The COVID-19 pandemic raises privacy issues for businesses in British Columbia. How should a landlord respond if a tenant tests positive for COVID-19? What should an employer do if an employee discloses that she or he has the virus?
Under the Personal Information Protection Act (BC) (“PIPA”), organizations in British Columbia must not collect, use or disclose personal information without consent. However, obtaining timely consent may be difficult during emergency situations resulting from the COVID-19 pandemic.
PIPA applies to the collection use or disclosure of personal information within BC. The federal Personal Information Protection and Electronic Documents Act applies to organizations when personal information is disclosed over provincial or international borders. This article provides guidance on how organizations can comply with PIPA during the rapidly changing COVID-19 context.
Personal information means, in general terms, information about an identifiable individual. Information is generally considered personal information where there is a serious possibility that an individual could be identified through the use of the information, either alone or in combination with other available information.
Express vs. Implied Consent
In general, PIPA requires organizations to obtain express consent to collection, use or disclosure of an individual’s personal information. Nonetheless, consent may be implied in certain circumstances. For example, an individual who tells their landlord or employer that they have tested positive for or have symptoms of COVID-19 may be deemed to consent to the collection, use or disclosure of that personal information for reasonable purposes. However, what constitutes implied consent depends on the particular circumstances of each case, and organizations should be very cautious about relying on implied consent. Express consent is always preferable. In addition, PIPA provides several exceptions to the consent requirement which may apply during the COVID-19 pandemic.
Exceptions to Consent
Collection, Use and Disclosure
Consent is not required if the collection, use or disclosure by an organization of personal information:
- is clearly in the interests of the individual and consent cannot be obtained in a timely way;
- is necessary for the medical treatment of the individual and the individual does not have the legal capacity to give consent; or
- is required or authorized by law.
Consent is not required if use of personal information is necessary to respond to an emergency that threatens the life, health or security of an individual.
Consent to disclosure of personal information is not required if:
- disclosure is for the purpose of contacting next of kin or a friend of an injured, ill or deceased individual;
- disclosure is to a lawyer who is representing the organization; or
- there are reasonable grounds to believe that compelling circumstances exist that affect the health or safety of any individual and if notice of disclosure is mailed to the last known address of the individual to whom the personal information relates.
Employee Personal Information
PIPA does not require consent to collection, use or disclosure of personal information for the purposes of establishing, managing or terminating an employment relationship, provided that the employee is notified that their personal information will be collected, used or disclosed for those purposes. This exception may justify collection, use or disclosure of employees’ COVID-19 status without consent, especially in light of employers’ health and safety obligations during the COVID-19 pandemic (see this EKB article for an overview of those health and safety obligations).
As a matter of best practice, organizations should:
- obtain express consent to collection, use and disclosure of personal information where possible;
- minimize collection, use or disclosure to that which is necessary to achieve the purpose of the collection, use or disclosure;
- use adequate safeguards to protect unauthorized access to personal information; and
- pay attention to the rapidly changing COVID-19 context and tailor their approach accordingly.
EKB’s Information & Privacy team is experienced and knowledgeable in all areas of privacy law and is here to assist business owners navigating privacy issues in the context of the ever-changing COVID-19 pandemic.