Privacy rights are never absolute in nature. Rather, in each case, there must be a careful assessment and balancing of competing interests, with a determination about what is reasonable in the circumstances. Many times, the result depends on the particular facts of a given situation. We can see this in privacy laws, all of which recognize multiple exceptions to the general rule that “personal information” (that is, information about an identifiable individual) can only be collected, used and disclosed with consent.
For business owners, COVID-19 is no different.
On the one hand, it is well understood that medical information is incredibly sensitive. There are many rules that limit the extent to which employers and others can demand and use their employees’ medical information. Those concerns are particularly acute in the context of a pandemic, given the stigma that attaches to a positive test for COVID-19 and the potentially life-threatening consequences of a diagnosis.
On the other hand, a business has obligations under workplace safety and health laws to take steps to ensure the safety of its employees. There are moral (if not legal) duties to warn other employees and customers of any risks that have been created by exposure to a person who has developed COVID-19.
We are seeing these issues in at least two scenarios. First, with respect to requests of employees for information related to their potential exposure to, and contraction of, COVID-19. Second, with respect to warning other employees and customers who may come into contact with a person who has, or was exposed to, COVID-19.
It’s clear that in either case, action taken by the employer or business will negatively impact on an employee’s privacy rights. The challenging question is whether the benefits that arise from any infringement outweigh the infringement of an employee’s privacy. This involves a consideration of the risk and whether asking for or sharing the employee’s medical information will be effective to help reduce that risk. What we know about COVID-19 continues to develop, so it’s important to remember that today’s answer might be different, tomorrow. And, no two scenarios are exactly the same, owing to the highly fact-specific factors that are used to assess risk, and the related risk mitigation measures.
With that in mind, it is extremely difficult to lay down black-and-white rules about the role privacy plays, in decisions like this. In each case, a principled decision must be made, based on a number of factors.
Understanding what privacy laws apply to your business, in these circumstances.
In Manitoba, private-sector, provincially regulated businesses are not subject to any general privacy laws, when it comes to how they collect, use and disclose employee personal information, as part of their management of the employment relationship. Federally-regulated private sector businesses are subject to the Personal Information and Protection of Electronic Documents Act (or PIPEDA), when they handle employee personal information.
Public-sector employers must follow The Freedom of Information and Protection of Privacy Act (or FIPPA), while health care providers and other “trustees” must follow The Personal Health Information Act (or PHIA).
In a unionized workplace, the collective agreement might impose its own privacy obligations.
In each case, you need to look at the applicable laws, and determine whether they prohibit or permit the particular collection, use or disclosure of personal information that is at issue (whether that’s asking an employee for updates about their health, or disclosing an employee’s medical condition to others).
Generally speaking, these laws allow for the collection and disclosure of personal information without consent, but only to prevent an emergency. Depending on the circumstances, that might be applicable, but it might not, either.
Even if you aren’t in these circumstances subject to a privacy law of general application, there are a number of reasons why you should tread carefully (including the proliferation of statutory or common law privacy torts, which allow people to sue others for invading their privacy).
Consent isn’t a silver bullet (but it’s helpful).
While privacy laws do not allow people to consent to unreasonable collections, uses or disclosures of their personal information, a common thread among these laws is that personal information can be managed with a person’s permission.
So, if you have an employee who has indicated to you that they have tested positive for COVID-19, or that they were exposed to COVID-19, you may seek their cooperation to the disclosure of their condition to any co-workers or customers who may have been exposed to a threat.
Ensure any requests for information are carefully tailored, so as to receive the minimal amount of medical information that is necessary (see below). There is no need to enquire about unrelated, underlying medical conditions, for example.
Collect and use as little personal information as is necessary.
It is a cardinal rule of privacy law that a business should collect, use or disclose no more personal information than is necessary, to accomplish the purposes that are sought to be achieved.
If you are concerned that a sick employee has come to work and may have exposed other employees and clients to COVID-19, do not ask the employee to share with you any more than is necessary to help you understand the nature of the risk. You don’t need to know, for example, who the employee has seen or what they have done post-exposure outside the workplace, because your interest is limited to your workplace. This is in many respects similar to how privacy laws look at employee off-duty conduct more generally.
If you’re asked by an employee about why another employee is working remotely, unless it is necessary to warn the employee, there is no need to discuss the details of another employee’s working arrangements (in that sense, it is no different than when an employee goes on a medical leave – other employees have no interest in knowing why the employee went on leave).
If you want to make others in the workplace aware that they may have been exposed to COVID-19 from a co-worker, keep in mind the objective – reducing the risk. In order to do that, co-workers need to understand that they may have been exposed, where the exposure occurred, when and for how long. In many (if not most) cases, it is not necessary for other co-workers to know who the particular co-worker is. Rather, a targeted description of the circumstances in which close contact with the affected co-worker occurred would be sufficient.
We aren’t medical experts – some things are better left to the experts.
As indicated above, this is about risk, and the amount of risk is driven by medical information. Unless you are yourself a medical professional, it may be difficult to make an informed assessment. Leave it to the experts – in Manitoba, you call Health Links at 204-788-8200 in Winnipeg or toll free at 1-888-315-9257. While there may be a wait time before you are able to speak with a trained health professional, this can be an excellent resource to help you understand the risk and next steps you can and should be taking.
If it becomes necessary to notify individuals who may have been exposed to COVID-19, these public health officials have the knowledge that is needed in order to make the notifications and answer any follow-up questions that might arise. They may also be able to make the notifications directly.
Privacy regulators can help.
Many privacy regulators have already published guidance to help businesses understand their privacy obligations, as they relate to COVID-19. The Office of the Privacy Commissioner, which interprets PIPEDA, has published a statement here: https://www.priv.gc.ca/en/privacy-topics/health-genetic-and-other-body-information/health-emergencies/gd_covid_202003/. This statement also contains links to materials that have been prepared by other Canadian privacy regulators.
Be prepared for shifting rights and responsibilities.
The situation regarding COVID-19 remains extremely dynamic. Do not assume that yesterday’s course of action is appropriate today. Keep your eyes and ears open for regulatory and legal developments that might change your rights and responsibilities.
Act quickly, but carefully.
Senior World Health Organization (WHO) officials have indicated that it is better to be quick than perfect, in the response to COVID-19. The same principle applies to a business, when it comes to ensuring it is meeting its privacy obligations. That said, there is a difference between moving swiftly and moving carelessly. Ensure you consider these obligations before you act, even if you need to act quickly.
Please do not hesitate to contact your relationship partner or lawyer if you have any questions or if we can be of assistance in guiding you through these new challenges.
This article was prepared by:
ANDREW J.D. BUCK
This article represents general information and is not legal advice. Please contact us if you would like legal advice that is tailored to your particular circumstances. We would be happy to help.