|
April 2020 Charity & NFP Law Update Federal Privacy Commissioner Releases Privacy Framework for COVID-19 In response to the COVID-19 pandemic, the Office of the Privacy Commissioner of Canada (“OPC”) released Privacy and the COVID-19 Outbreak (the “Guidance”) on March 20, 2020, followed by A Framework for the Government of Canada to Assess Privacy-Impactful Initiatives in Response to COVID19 (the “Framework”) on April 17, 2020. Both the Guidance and Framework indicate that despite the pandemic, normal privacy laws will apply to organizations, including charities and not-for-profits (“NFPs”) unless emergency legislation provides otherwise. The Guidance, which was discussed in more detail in Charity & NFP Law Bulletin No. 468, provides a brief overview of the Personal Information Protection and Electronic Documents Act (“PIPEDA”), which applies to private-sector organizations that collect, use or disclose personal information in the course of commercial activities, as well as the Privacy Act, which applies to federal government departments and agencies, especially in terms of their application in the context of emergency situations. As discussed in previous publications, charities and NFPs that operate in provinces that do not have substantially similar provincial privacy legislation may be subject to PIPEDA to the extent that they are engaged in commercial activity. One of the key takeaways from the Guidance is the message that during a public health crisis, privacy laws still apply but they are not a barrier to appropriate information sharing. Building on this message, the Framework frames the discussion in the context of the urgency of the pandemic crisis and the fact that public health authorities are searching for ways to leverage personal information and “Big Data” to battle the virus. The Framework expresses the OPC’s concerns that more extraordinary and less voluntary measures may be taken that would have significant implications for privacy and civil liberties. Repeating the message that privacy laws and protections are not a barrier to appropriate collection, use and sharing of information, the Framework provides a set of principles that organizations and government should take into account when planning privacy-impacting measures to combat COVID-19. These principles include: (1) organizations must identify and continue to operate within lawful authority, i.e. in accordance with PIPEDA or substantially similar provincial laws, as applicable, for private sector organizations; (2) organizations must ensure that contemplated measures are necessary and proportionate (e.g. the public health purpose that the measure would achieve is science-based and specifically and precisely defined, the measure is rationally connected to that purpose, and, using an evidence-based approach, is necessary rather than simply potentially useful); (3) personal information collected, used or disclosed to alleviate the public health effects of COVID-19 must not be used for other reasons; (4) deidentified or aggregate data should be used as much as possible and organizations should be aware of the risks of re-identification. Physical, administrative and technical safeguards appropriate to the sensitivity of the information must be used to protect personal information collected; (5) organizations should consider how vulnerable groups may be uniquely and disproportionately impacted, including greater sensitivities for certain groups; (6) organizations should be transparent and continually provide clear and detailed information about new and emerging measures and about the purposes for which personal information is being collected; (7) organizations should weigh the benefits and risks of releasing public datasets as, even with aggregate data, there can be disproportionate impacts on vulnerable populations, such as with regard to geolocation data. The assessment of how granular data sets can be will depend on the context; (8) any new crisis-specific laws and measures should provide specific measures for oversight and accountability; and (9) privacy-impacting measures should be time-limited so that they end when they cease to be required, and most personal information that was collected is destroyed once the crisis ends, and measures should be limited as much as possible in terms of the types and range of personal information collected, used and disclosed during the crisis. Charities and NFPs that collect, use, or disclose personal information in the course of their commercial activities pursuant to PIPEDA, and those that comply with PIPEDA as a matter of practice, should review the Guidance and Framework. Both documents provide helpful guidelines for how to balance privacy interests against the need to contain and defeat the COVID-19 virus. Read the April 2020 Charity & NFP Law Update Direction and Control: Current Regime and Alternatives
|
Subscribe
TO OUR NEWSLETTER & STAY UP-TO-DATE