Pandemic privacy woes: Molly Reynolds on personal health data

Privacy issues have remained top-of-mind amid the pandemic. With the use of health declarations becoming the new normal and the high likelihood that vaccine passports will be needed for future travel, there is continued concern over the privacy of health data.

Director Lens Communiqué has published an article in an effort to address ongoing individual privacy concerns and has sought insight from Privacy lawyer Molly Reynolds on the topic.

Molly told the publication that from the onset of the pandemic privacy regulators have specified that individuals’ privacy rights are not to be jeopardized and a contextual approach needs to be taken. She did however point out that the lack of government advice in this area has left businesses with the responsibly of making judgment calls on where to draw the line.

“For management, it’s a struggle to conduct that assessment and balance competing operational and regulatory requirements,” Molly said.

“For boards, the challenge is to know which questions to ask.”

Molly also discusses the consequences relating to the use of vaccine passports and whether organizations have the right to ask employees and customers if they have been vaccinated and require proof of vaccinations.

“Because these questions call for personal and sensitive information, they have implications for privacy,” Molly said.

“Even if you are not working within a formal vaccine passport regime, you can map the principles discussed to those informal discussions around the questions you can ask people before they enter premises, and the information you can require versus request.”

Molly also touched on the host of emerging privacy issues relating to remote working.

“Ongoing risk mitigation efforts need to be in place, whether that's in regard to new ways of accessing a network from a cybersecurity perspective, or brand-new forms of information that we're collecting about individuals,” she said.

She also noted that companies need to start planning for the eventual return to the office and establish a point when certain information and data about employees’ health status will no longer be collected.

Read: To find out more about the crucial role of cybersecurity within an organization read our article “Data governance and Canada’s c-suite: are directors and officers liable for cybersecurity failures?” from our Litigation trends 2020 report.

“Data retention is not a glamorous area, and it’s one people don’t want to dwell on,” Molly said.

“In the context of the board and senior management, it’s also an area that’s chronically underfunded in most organizations. But if sensitive data that’s no longer needed for operational or legal purposes is then compromised in a data breach or cybersecurity incident, it can multiply the risk to an organization.”

You can read more about our Privacy practice on the expertise page.