Canadian Privacy Commissioners Issue Joint Guidance on Vaccine Passports
Canadian Privacy Commissioners Issue Joint Guidance on Vaccine Passports
Canada’s federal, provincial and territorial privacy commissioners have released a joint statement regarding the privacy implications of vaccine passports.
Despite the laudable intentions of vaccine passports, the commissioners strongly caution that their potential benefits must be weighed against the encroachment on the civil liberties of Canadians and their right to privacy. Accordingly, privacy considerations must be “front and centre” as both governments and businesses develop and implement vaccine passports in the coming months.
What are Vaccine Passports?
The commissioners recognize that, in an effort to pack away the sweatpants and return to some semblance of normal life, both governments and businesses are exploring the possibility of vaccine passports, which they define broadly to include a means of confirming a person’s COVID-19 vaccination or immunity status, such as immunity passports, vaccination certificates or cards or digital proof of vaccination.
The commissioners anticipate that vaccine passports may be used to allow individuals to prove that they are vaccinated in order to travel or gain access to services or locations, such as restaurants, sporting events or flights. Employers may also be contemplating whether to require employees and/or visitors to present vaccine passports in order to enter the workplace.
Passports Must Be Necessary, Effective and Proportionate
Vaccine passports inherently involve the collection, use and disclosure of individuals’ personal health information. The commissioners take the position that such information is sensitive and that vaccine passports must therefore achieve a high level of privacy protection commensurate with such sensitivity.
In particular, the commissioners expect that the necessity, effectiveness and proportionality of vaccine passports will be established in each context in which they are used.
In order to implement vaccine passports, an organization will therefore generally need to show that:
- There is evidence to support that vaccine passports are necessary and likely to be effective at achieving the public health purpose(s) they are intended to address, and will remain effective throughout their lifecycle;
- There are no less privacy-intrusive measures available and equally effective in achieving the public health purpose(s) the passports are intended to address;
- The privacy risks associated with the vaccine passports are proportionate to the public health purpose(s) they are intended to address; and
- The vaccine passports collect, use and disclose the least amount of personal health information possible.
The organization is responsible for continually monitoring the necessity, effectiveness and proportionality of the vaccine passports and must decommission the passports if, at any time, they no longer meet these criteria.
The privacy commissioners indicate that they have not yet been presented with evidence of vaccine effectiveness to prevent the transmission of COVID-19. This suggests that, at present, organizations looking to imminently develop or implement vaccine passports will need to point to some purpose(s) other than preventing the transmission of COVID-19 within the organization in order to satisfy the necessity requirement.
Legal Authority is Required
The commissioners have further opined that public and private entities that require or request that an individual present a vaccine passport must ensure that they have the clear legal authority to do so for each intended purpose.
This authority may come from a new, existing or amended law or a public health order. However, for now, the commissioners have not pointed to any existing authority that affirmatively allows organizations to request or compel that an individual show their vaccine passport in order to receive a service or access a premise.
The commissioners recognize that, in some circumstances outside of Quebec, obtaining an individual’s consent to using or showing their vaccine passport may provide sufficient legal authority. However, at a minimum, all of the following conditions must be met in order to rely upon an individual’s consent:
- Consent must be voluntary and meaningful and must be based on clear and plain language describing the specific purpose(s) to be achieved;
- The personal health information must be necessary to achieve the purpose(s);
- The purpose(s) must be one(s) that a reasonable person would consider appropriate in the circumstances; and
- Individuals must have a true choice, meaning their consent must not be required as a condition of service.
Limitations on Collection, Use, Disclosure and Retention
Like other forms of personal information, the collection, use, disclosure and retention of vaccine and immunity information must be limited to what is necessary for the purpose(s) of developing or implementing the vaccine passports. For example, organizations should consider whether simply viewing the individual’s vaccine passport is sufficient or if there are bona fide reasons why a copy of the passport needs to be retained. Vaccine and immunity information should not be processed for secondary purposes, such as to track individuals’ activities, unless required or authorized by applicable law.
Organizations must also comply with all other tenets of Canadian privacy laws, including (without limitation) by:
- Providing plain-language information to individuals about the purpose(s) and scope of the vaccine passport and about the processing of their personal information for those purpose(s);
- Informing individuals of the person they can contact to access or correct their personal health information or to make an inquiry or complaint;
- Limiting access to personal information to those who have a strict need to know this information in order to perform their duties and responsibilities, and prohibiting staff who do have access to such information from disclosing it to others;
- Safeguarding personal health information using appropriate technical, physical and administrative safeguards, and regularly testing the effectiveness of those safeguards to prevent privacy breaches, including employee snooping and inadvertent loss/disclosure or theft of personal information; and
- Destroying personal information or decommissioning vaccine passports when the pandemic is declared over by public health officials or when the necessity, effectiveness and proportionality of the vaccine passports can no longer be established, unless otherwise required by applicable law.
The commissioners also recommend that they be consulted throughout the development and implementation of vaccine passports, and that privacy impact assessments or other meaningful privacy analyses be completed, reviewed by the commissioners and proactively published with a plain language summary.
Tips for Organizations
Organizations that are considering developing or implementing vaccine passports must weigh a variety of benefits, risks and legal obligations, including (without limitation) the following:
- Keep privacy top of mind. Privacy considerations should be weighed and addressed at the earliest opportunity when contemplating the development or implementation of vaccine passports.
- Understand which privacy laws apply. Vaccine passports must be developed and implemented in accordance with all applicable privacy laws. Accordingly, organizations should understand which privacy laws(s) apply to their handling of employees’, customers’ and other third parties’ personal information, as applicable. For example, some businesses operating across Canada may need to comply with more than one piece of privacy legislation, such as the federal Personal Information Protection and Electronic Documents Act (“PIPEDA”) and/or substantially similar private sector privacy legislation in the Provinces of Alberta, British Columbia and Quebec.
- Weigh other legal considerations. The analysis of whether to develop or implement a vaccine passport program does not end with privacy law considerations. Organizations should consider other legal risks and obligations, including pursuant to employment and human rights laws.
- Know your purpose(s). At the very outset of designing or implementing a vaccine passport program, organizations must consider the purpose(s) for which individuals’ personal health information will be collected, used and disclosed and the legal authority the organization is relying upon for same. This is important not only to defend the necessity, effectiveness and proportionality of the vaccine passport program, but will also guide decisions around the type(s) of personal information that is collected and how long such information is retained.
- Consider obligations regarding cross-border data transfers. Organizations must understand and implement any applicable legal requirements if individuals’ personal information will be stored by or disclosed or made accessible to third parties (including foreign affiliates and service providers) and/or transferred or stored outside of Canada (or, where Quebec’s private sector privacy legislation applies, outside of the Province of Quebec).
- Draft and implement a policy and protocol. Organizations who weigh the risks and decide to proceed with using vaccine passports should develop a written policy and protocol setting out how vaccine passport collection, use and disclosure will be implemented in a manner that complies with all applicable laws and reduces risks of complaints or claims. The policy and protocol may address, for example, the purposes and legal authority for collecting personal health information, the specific type(s) of information that will be collected, with whom such information will be shared, where and how long the information will be stored, and possible actions that may be taken based on whether or not the individual has been vaccinated or can otherwise prove immunity.
Though the principles enumerated by the privacy commissioners may appear simple, their application remains complex in the face of unsettled scientific evidence regarding the efficacy of COVID-19 vaccinations and a dearth of legislation providing organizations with the clear legal authority to request or compel an individual to present proof of vaccination or immunity. Organizations are advised to seek legal advice before implementing any vaccine or immunity verification program to weigh all applicable legal risks.
A Cautionary Note
The foregoing provides only an overview and does not constitute legal advice. Readers are cautioned against making any decisions based on this material alone. Rather, specific legal advice should be obtained.
© McMillan LLP 2021
Insights (5 Posts)
The Government of Canada has published regulations clarifying how paid medical leave for employees will work.
Canada will extend the duration of the copyright term, and enhance regulation of artificial intelligence, the Internet of things, and online intermediaries.
First draft regulation under Act 25 regarding the protection of personal information and confidentiality incidents.
OSFI issued final Guideline B-13 – Technology and Cyber Risk Management, key takeaways summarized.
An update on Canada's regulation of PFAS substances, in comparison to US and European regulation
Get updates delivered right to your inbox. You can unsubscribe at any time.