On May 22, 2020, the Provincial Health Officer (“PHO”) of British Columbia updated an order requiring that food and drink establishments, if already collecting information from patrons to make reservations or to seat them, retain contact information for one member of every party of patrons for 30 days. The purpose of the collection is to allow the local medical health officer to conduct contact tracing if someone who visited the establishment is diagnosed with COVID-19.
The Office of the Information and Privacy Commissioner (“BC OIPC”) subsequently published a guide to help establishments subject to this order comply with this requirement in a manner that also protects patrons’ privacy under BC’s Personal Information Protection Act (“PIPA”). Organizations in other jurisdictions that lag behind BC in re-opening may wish to consider the BC OIPC’s guidance as their province re-opens.
The BC OIPC makes the following suggestions.
Explain to customers why you are collecting their contact information
At the time of collecting a patron’s contact information, clearly explain what information is being collected and why. Reference the public health/emergency order or equivalent statutory authority. Consider having a copy of the order or statute on hand in case patrons request to see it.
Only collect the minimum amount of personal information necessary
The purpose of collection is to notify individuals if they have come into contact with someone diagnosed with COVID-19. Therefore, name, phone number or email, and date of visit from one member of the party should be sufficient. Organizations should not collect additional “excess” information; for example, do not collect a patron’s physical address or other contact information such as where they work.
Do not use or disclose the collected information other than to provide it to the public health authority upon request
Do not use the collected information for other purposes, such as marketing or analytics.
Further, organizations must not provide the collected information to anyone other than the public health authority upon request or as authorized in certain circumstances under BC’s PIPA (or other applicable privacy legislation in other provinces).
If you share the collected information with the public health authority, keep a record of the transaction
If the information is requested by the public health authority, keep a record of what information is shared with them. In British Columbia, under s. 23 of PIPA, individuals have a right to ask an organization to whom it has disclosed their personal information. Other privacy legislation has similar requirements. Keeping a record of what you shared with whom will ensure your establishment can meet this requirement.
Only keep collected information for 30 days
Organizations should routinely and securely destroy collected information after 30 days. A suggested practice is to delete 31-day-old information at the same time new daily contact information is added. Any papers containing personal information should be securely shredded rather than simply placed in a garbage can or recycling bin.
Properly secure the collected information
An organization must make reasonable security arrangements to protect personal information in its custody or under its control. For example, if the collected information is in paper form, it should not be left in a publicly accessible area. Rather, it should be stored in a locked file cabinet. If the organization is storing the list on a computer, the computer should be password protected, encrypted, and on a secure network. Position computer monitors so that personal information displayed on them cannot be seen by visitors.