Privacy and the COVID-19 outbreak
The COVID-19 outbreak is raising questions about privacy issues during a pandemic. During a public health crisis, privacy laws still apply, but they are not a barrier to appropriate information sharing. This document serves to provide general guidance on the applicable federal privacy laws.
In Canada, the management of public health crises is a matter involving close coordination between all levels of government. There is therefore a variety of public and private sector privacy legislation at the federal, provincial and territorial levels that govern the collection, use and disclosure of personal information. There are provincial and territorial privacy authorities that oversee compliance with the privacy legislation in their respective jurisdictions, and some have published their own statements relevant to the matter of COVID-19:
- Office of the Information and Privacy Commissioner of British Columbia
- Office of the Information and Privacy Commissioner of Alberta
- Office of the Information and Privacy Commissioner of Saskatchewan
- Office of the Information and Privacy Commissioner of Ontario
- Commission d'accès à l'information du Québec
- Office of the Information and Privacy Commissioner of Newfoundland and Labrador
- Yukon Information and Privacy Commissioner
- Office of the Information and Privacy Commissioner of the Northwest Territories
While privacy laws include several provisions that authorize the collection, use and disclosure of personal information in the context of a public health crisis, if you rely on them, you should be able to communicate to the persons involved the specific legislative authority under which this is done.
Public health situations are sometimes referred to as emergencies. Under both federal and provincial laws, governments are authorized to declare formal public emergencies. Where that is done, the powers to collect, use and disclose personal information may be further extended and can be very broad. To understand the impact of such legislation on privacy, one has to read its specific terms. Normal privacy laws apply unless emergency legislation provides otherwise.
The application of Canada’s federal privacy legislation
The Office of the Privacy Commissioner of Canada is responsible for overseeing compliance with both the Personal Information Protection and Electronic Documents Act (PIPEDA), and the Privacy Act. These Acts govern the collection, use, and disclosure of personal information.
PIPEDA applies to private-sector organizations that collect, use or disclose personal information in the course of a commercial activity and to information about employees of federal works, undertakings or businesses. A number of provinces have enacted their own private-sector privacy laws and personal health information laws deemed substantially similar to PIPEDA, which apply within the respective province. However, PIPEDA continues to apply to the collection, use or disclosure of personal information in connection with the operations of a federal work, undertaking or business, such as airlines and telecommunications providers, in the respective province and the collection, use or disclosure of personal information that occurs outside of the province.
The Privacy Act covers the personal information-handling practices of federal government departments and agencies.
PIPEDA and the Privacy Act each contain provisions that allow for personal information to be used or disclosed for specific reasons that may be relevant in the time of a public health situation. The following is an overview of relevant provisions from each Act.
Personal Information Protection and Electronic Documents Act
PIPEDA allows organizations to collect, use or disclose information only for purposes that a reasonable person would consider appropriate in the circumstances (subsection 5(3)). Organizations are required to obtain the knowledge and meaningful consent of the individual for the collection, use, or disclosure of their personal information (Principle 3). Consent is only valid if it is reasonable to expect that the individual understands the nature, purpose and consequences of the collection, use or disclosure of the personal information to which they are consenting (section 6.1).
This said, there are some circumstances under which organizations may collect, use, or disclose personal information without the consent of the individual, including:
- If the collection is clearly in the interests of the individual and consent cannot be obtained in a timely way (paragraph 7(1)(a)), such as if an individual is critically ill or in a particularly dangerous situation, and needs help.
- If the collection and use is for the purpose of making a disclosure required by law (paragraphs 7(1)(e), 7(2)(d) and 7(3)(i)). For instance, this would include where a public health authority has the legislative authority to require the disclosure.
- If the disclosure is requested by a government institution under a lawful authority to obtain the information and the disclosure is for the purpose of enforcing or administering any law of Canada or a province (subparagraphs 7(3)(c.1)(ii)-(iii)). Again, this would include instances where a public health authority has the legislative authority to require the disclosure.
- If the disclosure is made on the initiative of the organization to a government institution, which has reasonable grounds to believe that the information relates to a contravention of the laws of Canada, a province or a foreign jurisdiction that has been, is being or is about to be committed (paragraph 7(3)(d)(i)). This would include if an organization believes an individual is in contravention of an invoked quarantine order.
- If the use or disclosure is for the purpose of acting in respect of an emergency that threatens the life, health or security of an individual (paragraphs 7(2)(b) and 7(3)(e)), such as if an individual requires urgent medical attention, and they are unable to communicate directly with medical professionals.
Under the Privacy Act, government institutions can only collect personal information that relates directly to an operating program or activity of the institution (section 4). Where possible, government institutions must collect personal information that is to be used for an administrative purpose directly from the individual to whom the personal information pertains, except where the individual authorizes otherwise or where personal information may be disclosed to the institution under subsection 8(2) (subsection 5(1)). The individual must also be informed of the purpose for which the information is being collected from them (subsection 5(2)). Personal information may be collected indirectly and without notice to the individual if direct collection and notice would result in the collection of inaccurate information or defeat the purpose or prejudice the use for which information is collected (subsection 5(3)).
Unless the individual has provided consent, government institutions must only use an individual’s personal information for the purpose for which it was collected or a use consistent with that purpose, or for specific purposes for which the information may be disclosed to the institution under subsection 8(2) (section 7).
Purposes for which personal information may be disclosed by a government institution without consent include:
- For the purpose for which the information was obtained or compiled, or for a use consistent with that purpose (paragraph 8(2)(a)), including if employers wish to use their employee’s phone number to provide updates about a pandemic.
- Where authorized by any other Act of Parliament or any regulation made thereunder that authorizes its disclosure (paragraph 8(2)(b)), such as where a public health authority has the legislative authority to require the disclosure.
- Under an information sharing agreement between federal government institutions and the government of a province, some First Nations councils, the government of a foreign state, and international government organizations, for the purpose of enforcing any law or carrying out a lawful investigation (paragraph 8(2)(f)). For example, the Government of Canada is represented in a multi-lateral information sharing agreement as part of the Pan-Canadian Public Health Network.
- Where, in the opinion of the head of the institution, the public interest in disclosure clearly outweighs any invasion of privacy that could result from the disclosure; or where the disclosure would clearly benefit the individual to whom the information relates (paragraph 8(2)(m)). An example of this would be if the Deputy Minister of an institution deemed that a disclosure to another institution where an infected individual recently visited and may have spread the virus satisfied the balancing test. Although the Privacy Act specifies that the federal institution needs to notify the Privacy Commissioner in advance of a public interest disclosure, it also recognizes that in certain matters, time is of the essence. Where it is not reasonably practicable for the head of the government institution to inform the Commissioner in writing prior to the disclosure, notification to the Commissioner must be made as soon as possible after the fact (subsection 8(5)). If an institution suspects that the COVID-19 virus was spread or contracted in the workplace, it is recommended that the relevant public health authority be contacted to conduct any necessary contact tracing.
- Date modified: