COVID-19 Workplace Plans and PIPEDA – Are You Privacy Compliant?

Staying on top of the (almost) daily changes in COVID-19 requirements and guidelines is hard enough, but employers must also think about the privacy issues that go along with their COVID-19 response.  Employers must comply with privacy legislation, and that means paying attention to how personal information is collected, used and disclosed when an employer implements its COVID-19 response.  We’ll talk about some of the key privacy issues to consider.

Most private sector businesses in provinces other than Alberta, B.C. and Quebec must comply with the Personal Information Protection and Electronic Documents Act (“PIPEDA”) when they are collecting personal information.  In Alberta, B.C. and Quebec, businesses must generally comply with provincial privacy legislation that is very similar to PIPEDA.  These laws apply to personal information that is collected by an employer with respect to COVID-19.

Employers may want to collect information about employees who may have COVID-19, employees with confirmed cases of COVID-19, and employees who have been required to self-isolate.  Employers may also want to use and disclose this information to advise others in the workplace about possible exposure to COVID-19, advise the public about possible COVID-19 exposure and advise public health authorities about COVID-19 exposures.

Under PIPEDA, the key issues that an employer must consider when collecting and using this personal information include:

  • clearly identifying and documenting the purpose for the collection of personal information (e.g. preventing the spread of COVID-19 through identification and isolation of employees who may have been exposed);
  • ensuring the purpose is reasonable;
  • limiting collection and disclosure to only what is necessary to meet the purpose (e.g. collecting and disclosing an employee’s name);
  • getting consent to collect personal information, if an exemption does not apply;
  • collecting, using and disclosing only for the purpose (e.g. only using the information about an employee with COVID-19 for the purpose of preventing the spread of COVID-19, and not for any other purpose);
  • ensuring there are security safeguards in place to protect the personal information; and
  • disposing of this information when it is no longer needed for the purpose.

These issues must be considered when thinking about what information you will collect, how you will collect it, how you will use it and how you will safeguard it and ultimately dispose of it.  See Optimize Compliance for more of the requirements under PIPEDA.