As British Columbia begins to allow businesses to re-open, certain industries are being asked (and more may be asked in the future) to collect personal information to assist government agencies with tracking the potential spread of COVID-19.
Any private company in British Columbia that is asked to collect personal information must ensure they are complying at all times with the Personal Information Protection Act, SBC 2003, c.63 (“PIPA”).1 Companies may also be required to comply with Personal Information Protection and Electronic Documents Act, SC 2000, c.5 when the personal information of residents from other provinces has been affected or if a company is transferring personal information outside of the province.
Personal information under PIPA includes information that is reasonably capable of identifying a particular individual on its own (for example, name, home address, phone number, and much more), and it also includes information that can, when combined with information from other available sources, identify the individual.
Recently, restaurants have been asked by the Province of British Columbia to record the name and contact information for at least one member of each group that eats at the establishment. This information is expected to be saved for 30 days in the event the provincial medial health officer needs such information for contact tracing regarding potential COVID-19 infections.
The above example, or any future government requests to companies to collect personal information, will require companies to take the following steps to ensure compliance with PIPA:
- Ensure all customers provide informed consent in advance of them giving their personal information. Under PIPA, companies are expected to advise individuals in advance of them providing their personal information and be clear about the information to be collected, how it will be used, who will have access to it, where it will be stored, how it will be securely retained and when it will be destroyed.
- Put appropriate physical, administrative and technical safeguards in place to protect personal information from unauthorized access, collection, use, disclosure, copying, modification or disposal or similar risks. To start with, companies should limit the number of staff who collect, record and save the personal information collected to help the company maintain its protection over the personal information. Safeguards also mean ensuring the data is saved in a secure location (if it is a physical document) that would ensure it is under lock and key and there are limited people who have access to the key. Or if the personal information is saved in digital form and on a computer or other electronic device, the information should be password-protected and limited individuals should know the password. Personal information should not be left lying around nor in a place that customers or staff could easily view other people’s information.
- If disclosure is required (i.e., based on a request from the provincial medical health officer), procedures should document which individual(s) in a company are authorized to make the disclosure. Such disclosure should take place in a secure manner to ensure that no other party has access to the personal information being disclosed.
- Take steps to ensure that personal information collected is not used for any purpose other than its intended public health purpose, or any other purpose disclosed to individuals in advance of them providing their personal information. If people have been told that their information will be disclosed (and only if requested) to the provincial medical health officer, then the company cannot disclose, sell or let out of its possession in any way the personal information it collects to any other person or company for any other reason.
- Destroy the personal information in the timeline and manner expressed to individuals when the information was collected. Since it is not normal to necessarily request personal information from customers, the Office of Information and Privacy Commissioner of British Columbia (the “OIPC“) has advised that personal information collected as a result of COVID-19 should be time-limited and any personal information collected during this period should be destroyed when the crisis ends. Using the restaurant example, the recent provincial government request follows this advice and states that companies should destroy the personal information 30 days after it is collected. As such, companies should be advising individuals of the pending destruction prior to collection and companies will need to ensure the information has been securely destroyed. This will mean both regular monitoring of the information that should be destroyed on a daily basis and ensuring appropriate destruction methods are employed to guarantee the information has been destroyed and the company can prove such destruction (if necessary).
- Collect only the information necessary and not collect anything more. If companies are under provincial government requirements to collect specific personal information, PIPA is clear that companies may only collect personal information for purposes that a reasonable person would consider appropriate in the circumstances and that fulfill the purpose(s) that the organization discloses; they are expected to not collect anything beyond this.
It is important that companies ensure everyone within their organization understands the steps necessary to ensure compliance with PIPA regarding the collection of personal information from customers, clients and whoever else the company engages with. There are a lot of changes for companies and their usual operating practices during the pandemic, but companies are expected to meet any requests for personal information made by the provincial government in ways that protect individuals’ rights to privacy and the protection of their personal information.
For further inquiries about these issues, or assistance with other privacy matters, please contact Scott Allen at firstname.lastname@example.org or 604.484.1730, or another member of our Information + Privacy Practice Group. Keep well and stay safe.
For more COVID-19 related privacy blogs, see: Protecting your Organization from Cyber Attacks while Implementing COVID-19 Remote Working Protocols and Permissive Disclosure of Personal Information in the Midst of the COVID-19 Crisis by Karen R. Zimmer.
1 Private companies located outside of British Columbia or in a province or territory that does not have its own substantially similar privacy legislation, and federally regulated organizations, such as radio and television broadcaster and inter-provincial transport companies, must comply with the Personal Information Protection and Electronic Documents Act, SC 2000, c.5 (“PIPEDA”). PIPEDA requires businesses to, among other things, use security safeguards that are appropriate to the sensitivity of the information to protect personal information.
All public sector organizations in British Columbia, such as a university, school, municipality, provincial government or a self-governing regulatory body, are governed by the Freedom of Information and Protection of Privacy Act (“FIPPA”), also known as FOIPPA, which also requires organizations governed by FIPPA to protect personal information in its custody or under its control by making reasonable security arrangements against such risks as unauthorized access, collection, use, disclosure or disposal.