As businesses around the world struggle to adapt to life amid the COVID-19 pandemic, what happens when an organization is faced with an emergency situation involving someone’s personal information? For example, what is a retailer to do if public health officials are attempting to trace the movements of an infected person and that person may have shopped at one of that retailer’s stores? Can the retailer disclose any information about that person, and if so, what?
In Canada, organizations that are subject to the Personal Information Protection and Electronic Documents Act (PIPEDA) are subject to the general rule that they must have express or implied consent to collect, use or disclose personal information in the course of their commercial activities. PIPEDA also provides an overarching principle that collection, use and disclosure of personal information must be for purposes that a reasonable person would consider to be appropriate in the circumstances.
While the consent rule is broad, there are a number of exceptions to it. Some of these exceptions are helpful in emergency situations.
Collection – Section 7(1) of PIPEDA lists a number of circumstances in which information may be collected without consent. Included among these exceptions are the following:
- the collection is clearly in the interests of the individual and consent cannot be obtained in a timely way;
- it is reasonable to expect that the collection with the knowledge or consent of the individual would compromise the availability or the accuracy of the information and the collection is reasonable for purposes related to investigating a breach of an agreement or a contravention of the laws of Canada or a province.
Use – Section 7(2) of PIPEDA sets out the exceptions to the consent requirement for use of personal information. Personal information may be used without consent in either of the cases described above under “Collection.” In addition, it may be used without consent for the purpose of acting in respect of an emergency that threatens the life, health or security of an individual. The purposes for which the information may be used in all of these situations can be different than the purposes for which the information was originally collected.
Disclosure – Section 7(3) of PIPEDA provides a wide range of situations in which personal information may be disclosed without consent. Of those various exceptions, the following may be germane to a national/local emergency:
- a disclosure made to a government institution or part of a government institution that has made a request for the information, identified its lawful authority to obtain the information and has indicated that
- it suspects that the information relates to national security, the defence of Canada or the conduct of international affairs;
- the disclosure is requested for the purpose of enforcing any law of Canada, a province or a foreign jurisdiction, carrying out an investigation relating to the enforcement of any such law or gathering intelligence for the purpose of enforcing any such law;
- the disclosure is requested for the purpose of administering any law of Canada or a province; or
- the disclosure is requested for the purpose of communicating with the next of kin or authorized representative of an injured, ill or deceased individual;
- the disclosure is necessary to identify the individual who is injured, ill or deceased, made to a government institution, a part of a government institution or the individual’s next of kin or authorized representative and, if the individual is alive, the organization informs that individual in writing without delay of the disclosure;
- the disclosure is made to a person who needs the information because of an emergency that threatens the life, health or security of an individual and, if the individual whom the information is about is alive, the organization informs that individual in writing without delay of the disclosure.
As in the case of “Use,” the purposes for which the information may be disclosed in these scenarios can be different purposes than those for which the information was originally collected.
Of course, in times of national or local emergencies, the powers of government authorities to demand personal information may be quite broad. The privacy challenge is to provide the requested information while upholding privacy principles.
Although the Office of the Privacy Commissioner of Canada has not issued recent guidance on this issue, its 2011 submission to the Government of Canada’s Beyond the Border working group public consultations1 included the recommendations that any sharing of personal information in health emergency situations should be narrowly defined, appropriately limited and directly relevant to the specified health emergency. The OPC also urged that personal information should not be used for any purpose other than the specific purpose for which it was disclosed in the emergency, and that it should be protected with appropriate security safeguards, retained only for as long as is necessary to fulfill the purposes related to the specific health emergency and that it should be held in confidence unless a statutory obligation mandates disclosure.2
For organizations seeking to comply with PIPEDA while providing timely and useful information sought by government authorities during a pandemic, we recommend that they carefully review the available PIPEDA exceptions, release the minimum amount of information required, document the request for information as well as a list of the released information, and, in the case of reliance on the exceptions permitting disclosure without consent because of the need to identify an individual or an emergency that threatens the life, health or security of an individual, provide immediate written notification to the individual of the disclosure.
As always, we are here to assist our clients in complying with their PIPEDA obligations. We will update this elert as further information becomes available.
1 Government of Canada, Beyond the Border: a shared vision for perimeter security and economic competitiveness: A declaration by the Prime Minister of Canada and the President of the United States of America, (Ottawa, February 4, 2011), online: <http://www.borderactionplan-plandactionfrontalier.gc.ca/psec-scep/declaration-declaration.aspx>.
2 Office of the Privacy Commissioner of Canada, Fundamental Privacy Rights within a Shared Vision for Perimeter Security and Economic Competitiveness, (Ottawa: OPC, June 2011), online: <https://www.priv.gc.ca/en/opc-actions-and-decisions/submissions-to-consultations/sub_bs_201106/#fn2.>