extent possible you should communicate the details of the order to the individual, along with the specific legislative authority that the order was made under.
If we learn that an individual has (or has symptoms of) COVID-19, is that personal information? If so are we permitted to disclose it to others?
The fact that an individual is displaying symptoms of COVID-19 (or has tested positive for COVID-19) is certainly personal information that is subject to the protections of privacy laws. With that said, curbing transmission to other individuals is also a legitimate objective and it is in the public interest to have individuals notified if they have come in contact with COVID-19. These competing objectives need to be balanced.
All notifications should include sufficient information about the exposure (e.g. date, time, location and surrounding circumstances) so that other individuals can act accordingly but, if at all possible, notifications should not include information that identifies the particular individual (either expressly, implicitly or in combination with other information). In some cases, it may not be possible to provide a useful notification without identifying the particular individual (e.g. if there were only two people in the office on the day in question). In such a case, consent of the individual should be obtained if possible. If consent is not possible, there is a limited exception that may allow disclosure of personal information without consent. For example, PIPEDA allows for disclosure without an individual’s knowledge or consent where the information is needed because of an emergency that threatens life, health or safety. Legal advice is recommended when relying on such an exception as certain privacy laws impose additional caveats and restrictions.
Further discussion on how to manage disclosures of COVID-19 cases to other employees is addressed in our March 12 blog post: School's Out - An Update on Managing the Impact of COVID-19 on Workplace
Can we contact our customers and clients and to notify them of COVID-19 related information?
As most organizations are aware, Canada’s anti-spam law (“CASL”) prohibits sending commercial electronic messages (e.g. email and SMS) unless consent is obtained and other requirements are met. With that said, CASL applies only to electronic messages that encourage participation in a commercial activity (e.g. the direct or indirect solicitation of business). It is noteworthy that CASL will also apply to a message that has a combined purpose of both soliciting business and providing COVID-19 related health notices. In order to send COVID-19 notices that are not subject to the requirements of CASL, it will be necessary to limit the content of the message and not mix commercially-driven content with health advisory information. To the extent an electronic message has the solicitation of business as one of its purposes, then the message will be subject to the requirements of CASL.