With the emergence of COVID-19 in Canada, organizations are faced with many additional concerns and considerations in their daily operations and strategic planning. Remote work has become the norm, and the health of employees, customers and suppliers is a key concern for organizations and society at large. Organizations are finding themselves in a position where additional data, including personal information, is being collected from employees, visitors, and other partners. Additionally, there are increasing threats from cyber criminals who are trying to take advantage in this time of global crisis. Privacy and cybersecurity during COVID-19 may not always be a straightforward task, but adhering to basic privacy principles will set the right tone for any organization.
Privacy Laws Apply
When data is collected about an individual, and that data allows the individual to be identifiable, it will be considered “personal information” under the Personal Information Protection and Electronic Documents Act (“PIPEDA”) or applicable provincial or territorial privacy laws (for example, applicable provincial private sector, public sector or health privacy laws).
In provinces that do not have “substantially similar” private-sector privacy legislation, and where those organizations are not “federal businesses, works or undertakings” under PIPEDA, personal employee information is usually not covered by privacy legislation. As a result, employers must be mindful of the common law protections pertaining to employee data (for example, that all employees have a “reasonable expectation of privacy” in the workplace). Organizations should also be mindful that extraterritorial privacy laws (as discussed below) may also apply to them, and information collected in response to managing the COVID-19 outbreak is no different.
Additional Information Collected in COVID-19
Federal and provincial governments have emergency management legislation and can declare public emergencies which provide them with the ability to broaden their power and ability to collect, use, and disclose personal information, including for the coordination of emergency responses. In addition, public health agencies have the authority to collect, use and disclose personal information, including personal health information about individuals who have, or who are suspected to have, communicable or reportable diseases of public health significance such as COVID-19. Authority to collect, use and disclose personal information for these purposes may be set out by order or statute.
Absent the declaration of a formal public emergency, PIPEDA allows for the collection and disclosure of personal information without receiving consent from the individual whose information is being disclosed in certain circumstances. The OPC recently released a set of guidelines outlining these collection and disclosure powers. The circumstances include, but are not limited to:
- if collection is in the interests of the individual and consent cannot be obtained in a timely manner. For example, if the individual is extremely ill or in a dangerous situation, and needs help (PIPEDA s. 7(1)(a)).
- if the use or disclosure is for the purposes of acting in respect of an emergency that threatens the life, health or security of an individual. This includes, for example, a situation where an individual requires urgent medical attention, and they are unable to communicate directly with medical professionals (PIPEDA s. 7(2)(b), s. 7(3)).
The types of information being collected can span from asking about recent travel, an individual’s health or the health of a person with whom the individual is co-habiting, the health of the individual’s children, and whether or not an individual employee is working remotely. PIPEDA (and most other privacy laws) require that an organization have a purpose that is clearly stated and tied to the collection of that specific piece of information:
Principle 2 – Identifying Purposes
4.2.1 The purposes for which personal information is collected shall be identified by the organization at or before the time the information is collected.
4.2.5 Persons collecting personal information should be able to explain to individuals the purposes for which the information is being collected.
The CSA Model Code for the Protection of Privacy, which is Schedule 1 to PIPEDA, and the basis of privacy legislation in Canada also requires that an organization limit the collection to what is necessary to fulfill the purpose and then protect that data sufficiently. It is imperative for an organization to be able to refer to the specific legislation they rely upon when collecting or using personal information, and communicate with the individuals who are affected by that collection or use. For example, public bodies or institutions that are subject to public sector privacy legislation may be required to provide individuals with a notice of collection.
Provision of Virtual Services and Cyber Security Alert
The Canadian Centre for Cyber Security issued an alert on March 20, 2020, to identify an elevated level of risk to Canadian health organizations involved in the national response to the COVID-19 pandemic, including those involved in medical research, manufacturing, distribution and policy-making. The concern relates to the risk that sophisticated threat actors may attempt to steal intellectual property related to COVID-19, or sensitive data related to Canada’s response.
In addition, the alert highlights the increased risk from cyber criminals who may take advantage of the COVID-19 pandemic to target health organizations to extract ransom payments. Even before COVID-19, there had been a significant increase in ransomware attacks on health organizations, however, the impact could be more severe during the current pandemic. COVID-19 has accelerated the widespread use of virtual and telehealth technologies; many of which have been implemented very quickly.
Although directed to the health sector, the advice and guidance provided apply to other Canadian businesses; particularly those with employees teleworking through VPNs. This includes, among other things:
- taking extra care in identifying, as early as possible, vulnerabilities and possible compromises that may lead to the deployment of ransomware.
- being familiar with and practicing your business continuity plans, including restoring files from back-ups and moving key business elements to a back-up infrastructure.
- remaining vigilant to ensure that you are engaged in cyber defense best practices, including increased monitoring of network logs, reminding employees to practice phishing awareness and ensuring that servers and critical systems are patched for all known security vulnerabilities.
- ensuring that you undertake privacy and security assessments when implementing new technologies, and have appropriate agreements in place to ensure the protection of personal and personal health information.
Personal Information from Abroad
A number of European Data Protection Authorities (“DPA”) have recently released guidance on when COVID-19 related information should be considered “health information” that is more “sensitive” and thus, afforded specific protection under European General Data Protection Regulation (“GDPR”). This guidance is useful because for one, the GDPR is highly influential on Canadian privacy law and, two, PIPEDA contemplates information to be protected according to its sensitivity. Under PIPEDA, personal health information about an individual is considered to be sensitive. For example:
- information about recent travel is not personal health information.
- information about (flu-like) symptoms should be considered health information (sensitive).
- information about staying home to care for a sick family member could also be considered health information of that other individual (who would likely be identifiable).
TIPS for Organizations
- Ensure your cybersecurity program is appropriate for the risks you are exposed to. This includes technical and organizational measures, such as training staff on phishing scams, where there is currently heightened risk.
- Know which law(s) applies to your organization. These may be Canadian federal and/or provincial and can include U.S. or European law (GDPR) if you operate or have customers internationally.
- Collect only information necessary for your purpose (for example, if the purpose is to screen for COVID-19 contraction risk, ask only for information relevant to that purpose).
- Protect sensitive information (store paper copies in a safe place; avoid sending personal information by email).
- Train employees on privacy considerations and how to protect data – some employees who are now collecting information may not have handled sensitive personal information before. They should be trained in the law and best practices in handling that information.
- Disclose personal information only in accordance with applicable law. Section 7(3) of PIPEDA provides for a number of situations in which personal information may be disclosed without consent. This includes situations where the information is needed as a result of an emergency that threatens the life, health or safety of an individual. The same is true under Articles 6 and 9 of GDPR.
- Report data breaches when you become aware of them. PIPEDA, Alberta’s Personal Information Protection Act, Ontario’s Personal Health Information Protection Act and various other statutes have mandatory data breach obligations.
If you have any questions about these data privacy issues, please reach out to Kathryn Frelick and David Krebs of Miller Thomson’s privacy and cyber security team.