Canada has a framework to provide privacy protection while also collecting data, says Chantal Bernier
Before establishing social consensus on its ethical grounding, technology has been widely used in response to the COVID-19 pandemic. Alberta launched the voluntary ABTraceTogether contact tracing app, Quebec used its health emergency powers to locate an infected person through cell phone data, and a supermarket introduced—and quickly withdrew—a thermal camera to collect the temperature of its customers.
On April 29 the prime minister stated that the privacy of Canadians would be taken into account when considering digital solutions to fight the spread of this novel coronavirus. Some want to see more privacy protection, while others want to address crucial data gaps.
Canada has a well-established framework to do both. On May 7, our federal, provincial and territorial privacy commissioners issued guidance to navigate through these competing yet complementary objectives.
Legitimacy for the use of personal data starts with a demonstration of necessity and reasonable purpose. A pandemic response requires person-level, identified data, and not only population-level, anonymous data. Personal health information legislation exists in every province in Canada, prohibiting its collection, use or sharing without consent.
Specific public health protection legislation, however, creates well-defined, narrow exceptions. For example, the federal Quarantine Act creates the duty to disclose personal data to a border-screening officer where individuals have reasonable grounds to believe they may have been exposed to a communicable disease. Provincial legislation, such as the Ontario Health Protection and Promotion Act, allows for the designation of a “reportable communicable and virulent disease,” creating the duty to disclose, as was the case for SARS in 2003. Section 108 of the Quebec Public Health Act allows the director of public health to issue an order to “do everything reasonably possible” to locate and apprehend a person where there is “a real threat to the health of the population.”
Even in the exceptional circumstances of pandemic response, we have rules and processes to address privacy risks.
First, the Canadian Charter of Rights and Freedoms is clear: no government in the country can infringe upon privacy except within “reasonable limits prescribed by law as can be demonstrably justified in a free and democratic society.” Courts have interpreted this provision to impose the duty to demonstrate that: (i) any collection, use or sharing of personal information is necessary; (ii) no more personal data is collected or used than is necessary; (iii) the measure is effective, which requires ongoing assessment to verify that; and (iv) there is no less intrusive alternative. The Alberta ABTraceTogether app has achieved this balance with a voluntary model, requiring express consent through positive action on the part of the individual, and safeguards around the use and storage of the data.
Second, where personal data is necessary, even without consent (for example, through the duty to disclose), there are rules to collect, use and share it to both protect privacy and public health. Data can be collected only for public health purposes; data collection and use must be minimized to what is necessary to meet those purposes; and data must be protected at the highest level of safeguarding, in view of their sensitivity. In addition, organizational governance structures must be established to ensure internal compliance, and external mechanisms such as privacy commissioners, tribunals and debate in legislative assemblies must exercise oversight to uphold citizens’ rights.
Third, any government initiative in Canada that involves the use of personal data is mandatorily (for example, at the federal level, through a Treasury Board Directive) or expected to be subject to a Privacy Impact Assessment (PIA). PIAs identify privacy risks of the proposed initiative, analyse the need for the proposed data elements to be used, describe the proposed data flows and apply a legal analysis to determine compliance with privacy law. In Alberta, the Information and Privacy Commissioner’s statement about ABTraceTogether refers to the PIA she received for review of the privacy implications of the app. Best practice is to submit the PIA to privacy commissioners for review, amend it according to the recommendations of the privacy commissioner, and approve it when privacy compliance has been established. Some PIAs are published on government department websites, offering the best transparency tool for accountability to citizens.
Finally, the private sector is not a free-for-all. Collection and use of personal data in the private sector is only legal with consent and reasonable purpose. Privacy commissioners’ guidelines on the use of security cameras in the private sector serve as a useful reference point. Consent can be implied if it is the only way to collect personal information broadly, with clear information to customers and for a demonstrably reasonable purpose. Reasonable purpose is assessed through both demonstration of need and effectiveness of use. This is where thermal cameras could run into problems, as there are many reasons besides COVID-19 to have an elevated body temperature and the unreliability of results could complicate the demonstration of reasonable purpose.
The bottom line is that we have clear, established rules and processes to find our way through the challenge of using personal data, even in the public interest, including in response to a pandemic. Let’s rely on them rigorously.