COVID-19 UPDATE: Vaccinations and Employee Privacy
On December 11, 2020 the Office of the Information and Privacy Commissioner of Saskatchewan (the “OIPC”) released an advisory on questions regarding vaccines for organizations, employers and health trustees (the “Advisory”). This blog summarizes the OIPC’s best practices for employers who are considering developing a vaccine-verification program that respects privacy rights. While the Advisory is directed toward Saskatchewan employers, it nevertheless provides some direction to employers in other jurisdictions with respect to employment and privacy considerations.
With Health Canada’s recent announcement authorizing the first COVID-19 vaccine for use in Canada, employers are now asking whether they will require their employees to receive the vaccine or whether they can ask for proof of vaccination as a means of protecting the health and safety of their workplace. However, asking an employee whether they have had the vaccination and requesting proof of vaccination or a vaccination certificate is a collection of personal information/personal health information triggering privacy considerations. Employers should be mindful of the applicable privacy legislation (if any) that applies to them.
Can employers ask employees whether they have received the vaccine or request proof of vaccination?
The OIPC did not say that asking employees about their vaccine status, or asking for proof of vaccination, was prohibited. In fact, the OIPC implied that employers may do so in some circumstances and with appropriate privacy protection measures in place. While employers in Saskatchewan, and all provinces, have an obligation to ensure the health, safety and welfare of their workers, this must be balanced with the employee’s right to privacy. Employers should evaluate whether implementing a vaccine verification program is integral to providing a safe workplace and ensure that such a program does not unreasonably infringe on an employee’s privacy expectations.
If an employer determines that a vaccine verification program is integral to the health and safety of its workers, the OIPC advises that, regardless of whether an employer is subject to privacy legislation, the following key principles are best practices:
(1) Establish the purpose and authority for asking for the information and notify employees of the purpose
Employers should determine the purpose for collecting information about an employee’s vaccination prior to implementing any vaccine verification program. Is it to keep the workplace safe? Is it to prevent COVID-19 from being spread from an employee to another employee, customer or patient?
Once employers have decided to implement a vaccine verification program, the OIPC suggests that employers develop a policy on COVID-19 vaccinations. The OIPC recommends employers use a privacy impact assessment (“PIA”) to assist organizations in assessing whether a proposed measure complies with privacy legislation. However, the OIPC recognizes that current times may demand that employers take a faster approach. So, either a shortened version of a PIA or a policy statement regarding COVID-19 vaccinations is recommended. At minimum, the OIPC says the policy should contain:
- authority for the collection;
- a statement of the purpose;
- a statement as to whether employees will be asked to show a vaccination certificate;
- a statement on possible actions taken based on whether the employee has the vaccination or not;
- a statement on where information will be stored;
- a statement as to who it will be shared with (with public authorities or not); and
- a statement on when the information will be destroyed.
Employers are encouraged to be open and transparent with their employees. They should advise employees that they will be asked whether they have received the vaccine and whether they have a vaccination certificate, and should inform them of the purpose.
(2) Collect the least amount of information to meet the purpose
Employers should collect only what is necessary to achieve the purpose of implementing the vaccine verification program. Examples given by the OIPC of varying degrees of collection include: (i) accepting an employee’s verbal confirmation that they have been vaccinated, or (ii) requiring proof of vaccination but not making a copy of the vaccination certificate.
(3) Share information with only those who need to know
Employers should check relevant legislation prior to using the information collected for any purpose other than the one identified for implementing the vaccine verification program. The OIPC advises that very few people will need to know whether an employee has received the vaccination, and recommends that only statistical information as to how many employees have received the vaccination be shared instead. Employers should not include names or identify who has or has not been vaccinated. This information should be treated like other sensitive health information and as confidential.
(4) Store the information, keep it secure, and destroy it when no longer needed
The OIPC recommends storing employee information related to vaccinations either: (i) in each employee’s HR personnel file, or (ii) in a separate folder for all employees. Employers subject to privacy legislation have an obligation to protect and secure this information (such as in a locked file cabinet or on a computer that is password protected, encrypted and on a secure network). Employers not subject to privacy legislation should still follow best practices.
Personal information should only be kept in accordance with applicable privacy legislation and should only be kept for as long as required to fulfil the identified purpose.
Generally, it is a good practice to destroy any personal information as soon as it is no longer needed. Holding on to personal information unnecessarily increases the risk of a data breach and the severity of any data breach that does occur.
Takeaway for employers
Prior to implementing a vaccine verification program, it is strongly recommended that employers seek legal advice and review applicable privacy legislation (if any) in their jurisdiction. Employers who implement a vaccine verification program in their workplace should consider the above key principles when collecting employees’ personal information/personal health information.
For more information on employment-related issues arising from COVID-19, please visit our COVID-19 Recovery Hub and our McCarthy Tétrault Employer Advisor Blog and TechLex. Additionally, if you are an employer and have questions about this blog or otherwise need assistance, please reach out to any member of our National Labour & Employment Team or our Cyber/Data Group.