Provincial health orders, guidance and physical distancing measures in response to COVID-19 have changed the way Canadians are working and studying. Organizations are suddenly more reliant on technical tools and approaches to doing business which have not all been fully vetted for privacy and security.
Over the past few weeks, Canadian privacy commissioners have made several announcements and have published guidance documents to help Canadians understand their privacy rights and obligations in light of COVID-19. We have outlined below the recent guidance from B.C. and across Canada.
B.C. Guidance for Online Tools
The transition to a remote workplace and classroom has resulted in an increased reliance on tools such as videoconferencing software to help individuals remain connected to their colleagues, patients, customers, teachers and others. On March 26, 2020, the B.C. government issued a ministerial order temporarily exempting public bodies from the "in Canada Only" requirements in B.C.'s public-sector privacy legislation, the Freedom of Information and Protection of Privacy Act ("FIPPA"). We discuss this order in detail in our earlier blog post. This temporary exemption is intended to ensure that public sector workers have access to the necessary technological tools to do their jobs, and that those involved in health care are able to share personal information on an urgent basis. However, public bodies were reminded that they still have to do some due diligence before using third-party tools and applications that disclose personal information outside of Canada. The head of the public body must be satisfied that:
- the third party application has reasonable security measures to protect against risks such as unauthorized access, collection, use disclosure or disposal; and
- the public body makes all reasonable efforts to remove personal information which is collected, used or disclosed through a third-party application from the third-party application, as soon as is operationally reasonable, and the public body retains and manages the information.
On April 8, 2020, the Office of the Information & Privacy Commissioner for British Columbia ("BC OIPC") published a guidance document entitled FIPPA and online learning during the COVID-19 pandemic.
The considerations raised by the BC OIPC would be useful for any organization implementing new third party tools. In the guidance document, the BC OIPC makes several recommendations to educators to ensure that online learning tools comply with FIPPA:
- Business model: determine how the company makes money, and in particular, whether it makes money by re-selling personal information collected through the tool. The BC OIPC cautions that companies which offer services for free often make money from the personal information input into the tool by users (i.e. "data mining"). While the company may simply be using that information for itself, it could also be selling it to other companies. The BC OIPC notes that while it may be tempting for educators to use free products that they are familiar with in their personal lives, that does not necessarily mean the products are suitable for online learning or compliant with FIPPA.
- Jurisdiction: not all jurisdictions provide the same level of protection to personal information. Look for companies headquartered in jurisdictions with strong privacy laws, such as Canada and the European Union.
- Data storage: while the location of the company's headquarters is important, the company may still store data in another country or countries. Find out where its servers, data backups, and disaster recovery are located. Since public bodies must still ensure that they take all reasonable steps to delete the information from outside Canada once they are done with it (i.e. once we return to traditional classroom learning), make sure that the online tool allows users to delete information from the tool.
- Security settings: educators should set the default security settings to the highest level of security available and instruct users to do the same. For example, turn on end-to-end encryption on videoconferencing platforms, where an available feature.
- Limit disclosure: disclose as little personal information as possible and avoid the use of unique identifiers such as student numbers and date of birth. Use pseudonyms or first names only, where possible.
- Work e-mail and secure file transfer: use work e-mail accounts and look into whether a secure file transfer site can be set up to exchange class materials. Look into whether your organization can purchase software to install on its own servers.
- Privacy impact assessment ("PIA"): public bodies are still required to conduct PIAs in accordance with FIPPA. In this guidance, the BC OIPC refers educators to template PIAs for online learning platforms on the Focused Education Resources website.
While this guidance is intended for educators governed by FIPPA, private sector organizations governed by the Personal Information Protection Act also have privacy obligations, including the obligation to implement safeguards to protect personal information in their custody or under their control. As such, all organizations would benefit from carefully reviewing the third party tools that they are using to facilitate remote working.
The BC OIPC has also issued the following:
- A statement reminding individuals that the B.C. Provincial Health Officer has broad authority to collect and use personal information in the public interest during these times.
- A guidance document with tips for public bodies and organizations in setting up remote workspaces. This guidance discusses best practices with respect to mobile devices, emails, and paper records.
Below, we have summarized some other COVID-19-related announcements made by the Canadian privacy commissioners over the past few weeks.
The Privacy Commissioner of Canada ("OPC") has issued guidance to organizations that are subject to federal privacy laws on their privacy obligations during the COVID-19 pandemic. The OPC reminds organizations that while normal privacy laws still apply during the pandemic, federal privacy legislation does permit the collection, use and disclosure of personal information without consent in limited circumstances. The guidance provides some examples of how those exceptions to consent may apply in the context of COVID-19.
The Office of the Information and Privacy Commissioner of Alberta ("AB OIPC") has published three notices:
- A notice explaining what public bodies should do if they are unable to access or process records in response to an FOI request as a result of COVID-19.
- A notice reminding health care custodians that the requirements for submitting PIAs have not been relaxed during the current public health emergency. However, the AB OIPC acknowledges that what constitutes "reasonable safeguards" during a public health emergency may be different from normal circumstances. Where a health care custodian is considering new administrative practices or information systems to combat COVID-19, and those practices/systems have privacy implications, custodians are asked to notify the Alberta commissioner (which can be done via email).
- A notice that it will accept affidavits that have been commissioned according to the instructions issued by the Alberta Court of Queen's Bench.
The Office of the Saskatchewan Information and Privacy Commissioner published a statement reminding public bodies, health trustees and private sector organizations of their obligations with respect to personal information and personal health information in a pandemic.
The Information and Privacy Commissioner of Ontario ("IPC") published a notice which has answers to frequently asked questions about compliance with Ontario's privacy laws in during this pandemic. While the timelines for responding to requests for access to or correction of information remain in force, the IPC will consider these exceptional circumstances when evaluating appeals relating to deemed refusals. Time limits for initiating complaints or appeals to the IPC are "frozen" as of March 16, 2020. Individuals, institutions, health information custodians and child and family service providers can use online complaint and breach report forms (as applicable) to file complaints or report privacy breaches. The IPC also acknowledges that many employees are now working from home, and may need to handle personal information from their homes. It directs institutions to guide staff working from home on how to work within a privacy-protected environment.
Newfoundland and Labrador
The Office of the Information and Privacy Commissioner of Newfoundland and Labrador has published a presentation entitled, Don't Blame Privacy – What To Do and How to Communicate in an Emergency. It informs public bodies and custodians about information collection, use and disclosure in emergency situations.
The Yukon Information and Privacy Commissioner has published two guidance documents: Disclosure of Personal Information During an Emergency in Yukon, and Working Remotely: Guidance for Employees of Public Bodies and Custodians.
The Office of the Information and Privacy Commissioner of the Northwest Territories has published a notice summarizing the privacy laws applicable to public bodies, health custodians and private sector organizations.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.