These days, many Ontario businesses are asking themselves whether they can ask clients or customers coming into their store or office whether they have been vaccinated and, further, whether they can require proof of vaccination. This question involves many considerations and may ultimately come down to what is best for the business but, from a legal perspective, the short answer is yes. An organization or business can ask its customers whether they have been vaccinated or even require vaccination before they enter the premises, including requiring proof of vaccination. The caveat to this is accommodation where warranted under the Ontario Human Rights Code and addressing privacy concerns.
With respect to the Human Rights Code, the Ontario Human Rights Commission has provided some guidance on the issue of mandatory vaccines stating that “requiring proof of vaccination to ensure fitness to safely perform work, or protect people receiving services or living in congregate housing, may be permissible under the Code if the requirement is made in good faith and is reasonably necessary for reasons related to health and safety.” However, the Code grounds of disability and/or creed may be engaged when service providers impose proof of vaccine requirements. Therefore, under the Code, a service provider may have a duty to accommodate those who are unable to obtain a vaccine for reasons related to disability or creed, unless it would amount to undue hardship based on cost or health and safety. Whether and how a particular business may be required to accommodate depends on the specific circumstances of the business and the individual and advice should be sought on such issues.
Regarding privacy, the Federal, Provincial and Territory Privacy Commissioners issued a joint statement in which they acknowledged the potentially substantial public benefits from mandatory vaccines and provided guidance on how to address the privacy concerns that necessarily arise when organizations and businesses require individuals to disclose personal health information in exchange for goods or services or access to certain premises or locations. The Commissioners recommend that such requirements be implemented not only in accordance with privacy laws but also privacy best practices.
The Commissioners highlighted the importance of establishing the necessity, effectiveness and proportionality of a mandatory vaccine policy such that if it is shown that such a policy within a specific context is not necessary, effective or proportional for maintaining health and safety, it should not be continued. In addition, any entity collecting personal information must ensure that it has a legal basis to do so.
In the absence of a Public Health Order or new legislation providing legal authority for the collection of personal health information from customers or clients, private businesses will rely on consent from the individual as their legal authority. As such, the manner in which the information is collected and consent obtained is very important.
In order to obtain meaningful consent to the collection of vaccine status information, an organization should take reasonable steps to ensure the following:
- The individual providing their information understands what they are consenting to;
- In the circumstances, it is reasonable to expect that the individual understands the nature, purpose and consequence of providing their information;
- The individual is advised of the consequences of withholding consent; and
- Where the disclosure is required, the organization is satisfied that it is truly necessary for the specified and legitimate purpose for which it is obtained.
Regarding the last point, it is preferable if consent to disclosure is a choice, meaning it is not required to obtain a service. However, this does not mean that the service must be provided in the same manner in the event vaccine information is not disclosed. If a business is able to provide alternative service, such as curbside pick-up or virtual meetings/consultations, then the individual has the choice of whether to disclose their vaccine status or not and still receive the service one way or the other. On the other hand, if the nature of the business is such that disclosure of vaccine status will be required to obtain service, then the onus on the organization to ensure that vaccination is necessary, effective and proportional is arguably higher and it should seek advice and assistance in documenting its decision and process in a written policy.
Of course, all businesses are best served by having a clear policy for the collection of personal information as it relates to vaccination status in particular. In preparing such a policy, an organization should consider the four key elements of meaningful consent, as outlined by the Office of the Privacy Commissioner (OPC):
i. What information is being collected?
ii. Who will it be shared with?
iii. For what purpose is it being collected, used or disclosed?
iv. What, if any, are the risks of harm and other consequences?
Ideally, the answers to the above questions are provided to the individual at the time they consent to disclosing their vaccination status by way of a posted notice or policy. How that information is collected will vary depending on the nature of the business and the extent to which the information will need to be retained. Again, advice should be sought about the best solution for the particular context.
Finally, as with all personal information collected from clients and customers, security controls and procedures are very important to protect against the unauthorized use, access, or disclosure of personal information. The organization should ensure that any vaccine information collected is subject to the same controls to ensure that clients’ and customers’ privacy is protected on an ongoing basis.
Lerners’ Privacy, Data & Information Security Group can assist businesses in managing their privacy policies and procedures. For more information, contact us today.