In the fight against the spread of the Covid-19 virus, businesses have put in place different types of measures that may involve processing personal information. However, some practices may result in a breach of personal information protection or privacy.
It is therefore important to note that different laws regarding personal information protection continue to apply, despite the current crisis. The measures taken must consequently always strike a balance between accommodating/protecting public health (and that of individuals), while ensuring the protection of the personal information and privacy of individuals/employees.
This situation is not unique to Québec, or even Canada. It is the same in Europe. Examining the situation in the European Union under the GDPR as well as the situation in Québec provides a good overview of what can be done to protect individuals while also respecting their privacy.
In a previous bulletin, we addressed three challenges that most businesses were facing during this pandemic. A month and a half later, while the pandemic shows no sign of waning and continues to paralyze society, regulatory authorities in Québec, Canada and Europe have set out the approaches to be adopted in managing personal information during this exceptional period.
As such, this bulletin will examine the specifics provided by the regulatory authorities with regard to the following three topics:
- cyber-attack risk management;
- information that can be collected, used and disclosed or, more precisely, the possibility of implementing measures considered "necessary" to try to stop the spread of the virus and protect the workplace;
- issues related to disclosing the identity of an employee infected with Covid-19 to his or her colleagues.
Managing cyber-attack risks
The Covid-19 outbreak has forced businesses to take the appropriate measures to ensure business continuity, while also protecting their personnel, such as by allowing them to work from home.
In order to effectively manage and ensure the security of remote access to information systems, cybersecurity procedures must be reviewed to determine any modifications that may be required in this unprecedented context. Accordingly, the ENISA ("European Union Agency for Cybersecurity") published its recommendations on the security measures to comply with when teleworking,1 by reminding businesses that they must use online tools that support encrypted data, properly assess security settings as well as carefully read the privacy policy to ensure that the tool used does not transfer data to third parties.
In addition to these procedures, regular cybersecurity training is a valuable tool for businesses to raise employee awareness in this regard. As such, employees must be regularly reminded that they must only disclose highly confidential or sensitive information through the company's secure data transfer tools and not simply by email. Similarly, the company's VPN must be used to ensure data security.
Lastly, businesses must ensure that they have an incident response plan that is adequate and easy to implement, so as to be able to quickly identify the protocol to follow in the event of a cyber-attack, such as who to contact.
The possibility of implementing measures considered "necessary" to try to stop the spread of the virus and protect the workplace
Covid-19 management by businesses entails major issues regarding an individual's privacy and the protection of personal information. Can companies use protecting public health as a reason to collect sensitive data and to transfer it to third parties without, however, having obtained the consent of the employees?
The situation in Québec and Canada
In Quebec and throughout Canada, collecting personal information, such as by an employer, is based in particular on the following principles: consent, necessity and proportionality.
In a recently published document2 in this respect, the Commission d'accès à l'information provides that any consideration of the impact of a technological solution must involve a two-step assessment, namely: 1) balancing the objective of the solution (necessity test) with 2) its impact on individual privacy (proportionality test). If, and only if, this first step effectively determines that the objective justifies the solution and that it is proportional to the objective, can the second step of the assessment be then considered.3 This second step consists of ensuring that the terms and conditions of the solution are consistent with the principles and best practices associated with the protection of personal information4 (determine the type of consent to be obtained, determine the impact of the contemplated technological solution, limit the collection and use of personal information, notify individuals affected, comply with the applicable legal principles regarding the use of biometric or geolocation information,5 define the duration of the retention period of the information, implement security measures, provide for rights of access).
In other words, implementing measures to prevent employees from being infected with Covid-19 must not prevent compliance with the applicable personal information protection laws.
Despite this unprecedented situation we are experiencing, the personal information protection and privacy laws still apply and are not a barrier to the appropriate collection, use and disclosure of personal information.
This was also recently confirmed by the Office of the Privacy Commissioner of Canada in a document it published setting out an assessment framework intended to help federal institutions respond to the health crisis.6 The assessment framework is composed of the following principles:
- legal authority (compliance with applicable laws);
- necessity and proportionality;
- purpose limitation (information collected must be used for the intended objective, such as mitigating the effects of Covid-19 on public health);
- de-identification and other safeguarding measures (whenever possible, personal data must be de-identified or aggregated);
- consider the unique impacts on vulnerable groups (organisations must pay particular attention to sensitive information, disproportionate consequences that data sets may have on certain subgroups or communities and disproportionate impacts that may be created by algorithmic decision-making or AI);
- transparency (organizations must inform individuals about new measures on an ongoing basis);
- assessing open data (the benefits and risks of the release of public datasets must be carefully weighed);
- oversight and accountability (measures specific to the crisis should also provide specific provisions for oversight and accountability);
- time limitation (measures should be time-limited, ending when they are no longer required).
As such, measures taken that aim to contain and stop the spread of the virus, such as in the workplace, must be carefully assessed. The test of necessity is strictly applied by both the Commission d'accès à l'information and the Office of the Privacy Commissioner of Canada. In other words, the test of necessity implies that the personal information collected is absolutely required, such that any personal information that is merely useful (or convenient) for the purposes of the objective will not meet the test of necessity.7 Accordingly, we recommend obtaining a legal opinion prior to deciding to implement a measure that involves collecting personal information, especially in the workplace context. In fact, it is paramount to ensure that the contemplated measure meets the requirements of necessity and proportionality under the law.
Moreover, if the test of necessity and proportionality is met, collecting sensitive information (such as data collected through thermal cameras, temperature screening, blood tests or nasal swabs) must be subject to stricter measures. Lastly, determining whether an exception to the consent principle may apply should be confirmed by a legal opinion.
Situation in the European Union
In Europe, although it is possible to rely on consent to collect personal data, under the GDPR other legal means can be relied upon as well. As such, in the employment relationship context, processing personal data may be necessary to comply with a legal obligation to which the employer is subject, such as regarding occupational health and safety, or is based on public interest, such as to control disease and other health threats.
Similarly, the GDPR also provides exemptions to the prohibition of processing certain special categories of personal data, such as health data, where it is necessary for reasons of substantial public interest in the area of public health, on the basis of Union or national law (GDPR, Art. 9.2(i)), or where there is the need to protect the vital interests of the data subject (GDPR, Art. 9.2(c)). Note that recital 46 explicitly refers to the control of an epidemic.8
It is important to keep in mind that the GDPR continues to fully apply during the pandemic, including the principles of proportionality and purpose limitation.
Can an employer require visitors or employees to provide specific information regarding their health in the context of Covid-19?
In this situation, the European Data Protection Board considers that the employer may only require health-related information to the extent permitted under the national law and if required to satisfy its obligations.
This is why, according to the data protection authority in France, the CNIL, employers must refrain from collecting in a systematic or generalized manner, or through individual inquiries and requests, information relating to possible symptoms presented by employees and their relatives.9 The CNIL also states that it is therefore not possible to implement temperature readings of employees or visitors when recorded in an automated process or in a paper logbook, as well as automated temperature recording operations or by means of tools such as thermal cameras10.
Informing employees about Covid-19 cases
As explained in a previous bulletin, if an employee is infected by the virus, his or her colleagues must be informed that an individual in their workplace has tested positive. However, the information disclosed must not allow the sick person to be identified.
In this regard, the European Data Protection Board states that employers should inform staff about Covid-19 cases and take protective measures, but should not communicate more information than necessary. In cases where it is necessary to reveal the name of the infected employee, and if it is permitted under the national law, such employee must be informed of this in advance and their dignity and integrity must be protected.11
In France, the CNIL recommends that when alerted to a Covid-19 case, an employer may record (but not disclose) the date and identity of the person suspected of having been exposed to the virus.
Footnotes
1. https://www.enisa.europa.eu/news/enisa-news/tips-for-selecting-and-using-online-communication-tools
3. Id.
4. Id.
5. The Act to establish a legal framework for information technology, chapter C-1.1 provides specific limitations regarding technologies used to geolocate individuals.
6. Commissioner publishes framework to assess privacy-impactful initiatives in response to COVID-19, April 2020. See also the Office of the Privacy Commissioner of Canada's document: Privacy and the COVID-19 outbreak, March 2020.
7. See, for example, Laval (Ville de) v. X, 2003 C.A.I. 280.
8. EDPB, Statement on the processing of personal data in the context of the COVID-19 outbreak. 19 March 2020. See also EDPB, Letter to Ms Duris Nicholsonová, Dear Mr Jurzyc, 23 April 2020; EDPB, Letter to Olivier Micol, 14 April 2020
9. Coronavirus (covid-19) : les rappels de la CNIL sur la collecte de données personnelles
10. Coronavirus (COVID-19) : les rappels de la CNIL sur la collecte de données personnelles par les employeurs, 07 mai 2020
Originally published May 11, 2020.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
