On March 20, 2020 the Office of the Privacy Commissioner of Canada (“OPC“) issued its guidance for privacy during a pandemic. The guidance, Privacy and the COVID-19 outbreak, deals primarily with the ability of an organization to handle personal information during a health emergency. Similar guidance was issued by the Privacy Commissioners in seven other provinces and is linked to within the OPC’s guidance.
Businesses hopeful that there would be some flexibility in the interpretation of the privacy laws during the COVID-19 pandemic will be disappointed. The OPC’s guidance does not offer any information on how businesses – many of which are being forced to rapidly retool existing processes or adopt new digital ones – can think differently about privacy or indicate that the OPC may interpret privacy laws more leniently in the context of an emergency.
Notably, the OPC indicates that notwithstanding the current pandemic and resultant disruption, privacy laws continue to apply:
The COVID-19 outbreak is raising questions about privacy issues during a pandemic. During a public health crisis, privacy laws still apply, but they are not a barrier to appropriate information sharing. This document serves to provide general guidance on the applicable federal privacy laws […]
Public health situations are sometimes referred to as emergencies. Under both federal and provincial laws, governments are authorized to declare formal public emergencies. Where that is done, the powers to collect, use and disclose personal information may be further extended and can be very broad. To understand the impact of such legislation on privacy, one has to read its specific terms. Normal privacy laws apply unless emergency legislation provides otherwise.
With many provinces having now officially declared a state of emergency, such laws will generally trump privacy laws to the extent there is a conflict between the two. Businesses should not, however, assume that privacy laws are modified or suspended without consulting counsel.
In addition, in an declared emergency, organizations are likely to have a broader ability (in some cases, an obligation) to disclose certain types of personal information to a chief medical officer. Some statutes include protections for good faith disclosures of infection-related information, but not all.
In its guidance, the OPC reminds organizations that any collection, use, or disclosure of personal information must be appropriate in the circumstances and the organization must have obtained meaningful consent. However, the OPC notes that PIPEDA provides for some exceptions to consent, including:
- If the collection is clearly in the interests of the individual and consent cannot be obtained in a timely way (paragraph 7(1)(a)), such as if an individual is critically ill or in a particularly dangerous situation, and needs help.
- If the collection and use is for the purpose of making a disclosure required by law (paragraphs 7(1)(e), 7(2)(d) and 7(3)(i)). For instance, this would include where a public health authority has the legislative authority to require the disclosure.
- If the disclosure is requested by a government institution under a lawful authority to obtain the information and the disclosure is for the purpose of enforcing or administering any law of Canada or a province (subparagraphs 7(3)(c.1)(ii)-(iii)). Again, this would include instances where a public health authority has the legislative authority to require the disclosure.
- If the disclosure is made on the initiative of the organization to a government institution, which has reasonable grounds to believe that the information relates to a contravention of the laws of Canada, a province or a foreign jurisdiction that has been, is being or is about to be committed (paragraph 7(3)(d)(i)). This would include if an organization believes an individual is in contravention of an invoked quarantine order.
- If the use or disclosure is for the purpose of acting in respect of an emergency that threatens the life, health or security of an individual (paragraphs 7(2)(b) and 7(3)(e)), such as if an individual requires urgent medical attention, and they are unable to communicate directly with medical professionals.
For more information about Denton’s data expertise and how we can help your business manage privacy and information during the COVID-19 pandemic, please see our Transformative Technologies and Data Strategy page and our unique Dentons Data suite of data solutions for every business.