Friday, April 10, 2020

Privacy best practices in a pandemic public health emergency

Since the early days of the COVID-19 pandemic, privacy questions have been in the headlines. International media reported stories from Asia about smartphones being used to enforce quarantine orders. In Ontario, Premier Ford suggested using telecom data to track social isolation compliance and more recently the Quebec police announced that it had arrested a woman in violation of a quarantine order by tracking her down via her cellphone.

Companies are wondering what information they can require from employees about their health, diagnosis or risk factors, and what information they can provide to public health authorities if asked. Companies also have similar questions about customer information.

What privacy laws apply?

Since Canada has a patchwork of privacy laws, the first question is always whether a privacy law applies at all and if so, which one. In Atlantic Canada, public sector employers and “federal works, undertakings and businesses” are subject to privacy regulation for employee information, but the private sector is only covered for customer information. The majority of private-sector employers in Canada (other than in British Columbia, Alberta and Quebec) fall in the gap without privacy regulation for the workplace. Even if no law applies, this does not mean that privacy should be thrown out the window.

Companies should be guided by privacy best practices described below, all of which are embodied in privacy statutes across Canada. These best practices align closely with what employees have come to expect regarding handling of their personal information. Organizations that adopt these principles generally avoid negative reaction from employees that their personal information has been misused. Transparency also encourages honest reporting, as individuals are usually more comfortable with disclosing personal information to an organization that is forthright about how they propose to use the information.

Organizations should be concerned about the relatively new common law causes of action for “intrusion upon seclusion” and “public disclosure of private facts”. Given that health information is particularly sensitive and the irrational stigma that seems to attach to COVID-19 disease, one might allege that disclosing infection risk or status to others may meet the “highly offensive to a reasonable person” threshold for the torts. Applying best practices would minimise the risk of liability.

Balancing privacy with public and occupational health

For employers, what should emerge is a careful balance between privacy principles and legitimate occupational health and safety concerns. The occupational health and safety imperative is a legal one, on both the employer and the employees, as the Occupational Health and Safety Act of Nova Scotia places obligations on both sides to ensure a safe workplace. Given the mode of transmission of the novel coronavirus, employers have a responsibility to keep employees who are at risk of spreading infection out of their workplaces. Some companies have decided to take the temperature of everyone entering the premises and excluding anyone with a fever. Others have adopted questionnaires or mandatory reporting of risk factors. Each of these scenarios involves the collection of personal information, so tread carefully.

What practices to adopt should be informed by the following privacy best practices:

(i) the collection of personal information must be justified, reasonable and non-discriminatory;

(ii) individuals should be given notice of the purposes for the collection, use and disclosure through policy or other direct communications such as signage;

(iii) personal information collected should be restricted to the minimum that is reasonable in the circumstances;

(iv) personal information should only be used for those purposes and should not be disclosed further than necessary; and

(v) the personal information should be accurate, as it will be used to make a decision of whether the employee, contractor or visitor will be permitted to work in the workplace.

What is justifiable and reasonable should be informed by the latest information from public health.

Disclosing personal information to public health authorities

Until recently, public health officials have largely been out of the spotlight, but they have been discreetly and diligently working to contain public health hazards, such as sexually transmitted infections. They are often been given special powers to do so, which includes the ability to require personal information from others. For example, in Nova Scotia, section 15 of the Health Protection Act gives the Chief Medical Officer of Health or his delegate broad powers to order information from third parties. Every privacy law in Canada permits disclosures where required by law and many also permit disclosures where it’s reasonably necessary related to the health and safety of the individual. Obviously, check your local statutes.

That said, we have to be very, very careful about attempts to get data in bulk, such as location data from telcos.

While health and safety are of course top of mind in this pandemic, privacy considerations should also be taken into account.

[Note: This post is based on an upcoming article for the Canadian Bar Association - Nova Scotia's Nova Voce magazine.]