When (and what) can I disclose? Sharing personal information with government agencies in the context of COVID-19

Governments and public health authorities are increasingly turning to private sector data to get better insight into the virus’s spread and the effectiveness of their containment strategies. This includes recourse to information that organizations are compiling about employees and customers. While organizations may value the public interest in sharing such information with governmental authorities, organizations must not lose sight of their ongoing privacy obligations when handling personal information.

What you need to know

• There are few circumstances where private sector companies are legally required to share personal health information with government. While voluntary disclosure may be justified in some circumstances, the risk to organizations is higher and a documented privacy analysis is recommended.
• A privacy analysis for COVID-19-related disclosures should consider:
  • the purpose of the disclosure;
  • whether the information was specifically requested by government;
  • the agencies that will receive—and possibly further transfer—the information and how it will be used;
  • whether personal information is required to serve the purpose of disclosure, or whether de-identified information can be used;
  • whether individuals can be notified—in advance or after the fact—of the disclosure, and any existing consents to share the information; and
  • whether the initial collection of the personal data complied with privacy law and other laws, such as employment, consumer protection and health professional regulations.
• The ultimate decision of whether to disclose personal information to public sector authorities should be centralized within the organization to ensure consistent analysis and documentation for all proposed disclosures.
• Data governance is central to ensuring that personal information related to pandemic response activities can be separated from ordinary business data and storage systems, and destroyed when no longer needed.

Why disclose personal information?

Many organizations support the public health initiatives to identify and contain cases and spread of COVID-19  across Canada. However, that does not translate into a legal obligation to inform public health agencies when an organization learns about individuals affected by this illness. Very few private sector companies currently have an obligation to disclose personal information to government under existing laws, professional regulations or emergency orders. Businesses who have been asked to share personal information with public sector agencies should determine whether it is a legal requirement or a request for cooperation and carefully review the scope of the demand.

Businesses considering voluntary disclosure of COVID-19-related information must assess both why sharing the data will achieve a public health, emergency management, or business purpose as well as what information is truly required to meet that objective. Organizations must scrutinize whether that data must be personally identifiable or whether aggregated information (such as statistics about infection or exposure rate) or de-identified data (such as business location, facility type and time period when an affected individual was present rather than their name, title or role) is sufficient.

In addition, most private sector organizations will not be able to control how governmental authorities use, disclose or retain the personal information provided. Before disclosing personal data, consider what legal requirements—such as government archive laws—may apply to the recipient and whether the particular agency can provide any assurances around limiting the further transfer, use or retention of the information. Where a public sector body is unable to commit to such limits, further attention to the possibility of de-identifying information is critical.

Especially where companies do not know what other data sets government will be pairing with their information, minimizing the personal information shared will reduce regulatory, litigation and reputational risk for the organization.

Justifying collection, use and sharing

In considering whether to share personal information with government, businesses must consider whether doing so will attract scrutiny into the origins of the data. Organizations should be able to show that any personal information collected or used as part of their pandemic response plans, such as temperature, travel, diagnosis, family exposure or health data about an employee, service provider or client, was compliant with privacy laws and best practices.

Privacy-law-compliant data handling includes documenting individual consent where possible. For instance, although numerous privacy statutes have health emergency exemptions that allow an organization to disclose information without consent, what constitutes as a heath emergency varies and many exemptions are premised on the assumption that consent is not reasonably available. In the context of COVID-19, individuals may be able—and willing—to consent to the disclosure of their personal information to serve public health objectives. Exemptions to consent for the collection, use or sharing of personal information should not replace reasonable efforts to communicate with affected individuals about how their data may be shared, and to seek their cooperation.

Even where consent is not practical in the circumstances, organizations must still comply with other privacy obligations, such as transparency, accountability and access. Private sector businesses must have protocols for informing individuals that their personal information was shared with public agencies as part of the pandemic response, either upon request from the individual or as soon as practical after the disclosure. Individuals should be given the opportunity to ask questions about what information was shared, and to update or correct their information with the organization and the recipient (e.g., in the case of an incorrect diagnosis.)

Centralize data-sharing decisions

Given the rapidly shifting landscape, consistency in handling personal information is difficult, yet critical. Businesses should centralize the process for all decisions to disclose personal information relating to COVID-19, and keep records of what information has been disclosed, to which agencies, and for what purposes. In many cases, accountability for data disclosures can align with the organization’s crisis management team that is monitoring governmental and public heath emergency orders and guidance, with appropriate input from privacy, legal and employment advisors. Although multinational organizations must be aware of regional legal and regulatory differences, consistency in disclosure decisions across geographies remains an important tool in mitigating reputational risk.

Thinking ahead: data governance and debriefing

When the emergency is over, organizations will need to (1) stop the collection, use and disclosure of personal information that is no longer necessary; and (2) apply appropriate retention policies to ensure any personal information collected, used or disclosed for pandemic response purposes is destroyed once it is no longer needed. This means that personal information relating to COVID-19 will need to be stored in a manner that can be easily separated from other data about employees, consumers and business partners and destroyed or archived on a different schedule. Because electronically-stored information can be difficult to destroy once collected, data governance must be considered at the outset.

Finally, as with any crisis, allocate time after the incident is resolved to update crisis management and business continuity plans to incorporate the organization’s experiences with data-sharing during the pandemic. This should include debriefs with internal teams and external partners, as well as incorporating protocols and privacy analyses used during COVID-19 response into templates for use in other scenarios.

Read all our coronavirus-related updates on our COVID-19 guidance for organizations resource page.