Privacy Implementation Notice 2020-01: Collecting and disclosing employees’ personal information related to the novel Coronavirus (COVID-19) pandemic
1. Effective Date
This implementation notice takes effect on March 13, 2020.
This implementation notice is issued pursuant to paragraph 71(1)(d) of the Privacy Act.
This implementation notice provides guidance to privacy officials to support them in providing advice to their institution concerning the collection and disclosure of employees’ personal information related to the novel Coronavirus (COVID-19) pandemic.
On March 11, 2020, the World Health Organization confirmed COVID-19 as a controllable pandemic. The Government of Canada has implemented exceptional measures to curb the COVID-19 pandemic and protect the health and safety of federal employees. Government institutions may be involved in collecting information from their employees in relation to the management of the COVID-19 pandemic.
The questions and answers in Annex A are intended to assist privacy officials to provide consistent advice regarding questions that arise in their institutions.
This implementation notice applies to the government institutions as defined in section 3 of the Privacy Act, including parent Crown corporations and any wholly owned subsidiary of these corporations.
Related Treasury Board Policy Instruments
Members of the public may contact Treasury Board of Canada Secretariat Public Enquiries for information about this implementation notice.
Employees of federal institutions may contact their Access to Information and Privacy (ATIP) coordinator for information about this implementation notice.
Questions and answers: Collecting and Disclosing Employees’ Personal Information Related to the COVID-19 Pandemic
1. Does an institution have the authority to collect personal information related to COVID-19 exposure or infection from employees during the COVID-19 pandemic?
Yes. Institutions have legal authority to collect personal information relating to COVID-19 in fulfillment of their responsibilities for health and safety in the workplace under the Canada Labour Code. This includes the collection of the identities of employees who have been exposed to COVID-19 (presumptive or confirmed), who are being tested for COVID-19, who have tested positive for COVID-19, or who are exhibiting symptoms of COVID-19.
Institutions also have legal authority to collect personal information pursuant to paragraph 7(1)(e) and subsection 11.1 of the Financial Administration Act for the purposes of managing human resources. This would include, for example, collecting information as to whether an employee who is required to be physically present at a work location must self-isolate due to exposure or infection in order to apply the appropriate leave.
Considerations respecting the collection and disclosure of the identities of these individuals are set out below.
2. What personal information can be collected as it relates to occupational health and safety activities?
The Occupational Health and Safety Personal Information Bank permits the collection of an individual’s name and limited medical information, such as the fact that the individual has been tested for or diagnosed with COVID-19 (see Standard Personal Information Bank PSE 907).
The determination whether a piece of personal information relates to the health and safety of individuals in the workplace involves a consideration of the rights and obligations under Part II of the Canada Labour Code and the medical and factual information pertaining to COVID-19 and the pandemic more generally. The Public Health Agency of Canada provides the latest information and advice related to COVID-19 on their website. Your legal advisors will be able to advise on specific situations.
3. Is there authority under section 4 of the Privacy Act to collect information about an identifiable person’s diagnosis of COVID-19 for the purpose of informing other individuals in the workplace who may have been in contact with the sick employee?
This will depend on the circumstances. Collection of personal information related to an individual’s diagnosis to inform other individuals in the workplace that they may have been in contact with a sick employee is required by the occupational health and safety program to protect the health and safety of other employees where there has been the possibility of exposure in the workplace.
Where there is no possibility of exposure in the workplace, however, there is no authority to collect the information solely for the purpose of informing others. For example, if an employee is diagnosed with COVID-19 but has been on maternity leave and out of the office for 6 months, there is no collection authority as there is no health and safety impact to others in the workplace of that individual’s diagnosis. Generally, collection should be limited to what is needed to implement guidance from public health authorities as it applies to the workplace. The Public Health Agency of Canada provides the latest information and advice related to COVID-19 on their website.
There may be other aspects of the occupational health and safety program that may require collection of personal information related to an individual’s diagnosis. For example, the presence of an infected or potentially infected individual at work may trigger additional occupational health and safety obligations, such as a requirement to investigate and fulfil related record-keeping and reporting obligations. In such circumstances, it would be legitimate to collect personal information that is demonstrably required for that specific process (applying the minimum collection principle).
Other programs or activities specific to government institutions may support the need to collect personal information related to an individual’s diagnosis. The determination of whether other authorities exist should be made on a case-by-case basis, in consultation with the ATIP office and legal advisors.
4. If personal information has been lawfully collected, can an institution ask for consent from an affected individual to disclose his or her diagnosis of COVID-19?
Yes. Institutions can request the consent (preferably in writing) of the affected individual to disclose their infection status. The individual must be made aware of to whom the information will be disclosed, for what purpose, and how the information will be used in order for the consent to be considered valid.
In some circumstances, it may be appropriate to advise the individual that even if they do not provide consent, the head of the government institution may nevertheless disclose the information if they are of the opinion that there is a public interest that outweighs the invasion of privacy resulting from the disclosure.
5. Can personal information relating to an individual’s diagnosis of COVID-19 be disclosed without their consent?
Disclosure of personal information related to COVID-19 should be considered on a case-by-case basis.
In considering the disclosure of the name or identifying attributes of an individual diagnosed with COVID-19 for the purpose of ensuring the health and safety of other employees, officials should first explore whether the desired result could be achieved without disclosing the identifying information in order to minimize loss of privacy. For example, institutions could consider identifying only the work location(s) that an individual has attended while infected or potentially infected with the virus and the timeframe of their presence in those work locations.
There are circumstances in which the disclosure of information about an identifiable individual diagnosed with COVID-19 may be permitted. Subsection 8(2) of the Privacy Act outlines specific disclosure provisions which would allow institutions to disclose personal information without the consent of the individual.
Paragraph 8(2)(j) of the Privacy Act allows for the disclosure of personal information for research or statistical purposes if the purpose for which the information will be used cannot reasonably be accomplished unless the information is provided in a format that identifies the individual to whom it relates and the person or body to whom the disclosure is being made agrees in writing not to further disclose the information in a form that would identify the individual.
Paragraph 8(2)(m) of the Privacy Act may apply if the disclosure of personal information is deemed to be in the public interest. Disclosure may be deemed to be in the public interest if:
- the public interest in disclosure clearly outweighs any invasion of privacy that could result from the disclosure; or
- the disclosure would clearly benefit the individual to whom the information relates (paragraph 8(2)(m) of the Privacy Act).
The determination of whether the disclosure of personal information is in the public interest should be made by the head of the government institution or a person with delegated authority on a case-by-case basis, in consultation with the institution’s ATIP officials and legal advisors. Notice must also be provided to the Office of the Privacy Commissioner in accordance with subsection 8(5) of the Act. While notification should optimally be provided before the disclosure, where that is not practicable, notification should follow as soon as possible afterwards.
Whether the information is disclosed with the consent of an individual or under a permissible disclosure provision of the Privacy Act, disclosure of identifying attributes of an individual should only be contemplated after other possible options have been carefully considered. When personal information about an individual diagnosed with COVID-19 is disclosed, it should be done on a need-to-know basis and individuals receiving the personal information should be reminded to maintain the confidentiality of the information.
6. Who can decide to disclose personal information under subsection 8(2)(m) of the Privacy Act?
In cases of disclosure made under paragraph 8(2)(m) of the Privacy Act, the decision to disclose can only be made by the head of the institution or person with delegated authority (usually the ATIP Coordinator). This is a legal requirement.
7. Can information about a non-identifiable individual be disclosed?
Generally speaking, the collection, use and disclosure of non-personal information is not restricted by the Privacy Act. The collection of the aggregate numbers of employees who have been affected by COVID-19 does not raise privacy concerns except if, in disclosing the aggregate number, the identity of a specific employee can be determined. This would occur in a situation where there are only a few employees in a workplace.
As a starting point, limiting aggregate data to places where there are ten or more employees would usually ensure that individuals can’t be identified, but this will depend on context. The test is whether the disclosure of the number of people would make them reasonably identifiable using information available to those accessing the aggregate data (e.g. publicly available information).
8. Who can assist me if I get an inquiry about COVID-19 that is privacy-related, and I do not know the answer?
Program officials should consult their ATIP officials for all privacy-related advice.
9. Can an institution or a government employee/official be held liable for a disclosure of personal information about an individual who has been diagnosed with COVID-19?
This is unlikely if the information was disclosed in good faith and was done in accordance with the Privacy Act. Section 74 of the Privacy Act makes it clear that “no civil or criminal proceedings lie against the head of any government institution, or against any person acting on behalf or under the direction of the head of a government institution, and no proceedings lie against the Crown or any government institution, for the disclosure in good faith of any personal information pursuant to this Act, for any consequences that flow from that disclosure, or for the failure to give any notice required under this Act if reasonable care is taken to give the required notice.”