Governments and public health authorities are increasingly turning to private sector data to get better insight into the virus’s spread and the effectiveness of their containment strategies. This includes recourse to information that organizations are compiling about employees and customers. While organizations may value the public interest in sharing such information with governmental authorities, organizations must not lose sight of their ongoing privacy obligations when handling personal information.
Many organizations support the public health initiatives to identify and contain cases and spread of COVID-19 across Canada. However, that does not translate into a legal obligation to inform public health agencies when an organization learns about individuals affected by this illness. Very few private sector companies currently have an obligation to disclose personal information to government under existing laws, professional regulations or emergency orders. Businesses who have been asked to share personal information with public sector agencies should determine whether it is a legal requirement or a request for cooperation and carefully review the scope of the demand.
Businesses considering voluntary disclosure of COVID-19-related information must assess both why sharing the data will achieve a public health, emergency management, or business purpose as well as what information is truly required to meet that objective. Organizations must scrutinize whether that data must be personally identifiable or whether aggregated information (such as statistics about infection or exposure rate) or de-identified data (such as business location, facility type and time period when an affected individual was present rather than their name, title or role) is sufficient.
In addition, most private sector organizations will not be able to control how governmental authorities use, disclose or retain the personal information provided. Before disclosing personal data, consider what legal requirements—such as government archive laws—may apply to the recipient and whether the particular agency can provide any assurances around limiting the further transfer, use or retention of the information. Where a public sector body is unable to commit to such limits, further attention to the possibility of de-identifying information is critical.
Especially where companies do not know what other data sets government will be pairing with their information, minimizing the personal information shared will reduce regulatory, litigation and reputational risk for the organization.
In considering whether to share personal information with government, businesses must consider whether doing so will attract scrutiny into the origins of the data. Organizations should be able to show that any personal information collected or used as part of their pandemic response plans, such as temperature, travel, diagnosis, family exposure or health data about an employee, service provider or client, was compliant with privacy laws and best practices.
Privacy-law-compliant data handling includes documenting individual consent where possible. For instance, although numerous privacy statutes have health emergency exemptions that allow an organization to disclose information without consent, what constitutes as a heath emergency varies and many exemptions are premised on the assumption that consent is not reasonably available. In the context of COVID-19, individuals may be able—and willing—to consent to the disclosure of their personal information to serve public health objectives. Exemptions to consent for the collection, use or sharing of personal information should not replace reasonable efforts to communicate with affected individuals about how their data may be shared, and to seek their cooperation.
Even where consent is not practical in the circumstances, organizations must still comply with other privacy obligations, such as transparency, accountability and access. Private sector businesses must have protocols for informing individuals that their personal information was shared with public agencies as part of the pandemic response, either upon request from the individual or as soon as practical after the disclosure. Individuals should be given the opportunity to ask questions about what information was shared, and to update or correct their information with the organization and the recipient (e.g., in the case of an incorrect diagnosis.)
Given the rapidly shifting landscape, consistency in handling personal information is difficult, yet critical. Businesses should centralize the process for all decisions to disclose personal information relating to COVID-19, and keep records of what information has been disclosed, to which agencies, and for what purposes. In many cases, accountability for data disclosures can align with the organization’s crisis management team that is monitoring governmental and public heath emergency orders and guidance, with appropriate input from privacy, legal and employment advisors. Although multinational organizations must be aware of regional legal and regulatory differences, consistency in disclosure decisions across geographies remains an important tool in mitigating reputational risk.
When the emergency is over, organizations will need to (1) stop the collection, use and disclosure of personal information that is no longer necessary; and (2) apply appropriate retention policies to ensure any personal information collected, used or disclosed for pandemic response purposes is destroyed once it is no longer needed. This means that personal information relating to COVID-19 will need to be stored in a manner that can be easily separated from other data about employees, consumers and business partners and destroyed or archived on a different schedule. Because electronically-stored information can be difficult to destroy once collected, data governance must be considered at the outset.
Finally, as with any crisis, allocate time after the incident is resolved to update crisis management and business continuity plans to incorporate the organization’s experiences with data-sharing during the pandemic. This should include debriefs with internal teams and external partners, as well as incorporating protocols and privacy analyses used during COVID-19 response into templates for use in other scenarios.
Read all our coronavirus-related updates on our COVID-19 guidance for organizations resource page.
To discuss these issues, please contact the author(s).
This publication is a general discussion of certain legal and related developments and should not be relied upon as legal advice. If you require legal advice, we would be pleased to discuss the issues in this publication with you, in the context of your particular circumstances.
For permission to republish this or any other publication, contact Janelle Weed.
© 2023 by Torys LLP.
All rights reserved.