30 April 2020, 9:40 a.m.
(Disponible en français : Protection des renseignements personnels et sécurité des données en temps de pandémie)
To quickly limit the spread of the coronavirus (COVID‑19), the federal government could consider exceptional measures – some of which would infringe on privacy – such as the use of personal information and big data to learn more about the virus. In addition, the pandemic is forcing an unusually large number of people to work from home, increasing the risk to data security and confidentiality. In this context, what are the obligations of federal institutions and private sector organizations and how can personal information protection and data security be ensured with respect to telework?
Obligations under Federal Privacy Legislation
Federal privacy legislation consists primarily of the Privacy Act, which deals with the handling of personal information by federal government institutions, and the Personal Information Protection and Electronic Documents Act (PIPEDA), which seeks to protect personal information in the private sector. Responsibility for ensuring compliance with these acts rests with the Privacy Commissioner of Canada, an Agent of Parliament whose mission is to protect and promote privacy rights.
On 20 March 2020, the Office of the Privacy Commissioner of Canada (OPC) issued guidance to help organizations subject to federal privacy laws understand their privacy-related obligations during the COVID‑19 pandemic. In this document, the OPC reiterates that, during a public health crisis, privacy laws are not a barrier to appropriate information sharing. The OPC also notes that privacy laws still apply unless emergency legislation provides otherwise.
On 17 April 2020, the OPC released a framework for federal institutions to assess privacy-impactful initiatives in response to COVID‑19. This document accompanies the previously issued guidance and sets out nine key privacy principles, including necessity and proportionality (which means essentially that the measures are evidence-based, necessary for the specific purpose identified and not overbroad), openness and transparency, and time limitation of the measures in question.
The Privacy Act
Section 4 of the Privacy Act provides that “[n]o personal information shall be collected by a government institution unless it relates directly to an operating program or activity of the institution.” However, some exceptions allow government institutions to collect, use or disclose personal information without consent.
For example, paragraph 8(2)(f) of the Privacy Act provides that personal information may be disclosed without consent under an agreement between the Government of Canada and the government of a province or foreign state, an international organization of states or certain First Nations councils for the purpose of enforcing any law or carrying out an investigation. In this regard, the OPC notes that the Government of Canada is represented in a multi-lateral information sharing agreement as part of the Pan-Canadian Public Health Network.
The Personal Information Protection and Electronic Documents Act
PIPEDA applies to private sector organizations and federal works, undertakings or businesses that collect, use or disclose personal information in the course of commercial activities and to information about employees of federal works, undertakings or businesses. PIPEDA governs these activities federally and in the territories, and in provinces that have not enacted legislation that is “substantially similar” to PIPEDA. It also applies to all businesses that operate in Canada and handle personal information that crosses provincial or Canadian borders, regardless of which province or territory they are based in.
Subsection 5(3) of PIPEDA allows an organization to collect, use or disclose personal information only “for purposes that a reasonable person would consider are appropriate in the circumstances.” An organization must also inform an individual and obtain the individual’s meaningful consent to collect, use or disclose personal information about the individual.
However, some exceptions allow an organization to collect, use or disclose personal information without consent. For example, under section 7 of PIPEDA, a public health authority could have the legislative authority to require the disclosure of personal information or a disclosure could be made to a government institution by an organization that has reasonable grounds to believe that the information relates to a contravention of federal, provincial or foreign law. In this regard, the OPC argues that this exemption would cover an organization disclosing to the government the fact that an individual is in contravention of a quarantine order.
Privacy and Cyber Security: Teleworking
Since the rapid implementation of teleworking inevitably exposes organizations to privacy and cyber security risks, it has been recommended that organizations in the public or private sector take preventive measures to mitigate these risks. For example, employers should:
- ensure that remote access to an organization’s data by employees is done securely by ensuring that the virtual private networks they use are properly secured;
- ensure that employees password-protect their access to any electronic devices used for work and enable encryption to ensure encrypted access;
- improve employee awareness and education on COVID‑19-related cyber security and threats (e.g., phishing attempts) so that employees are aware of online risks and can take appropriate precautions when teleworking; and
- limit the collection of data, including personal information, to what is absolutely necessary.
In a pandemic, cyber security becomes particularly important given the significant amount of work being done online outside of the workplace. Bad actors may attempt to take advantage of the situation by exploiting vulnerabilities in computer systems like out-of-date virtual private networks or unsecured servers in employees’ homes.
The pandemic has also led many organizations to introduce innovative ways to continue operations, including the use of new technologies. Web-based applications and software are now being used by many organizations to make phone calls, hold virtual meetings, work together on collaborative documents online, and for many other purposes.
However, the use of these technologies can pose privacy and cyber security risks. In a pandemic, the dramatic increase in the number of users of some technological platforms has highlighted some of their vulnerabilities in terms of confidentiality and data security.
To help Canadian organizations and Canadians ensure their online security in a pandemic, the Canadian Centre for Cyber Security has published a document offering a number of tips and information on a variety of topics, including teleworking. It has also issued an alert that lists considerations for the safe use of video-teleconference products and services.
It is therefore important for organizations that need to ensure business continuity in a pandemic to comply with privacy legislation. Special attention must also be paid to the security of confidential data exchanged online so that it is not compromised when teleworking.
As the OPC asserts, “[p]rivacy protection isn’t just a set of technical rules and regulations, but rather represents a continuing imperative to preserve fundamental human rights and democratic values, even in exceptional circumstances.”
European Union Agency for Cybersecurity, Tips for Cybersecurity When Working From Home, 24 March 2020.
Canadian Centre for Cyber Security, Cyber Hygiene for COVID‑19, 13 March 2020.
Chantal Bernier, Vie privée et gestion des pandémies: les balises juridiques, La Presse, 3 April 2020 [in French only].
Dentons, Privacy Law in the Context of Pandemics, 23 March 2020.
GibsonDunn, Privacy and Cybersecurity Issues Related to COVID‑19, 20 March 2020.
McCarthy Tétrault, COVID-19 – Managing Privacy and Cyber Issues, 17 March 2020.
National Institute of Standards and Technologies, Telework Security Basics, 19 March 2020.
Osler, Privacy and Security Challenges in the Wake of Covid‑19, 19 March 2020.
Authors: Alexandra Savoie and Maxime-Olivier Thibodeau, Library of Parliament