Privacy in the Time of a Pandemic: Guidance for Organizations
The Office of the Privacy Commissioner of Canada, the Office of the Information and Privacy Commissioner for British Columbia and the Office of the Information and Privacy Commissioner of Alberta, have received inquiries from organizations seeking clarification about how privacy laws apply in the private sector workplace during the H1N1 pandemic.
There is specific privacy legislation that applies to the private sector at the federal level, and in Alberta, British Columbia and Quebec. This legislation governs the collection, use and disclosure of personal information by employers.
The World Health Organization has declared H1N1 to be a pandemic flu. In the future, should the virus become even more widespread and severe, federal, provincial and territorial authorities in Canada may decide that it is an emergency pandemic and they may invoke special emergency measures. Privacy legislation would not prevent the sharing of information in the event that H1N1 is declared to be an emergency pandemic.
In the current “non-emergency” situation, privacy laws apply in the usual way. As an employer, you should focus on business continuity planning and communicating with employees about appropriate flu-prevention measures and providing them with resources that will reduce the need to collect personal information. For example, you may wish to post notices outside and within the organization about appropriate flu-prevention measures, such as hand washing. You may also wish to provide hand sanitizers and information about vaccination clinics. In the event a flu outbreak occurs in your workplace or region, privacy laws continue to apply in the usual way.
This guidance has been written in October 2009 to ensure that organizations are aware of the distinction between the current non-emergency pandemic situation and an emergency situation. This document may be updated as circumstances demand. A Fact Sheet for Employees has also been written to assist employees in knowing the information that employers can collect, use and disclose in both non-emergency and emergency pandemic situations. The Treasury Board of Canada has also developed guidance for the federal public sector.
Provincial public health statutes and privacy requirements
Public health services are generally understood to be a responsibility shared by all three levels of government. The rules vary somewhat from jurisdiction to jurisdiction, but generally the disclosure of personal information without the individual’s consent may be justified for public interest reasons, such as for the administration of public health, if there is a serious and imminent threat to public health and the information is needed under provincial law. Some jurisdictions have public health laws or regulations that provide for the confidentiality of personal information regarding all infectious diseases. Few public health statutes expressly provide for interjurisdictional information-sharing.
Part 1 – Developing a Business Continuity Plan
1. To help me plan for possible staffing shortages, can I survey employees to find out if they may be absent from work in order to look after children (in the event of a school closure, for example) or care for elderly parents?
Private sector privacy legislation requires that the collection of personal information be reasonable and the minimum necessary to fulfill the purposes. Employers should review resources about privacy in the workplace as part of their pandemic planning efforts.
You may wish to know if your employees might need to remain home, telework, or adopt an alternate work schedule to look after family members. To do this, you may wish to collect personal information from your employees. However, you should do this in the least privacy-intrusive way, and collect the minimum amount of personal information. For example, instead of asking employees if they have children or elderly parents, an employer might distribute a survey asking employees if they may need to make alternative work arrangements to care for children or elderly parents in the event of a pandemic emergency. This way, employers will be able to estimate how many employees could be absent, without collecting more detailed personal information.
Employers should remember that they will need to obtain consent to collect even this personal information from employees. It should be made clear to employees that the personal information collected is to be used for pandemic planning purposes only and indicate when it will be destroyed.
Employees are not required to provide employers with personal information to assist in pandemic planning. However, employees may see the benefits of providing this information to their employer to better manage a difficult situation. Employers should clearly communicate their expectations around employees staying at home and their return to work.
2. Can managers ask for employees’ personal phone numbers and personal email addresses in order to keep in touch with them?
Generally, employers will already have contact information for their employees. However, if you want to be able to contact employees that are away from the office to, for example, provide updates about a pandemic situation, you could ask employees to advise you as to how they would prefer to be contacted. You should obtain employees’ consent to collect and use this information for this purpose. Employers should also be sensitive to the fact that sharing private contact information may cause concern for employees and may wish to discuss acceptable alternatives. For example, you may wish to ask the employee to call in to work at regular, agreed-upon intervals in the event of a pandemic emergency.
3. My organization wants to keep track of how many employees have been diagnosed with pandemic flu. What information can be shared with other managers?
Privacy laws require that organizations make reasonable efforts to ensure that personal information they collect is accurate. It will be difficult for employers to accurately track the number of employees that have been diagnosed with pandemic flu, as many employees will not be officially diagnosed by a physician, and will not themselves know if they have pandemic flu. In addition, tracking the number of employees that have pandemic flu will require knowing the employee’s diagnosis. In a non-emergency pandemic situation, it will likely not be reasonable for an employer to require employees to disclose their diagnosis.
From a privacy perspective, it is preferable for employers to focus on business continuity planning and communicating with employees about appropriate flu-prevention measures. For example, employers should be posting notices about hand washing and providing hand sanitizers as well as information about vaccination clinics.
An employer can certainly monitor the number of employees who are away from work due to illness, and it is common practice for employees to contact their managers directly to let them know they are unable to come to work because they are feeling ill. This should not change under a pandemic flu situation but managers should only collect the minimum information required for business continuity planning. Private sector privacy legislation applies to personal information, whether it is recorded or not.
Part 2 - Employee relations (non-emergency pandemic)
1. When my employee calls in sick, can I ask them if they have the flu?
Private sector privacy laws require employers to collect only the minimum amount of personal information necessary to meet a business need. An employer will need to know if an employee cannot come to work due to illness. However, in almost all situations, the employer will not need to know the employee’s specific diagnosis, including whether or not the employee has the flu. A manager may ask if the employee is sick and when the employee is likely to return to work. It is reasonable for the employee to have to provide her expected date of return to work to help the organization plan, but the employee only needs to provide the prognosis and not a diagnosis.
Employers should clearly communicate expectations around employees staying at home and their return to work.
2. Can I send an employee home if I think the employee appears to be sick?
This is not strictly a privacy issue, but, yes it is your discretion to ask an employee to go home if you believe that the employee is exhibiting flu-like symptoms and is therefore unfit to work or potentially putting others at risk. In a non-emergency pandemic, it is “business as usual”.
If it is possible in your operations, you should develop a plan for your employees to work remotely and develop a telework policy so that expectations are clear on both sides.
3. Am I allowed to ask my employees if they may have a higher risk of infection, for example, whether they have asthma or a compromised immune system? Can I ask these questions about my employee’s family members?
Employers can only collect personal information for reasonable purposes, and to an extent reasonable to meet those purposes. Instead of collecting detailed medical information from employees, such as whether they have asthma or a compromised immune system, an employer should instead communicate information to all employees that certain at-risk employees should consider taking additional precautions. Employers will generally not have a reasonable need to collect a diagnosis, such as asthma.
4. Can I ask my employees or their families if they have been vaccinated?
Instead of asking employees if they have been vaccinated, employers should provide employees with information about vaccinations, such as dates for vaccination clinics.
5. How do we inform other employees that an employee is unavailable for work without revealing the diagnosis by inference?
An employee may volunteer to her manager that she believes she has pandemic flu. However, just as managers do not share diagnosis in any other circumstances, they should not share this information in the current pandemic situation. A manager should say that the employee is unavailable and provide an alternate contact.
Part 3 - Declaration of a public health emergency
A pandemic flu emergency would be primarily a public health emergency and managing and responding to the emergency is a responsibility that falls under provincial jurisdiction. Generally speaking, emergencies such as pandemics would be managed at the level of a hospital or municipality. If the local officials need assistance, they would turn to the provinces or territories. If a pandemic were to escalate beyond their capabilities, the provinces or territories would in turn seek assistance from the federal government.
A pandemic emergency would be monitored by the federal government. The Public Health Agency of Canada’s Centre for Emergency Preparedness and Response is Canada's central coordinating point for public health security issues. The federal Emergency Management Actgives authority forthe development and implementation of emergency preparedness measures. Each province and territory has legislation that deals with emergencies within their boundaries.
Canada’s pandemic flu plan explains that the triggers for health services emergency plans may include: the proportion of emergency room visits attributable to the flu, the proportion of flu cases requiring hospitalization and the capacity of the hospital to accommodate flu cases.
If an outbreak is declared to be a public emergency, the powers to collect, use and disclose personal information to protect the public health may be very broad. Canada’s pandemic flu plan explains that it is expected that emergency management and coordination of a response to a flu pandemic will be based on existing plans and structures for health emergencies at all levels of government.
In the event that a public health or general emergency is declared, orders issued under public health legislation could require the collection, use and disclosure of certain personal information relating to employees and customers. Private sector privacy legislation would not impede the work of public health officials in this regard. If you need to collect, use or disclose employee personal information in an emergency, you should communicate to your employees the specific legislative authority that is engaged to do so.
Privacy Commissioner of Canada
Information and Privacy Commissioner of Alberta
Information and Privacy Commissioner for British Columbia
- Date modified: