As businesses prepare to return to on-site operations, welcoming customers, employees and suppliers back to their worksites, we can expect some public health measures will remain in place for several months.
While these preventative measures are important to ensuring businesses can stay open and employees are protected, many of them raise privacy, cybersecurity and data governance considerations.
The Office of the Privacy Commissioner of Canada has emphasized that organizations’ privacy obligations are not reduced during public health emergencies; they must still be able to justify the handling of personal information in accordance with the law.
Prepare a privacy impact analysis
A key element of return-to-work planning is therefore a privacy impact analysis (PIA) to document why specific precautionary measures that engage personal information (such as health or travel questionnaires, temperature checks, medical documentation requests) are necessary and proportional in the current circumstances. The central elements of this framework—knowing the intended audience, defining the purpose and rationale for a particular measure, canvassing alternatives, and restricting the use and retention of data collected in the process—are described below.
1. People. Which groups of people are targeted by the measure?
Different preventative measures aimed at customers, employees, service providers or other groups will involve different statutory, regulatory, contractual and reputational areas of risk. Where a measure is intended to apply to all individuals entering the workplace, each of these areas of risk should be considered separately, as applicable to each group of individuals.
2. Purpose. What is the specific purpose of the measure?
Beyond the general goal of returning to business while protecting public health, organizations must articulate the specific purpose of particular preventative measures. For example, symptom screening questionnaires may serve different purposes than mandatory personal protective equipment (PPE) rules. Businesses should resist the urge to rely on steps taken by their peers without examining how and why those measures will benefit their own stakeholders.
3. Particulars. How will the measure achieve the purpose, what alternatives are available, and how significant is the privacy impact?
It is critical that businesses show why a preventative measure that involves personal information is both necessary and proportionate in the circumstances. This requires an explanation of why the measure will be effective in achieving the purpose. In the context of COVID-19, where the science and public health information is developing rapidly, organizations are best protected where they can point to an authoritative source supporting the measure. Where the measure has not been endorsed by a public health agency, the organization must do more to support the connection between the purpose and the measure.
As part of the analysis of how the measure will work, the particular types of personal information involved should be identified, and their sensitivity assessed. The organization should also note whether it would ordinarily collect this type of information. For example, some employers may regularly receive travel or health information to administer leave and benefits programs, but many businesses would never ordinarily receive health information about their customers. The more sensitive the information and unusual the collection by the organization, the more significant the privacy impact. It is important to keep in mind that personal health information (PHI) is among the most sensitive types of personal information, and collecting it to determine an individual’s eligibility to return to work could have serious impacts on that person and their family, some of which may be difficult to ascertain.
Similarly, the organization should identify whether individuals have a meaningful choice in whether to provide the personal information associated with the preventative measure, such as remote work or service options or alternative screening measures.
The analysis should also identify any alternative measures that could serve the same purpose with less impact on individual privacy. A common example is the use of signage to tell people with travel histories or symptoms not to enter a facility, rather than asking individuals to provide the company with the details of where they have travelled or the specific symptoms they are suffering. Where a less-invasive measure has been rejected, some evidence of why it is not effective—or why it is not reasonable in the circumstances—is important to justifying the use of a measure with more privacy impact.
4. Proportionality. Does the purpose and utility of the measure outweigh the privacy impact?
The analysis should conclude with a holistic assessment of the risk arising from the proposed measure. Can the organization explain how the measure achieves its intended purpose and why it is appropriate to use? What reputational risks might arise from that explanation (e.g., media allegations that the company is prioritizing cost savings over privacy rights)? Will customer trust or employee morale be affected by the measures, or any resulting regulatory investigations, litigation or bad press? Would the tangible or intangible costs of any negative consequences outweigh the benefits of the measure itself? The proportionality of the measure is likely to be determined both by a reasoned risk analysis and by the organization’s culture and ethos.
Assess and implement the measures through your data governance framework
It is critical that the initial assessment and implementation of any proposed on-site preventative measures be managed through an organization’s data governance framework. Whether that framework is currently in place or is created for this purpose, it should enable the organization to properly govern the availability, usability, integrity and security of an organization’s data. Through carefully managed data governance, the organization will be able to:
- map data collected as part of the preventative measure to its intended purpose;
- segregate that data from other data so it is not used for other purposes or stored in a manner or for longer than is allowed;
- defend the research or commercial use of any aggregated or de-identified data sets created from personal information collected as part of public health measures;
- safeguard the data using measures appropriate for its level of sensitivity;
- plan for and respond to cybersecurity incidents specifically involving that data;
- retain the data only for so long as it needs to be stored;
- respond to requests from individuals or inquiries from regulators that specifically apply to the data (for more, see our article “When (and what) can I disclose? Sharing personal information with government agencies in the context of COVID-19”); and
- manage and enforce contracts with third-party suppliers responsible for carrying out any of the above activities.
Get input and advice from stakeholders and advisers
These are unprecedented times raising novel issues. An organization will be better prepared to welcome its customers, employees and suppliers back onsite by consulting with internal stakeholders and external experts on the risks and solutions. When dealing with highly sensitive, novel data, the “reasonable person” standard applied by courts and regulators can often be found by engaging the intended audiences for their reactions. The level of comfort of employees, management, or directors, if asked to provide the information themselves or to explain the proposed measure directly to a customer, can be helpful in assessing the legal, regulatory and reputational risks described above.
Similarly, it is a good idea to seek input from privacy and information governance experts on how this information should be handled through the organization’s data governance framework to ensure data is not being stored, used or disclosed in a way that increases risk.