Businesses are working on their reopening plans as the provincial government moves us through the phases of recovery from COVID-19. An important part of those plans is COVID-19 screening measures – for employees and for clients. What does a business need to have in place to protect client and employee safety and privacy?
Businesses have an obligation to keep their employees and their clients safe. One way of doing so is having COVID-19 screening measures in place. Many of the possible screening measures that could be implemented will result in the collection of personal health information, which is considered to be sensitive information and requires additional protection.
In order to meet privacy law obligations, businesses should keep the collection, use and disclosure of personal information to the minimum required to prevent and to manage COVID-19 in the workplace. They also have to ensure that meaningful consent is provided by an individual when collecting their personal information.
The federal, provincial and territorial guardians issued a joint statement on COVID-19 contact tracing apps to ensure that Canadian citizens’ privacy rights were protected. The privacy principles raised in the joint statement are equally applicable to businesses developing return to work/business plans, and need to be considered when drafting them:
- Consent and trust – businesses need to demonstrate a high level of transparency and accountability to their clients and to their employees.
- Legal authority – proposed measures are to be grounded in a clear legal basis, and consent for the collection of personal information is to be meaningful.
- Necessity and proportionality – screening measures should be necessary for a specific purpose (e.g. to be able to notify individuals exposed to COVID-19), tailored to that purpose, and likely to be effective in achieving it.
- Minimum intrusiveness – the personal information collected should be the minimum required to meet the specific purpose identified by the business for its collection.
- Purpose limitation – personal information must be used for its intended purpose and for no other.
- De-identification – depending on the personal information collected, businesses may need to consider de-identifying the data.
- Time limitation – a retention period for the personal information needs to be set, and the data destroyed when it expires.
- Transparency – individuals should be fully informed about the personal information being collected, how it will be used, to whom it will be disclosed, where it will be stored, how it will be securely stored, and when it will be destroyed.
- Accountability – businesses should conduct ongoing monitoring to ensure the effectiveness of the return to work/business plan, as it relates to the collection, use and disclosure of personal information. As more control over the pandemic is achieved, the amount of personal information that needs to be collected, and/or the frequency of its collection, may change.
- Safeguards – appropriate organizational and security safeguards need to be in place to protect the personal information collected.
The Lerners Privacy, Data and Information Security team of lawyers can assist businesses in developing policies related to COVID-19 screening measures to implement as operations resume and employees and clients return to the workplace. Privacy Impact Assessments can be conducted to evaluate and minimize the privacy implications of return to work/business plans.