Canadian Data Privacy Regulator Releases Guidance for Canadian Privacy Law Compliance During COVID-19

Building on previous guidance released in March 2020, the Office of the Privacy Commissioner of Canada (OPC) recently released a privacy compliance framework to guide organizations’ compliance with applicable Canadian privacy laws during the COVID-19 outbreak, including the Privacy Act, which applies to federal agencies, and the Personal Information Protection and Electronic Documents Act (PIPEDA), which applies to private-sector organizations.

These releases from the OPC provide guidance to organizations attempting to balance individuals’ privacy with the need to collect and track sensitive personal information, such as health and location data, in the fight against COVID-19. These exemptions may allow for an increased flow of information in response to COVID-19. As stated in the March 2020 guidance, potentially applicable exemptions to PIPEDA’s notice and consent requirements include situations where:

  • The collection is clearly in the interests of the individual and consent cannot be obtained in a timely way, such as if an individual is critically ill or in a particularly dangerous situation, and needs help.
  • The collection and use is for the purpose of making a disclosure required by law (e.g., a public health authority has the legislative authority to require the disclosure).
  • The disclosure is requested by a government institution under a lawful authority to obtain the information and the disclosure is for the purpose of enforcing or administering any law of Canada or a province.
  • The disclosure is made on the initiative of the organization to a government institution, which has reasonable grounds to believe that the information relates to a contravention of the laws of Canada, a province or a foreign jurisdiction that has been, is being or is about to be committed (e.g., there is a good-faith belief that someone is violating a valid quarantine order).
  • The use or disclosure is for the purpose of acting in respect of an emergency that threatens the life, health or security of an individual, such as if an individual requires urgent medical attention, and they are unable to communicate directly with medical professionals.

In its April 2020 guidance, the OPC supplemented its earlier guidance, noting that “[d]uring a public health crisis, privacy laws and other protections still apply, but they are not a barrier to the appropriate collection, use and sharing of information.” To that end, the OPC laid out nine privacy principles to guide organizations in responding to COVID-19 in a way that minimizes the privacy impact on individuals. While the April 2020 compliance framework is primarily intended to guide government agencies in compliance with the Privacy Act, a majority of these principles apply to private entities struggling with PIPEDA compliance.

  1. Legal authority: any proposed measures to combat COVID-19 must have a clear legal basis.
  2. Necessity and proportionality: the measures must be necessary and proportionate, and, therefore, be science-based and necessary to achieve a specific identified purpose.
  3. Purpose limitation: personal information must be used to protect public health and for no other purpose.
  4. Safeguarding measures: use de-identified or aggregate data whenever possible.
  5. Vulnerable populations: consider the unique impacts on vulnerable groups.
  6. Openness and transparency: provide clear and detailed information to Canadians about new and emerging measures, on an ongoing basis.
  7. Open data: carefully weigh the benefits and risks of the release of public datasets, giving particular attention to health and location data, and impacts on vulnerable populations.
  8. Oversight and accountability: new laws and measures specific to the crisis should also provide specific provisions for oversight and accountability.
  9. Time Limitation: privacy-invasive measures should be time-limited, with obligations to end when they are no longer required.

TIP: Companies should be thoughtful about the purpose and scope of data collection and proactively monitor guidance issued by regulators to stay within legal expectations.

This entry has been created for information and planning purposes. It is not intended to be, nor should it be substituted for, legal advice, which turns on specific facts.