Managing privacy and cyber risks during a pandemic

In a recent announcement, the Office of the Privacy Commissioner of Canada (OPC) reaffirmed its commitment to protecting Canadians’ privacy during the COVID-19 outbreak, stating that, “[d]uring a public health crisis, privacy laws still apply, but they are not a barrier to appropriate information sharing.” Other privacy commissioners throughout Canada have made similar statements.

Given the extraordinary nature of the current situation, organizations are understandably concerned about protecting the safety of their clients and employees. At the same time, they are increasingly being asked to reveal personal information about known or suspected cases of the virus within their establishments and to provide information about their employees and customers to different public authorities. This has led some to implement various screening measures (e.g. temperature checks, questionnaires, etc.) to reduce the chances of the virus spreading. Before collecting or disclosing any information about an identifiable individual, organizations must accurately assess their obligations under the laws that govern the protection of personal information in Canada (“Canadian Privacy Laws”) in order to determine the extent to which they may collect and share such information, and under what conditions.

Employers should also be aware of the increased security risks posed by malicious actors who want to take advantage of the disruption and confusion caused by the virus. In particular, many cyber security experts have warned about an increase in the number of phishing emails about COVID-19. Organizations must ensure that effective security measures are in place to protect both the health and physical safety of their employees and clients, as well as from a cyber risk perspective for employees working remotely.

We have published a bulletin in which we provide answers to the following key questions related to managing privacy and cybersecurity-related issues during a pandemic:

1- Can businesses lawfully request their employees disclose whether they have tested positive for the COVID-19 virus or been exposed to certain risk factors? Can employers request that employees undergo certain types of testing or compulsory checks?

2- In the context of a public health emergency such as COVID-19, when can organizations share personal information – including health-related information – with other employees, clients or regulatory authorities, without the consent of the affected individual(s)?

3- What must organizations do to comply with Canadian Privacy Laws and address the cybersecurity risks triggered by remote working arrangements and COVID-19?

Read our bulletin on this topic (French version is also available) or access our summarizing chart (legal provisions by jurisdiction) on this topic.

This content has been updated on April 2, 2020 at 14 h 30 min.