Our federal and provincial Privacy Commissioners have confirmed that our privacy laws, although still fully in force, are not a barrier to appropriate information sharing in the midst of the global COVID-19 crisis.
So, what does this mean for your business or organization? Can you disclose personal information without consent, such as who has tested positive for COVID-19, to appropriate recipients without infringing your applicable privacy law? What safeguards must you take when using technology to disclose personal information to respond to COVID-19 related matters or when remote working during this crisis?
Like any privacy law question, this answer depends on what privacy legislation governs your organization and how those provisions are being interpreted and applied by the provincial or federal privacy commissioner.
For public bodies in British Columbia
If you are a public sector organization, such as a university, school, municipality, provincial government, or a self-governing regulatory body, you are governed by the Freedom of Information and Protection of Privacy Act (“FIPPA”), also known as FOIPPA.
Of utmost interest to those governed by FIPPA is Ministerial Order No. M085 pronounced on March 26, 2020, which responds to two COVID-19 privacy-related concerns in the public sector.
The Ministerial Order provides clarity on when a public sector body can disclose personal information to fight COVID-19, inside or outside of Canada. The Ministerial Order explicitly allows for the disclosure of personal information inside or outside Canada on the condition that the disclosure is necessary:
- for the purposes of communicating with individuals respecting COVID-19;
- for the purposes of supporting a public health response to the COVID-19 pandemic; or
- for the purposes of coordinating care during the COVID-19 pandemic.
The Ministerial Order also temporarily removes a technological challenge that FIPPA presents for the public sector, provided certain conditions are met. By way of background, British Columbia’s public sector has strict privacy laws and is one of only two Canadian jurisdictions which prohibit the storage of or access to the personal information of its citizens outside of Canada. Those governed by FIPPA must, for instance, ensure that any personal information within their control is stored and accessible only from clouds within Canada. To make it easier for our health care professionals to communicate pertinent health care information and for schools to function remotely, the Ministerial Order has removed these restrictions and temporarily allows the public sector to use technologies that would otherwise be restricted.
In particular, the Ministerial Order allows for disclosure of personal information to be made inside or outside Canada using third-party tools and applications provided that the disclosure of personal information is for one of the following purposes:
- the third-party tools or applications are being used to support and maintain the operation of programs or activities of the public body or public bodies;
- the third-party tools or applications support public health recommendations or requirements related to minimizing transmission of COVID-19 (e.g. social distancing, working from home, etc.); and
- any disclosure of personal information is limited to the minimum amount reasonably necessary for the performance of duties by an employee, officer or minister of the public body.
The aforementioned Ministerial Order is in effect until June 30, 2020. The Province will work with the Office of the Information and Privacy Commissioner on or before this date to either rescind or renew this Order, depending on where we are with the global health crisis.
For the private sector
Private companies in British Columbia, which include a doctor’s private practice, are obliged to comply with the Personal Information and Protection of Privacy Act, SBC 2003, ch. 63 (“PIPA”).
If you are a private company located outside of British Columbia and in a province or territory that does not have its own substantially similar privacy legislation, or if you are a federally regulated organization, such as a radio and television broadcaster or inter-provincial transport company, the Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5 (“PIPEDA”) governs your organization.
PIPA and PIPEDA generally require an individual’s consent for the collection, use or disclosure of his or her personal information. However, both PIPA and PIPEDA have relevant statutory exceptions which allow for use or disclosure without consent provided that specific requirements are met. Notwithstanding these exceptions, where possible, informed consent for the collection, use or disclosure of one’s personal information should be obtained.
A relevant exception in PIPA can be found in section 18(1) which allows for disclosure of personal information without consent of the individual in certain defined circumstances. Subsection (k) sets out a health and safety related exception to the consent requirement. In particular, it provides:
“18(1) Disclosure of Personal Information without consent – An organization may only disclose personal information about an individual without the consent of the individual, if
(k) there are reasonable grounds to believe that compelling circumstances exist that affect the health and safety of any individual and if notice of disclosure is mailed to the last known address of the individual to whom the personal information relates,” [emphasis added].
The above exception allows for “disclosure” under subsection 18(1)(k). The same exception can be found in section 15(1)(i) for the “use” of personal information without consent where the above prerequisites have been met. There is no such exception for the “collection” of personal information upon establishing the above.
The above PIPA exception is broader than its counterpart under section 7(3)(e) of PIPEDA which addresses disclosure without consent where there is “an emergency which threatens the life, health, or safety of an individual” and if the individual is alive, the individual is to be informed in writing without delay. The broader exception under PIPA also allows for the disclosure and use of the personal information of any individual.
PIPEDA has other potentially applicable exceptions to the consent requirement. It is advisable to obtain legal advice as to when the requirements of the above-mentioned statutory exceptions are met, particularly given the nuances in this area of the law, the quickly changing landscape of this crisis, and the frequency at which the Privacy Commissioner is issuing further guidance documents on these kinds of issues.