This tip sheet will help employers and workers understand the privacy considerations when personal information is collected during the COVID-19 pandemic.
For general COVID-19 prevention practices for both employers and workers, refer to these CCOHS resources:
Each workplace is unique. It is important for employers to assess the risks of COVID-19 for their specific workplace and implement appropriate hazard controls using the hierarchy of controls and taking a layered approach.
Personal and Health Information to Consider During the COVID-19 Pandemic
Privacy is considered a fundamental right for Canadians. Any information that can identify an individual is considered to be personal information. The age of a worker, their marital status, medical history, education, and even the opinions you have about them are all examples of personal information.
Personal health information includes a worker’s COVID-19 test results, COVID-19 vaccinations, and accommodation needs. How will you ensure personal and health information will be kept private?
What Privacy Laws Apply to My Workplace?
There are several privacy laws which govern the collection, use, and disclosure of personal information of individuals:
Federal Privacy Laws
The Privacy Act explains how personal information is handled by federal government institutions and Crown corporations. It protects personal informationconcerning old age security, employment insurance, tax collection, border security, and federal policing and public safety.
The Personal Information Protection and Electronic Documents Act (PIPEDA) applies to most private sector organizations who collect, use, or disclose information while engaging in commercial activity. The act may not apply to charity and not-for-profit organizations, political parties and associations, or organizations covered by provincial privacy laws. Refer to the Office of the Privacy Commissioner of Canada to determine if PIPEDA applies to your organization.
Provincial and Territorial Privacy Laws
Organizations in the Northwest Territories, Yukon, and Nunavut are covered under PIPEDA. Others may be covered by their own jurisdictional privacy laws.
Considerations for Employers
Organizations should consider the implications of collecting personal information when implementing measures to prevent COVID-19 transmission. What information will be collected, by whom, and for what reasons? Visit the Privacy Guide for Canadian Businesses for additional details on how organizations can comply with privacy law. General guidance is provided as follows:
Assign responsibility
Identify who in the organization will be responsible for privacy issues. Will this responsibility be shared? Who will collect worker, customer, or client information? Who will be the contact person to address inquiries or concerns about the use of personal information? Clearly outline the roles and responsibilities and provide training to all workers who will be responsible for private data.
Develop and communicate polices and practices
Ensure that your workers and others (e.g., clients and customers) understand your privacy policies and practices. Outline the roles and responsibilities of all stakeholders and include information on how individuals can access their personal information from the organization. Make your policies readily available (e.g., postings, website, etc.).
Establish complaint procedures
Workers, customers, and clients should understand what steps they can take if they have concerns about how their private information is collected, used, stored, and destroyed. Establish easy-to-follow procedures for responding to inquiries and complaints about a privacy concern.
Identify the reasons for collecting personal information and obtain consent
Make sure you identify the reasons why the personal information is being collected before and during the time of collection. Your workers (and others) should know what information is being collected (e.g., name, phone number, and mailing address), for what purpose (e.g., for contract tracing purposes) and what the employer will do with the information (e.g., share it if required by public health authorities for contact tracing purposes).
Confirm information is accurate and only gather what is needed
Ensure that information is accurate, complete, and current. Only gather what is needed for its intended purpose (e.g., screening, contact tracing, point-of care rapid antigen detection test results, accommodation requests, etc.).
Limit use of collected information
Only use the information for its intended purpose. For example, personal information used for contact tracing should not be used for an employer’s mailing list. Always obtain consent, even from your workers, to use personal information for reasons other than why it was originally collected.
Protect information
Keep all personal information private and secure from loss or theft. Keep in mind that workers have the right to access their own personal information.
Keep records
Determine whether documentation will be on paper, electronic, or combination of both. Follow your privacy laws and establish a procedure for recording, storing, accessing, and destroying personal information.
Considerations for Workers
Your employer and other businesses may collect your personal information when implementing measures to reduce COVID-19 transmission. Your personal information may be obtained through screening, contact tracing, point of care testing results, accommodation requests, and when traveling. To learn more about your privacy rights, visit:
Understand the reasons for collecting your personal information
Make sure you understand what information is being collected from you and how it will be used. Ask questions so you know what the employer will do with the information (e.g., share it if required by public health authorities for contact tracing purposes).
Review company policies
Review your company policies and those of any websites and apps you use. Ensure you understand how your personal information will be used, stored, and destroyed. Remember you have the right to access your personal information including the information your employer has about you.
It is important that mental health resources and support are provided to all workers, including access to an employee assistance program, if available.
Note that this guidance is just some of the adjustments organizations can make during a pandemic. Adapt this list by adding your own good practices and policies to meet your organization’s specific needs.
For further information on respiratory infectious diseases, including COVID-19, refer to the Public Health Agency of Canada.
Disclaimer: As public and occupational health and safety information may continue to change, local public health authorities should be consulted for specific, regional guidance. This information is not intended to replace medical advice or legislated health and safety obligations. Although every effort is made to ensure the accuracy, currency, and completeness of the information, CCOHS does not guarantee, warrant, represent or undertake that the information provided is correct, accurate or current. CCOHS is not liable for any loss, claim, or demand arising directly or indirectly from any use or reliance upon the information.
