On March 20, 2020, the Office of the Privacy Commissioner of Canada issued guidance to help organizations subject to federal privacy laws understand their privacy-related obligations during the COVID-19 outbreak. The assistance comes as the outbreak raises questions about privacy issues during a pandemic.
The main message is that, during a public health crisis, privacy laws still apply − but they are not a barrier to appropriate information sharing.
Essentially, the Office of the Privacy Commissioner states that, though there may be certain privacy provisions that authorize the collection, use and disclosure of personal information in a public health crisis, it is still necessary to communicate to the persons involved the specific legislative authority that is being relied upon (exactly what provisions) when collecting, using or disclosing the personal information.
Moreover, the Office of the Privacy Commissioner states:
Public health situations are sometimes referred to as emergencies. Under both federal and provincial laws, governments are authorized to declare formal public emergencies. Where that is done, the powers to collect, use and disclose personal information may be further extended and can be very broad. To understand the impact of such legislation on privacy, one has to read its specific terms. Normal privacy laws apply unless emergency legislation provides otherwise.
If we examine the Personal Information Protection and Electronic Documents Act (PIPEDA) for a moment, notwithstanding both consent requirements that can be found in section 6.1 and Principle 3 in Schedule 1 of PIPEDA, and requirements allowing the collection, use and disclosure of personal information only for purposes that a reasonable person would consider appropriate in the circumstances as seen in subsection 5(3) of PIPEDA, there may be some specific circumstances under which organizations may collect, use, or disclose personal information without the consent of the individual.
Here are a few examples:
- Section 7(1)(a): the collection of personal information is clearly in the interests of the individual, and consent cannot be obtained in a timely way. For instance, there could be a situation where an individual is critically ill or in a dangerous situation, and needs help
- Sections 7(2)(b) or 7(3)(e): the use or disclosure of personal information is for the purpose of acting in respect of an emergency that threatens the life, health or security of an individual. For example, there could be a situation where an individual requires urgent medical attention, and they are unable to communicate directly with medical professionals
- Section 7(3)(d)(i): the disclosure of personal information is made on the initiative of the organization to a government institution, which has reasonable grounds to believe that the information relates to a contravention of the laws of Canada, a province or a foreign jurisdiction that has been, is being, or is about to be committed. For instance, there could be a situation where an organization believes an individual is in contravention of an invoked quarantine order
What does this mean for employers?
It is important to reiterate that, during a public health crisis, privacy laws still apply − but they are not a barrier to appropriate information sharing.
Employers are recommended to review the privacy laws that apply to their organizations and be aware that there may be some provisions that allow for the collection, use or disclosure of individuals’ personal information in public health crises. But as explained above, it is still necessary to communicate to the individuals involved which privacy provisions are being relied upon by organizations that are collecting, using or disclosing the personal information in these circumstances.
- Hefty GDPR fine for Meta - January 20, 2023
- 2022 report: More data breaches and costs rising - November 1, 2022
- Bill C-27: a look at proposed AI provisions - August 9, 2022
