Your privacy and security responsibilities during the pandemic

As Canada responds to the global pandemic, your organization may find itself handling more data than usual at a time when you may be adjusting to new processes, including shifting to remote work. These changes trigger additional privacy and security considerations with regards to personal information.

With new threats emerging from cyber criminals aiming to take advantage during the pandemic, the time is right for your organization to ensure your privacy and security practices remain strong.

Here are important considerations to help your organization remain resilient and prepared:

Your obligations around personal information

The Office of the Privacy Commissioner of Canada (OPC) has issued guidance to help organizations across all sectors understand their privacy obligations during the COVID-19 outbreak. Given the importance of data, including sensitive health data, to the COVID-19 pandemic response, it is critically important for your organization to consider your privacy obligations, depending on which privacy law you are subject to (including applicable federal, provincial or health information statutes, or, if handling the personal information of non-Canadians, foreign laws like the GDPR).

PIPEDA, Canada’s privacy law governing commercial activities, still applies during the current public health crisis. If your organization is subject to PIPEDA, we remind you to follow its 10 fair information principles, including the overarching principle that the collection, use and disclosure of personal information must be for purposes a reasonable person would consider appropriate in the circumstances.

Privacy laws like PIPEDA will continue to apply unless a state of emergency is declared by the federal or provincial government. In this case, emergency legislation might extend broader powers with regards to the handling of personal information. Although some provinces have declared states of emergency at this time, the federal government has not taken this step, meaning normal PIPEDA obligations still hold.

That said, PIPEDA is not intended to serve as a barrier to appropriate information-sharing during a public health crisis. There are some circumstances under which your organization may collect, use or disclose personal information without the consent of the individual. The new OPC guidance indicates five areas where this could be the case, including:

• If the collection is clearly in the interests of the individual and consent cannot be obtained in a timely way (such as if an individual is critically ill or in a particularly dangerous situation, and needs help);
• If the collection and use is for the purpose of making a disclosure required by law (such as if a public health authority has the legislative authority to require the disclosure);
• If the disclosure is requested by a government institution under a lawful authority to obtain the information and the disclosure is for the purpose of enforcing or administering any law of Canada or a province (again, if a public health authority has the legislative authority to require the disclosure);
• If the disclosure is made on the initiative of the organization to a government institution, which has reasonable grounds to believe that the information relates to a contravention of the laws of Canada, a province or a foreign jurisdiction that has been, is being or is about to be committed (such as if an organization believes an individual is in contravention of an invoked quarantine order), or;
• If the use or disclosure is for the purpose of acting in respect of an emergency that threatens the life, health or security of an individual (such as if an individual requires urgent medical attention, and they are unable to communicate directly with medical professionals).

If relying on these exemptions to consent during a public health crisis, all other PIPEDA principles still apply. You should collect, use or disclose the minimum amount of information necessary to fulfill the purpose, protect the data appropriately, and keep sufficient written records. It’s also critically important for you to communicate to the individuals involved the specific legislative authority under which your action was taken.

Strengthen security and be wary of COVID-19 cyberthreats

PIPEDA requires your organization to implement reasonable and appropriate safeguards to protect personal information in your custody and control. This includes the physical, technical and administrative controls necessary to protect personal information from loss, theft, unauthorized disclosure and more.

The work from home environment precipitated by the COVID-19 pandemic has raised new security concerns for many organizations. Now is an important time for your organization to ensure your information security programs and practices are up to the task, particularly given the increased use of VPNs, personal devices and wifi networks.

You should also familiarize yourself with COVID-19-related cyberthreats, including new phishing campaigns and malware scams. We encourage you to read this bulletin from the Canadian Centre for Cybersecurity with tips to stay protected, along with other important resources for marketers during the pandemic on the CMA’s Marketing Connected webpage.

For more information from the CMA on privacy compliance and best practices, check out our privacy and data protection resources and guides here.

Questions or comments? E-mail us – we want to hear from you.