How far can employers go when it comes to requesting information from workers?
Last week, we looked at some of the practical considerations around what an employer should be thinking about when implementing a mandatory vaccination policy at the workplace.
But what about privacy, especially when we are talking about potentially sensitive employee medical information? Canadian HR Reporter asked Lyndsay Wasser, partner in privacy and data protection at McMillan in Toronto, about some of the ways employers should safeguard that data.
Q: What should be included in a written policy?
A: “From a privacy law perspective, the considerations will vary somewhat because the legislation varies depending on the jurisdiction and whether it’s a private sector or public sector organization, but the federal, provincial and territorial privacy commissioners have issued a joint statement on privacy and COVID-19 vaccine passports — as they call them — which is really just proof of vaccination.
“As part of that, what they suggested is that there certainly needs to be defined purposes as to why it’s necessary to collect this information and consideration of the effectiveness and the proportionality of the policies. But in terms of the content of the policy, what would certainly be addressed is the purposes for which the information is being collected and will be used, and there should be information about how long the information will be kept, and who it will be shared with, and also the retention period for how long the information is going to be retained.
“One of the most important things is to make sure that the purposes are accurately described and described in full because often the policy is serving a statutory notice requirement and in some jurisdictions, information about employees can only be collected if the purposes have been explained in advance.
“What you don’t want is to have a partial list of purposes in your policy and then use the information for another ancillary purpose that wasn’t made clear because that would put you outside privacy legislation.
“The policy should also contain information on who the individuals should contact if they have questions and if they want to access or correct any information that the company has on file with respect to their vaccination status.”
Q: What constitutes proof of vaccination for employees?
A: “The guidance privacy regulators have provided is that the organization should collect the minimum amount of information required in the circumstances — which is a general tenet of privacy law for anything — which is called data minimization: only collect, use and disclose the minimum information necessary to achieve your purposes.
“Obviously, the honour system is likely the least amount of information but keeping in mind the requirements of necessity, effectiveness and proportionality, you have to think about: is it going to be as effective to rely on the honour system if it could be that employees are misrepresenting or misunderstanding in some way a requirement? And will that be as effective?
“If there’s a way to confirm vaccination status, short of the full vaccination certificate, then that’s helpful as well.
“One method that has some merit to it is having individuals display or present to an authorized person their proof of vaccination but not having the company copy or retain that documentation. In other words, show it to the person so that they make a note that they’ve confirmed vaccination, but that way you’re not retaining more information than you need to.
“That may be easier said than done when many workers are remote at this time but the key is to design a process that takes into account that data-minimization principle.”
Q: How should an employee’s private medical information be secured?
A: “There are a number of best practices. The requirement is to implement appropriate physical, technological and organizational safeguards that are appropriate to the sensitivity of the information, and also the format and method of storage of the information: those are the overarching statutory requirements.
“What that means in practice is if you’re maintaining information in electronic form, you’ll want it to be accessible only to the authorized individuals. Whether that is in private files or password-protected files, [the employer] might want to consider encryption given the sensitivity of the information.
“Physical safeguards would be things like making sure that any information that’s in hard copy is locked up in filing cabinets and not left out on desks and then organizational safeguards are things like appropriate policies and procedures, that individuals who have access to the information are required to follow when they’re handling that information.
“Organizations need to think about both the transmission of the information — so if you’re asking individuals to provide the proof of vaccination, you have to make sure that you set up a secure form of transmission — and then also, once the information is within the hands of the organization, to make sure that the physical and the technological and the organizational safeguards are in place.
“Generally, health information should be kept separate and apart from the individual personnel file, the general HR file, because likely the authorized person to access that information is a smaller group, whereas the personnel file might be accessible to a broader HR group or to a manager in some circumstances, but the health information should definitely be restricted on a strict need-to-know basis, which means that essentially it’s preferable to keep it separate.
“The privacy regulators’ guidelines also suggest that the creation of central databases nationally or across jurisdictions shouldn’t be permitted, but rather it is better to store that information locally as well.”
Q: Who should have access to the data?
A: “The general principle is that access should be strictly limited to those who have a need to know the information to perform their job duties.
“If there is an individual or a small group responsible for the health and safety of the workforce or for managing the company’s COVID response processes and procedures, those will be the people who would need access. But again, if you have a large HR group within your organization and only certain individuals have been tasked with implementing appropriate controls for preventing and reducing the spread of COVID-19, then it would be that task force or team that would have access, but it should really be a tight-knit group of individuals who need to perform the duties.
“The key thing to remember is that we are dealing with a very dynamic, changing legal landscape. The government guidance and the legislation and case law are coming out on a rolling basis, sometimes quite quickly, so it’s really important for organizations to make sure that when they are making decisions or changing their plan, they do make sure they get up-to-date guidance; even guidance from a few weeks ago is already going to be out of date, unfortunately. It is critical to keep abreast of the new developments.”