Wendy J. Wagner
Partner
Co-leader, National Cybersecurity & Data Protection Group
Article
40
The COVID-19 pandemic has led to unprecedented social and economic responses across Canada and globally. Such responses implicate, but do not override, Canadian privacy laws. In fact, attention to privacy laws may be more important than ever in light of businesses shifting to online and remote delivery models and questions around public surveillance in light of this global occurrence.
Generally, Canadian privacy regulators are announcing that during a public health crisis, privacy laws continue to apply but should not present a barrier to appropriate information sharing due to available exemptions under those laws.[1] Where there is a declaration of public emergency, powers to collect, use, and disclose personal information may be expanded, within the bounds of the specific law in question. Privacy Commissioners across Canada have highlighted that the principles of necessity and proportionality should inform decisions made to address the current crisis.[2] Moreover, in these exceptional times, in which remote working has become the norm, organizations must be aware of their obligations to ensure that their employees use safe and secure remote access procedures and that the new working environment does not jeopardize the privacy and the security of personal information.
In this article, we will provide a summary of general trends across the guidance documents, notices and statements issued by Canadian Privacy and/or Access to Information Commissioners (section A.). This will be followed by an overview of the specific guidance issued by each of the federal, provincial, and territorial authorities overseeing privacy legislation in their respective jurisdictions (section B.). Not all Privacy Commissioners have addressed the same concerns. Some Privacy Commissioners have chosen to focus their comments on "access" provisions under access to information and privacy laws, including whether an extension of time to respond to an access to information request may be warranted. Others have also addressed privacy provisions within these laws and the specific disclosure exceptions that may be applicable in a public health crisis.
To date, the following Privacy and/or Access to Information Commissioners have made statements that relate to their operations, the protection of privacy, and/or the application of privacy and access to information laws in light of COVID-19:
We were unable to locate similar guidance applicable to organizations in Nunavut and Prince Edward Island.
Additionally, we have highlighted and consolidated the "tips", where offered by Privacy Commissioners, for persons engaged in remote work (see Section C.).
We also invite you to review articles prepared by our Birmingham Office in order to understand responses to "privacy in a pandemic" in other jurisdictions:
DISCLAIMER: We expect that there will consistently be new information available as the situation evolves. Please check the websites of Canada's Privacy Commissioners for the most updated information. This information does not include updates following the date of publication, unless otherwise advised.
At a high level, businesses can expect that "privacy in a pandemic" may:
Several layers of public and private sector privacy legislation at the federal, provincial and territorial levels may concurrently play a role during the management of a public health crisis, which involves close coordination between different levels of government.[3] As such, businesses must still be aware of the different privacy laws that apply to them and the ways in which such laws intersect. It is recommended that the specific laws that are applicable and any issued guidance and announcements from relevant privacy regulators be reviewed closely.
Of the Privacy Commissioners that have issued COVID-19 related guidance materials or announcements, many have expressly indicated that existing privacy law frameworks already provide for legislative authorizations that allow organizations to respond to a public health crisis. These include the ability to disclose personal information without consent in specific, exceptional circumstances. Examples are outlined in greater detail below.
We note that the legislative authorizations referenced above do not apply to "regular" business operations, simply because a public health crisis exists. While businesses are faced with a variety of challenges in light of the pandemic, as well as shifting business practices as they move to an online delivery model, compliant privacy practices must remain a focus. As such, businesses should be wary of applying legislative authorizations that provide exemptions to the requirement to obtain consent for the collection, use and disclosure of personal information. Organizations relying on legislative authorizations or other exemptions to privacy laws must be able to communicate and justify the basis for doing so, and the specific authority that is being relied on in each case.[4]
Privacy Commissioners have indicated that response times to privacy complaints and access to information requests may be affected by the pandemic. Organizations engaged in these processes may have to anticipate delays in receiving responses from institutions, but also may be able to benefit from extensions in circumstances where they are required to respond to privacy/access related requests. Further information is provided below.
Please see section C. for more information on best practices for employers.
The Office of the Privacy Commissioner of Canada ("OPC") and several provincial and territorial authorities that oversee compliance with privacy and access legislation in their respective jurisdictions have published their own statements in response to the pandemic. These statements emphasize that privacy laws continue to apply but should not be a barrier to appropriate information sharing within the bounds of the law, and in the case of access requests, may extend timelines for response.
On March 20, 2020 the OPC issued guidance to help organizations subject to federal privacy laws understand their privacy-related obligations during the COVID-19 outbreak. The OPC has urged that while privacy laws still apply, they are not necessarily a barrier to appropriate information sharing.
OPC is responsible for overseeing compliance with Canada's federal privacy legislation:
(1) Personal Information Protection and Electronic Documents Act ("PIPEDA"); and
(2) Privacy Act.
PIPEDA and the Privacy Act each contain provisions that allow for personal information to be used or disclosed for specific reasons that may be relevant in the time of a public health situation. The following is an overview of relevant provisions from each Act.
PIPEDA applies to private sector organizations that collect, use or disclose personal information in the course of commercial activities unless their activities are wholly within a province with substantially similar privacy laws (i.e. Alberta, British Columbia and Quebec). PIPEDA also applies to the collection, use, or disclosure of personal information in connection with the operations of a federal work, undertaking or business (FWUBs) and for these organizations only, it applies to employee as well as customer data. FWUBs includes airlines, telecommunications providers, and other federally regulated entities. It should be noted that organizations may be subject to both PIPEDA as well as other provincial privacy laws, depending on their specific operations (e.g. provincial private sector privacy laws and health sector privacy laws). These laws may further restrict or prohibit the disclosure of personal information/personal health information without consent.
Pursuant to Principle 3 of PIPEDA, organizations are required to obtain meaningful consent prior to the collection, use, or disclosure of an individual's personal information. There are exceptions, which may allow for the collection, use, and disclosure of personal information without consent:
The Privacy Act governs the personal information-handling practices of federal government departments and agencies. Information may only be disclosed without an individual's consent in a limited set of circumstances. These include:
The OPC has further provided that, "[w]hile privacy laws include several provisions that authorize the collection, use and disclosure of personal information in the context of a public health crisis, if you rely on them, you should be able to communicate to the persons involved the specific legislative authority under which this is done". As such, it is important to consult the text of these specific exemptions prior to taking action that implicates the privacy of an individual.
Given the Minister of Health's announcement of an Emergency Order under the Quarantine Act on March 25, 2020, it is possible that the above listed provisions may be relied upon to justify the disclosure of personal information without consent.
In a recent advisory, "Privacy in a Pandemic Guidance", the Office of the Information and Privacy Commissioner of Alberta (OIPC AB) has noted that in the case where a public or general emergency is declared, the powers to collect, use and disclose personal information or personal health information to protect the public may be very broad.
Alberta has three privacy laws, which govern the collection, use, and disclosure of personal or personal health information, the:
(1) Freedom of Information and Protection of Privacy Act for the public sector;
(2) Health Information Act for the health sector; and
(3) Personal Information Protection Act for the private sector.
Each legislation contains provisions to allow for the sharing of personal or personal health information in the event of an emergency, without consent. However, this authority must be exercised proportionately and limited to information that is needed to achieve the purpose of collection, use, or disclosure, and within the scope of the authorization provided by the specific exemption. Organizations must consult the text of the applicable privacy law for the wording of the specific disclosure exemption.
On the access to information front, the OIPC AB has issued a separate notice regarding "Requests for Time Extensions During an Emergency". The OIPC AB is currently not considering any time extensions for responding to access requests beyond the circumstances outlined in section 14(1) of the Freedom of Information and Protection of Privacy Act. "A public body does have authority to grant itself a 30-day extension under section 14(1) if unable to access or process records due to a disaster or pandemic. Furthermore, the Commissioner has no ability to grant an extension in such circumstances." If requests cannot be addressed in a timely fashion, the Commissioner advises public bodies to inform applicants about their right to seek a review pursuant to section 65(1).
The Office of the Information and Privacy Commissioner for British Columbia (OIPC BC) has issued a statement on COVID-19, indicating that British Columbia's privacy laws are designed to ensure appropriate information sharing that protects the health and safety of British Columbians. The Provincial Health Officer has broad authority to collect and use personal information in the public interest. While no reference is made to the interpretation afforded to British Columbia's privacy laws in light of COVID-19, we expect that certain exemptions therein may also be applicable in some circumstances during this emergency.
The OIPC BC is responsible for overseeing and enforcing the:
(1) Freedom of Information and Protection of Privacy Act; and
(2) Personal Information Protection Act.
For example, section 33.1 of the Freedom of Information and Protection of Privacy Act outlines circumstances in which a public body may disclose personal information, with or without consent. The text of these particular disclosure exceptions should be reviewed to assess their application in a particular situation.
As it relates to access requests under British Columbia's privacy laws, British Columbia's Privacy Commissioner has issue a "Decision" stating that it is fair and reasonable to grant the head of each public body in British Columbia permission to extend the time to respond to a request for access to records under the Freedom of Information and Protection of Privacy Act (FIPPA).
This permission applies only to requests for access to records that a public body receives between March 1, 2020 and April 30, 2020. These extensions are granted in addition to any extension of time that a public body is authorized to make. A public body that extends time pursuant to this Decision is expected to provide the Commissioner's Office with a document listing every request for access in respect of which it has extended the time for responding by June 30, 2020. Moreover, pursuant to subsection 10(3) of FIPPA, public bodies are reminded to notify each applicant of any extension of time.
As a result of the COVID-19 pandemic, the Minister of Citizens' Services in British Columbia has enacted Ministerial Order No. M085, directly dealing with the province's public sector privacy law. In an effort to strengthen the province's public health response, this Order provides public bodies with explicit authority to disclose personal information within and outside Canada pursuant to the Freedom of Information and Protection of Privacy Act until June 30, 2020. The disclosure must be necessary:
The Order also provides for disclosures of personal information inside or outside Canada, using third party tools and applications, in prescribed circumstances. This carves out new exceptions from British Columbia's privacy and data-residency laws which require personal information about citizens to be stored in and only accessed within Canada. This Order aims to temporarily permit health care bodies, such as the Ministry of Health, the Ministry of Mental Health and Addictions, and other health authorities to use communication and collaboration software that may host information outside of Canada to better respond to the pandemic.
The Office of the Ombudsman in Manitoba has oversight over the following provincial access and privacy laws:
(1) Freedom of Information and Protection of Privacy Act; and
(2) Personal Health Information Act.
Manitoba has not commented on any specific interpretations that apply to these privacy laws in light of a public health emergency. We recommend that the text of the laws themselves be reviewed to discern whether particular exemptions may apply in light of current events. For example, section 44(1) of the Freedom of Information and Protection of Privacy Act outlines instances in which a public body may disclose personal information. Consent of the individual is not required under certain exceptions.
The Office of the Ombudsman has issued advisories for public bodies (in relation to its public sector privacy law) and trustees (in relation to its health sector privacy law). Manitoba is taking the impact of COVID-19 into consideration as an exceptional circumstance that may impact a public body's ability to respond to access requests within the 30 day time limit mandated by the province's Freedom of Information and Protection of Privacy Act. The Manitoba Ombudsman has also issued a specific advisory for trustees about responding to access requests under the Personal Health Information Act.
In New Brunswick, the Office of the Ombud for New Brunswick ("Office of the Ombud"), Access to Information and Privacy Division, oversees and enforces the:
(1) Right to Information and Protection of Privacy Act; and
(2) Personal Health Information Privacy and Access Act.
On March 27, 2020, the Office of the Ombud issued guidance on privacy and the COVID-19 outbreak. This guidance highlights the provisions, under both legal frameworks, in which public bodies (under the public sector privacy law) and custodians (under the health sector privacy law) may disclose personal information or personal health information without consent in specific circumstances. The provided guidance also emphasizes that: "Both Acts require that any collection, use or disclosure of personal information or personal health information be limited to that which is needed to achieve the responsible purpose of the collection, use or disclosure". Please visit the guidance document and text of the applicable legislative provisions for more information.
The Office of the Ombud has also issued a notice on its operations and impacts to access requests related to its public sector privacy law. The Access and Privacy Division of the Office of the Ombud has closed its offices and suspended active complaint investigations. However, it will continue to respond to urgent matters, such as time extension applications and requests to disregard access requests (sections 11 and 15 of the Right to Information and Protection of Privacy Act).
Newfoundland & Labrador's privacy laws are the:
(1) Access to Information and Protection of Privacy Act, 2015; and
(2) Personal Health Information Act.
The Office of the Information and Privacy Commissioner for Newfoundland and Labrador (OIPC NL) is the body responsible for overseeing and enforcing these laws. It has issued COVID-19 privacy guidance in the form of a slide deck, "Don't Blame Privacy – What To Do and How To Communicated in an Emergency". The position of the OIPC NL is that emergencies impact, but do not supplant the need for privacy. While privacy considerations should not put anyone's health at risk, privacy interests should still be protected where possible:[5] "This slide deck is intended to shine some light on where the communication line is when privacy and urgent circumstance collide. The goal is to demonstrate how to not unnecessarily violate privacy, while also preventing unwarranted concerns from slowing response times."
The materials highlight circumstances under each Newfoundland and Labrador privacy law whereby the indirect collection of personal information and personal health information is appropriate. While obtaining consent for the disclosure of personal information is the general rule, these statutes are not barriers to the appropriate sharing of information in an emergency where consent cannot be obtained. "Both acts (ATIPPA and PHIA) have provisions that allow for disclosure in emergencies or when the public interest trumps the protection of privacy."[6] The slide deck also discusses issues around the repercussions of release. Specifically, the application of certain "shields" for public bodies and custodians when they act in good faith under the provincial privacy laws. However, it is important to note that regardless of the situation, privacy principles continue to apply and parties are reminded to collect, use, and disclose the minimum information that is necessary.
On March 18, the Office of the Information and Privacy Commissioner announced that it is preparing an application to the Supreme Court to extend the 65 business day time limit for the issuance of Commissioner's reports. A further notice will be issued when the Court decides on this application.
The Northwest Territories has two privacy laws, which fall under the purview of the Information and Privacy Commissioner of the Northwest Territories:
(1) Access to Information and Protection of Privacy Act;
(2) Health Information Act.
The Information and Privacy Commissioner of the Northwest Territories has issued/promoted several resources in response to these extraordinary circumstances: (1) Privacy in a Pandemic; (2) Privacy and Working from Home; and (3) Access to Information in Extraordinary Times (a message from Canada's Information Commissioner that applies to NT as well).
The "Privacy in a Pandemic" resource highlights specific legislative provisions, pursuant to each privacy law, that permits disclosure of personal information and personal health information, with or without consent of the individual. These may be engaged as necessary and applicable in the public interest in the event of an emergency. Any collection, use, or disclosure of personal information or personal health information must be limited to that which is needed to achieve the reasonable purpose of that collection, use, or disclosure.
This particular resource also highlights that the Chief Public Health Officer has broad powers to collect, use and disclose personal health information to protect public health, whether or not a formal health emergency is declared. Moreover, Orders issued under public health legislation could require the collection, use, and disclosure of certain personal information relating to employees, patients and customers.
The Information and Privacy Commissioner of Nova Scotia oversees and is responsible for the:
(1) Freedom of Information and Protection of Privacy Act; and
(2) Personal Health Information Act.
On March 24, Nova Scotia's Office of the Information and Privacy Commissioner (OIPC NS) released a statement emphasizing that the Provincial Health Officer has broad authority to collect and use personal information in the public interest during times like these. It encourages public bodies to contact the office if they are unclear of their responsibilities to collect and use personal information.
The OIPC NS has directed those with questions about the pandemic to refer to guidance issued by the Privacy Commissioner of Canada and the Information and Privacy Commissioner for Newfoundland & Labrador, offering a link to the slide deck referenced above. As it relates to disclosure exceptions, please review the text of the applicable statute in light of the particular circumstances. While such exceptions were not referenced specifically by the OIPC NS, the current privacy laws still apply and disclosure exceptions could be leveraged by public bodies and health information custodians, as applicable and required.
As it relates to access rights under Nova Scotia's privacy laws, the OIPC NS will be able to review and approve or decline time extension requests from public bodies and municipalities.[7]
The Information and Privacy Commissioner of Ontario ("IPC") has not yet released specific guidance on how to interpret the province's privacy legislation during a public health emergency, such as COVID-19. However, its news release on the Impact of COVID-19 offers insight into its operations, including what essential services will be provided by the IPC during this time, and "tips" for those working from home.
While the IPC news release was not explicit in describing the application of privacy laws during a public health crisis, exceptions to disclosure may still be applicable in the circumstances. For example, section 42 of Ontario's Freedom of Information and Protection of Privacy Act outlines permitted disclosures, not unlike those found in other privacy laws.
The IPC oversees the application of several privacy laws in Ontario, meaning that its news release is applicable for relevant organizations in the public, health and child and youth sectors across Ontario. These laws include:
(1) Freedom of Information and Protection of Privacy Act;
(2) Part X of the Child, Youth and Family Services Act;
(2) Municipal Freedom of Information and Protection of Privacy Act; and
(3) Personal Health Information Protection Act.
IPC has stated that the expectation to comply with Ontario's access laws remains in effect. However, the current circumstances will be taken into account when evaluating appeals relating to deemed refusals should there be an impact on an organization's ability to respond within prescribed time limits
On March 25, 2020, the Québec Commission d'accès à l'information (COI) commented on the impact of COVID-19 on the protection of personal information. The Québec government declared a state of health emergency on March 13, 2020. Pursuant to the Public Health Act (c. S-2.2), such a declaration allows health authorities to gain access to personal or confidential information in order to protect the health of the population [section 123].
In Québec, two main laws outline the protection of personal information:
(1) la Loi sur l'accès aux documents des organismes publics et sur la protection des renseignements personnels (c. A-2.1) for the public sector; and
(2) la Loi sur la protection des renseignements personnels dans le secteur privé (c. P-39.1) for the private sector.
Pursuant to both, consent is a necessary element to communicating personal information, unless there is an exception provided by law. These exceptions can allow for the disclosure of personal information without consent if such disclosure is:
(a) necessary for the application of a law in Quebec;
(b) made to a person having the power to compel the disclosure of personal information and who requires it in the exercise of their functions;
(c) made due to an emergency situation that endangers the life, health or safety of the person concerned; and
(d) necessary for the exercise of a mandate or the execution of a service or business contract.
The Information and Privacy Commissioner of Saskatchewan (IPC SK) has oversight over the:
(1) Freedom of Information and Protection of Privacy Act;
(2) Local Authority Freedom of Information and Protection of Privacy Act; and
(3) Health Information Protection Act.
The IPC SK has issued several statements, which can be accessed here at the bottom of the page, under the heading, "What's New?".
The statement on COVID-19 supports that privacy laws should not be a barrier to appropriate information sharing. Provisions under each act will allow for the sharing of personal information or personal health information by public bodies and trustees in the event of an emergency, within the bounds of the particular exception. The collection, use, or disclosure of personal information or personal health information must be limited to that needed to achieve the purpose for which these actions were taken (i.e. "data minimization principle").
The statement on access to information during a pandemic clarifies that citizens of Saskatchewan still have the right to request information or records and public bodies are still required to accept and process access requests. "Public bodies when faced with a heavier that normal workload on access requests, can consider an extension but no public body should just refuse to process the request."
The Yukon Information and Privacy Commissioner has oversight authority to monitor compliance with Yukon's two privacy laws, the:
(1) Access to Information and Protection of Privacy Act ("ATIPP"); and
(2) Health Information Privacy and Management Act ("HIPMA").
The Ombudsman and Information and Privacy Commissioner of the Yukon has oversight of these laws. The Yukon Information and Privacy Commissioner has issued guidance on Disclosure of Personal Information during an Emergency in Yukon. This guidance maintains that Canadian privacy laws all contain provisions that allow for the disclosure of personal information or personal health information in the event of an emergency. The documents proceed to outline provisions that authorize public bodies to disclose personal information without an individual's consent. The same exercise is undertaken for HIPMA and the comparable authorizations for custodians.
Section 36(b) of ATIPP authorizes a public body to disclose personal information about an individual with their consent. However, section 28 and section 36(d), (f), (n), (o) authorize public bodies to disclose personal information without an individual's consent including in the case of emergency. Similarly, HIPMA contains several provisions that authorize a custodian to disclose personal health information without consent. Some of these provisions provide specific authority for custodians to disclose personal health information in the case of an emergency. Regardless, information custodians must apply the limitation principles to disclosure.
Several provincial privacy authorities have urged employers to deploy secure remote access measures for employees. Relevant guidance can currently be found for the following jurisdictions:
Québec
Saskatchewan
Ontario and Yukon have both released helpful guidance for employees dealing with personal information when working from home. These can be summarized as follows:
In Québec, public bodies and businesses have the obligation to put in place security measures to ensure the protection of personal information. The COI has also warned employers to be aware and equipped to deal with cyberfraud and phishing attempts by phone, email or text message.
Alberta's Information and Privacy Commissioner has asked health custodians considering new administrative practices or information systems with implications for individuals' privacy to combat the pandemic to notify the Commissioner about such new measures. These health custodians are also required to submit privacy impact assessments pursuant to section 64 of the Health Information Act.
***
We will continue to provide you with important updates as new developments continue to happen. Please reach out to the COVID-19 dedicated team at Gowling WLG for support and questions.
[1] Office of the Privacy Commissioner of Canada ("OPC"), "Announcement: Commissioner issues guidance on privacy and the COIVD-19 outbreak" (March 20, 2020), online: <https://www.priv.gc.ca/en/opc-news/news-and-announcements/2020/an_200320/> ["Announcement"].
[2] Announcement, ibid.
[3] OPC, "Privacy and the COVID-19 outbreak" (March 2020), online: https://www.priv.gc.ca/en/privacy-topics/health-genetic-and-other-body-information/health-emergencies/gd_covid_202003/ ["OPC-COVID-19 outbreak"].
[4] OPC-COVID-19 outbreak, ibid.
[5] Office of the Information and Privacy Commissioner for Newfoundland and Labrador, "Don't Blame Privacy – What To Do and How to Communicate in an Emergency" at slide 2, online: <https://www.oipc.nl.ca/pdfs/EmergenciesPrivacy.pdf>.
[6]Ibid at slide 6.
[7] Office of the Information & Privacy Commissioner of Nova Scotia, "What's New", online: <https://oipc.novascotia.ca/>.
NOT LEGAL ADVICE. Information made available on this website in any form is for information purposes only. It is not, and should not be taken as, legal advice. You should not rely on, or take or fail to take any action based upon this information. Never disregard professional legal advice or delay in seeking legal advice because of something you have read on this website. Gowling WLG professionals will be pleased to discuss resolutions to specific legal concerns you may have.