Businesses and public bodies in Quebec are attempting to put in place all necessary measures to prevent and slow the risks of spreading Covid-19. This may include how different kinds of personal information are handled. Some practices may not, however, constitute an infringement of the protection of personal information from a privacy law perspective. It is important to note that the laws concerning the protection of personal information continue to apply, despite the current situation. Measures taken must, therefore, always strike a balance between accommodating/protecting public (and individuals') health, while ensuring the protection of person information and privacy of individuals/employees.
Employers must contend with issues arising in three particular areas:
- How to address the risks of cyber-attacks?
- How to ensure the protection of their employees?
- Can we disclose the identity of an employee infected with COVID-19 to his or her colleagues?
Regarding Cyber Attack Risks
Covid-19 has an impact in terms of cybersecurity. Computer hackers take advantage of teleworking and remote connections to send phishing emails that exploit epidemic-related fears to infiltrate business and individual computer networks.
So even if security measures implemented in the business are sufficient, it is important to regularly remind employees about the best practices for computer security.
Implementing Measures to Protect Employees
Employer management in the context of Covid-19 entails major issues regarding privacy and protecting personal information. Can businesses rely on the protection of public health as grounds for collecting sensitive data in order to communicate it to third parties without obtaining employee consent?
It is important to recall that prior to collecting, using and/or communicating personal information, the individual's informed consent must be obtained and the following questions must be considered:
- Is the employer's measure (e.g. taking an employee's body temperature, geolocation of employees, video surveillance) justified in terms of the intended purpose (taking the necessary measures to protect the health and ensure the physical safety and well-being of all employees)? The reasons used to justify a measure may not, in principle, be related to the surveillance of employee productivity or for disciplinary purposes.
- Is the contemplated measure likely to be effective in meeting need?
- Is the loss of privacy in proportion to the benefit gained?
- Is there another less privacy-invasive way to achieve the same end? For example, if an employer imposes the monitoring of its employees' body temperature, it may be possible to suggest that each employee take it at home.
The implementation of measures for the purpose of preventing employees from being infected with Covid-19 must not prevent compliance with the applicable personal information protection laws. More specifically, employees must be informed prior to implementing any measure requiring the collection of personal information or that may infringe their right to privacy. It is also necessary to obtain their consent.
Informing Employees of a Covid-19-related Case:
If an employee is infected by the virus, his or her colleagues must be informed that an individual in their workplace has tested positive. However, the information disclosed must not allow the sick person to be identified. Given that a medical diagnosis is health-related information, this information that is especially sensitive. On the other hand, the company may provide information relating to the department in which the infected person works, areas in the workplace that were used by the infected person, and any information that allows his or her colleagues to take the necessary measures to protect their health and that of others. As such, the employer could require employees who were in contact with the infected person to self-quarantine due to having been in contact with a person who tested positive.
If the name of the individual must be disclosed, or may be deduced (e.g. if there are only two employees in the department and one of them is sick), it is preferable to obtain that person's consent prior to disclosure.