The rapid outbreak of COVID-19 (the “Pandemic”) is presenting a number of ongoing privacy law issues for businesses to navigate. From a legal perspective, privacy laws (both in Alberta and federally) are still in effect for organizations that collect, use and disclose personal and/or health information, notwithstanding the Pandemic.
PRIVACY LAWS IN ALBERTA
In Alberta, there are three privacy laws that may apply to an organization’s collection, use and disclosure of information, depending on the nature of the organization:
- Freedom of Information and Protection of Privacy Act[1] (“FOIP”) applies to public sector organizations;
- Health Information Act[2] (“HIA”) applies to health sector organizations; and
- Personal Information Protection Act[3] (“PIPA”) applies to private sector organizations.
Under these privacy laws, an organization’s ability to collect, use or disclose personal information and/or health information must generally be limited to what is reasonable or necessary in the circumstances. However, the Alberta government declared a state of public health emergency on March 17 under the Public Health Act[4], which could affect the scope and ability of organizations to both collect and use or disseminate such personal and/or health information in relation to the Pandemic.
Moreover, if the government of Alberta declares a provincial state of emergency (in line with such provinces as Ontario, B.C. and Saskatchewan) under the Emergency Management Act[5], the government will be granted additional sweeping powers to deal with and combat the Pandemic in the province.
In Alberta, the Office of the Information and Privacy Commissioner (“OIPC”) has released a useful overview of how privacy laws apply during a pandemic or emergency situation, entitled “Privacy in a Pandemic”.
INFORMATION SECURITY AND WORKING REMOTELY
With many employees now fully transitioned to working from their homes, one serious privacy concern for organizations is the increased burden of keeping personal and health information secure remotely. Many employees will continue to be working with sensitive information while working remotely; organizations should ensure they have taken the proper steps to secure the information in their control that is also in their employees’ physical possession remotely.
However, if an organization does not have such policies in place, it should contact a privacy lawyer immediately to help draft and disseminate a policy in order to ensure that:
- it is continuing to meet its privacy law obligations during the Pandemic,
- the sensitive information in its possession and control remains secure, and
- employees are also aware of their obligations to keep sensitive information secure.
In addition, organizations should take additional measures now to ensure their employees are aware of and are protected from the heightened current risk of online cyberattacks and fraud scams that are circulating during the Pandemic. Organizations can also remind employees of basic steps that may be taken to ensure privacy and security of information, such as only working from secured Wi-Fi networks and secured VPN networks, not using their personal devices or networks when working remotely, and being vigilant about the increased risk of online scams, malicious emails, and cybersecurity attacks that could compromise private information and the security of their networks.
TESTING FOR AND IDENTIFYING COVID-19 IN THE WORKPLACE
While some segments of the workforce are able to and have already transitioned to working remotely, for others remote working is simply not possible. Thus, many businesses and employees providing essential services, such as those working in the health care and transportation industries, continue to work during the Pandemic. Privacy law issues arise when employers must conduct COVID-19 testing of their employees or when COVID-19 is present (or potentially present) in an employee, requiring quarantine and tracing.
According to the OIPC, any organization that needs to collect, use or disclose an employee’s personal information in an emergency should communicate to its employees the specific legislative authority that gives it the power to do so.[6] For example, if the government issues an Order under either the Public Health Act or the Emergency Management Act in relation to the Pandemic requiring an organization to share personal and/or health information, the employer should communicate that requirement to its employees (and clients, as applicable).
An employer’s obligation to maintain a safe and healthy working environment for its workers and its customers (as applicable) may also require it to conduct testing for COVID-19. In this situation, employers should also communicate to their employees the relevant occupational health and safety legislation in connection with any COVID-19 testing they may be required to conduct.
As the Pandemic continues to evolve on a daily basis, an organization’s privacy obligations will also continue to evolve. We recommend that any businesses with privacy questions contact a qualified privacy lawyer for advice on how to ensure the sensitive information in their care and control is protected and their privacy obligations are met during the Pandemic.
Carscallen LLP’s Privacy Law Expertise
We understand that the rapid emergence of COVID-19 means that many businesses are dealing with a myriad of legal issues. Please contact us if you have any legal questions about your privacy law obligations in connection with COVID-19, or any other privacy law matters. Our lawyers routinely work remotely and will continue to do so during this time. We remain available to provide legal advice and guidance to clients for all issues that may arise during the Pandemic.
As this is an ongoing situation of a global nature, the information provided herein is current as of the publishing date of this blog.
- [1] Freedom of Information and Protection of Privacy Act, RSA 2000, c F-25.
- [2] Health Information Act, RSA 2000, c H-5.
- [3] Personal Information Protection Act, SA 2003, c P-6.5.
- [4] Public Health Act, RSA 2000, c P-37, s. 52.1.
- [5] Emergency Management Act, RSA 2000, c E-6.8, s. 18.
- [6] See OIPC