As businesses begin to reopen, many organizations will examine ways to protect their workers and attract returning customers. Various mechanisms to screen customers for COVID-19 risks will become more common. Examples include providing customers with questionnaires regarding their travel history, exposure to others, and symptoms, or temperature scanning before entry. Organizations will be permitted to screen individuals in a reasonable manner, depending on the circumstances.
Privacy laws continue to apply to the collection of screening information. Further, personal health information is generally considered to be sensitive. Organizations remain obligated to properly manage the collection, use and disclosure of their customers’ personal information. We have outlined some guidelines for additional screening below.
You may also be legally required to collect and retain certain personal information about customers. In our conclusion, we outline the new order regarding food and drink serving establishments and the companion guidance issued by the Office of the Information & Privacy Commissioner for British Columbia (“OIPC”).
The following are privacy guidelines that businesses should keep in mind before screening customers for COVID-19 exposure.
1. Consider whether the collection of personal information is reasonably necessary
Not all screening methods will be appropriate in all cases. Consider whether there are ways to screen customers for risk of exposure that do not involve the collection of personal information. For example, low-volume and low-contact-intensity environments may support self-screening methods through signs and notices rather than the collection of information by the organization. Other circumstances may support verbal or written questionnaires and temperature screening.
2. Limit use of the information
The information obtained through customer screening for COVID-19 should not be collected, recorded, stored, used or disclosed for any purpose aside from determining whether the individual should be allowed to access a facility or service due to risk of COVID-19 exposure. Therefore, in many cases, the information collected to permit entry need not be retained after the screen is complete.
3. Seek customers’ consent
Before collecting personal information, businesses must explain to customers why they are collecting the personal information, explain how they are planning to use or disclose it to other organizations, and get customers’ consent to do so. Consent may be implied where the purpose for collection, use, or disclosure would be obvious to a reasonable person and the customer voluntarily provides the information for that purpose.
Good signage can support informed consent, as can well-trained front-line staff who can explain the screening purposes and use of the information.
Organizations should not, as a condition of supplying a product or service, require individuals to consent to the collection, use or disclosure of personal information beyond what is necessary to provide the product or service. Organizations should, wherever possible, establish an alternative means of providing the service available to those who do not want to provide personal information.
4. Protect customers’ personal information
Businesses must protect all personal information under their custody or control by making reasonable security arrangements to prevent unauthorized access, collection, use, copying, modification or disposal, or similar risks. Extra care must be taken with personal health information. Thus, if an organization does not need to hold the information, it should be securely destroyed as soon as possible.
If there are reasons to retain the information, appropriate administrative, physical and technical safeguards should be in place.
5. Prepare Procedures for “Failed” Screens
Organizations should be prepared to handle failed screens in a sensitive manner. Front-line staff ought to be trained on how to discreetly implement a decision that an individual cannot be admitted on the basis that admission could jeopardize the health and safety of others. Alternatives to entry or a follow-up process to obtain clearance may be appropriate.
Privacy laws require organizations to retain personal information used to make a decision that directly affects the individual for at least a year so the person has a reasonable opportunity to access it. However, in the circumstances of a failed screen, organizations may want to ask the individual for consent to destroy the information rather than have to retain it.
Collection of Personal Information from Patrons of Food and Drink Establishments
On May 22, 2020, the B.C. Provincial Health Officer (PHO) issued an order to the following classes of persons:
- owners and operators of a place at which food and/or drinks are prepared and served;
- owners and operators of places at which meals and drinks, including drinks containing liquor, are prepared and served;
- owners and operators of retail liquor establishments; and
- holders of liquor licenses and liquor license endorsements that do not offer meal service at their premises.
If your business is one of the establishments set out above and in the ordinary course of business collects information from patrons for the purpose of making reservations or seating patrons, your business must collect the following personal information from one member of every party of patrons:
- first and last name; and
- telephone number or email address.
Businesses must retain this information for thirty days. If someone who visited one of the categories of establishments above is diagnosed with COVID-19, a local medical health officer has the right to request this personal information to conduct contact tracing.
The B.C. Personal Information Protection Act (“PIPA”) permits organizations to collect, use and/or disclose personal information about an individual without consent if the collection, use and/or disclosure is required or authorized by law. However, businesses must still comply with their obligations under PIPA with respect to how they use, retain and share this information. To help businesses comply, the OIPC’s guidance document has the following tips for businesses to whom the May 22nd Provincial Health Order applies:
- Explain to customers why you are collecting their contact information: explain to patrons why you are collecting their name and contact information. The OIPC recommends having a copy of the Provincial Health Officer’s order on hand to provide to patrons who want to see it.
- Only collect the minimum amount of personal information necessary: do not engage in over collection. The order only requires the collection of name, and telephone number or e-mail address, and the date of the visit.
- Do not use or disclose the collected information other than to provide it to the PHO upon request: the purpose of the order is to enable local medical health officers to conduct contact tracing. You should only be using this collected information for that purpose and not for other purposes (e.g. marketing or analytics). You should also not share the collected information with anyone other than the Provincial Health Officer upon request, or as may otherwise be authorized under PIPA.
- If you share the collected information with the PHO, keep a record of that disclosure: if requested, PIPA requires that organizations provide individuals with the names of the individuals and organizations to whom their personal information has been disclosed. In order to be able to comply with this requirement, businesses should maintain records about the disclosure of personal information to the Provincial Health Officer (e.g. what information was shared and on what date).
- Only keep collected information for 30 days: the information should be routinely and securely destroyed after 30 days.
- Properly secure the collected information: the information should be protected by reasonable security arrangements. For example, store information in paper form in a locked file cabinet, or store electronic information in a password-protected and encrypted document on a secure network.
If your business would like assistance implementing a privacy-compliant customer screening program, or if you have any questions about the Provincial Health Officer’s order and its implications for your privacy obligations, please contact a member of our Privacy & Data Management Group.
Ryan Berger is a leading privacy and employment lawyer, with a primary focus on providing strategic advice to businesses and employers.
Ryan leads the firm’s Privacy Group and routinely advises public and private sector ...
Cory Sully is an associate in our Labour, Employment and Human Rights Group and Privacy and Data Management Group in Vancouver. She advises and represents clients in all areas of workplace law. Cory provides practical and strategic ...
Lawson Lundell's Privacy and Data Management Blog provides updates on the most recent issues emerging in the legal and business communities. We cover a range of issues, legal developments, and new technology as they impact privacy and data management. We will focus on how organizations can protect, manage and innovate with information considering the various risks, regulatory and governance requirements.