The implementation of the proof of vaccination requirement to access certain non-essential events, services and businesses has inevitably raised privacy concerns. Since September 13, a person must show a vaccine passport and a valid government ID to participate in indoor activities at movie theatres, indoor sports events and concerts, restaurants, gyms and more.
The act of balancing public health and individual rights to privacy is clearly a difficult one, but this situation presents a good opportunity for businesses to consider and review their privacy policies and obligations in light of the new mandate.
PIPA
The Personal Information Protection and Electronic Documents Act, or PIPA, is the piece of legislation governing how private sector organizations in British Columbia collect, use and disclose personal information in the course of their business.
PIPA defines “personal information” as information that identifies an individual, whether directly or indirectly alongside other pieces of information. An individual’s vaccination status is health information, which along with their ID, constitutes protected personal information.
Businesses must develop compliant policies and practices to protect their customers’ personal information and privacy, including the collection process itself, a process to respond to complaints and a means of making information available when requested.
Collection
Businesses should make clear what personal information is collected, how it is collected, and why it is collected. For proof of vaccination, the only information that should be collected is the customer’s vaccine status (through the passport) and a check of their government ID – and no more.
PIPA makes clear that a business should collect only as much information as is necessary to fulfill a reasonable purpose and should only use such information for that purpose – whether that is compliance with public health orders, reducing transmission, or ensuring the safety of staff and other customers. The business’s purpose for collecting, using and, if applicable, disclosing personal information should be i) reasonable (i.e. a reasonable person would consider it appropriate in the circumstances) and also ii) clearly communicated to customers. Collecting limited information in accordance with public health orders is likely a reasonable purpose, but that purpose must be clearly communicated to customers when requesting the information.
Obtaining consent to collect, use and/or disclose personal information is also a requirement under PIPA. However, if a customer does not consent to the collection of their vaccination status, the business will not be able to provide them full access to the service. Businesses could consider how to provide services to those who are not vaccinated, cannot provide proof of vaccination, or do not consent to the collection of their immunization status. For example, restaurants could offer takeout or delivery service, and gyms could offer virtual or at-home personal training.
Usage
Businesses should also make clear how personal information is used, where and whether it is stored, and whether it will be destroyed. You may consider the possibility of simply asking to view the customer’s vaccine passport and ID, without retaining any records. However, storage of information on vaccination status could be subject to further governmental guidelines – health authorities may ask businesses to keep a record for statistical purposes. The bottom line is information should only be kept for as long as is necessary to fulfil a particular reasonable purpose and must be stored in a secure location.
Disclosure
Whether the information is shared with third parties, including the government, is of course subject to further guidance from public health authorities. However, businesses should be sure that if they do decide to retain a record on customers’ or employees’ vaccination status, they limit who within the organization can access this information (such as management only). Importantly, businesses must warn and strictly prohibit employees tasked with collecting proof of vaccination information from disclosing or sharing the vaccination status of any customer.
Other considerations
Aside from establishing a process for the collection system, businesses are also obligated under PIPA to set up a process for individuals to request access to their personal information (such as to update it) as well as a process to respond to complaints about the collection system.
A manager/employee needs to be appointed as the business’s “privacy officer” who acts as the first point of contact when privacy issues arise and is responsible for implementing and maintaining the business’s privacy policy. Their name and contact information should be publicly available. This role will often default to the owner for many small and medium-sized businesses.
Key takeaways for businesses
It is clear the onus is on businesses to actively collect and potentially store/disclose personal information under the vaccine passport system. However, it’s also important to realize that a business’s privacy obligations with respect to handling personal information have not changed; rather, the vaccine passport system has simply introduced new types of personal information businesses must collect and new collection methods.
Here are some important considerations when implementing and managing the vaccine passport system in order to minimize privacy concerns:
- Businesses should review existing privacy policies to ensure they adequately address the vaccine passport requirement, and they need to develop a written privacy policy if one does not exist.
- Businesses must protect customers’ privacy rights while also complying with their own privacy policy, PIPA, and the provincial health regulations.
- Customers must be clearly and explicitly informed as to what information is being collected and why, and their consent must be obtained before collecting, using, or disclosing their identification and vaccination status.
- If a customer does not consent, the business may consider other ways to serve them in compliance with the public health orders.
- Information on a customer’s vaccination status should not be kept/stored unless for a reasonable purpose (e.g. a government order) and if so, it must be stored in a secure manner.
- Employees should be prohibited from sharing, disclosing, or discussing the vaccination status of any customer or colleague.
- A system must be in place to deal with complaints and requests for information, and a contact person (the privacy officer) should be made available to deal with any privacy issues/complaints.
Conclusion
If you need help drafting a privacy policy or have questions regarding managing the vaccine passport system, give us a call and we will help analyze your situation.
About the Author
Jay Spiro helps businesses and non-profit employers manage their workforce effectively and lawfully. His strength is in collaborating with clients to develop practical solutions and courses of action that achieve the employer’s goals while fitting their budget. If you would like to schedule a meeting with Jay or another lawyer, call us at 604-988-1000. We will be happy to help.