The Office of the Privacy Commissioner of Canada (OPC) recently released “key privacy principles that should factor into any assessment of measures proposed to combat COVID-19 that have an impact on the privacy of Canadians.”
The framework covers legal authority, ensuring that measures are "necessary and proportionate," limiting the purpose for data collection use or disclosure, safeguards and deidentification measures, considering the "unique impacts on vulnerable groups," providing clear and detailed information, the importance of open data sets, making organizations accountable, and keeping use time limited.
The OPC had previously clarified the application of the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada's national privacy law, during the COVID-19 pandemic.
Entities may “collect, use or disclose information only for purposes that a reasonable person would consider appropriate in the circumstances,” according to PIPEDA. “Organizations are required to obtain the knowledge and meaningful consent of the individual for the collection, use, or disclosure of their personal information” and consent may only be “valid if it is reasonable to expect that the individual understands the nature, purpose and consequences of the collection, use or disclosure of the personal information to which they are consenting.”
Still, the OPC guidance noted several “circumstances under which organizations may collect, use, or disclose personal information without the consent of the individual,” such as:
- “If the collection is clearly in the interests of the individual and consent cannot be obtained in a timely way (paragraph 7(1)(a)), such as if an individual is critically ill or in a particularly dangerous situation, and needs help.”
- “If the collection and use is for the purpose of making a disclosure required by law (paragraphs 7(1)(e), 7(2)(d) and 7(3)(i)). For instance, this would include where a public health authority has the legislative authority to require the disclosure.”
- “If the disclosure is requested by a government institution under a lawful authority to obtain the information and the disclosure is for the purpose of enforcing or administering any law of Canada or a province (subparagraphs 7(3)(c.1)(ii)-(iii)). Again, this would include instances where a public health authority has the legislative authority to require the disclosure.”
- “If the disclosure is made on the initiative of the organization to a government institution, which has reasonable grounds to believe that the information relates to a contravention of the laws of Canada, a province or a foreign jurisdiction that has been, is being or is about to be committed (paragraph 7(3)(d)(i)). This would include if an organization believes an individual is in contravention of an invoked quarantine order.”
- “If the use or disclosure is for the purpose of acting in respect of an emergency that threatens the life, health or security of an individual (paragraphs 7(2)(b) and 7(3)(e)), such as if an individual requires urgent medical attention, and they are unable to communicate directly with medical professionals.”
This information is not intended and should not be construed as or substituted for legal advice. It is provided for informational purposes only. It is advisable to consult with private counsel on the precise scope and interpretation of any laws/regulation/legislation and their impact on your particular business.