COVID-19: 7 key questions on employee privacy

What kind of policy is needed? When should co-workers be notified?

Does privacy take a back seat during a pandemic when it comes to personal employee information?

Sort of, but there are rules that must be adhered to regarding the collection and dissemination of identifying information, according to a Calgary lawyer.

Adam LaRoche, associate at Osler Hoskin Harcourt in Calgary, provided Canadian HR Reporter with answers to seven questions that employers and HR professionals may be asking during the COVID-19 outbreak.

Q: If someone contracts the virus, do they have to inform their employer?

A: “Yes, they do. You can institute a workplace rule that requires employees to disclose whether they’re experiencing symptoms or have tested positive for the virus. That’s a reasonable collection and use of employee personal information in this case. It goes hand-in-hand with the declaration of emergency that’s in all provinces.”

Q: When should the public health authority be notified?

A: “Our guidance to date has been that you should contact your local health authority to let them know if there has been a transmission risk. The local health authority will typically step in at that point and handle or guide you through who you should contact. If somebody has been positively diagnosed and they’ve been in close contact with others, my view is you should be notifying those people. [But] you want to try to maintain the anonymity of the person who has actually contracted COVID. That’s not always possible.”

Q: What should you disclose about the employee?

A: “You can absolutely disclose the name and the age to the local health authority; I think you can even go so far as to disclose the identity. But they’ll inform you what information they need.

“Typically speaking, the local health authority will try to take it upon themselves to initiate some kind of contact tracing. Again, it depends on the region that you’re in. Some local health authorities are a lot more proactive about that, other local health authorities are just overwhelmed, so they’re not actually going to be able to initiate the full contact-tracing process.”

Q: When do co-workers need to be notified?

A: “If you end up identifying the person, whether expressly or it’s implied based on who you’re contacting — [for example] if two people share a specific workstation or they’re switching on and off between the same workstation over the course of the day it’s going to be pretty obvious if you notify the second person who’s come down with the illness — in that case, depending on the province — specifically if you’re in Alberta, B.C. or if you’re a federally regulated business under PIPEDA [Personal Information Protection and Electronic Documents Act] — there are exceptions that let you actually identify the person who has COVID, and in British Columbia, you have to actually notify the person that their personal information has been disclosed for an emergency purpose.

“Under the emergency exception, because there’s a real risk to the health and safety of the second person in that case, you can disclose the identity of the first person if you have to.”

Q: Should employers have a policy around this?

A: “Absolutely. Your initial policy doesn’t necessarily have to be fully developed; it can be something as simple as an email that sets out how the company is going to be handling these kinds of matters.

“Typically speaking, well-prepared employers will already have an employee privacy policy in place. It probably won’t address this specific circumstance and that’s OK because the legislation already considers this to be an exceptional circumstance and that’s why it deals with the emergency revisions.

“If you don’t have a policy in place, think about reaching out to your legal counsel just to get something quickly developed, so you can send it out to your employees [to say] ‘Here’s the work-from-home situation, you need to let us know if you or someone else in your household starts experiencing COVID symptoms.’

“And then enforce those policies to the best of your ability.”

Q: Is sending out a mass email a good place to start?

A: “That’s the first step. Most employers aren’t going to have the time right now to develop a comprehensive 15-page policy with proper definitions, so what you want to do is get your immediate policy out the door and that’s just a notice to your employees. In Alberta and B.C., and also from our perspective in Quebec and under PIPEDA, there’s a requirement that you provide sufficient notice to employees about the collection, use and disclosure of their personal information and the reasons for the collection, use and disclosure of the personal information.

“It’s not a strict consent requirement, so the notice is sufficient from the perspective of privacy legislation. For the most part, you have to tell employees how you’re going to be collecting, using or disclosing their PI (personal information); you don’t have to have them sign off on it so long as you’ve provided them with an adequate notice that describes what you’re doing and why you’re doing it.”

Q: How is privacy legislation involved during the pandemic?

A: “The first and most important thing to do is that you implement adequate safeguards including administrative, technical and physical safeguards to ensure that personal information isn’t compromised or subject to unauthorized access or destruction.

“The second thing that you want to do is determine how long you’re going to keep that personal information and develop some kind of a retention policy, because it’s highly sensitive.

“The general idea, and what’s required by the law in Alberta, B.C. and Quebec and what’s a suggested principle in the rest of Canada, is that you only keep that personal information for as long as you reasonably require it. By the end of the pandemic, you want to be destroying that information, or rendering it unreadable, because you don’t really have the purpose for keeping it anymore.

“The third thing that you have to do is develop a set of policies or procedures about how you’re going to use the information about employee-positive diagnosis to ensure that it’s, in fact, a reasonable use of that personal information.

“The trick with PIPEDA is that it does not apply to the collection, use or disclosure of employee personal information except in a federally regulated undertaking: pipelines, airlines, etc. PIPEDA tells those kinds of companies how and when they can collect personal information about employees.

“For every other business that’s not federally regulated, PIPEDA actually doesn’t apply in respect to the collection, use and disclosure of employee personal information. In every province, except for Alberta, B.C. and Quebec, there’s actually no laws about how you collect information about your employees, as long as it’s reasonably related to the employment relationship. In Alberta, B.C. and Quebec, there are provincial laws that deal with that.”
