Vaccine mandates for entry into Canada
Complaints under the Privacy Act
May 29, 2023
Description
Under Emergency Orders issued under the Quarantine Act in 2021 and 2022 travellers entering Canada were required, with certain exceptions, to provide proof of vaccination status to enter Canada without quarantining (and providing pre and post arrival COVID-19 tests). We investigated whether the related collection, use, retention and disclosure of personal information by Public Health Agency of Canada (PHAC) and Canada Border Services Agency (CBSA) was compliant with the Privacy Act (the Act). Additionally, we examined the necessity and proportionality of the measures considering the circumstances under which they were established.
Takeaways
- PHAC and CBSA had the authority to collect personal information, including vaccination status, to administer the Emergency Orders, as this collection was directly related to activities, they were mandated to carry out under the Quarantine Act.
- Though the principle of necessity and proportionality is not currently a requirement of the Privacy Act, limiting the collection of personal information to what is demonstrably necessary is a requirement of the TBS Directive on Privacy Practices. We identified weaknesses in PHAC’s assessment and documentation, but ultimately found that the collections were necessary, effective, and proportional in the circumstances.
- To determine if a collection is necessary and proportional, the objective should be clearly defined, so stakeholders and the public understand the scope of what the measures are trying to achieve.
- Institutions should clearly assess and document their consideration of potentially less privacy invasive alternatives, such as, in this case, COVID-19 testing as an alternative to vaccination status.
Report of Findings
Overview
In the wake of the COVID-19 pandemic, 80 Emergency Orders were issued from February 3rd, 2020 to June 24th, 2022 under the Quarantine Act to prevent the introduction and spread of COVID-19 in Canada. Until September 30, 2022 they imposed restrictions on travellers entering the country which varied depending on their age, residency status/citizenship, symptoms and vaccination status. To determine a given traveller's applicable entry requirements and to ensure that these requirements were being respected, the Canada Border Services Agency (“CBSA”) and the Public Health Agency of Canada (“PHAC”) collected personal information from individuals entering Canada.
The complainants argued that this collection, and the subsequent use and disclosure of their personal information, was unlawful, and believed that their vaccination status in particular should not have been used to limit their other rights (e.g., mobility rights, right to enter Canada, right to liberty, right to security of the person). Some complainants requested that their information be disposed of and claimed that the CBSA’s and PHAC’s retention of personal information is unnecessary. We note that numerous complaints raised issues which fall outside the scope of the Privacy Act, and therefore were not considered by our Office.
We found that the CBSA and PHAC acted in accordance with the Privacy Act. The personal information collected was directly related to an operating program or activity (i.e., the administration and enforcement of the Emergency Orders). The information was primarily used and disclosed for the purpose for which it was collected, and/or a purpose authorized by an Act of Parliament. The CBSA and PHAC’s retention periods for the personal information collected are equally compliant with the Privacy Act.
We also examined the necessity and proportionality of the CBSA and PHAC’s personal information processing activities. While not a requirement of the Privacy Act, necessity and proportionality is a key privacy principle that we and provincial and territorial Privacy Commissioners recommended be considered in relation to the establishment of vaccine mandates in a Joint Statement.
We found that overall, CBSA and PHAC’s collection of personal information under the Emergency Orders was necessary and proportional. However, we identified gaps in PHAC’s assessment of potentially less privacy intrusive alternatives, and related issues with respect to clarity of the objectives, in the final six months of the Orders.
In light of these issues, we recommended that if PHAC considers similar mandatory collections for the purpose of addressing a pandemic in the future, it specifically examine and document its assessment of potentially less privacy intrusive alternatives against clearly delineated objectives. Further, should the Quarantine Act be reviewed in the aftermath of the Pandemic, we would encourage Parliament to consider explicitly clarifying the scope of the purpose of the Quarantine Act. PHAC committed to implement the recommendation with respect to examining potentially less privacy intrusive alternatives and confirmed that should the Quarantine Act undergo review it will take the OPC’s comments above into consideration.
Background
- Pursuant to section 58 of the Quarantine Act, the Governor in Council may make an order prohibiting or subjecting to any condition the entry into Canada of any class of persons who have been in a foreign country if the Governor in Council is of the opinion that:
- there is an outbreak of a communicable disease in the foreign country;
- the introduction or spread of the disease would pose an imminent and severe risk to public health in Canada;
- the entry of members of that class of persons into Canada may introduce or contribute to the spread of the communicable disease in Canada; and
- no reasonable alternatives to prevent the introduction or spread of the disease are available.
- On February 3rd, 2020, the firstFootnote 1 of 80 emergency orders (“Emergency Orders”) was issued pursuant to section 58 of the Quarantine Act by the Governor in Council, on the recommendation of the Minister of Health, with the purpose of reducing the risk of importing and spreading the coronavirus disease 2019 (“COVID-19”) into Canada. These Orders imposed conditions on individuals entering Canada, which evolved as the Orders were revised and reissued:
- Prior to the availability of COVID-19 vaccines, earlier versionsFootnote 2 of the Emergency Orders required most travellers to present an acceptable, pre-arrival COVID-19 test resultFootnote 3, to test post-border and to quarantine for 14 days upon arrival.
- Effective July 5th, 2021Footnote 4, fully vaccinatedFootnote 5 travellers with a right of entry into Canada were no longer required to test post-border or to quarantine. We note that travellers who did not qualify as fully vaccinated or who chose not to present a proof of vaccination were still required to quarantine for 14 days upon arrival.
- Effective April 1st, 2022Footnote 6, pre-arrival testing requirements (also referred to as pre-departure testing) and additional post border requirements were removed for fully vaccinated travellers, with no changes to the requirements applicable to non-fully vaccinated travellers.
- The last Emergency OrderFootnote 7 expired on September 30th, 2022, with the Government of Canada announcingFootnote 8 its decision to end the COVID-19 entry restrictions, including testing and quarantine requirements. They attributed this decision to a number of factors, including “modelling that indicate[d] that Canada ha[d] largely passed the peak of the Omicron BA.4 and BA.5 fuelled wave, Canada’s high vaccination rates, lower hospitalization and death rates, as well as the availability and use of vaccine boosters (including new bivalent formulation), rapid tests, and treatments for COVID-19.”
Analysis
Issue 1: Was the personal information collected directly related to an operating program or activity of PHAC and CBSA?
- The majority of the complainants argue that the collection of personal information by the CBSA and by PHAC pursuant to the Emergency Orders, and specifically the collection of an individual’s vaccination status, was unlawful. We note that the measures under analysis will be limited to those which were in effect from January to September of 2022, as the first complaint related to the Emergency Orders was received by our Office in January of 2022.
- Section 4 of the Privacy Act stipulates that no personal information shall be collected by a government institution unless it relates directly to an operating program or activity of the institution.
- To determine whether the CBSA and PHAC acted in compliance with the Act, we will first identify the personal information collected by the institutions, then state the operating program/activity for which the information was collected, and finally determine whether such an operating program/activity should be considered legitimate for the respective institutions.
Personal information collected
- Individuals were obligated to provide to employees of the CBSA acting as screening officersFootnote 9, and to employees of PHAC acting as screening officers, quarantine officersFootnote 10 and as delegates of the Minister of HealthFootnote 11, the following information/evidence:
- their COVID-19 test resultsFootnote 12;
- their quarantine planFootnote 13, which notably included the civic address of their place of quarantine;
- their contact informationFootnote 14;
- the countries where they had resided/visited during the previous 14 daysFootnote 15;
- information related to and evidence of their COVID-19 vaccination statusFootnote 16;
- responses to any relevant questions posed by the screening officer or quarantine officerFootnote 17;
- for those who were required to quarantine, confirmation that they had arrived at their place of quarantine and daily updates on their health status while in quarantineFootnote 18; and
- notification that they had developed signs and symptoms of COVID-19 or that they had received a positive COVID-19 test result.Footnote 19
- Since November 21st, 2020, travellers were requiredFootnote 20 to use the ArriveCAN mobile and web applications (“ArriveCAN”) to electronically submit the informationFootnote 21 listed above. Approximately 200 data elements were collected and retained by the CBSA for each ArriveCAN submission, such as the traveller’s trip information, submission metadata, quarantine information, symptoms, and vaccination information. In some cases, the CBSA collected information from travellers at the port of entry and had inputted it directly into the ‘Contact Trace Desktop App’, an information management system which contained the same data fields as ArriveCAN. While most information was collected directly from the incoming traveller, some values were generated by ArriveCAN itself, such as the “ocr_result” and “qr_result”.
- The “ocr_result” was generated in response to an optical character recognition (“OCR”) check of the traveller’s uploaded proof of COVID-19 vaccination credential (also referred to as a ‘proof of vaccination credential’, ‘proof of vaccination’ or ‘vaccination credential’) completed within ArriveCAN to assist the CBSA in their review of each traveller’s submission. This OCR check verified that the image or PDF file of the credential contained the requisite elements, based on a fixed set of criteria. If a traveller’s credential did not meet the OCR check or if the check was pending, ArriveCAN would flag to the CBSA screening officer that the vaccination credential needed to be examined. Conversely, if the OCR check was successful, the vaccination credential would not typically be viewed or accessed by a screening officer. That said, a screening officer could override the outcome of the OCR check from ArriveCAN by updating the traveller’s record in the Contact Trace Desktop App. Finally, we note that the OCR feature of ArriveCAN was the subject of an algorithmic impact assessmentFootnote 22, as prescribed by the Directive on Automated Decision MakingFootnote 23, conducted by PHAC with the collaboration of the CBSA.
- If a proof of vaccination credential contained a quick response code (“QR code”), ArriveCAN could authenticate and validate this credential by decoding its contents and verifying its encrypted signatures using the SMART Health Cards Framework protocolFootnote 24, thus generating a “qr_result”. To complete this process, ArriveCAN would have required the credential issuer’s public key. Accordingly, any communication between ArriveCAN and entities which issued proof of vaccination credentials (e.g., provincial health authorities) would have been limited exclusively to the daily download of public encryption keys by ArriveCAN/the CBSA. The CBSA advised our Office that they did not disclose any personal information to issuing entities for the purposes of verifying and authenticating proof of vaccination credentials.
- The information from ArriveCAN and the Contact Trace Desktop App would be consolidated and delivered to PHAC in a ‘combined report’. This combined report contained 114 distinct data elements, which notably included the traveller’s name, date of birth, passport/travel document number, contact information, address while in Canada, purpose of travel and vaccination information.
- In addition to what was received from the CBSA, PHAC also collected quarantine compliance information, health / symptoms updates, and COVID-19 test results from:
- travellers providing information directly to quarantine officers and other PHAC staffFootnote 25;
- the Royal Canadian Mounted Police (“RCMP”) and contracted security officersFootnote 26, who would conduct compliance verification visits post-border at the traveller’s place of quarantine;
- hotels designated as places of quarantine / government authorized accommodationFootnote 27;
- Employment and Social Development Canada and their contracted service provider, Accenture, who: (i) received calls to report compliance with quarantine measures and health status / symptom updates and (ii) proactively made calls to verify quarantine compliance; and
- COVID-19 test providersFootnote 28.
Operating program or activity
- The personal information acquired by the CBSA and by PHAC was collected for, and thus directly related to, the administration and enforcement of the Emergency Orders, which themselves were issued pursuant to section 58 of the Quarantine Act.
- The Emergency Orders assigned responsibilities to the CBSA, as screening officersFootnote 29, and to PHAC, as screening officers, quarantine officersFootnote 30 and as delegates of the Minister of HealthFootnote 31, which included the collection of personal information.Footnote 32
- Previous versions of the Emergency Orders had withstood judicial scrutinyFootnote 33, primarily on Charter grounds, in Spencer v. Canada (Health), 2021 FC 621, though we note that this case only assessed the obligation to quarantine, and not the requirements to submit personal information.
- Accordingly, we consider the administration and enforcement of the Emergency Orders, which appear to have been issued by the competent authority and which had not otherwise been declared invalid, to be a legitimate operating program/activity of both the CBSA and PHAC.
- Additionally, the Quarantine Act grants the CBSA, as screening officers, and PHAC, as screening officers, quarantine officers and delegates of the Minister of Health, the authority to request and receive a broad spectrum of information/records:
“15 (1) Every traveller shall answer any relevant questions asked by a screening officer or quarantine officer and provide to the officer any information or record in their possession that the officer may reasonably require in the performance of a duty under this Act.
[…]
55 The Minister [of Health] may collect relevant medical information in order to carry out the purposes of this Act.”Footnote 34
- Furthermore, the collection of personal information, including travellers’ vaccination status, was related to both the CBSA’s and PHAC’s core operating mandates, as outlined in their respective administrative statutes. For example, the CBSA is responsibleFootnote 35 for providing integrated border services that support public safety by administering program legislation, such as the Quarantine Act and the Customs Act. PHAC, for its part, may exerciseFootnote 36 any of the powers, duties and functions that the Minister of Health is authorized to exercise or perform under any Act of Parliament, which notably include the protection of the people of Canada against risks to health and the spreading of diseases, the monitoring of diseases, and the collection of information relating to public health.
Finding I
- For the reasons outlined above, we therefore consider the personal information collected by the CBSA and by PHAC to: (i) be directly related to the administration and enforcement of the Quarantine Act and the Emergency Orders, (ii) be explicitly authorized by the Quarantine Act and the Emergency Orders, and (iii) be rationally connected to the institutions’ core, statutory mandates. As such, the CBSA and PHAC acted in compliance with section 4 of the Act, and we find the collection aspect of the complaints to be not well-founded.
Issue 2: Was the personal information used or disclosed for the purpose for which it was compiled/obtained, or in accordance with an Act of Parliament?
- Several complainants have argued that the personal information collected by the CBSA and by PHAC should not have been used to deny travellers entryFootnote 37 into Canada, or for the imposition of fines. Others were concerned by the disclosure of their information to provincial and international health authorities, and some suspected that their information would be misused or accessed unlawfully.
- Sections 7 and 8 of the Act allow institutions to use and disclose personal information, without the consent of the individual to whom the information relates for, among other reasons,
- the purpose for which the information was obtained or compiled by the institution or for a use consistent with that purpose; or
- any purpose in accordance with any Act of Parliament or any regulation thereunder that authorizes its use/disclosure.
- In the analysis that follows, we will first describe who could access the personal information held by the CBSA, the CBSA’s uses and disclosures of that personal information, and how those activities may be interpreted under sections 7 and 8 of the Act. The same process will subsequently be repeated for the uses and disclosures by PHAC.
CBSA
Uses and disclosures related to Emergency Orders
- The personal information that the CBSA collected was stored on the Protected B CBSA Amazon Web Services cloud environment, which is aligned with Treasury Board of Canada Secretariat and Shared Services Canada security requirements. Access to the data was controlled via data access profiles monitored by the CBSA.
- CBSA officers, as screening officers, accessed the personal information in the cloud environment through the Contact Trace Desktop App, and used it to determine whether travellers at a port of entry had satisfied the requirements of the Emergency Orders. Based on the information received and on the conditions/exceptions in force at the time, screening officers provided quarantine instructions to individuals entering CanadaFootnote 38. As previously mentioned, this assessment conducted by CBSA officers involved automated processes, such as the OCR scan and QR code verification of the vaccination credential. When warranted, the information received would be used by the CBSA to refer a traveller to PHAC’s quarantine officers. CBSA officers, as screening officers, were required to notify quarantine officers of certain events, as prescribed by the Quarantine ActFootnote 39 (e.g., if a screening officer had reasonable grounds to suspect that a traveller might have a communicable disease).
- As explained in paragraph 11, the CBSA disclosed a subset of the collected information to PHAC in a ‘combined report’ for every border crossing. This disclosure enabled PHAC to continue administering and enforcing the Emergency Orders, in their role as screening officers, quarantine officers and delegates of the Minister of Health, and was thus made to support the public health follow-up and compliance verification activities mandated by the Orders.
- Lastly, the CBSA provided PHAC with data analytics. For example, ArriveCAN information would be presented in charts to illustrate the number of travellers that had arrived on a particular date, or in a map that showed the self-reported locations of symptomatic travellers.
- In our view, the CBSA’s uses and disclosures of personal information, described above, were for the purpose for which the information was obtained or compiled: to administer and enforce the Quarantine Act and the Emergency Orders. By using the personal information collected to screen travellers and by disclosing information to PHAC, the CBSA ensured that they fulfilled their role as screening officers, that PHAC fulfilled their role as screening/quarantine officers, and that individuals adhered to the applicable quarantine regime/requirements.
Other uses and disclosures
- In addition to the administration and enforcement of the Emergency Orders, the CBSA technical support team, the CBSA Cloud Operations team and the CBSA ArriveCAN development team used personal information to support travellers in resolving technical issues and to assist in ArriveCAN troubleshooting.
- The CBSA also used depersonalized ArriveCAN information to inform operational planning. This included statistics related to traveller types (e.g., exempt vs. not exempt from quarantine and testing), traveller flows, and travel volumes. Staffing at certain ports of entry, for example, would be adjusted based on the amount of traffic they had received and expected to receive.
- While the purposes of these activities were not entirely related to the purpose for which the information was originally obtained or compiled, we consider them to be consistent with the original purpose, as the uses are sufficiently connected to the purpose of collection that an individual would reasonably expect that the information could be used in such a mannerFootnote 40. For example, individuals requesting technical assistance would be aware, and thus reasonably expect, that their personal information could be accessed by the CBSA. Likewise, innocuously using travellers’ data from ArriveCAN to adjust staffing and optimize screening efficiency would directly benefit those travellers and would not, in our view, fall outside travellers’ reasonable expectations.
- Lastly, the CBSA indicated that information collected for the purpose of administering the Emergency Orders was not used for any additional purposes, such as informing customs or immigration related matters.
PHAC
- The information collected by PHAC was accessed, used and disclosed in accordance with the ArriveCAN privacy notice, which, during the period that the Emergency Orders were in effect, stated the following:
“The information required before, when, and after you enter Canada will be used and disclosed for the following purposes:
- for public health follow-up (including disclosure for this purpose to the province or territory where you will be in quarantine/isolation)
- for monitoring and verifying compliance with the Quarantine Act and the Emergency Orders made under it (including disclosure for this purpose to law enforcement including, in particular, peace officers)
- to help determine eligibility for new border measures and to support a public health response to COVID-19”
Access
- Personal information collected from travellers entering into Canada, including the information submitted through ArriveCAN, is populated automaticallyFootnote 41 in PHAC’s Quarantine Case Management System (“QCMS”). PHAC had conducted multiple security assessments of the QCMS, obtaining an Interim Authority to Operate in 2020. Security controls were implemented in a phased approach as part of each release, and notably included:
- supervisor approval of all Dynamics QCMS license assignments to PHAC staff;
- creation and assignation of a unique designation number for each PHAC officer with access to the QCMS;
- mandatory completion of the Health Canada/PHAC online privacy training module and of QCMS training by all users prior to gaining access;
- signing of the QCMS user agreementFootnote 42;
- restricting access to clinical information to users with clinical designations and certifications (i.e., quarantine officers and nurses); and
- multi-factor authentication for each QCMS login.
- QCMS users within PHAC were assigned roles and permissions to access data relevant to their function, which were adjusted/removed as necessary. These roles did not typically restrict the number of accessible records, only the content of certain records (e.g., medical information was restricted to quarantine officers, nurses and other professional staff).
- Besides contracted nurses working at designated quarantine facilities, no external parties could directly access the QCMS. That said, PHAC shared a minimum amount of personal information from the QCMS with other entities to enable them to fulfil their associated roles (as described below in further detail), without granting these parties access to the QCMS. For example, PHAC provided select personal information to the RCMP, contracted security agencies and to Service Canada to enable them to assist in compliance and enforcement. On August 1st, 2022, there were a total of 1,082 internal users and 145 external nursing contractorsFootnote 43 with access to the QCMS.
Referral to quarantine officer and public health follow up
- Referrals to a PHAC officer occurred for screening, public health follow-up, or cases of non-compliance.Footnote 44 Besides compliance related matters, the information collected was used by PHAC quarantine officers to assess and mitigate a given traveller’s public health risk. For example, the personal information of individuals who tested positive on arrival or during their quarantine was shared with local public health authorities, as referenced in previous versions of the ArriveCAN Privacy Notice:
“As part of Government of Canada’s response to the COVID-19 pandemic, your medical information may also be shared with provincial, territorial, municipal governments or organizations as well as their institutions for contact tracing, public health management, following up on cases, and/or for situational awareness.”
- PHAC disclosed individuals’ accommodation requirements, COVID-19 status, health evaluation and voluntarily provided special accommodation needs to contracted entities, such as nurses and other medical personnel, responsible for the traveller’s stay at a designated quarantine facility. The purpose of this disclosure was to deliver services (e.g., provision of accommodations, food and transportation) and to enhance situational awareness at the facility.
Compliance verification – Applicable border measures (port of entry)
- Like the CBSA, PHAC employees used the information collected to determine each traveller’s applicable entry and quarantine requirementsFootnote 45, based on the version of the Emergency Order in effect at the time, and verifying whether the traveller met their pre arrival requirements (e.g., providing a pre-arrival COVID-19 test result or a proof of vaccination credential).
Compliance verification – Quarantine and testing (post-border)
- As indicated in the ArriveCAN Privacy Notice, the personal information held by PHAC was used to verify and enforce compliance with the Emergency Orders’ post-border requirements:
“After your entry to Canada, verification that you have arrived at your place of isolation or quarantine and/or your COVID-19 test results (if applicable) will be used to monitor and verify your compliance with the Quarantine Act and the Emergency Orders made under it, and this information may be further disclosed for this purpose to law enforcement. Symptom information, where required during your quarantine, will be used and/or disclosed to the Province or Territory where you will be in quarantine or isolation for public health follow-up.
Personal information may be disclosed to contractors working for the Public Health Agency of Canada and Service Canada as well as to the following entities: other government institutions, as well as provincial, territorial, municipal governments or international health organizationsFootnote 46 as well as their institutions for these purposes.”
- Service Canada, a program operated by Employment and Social Development Canada, managed a contract with a third-party call centre, Accenture, which was used by PHAC to verify that travellers were following quarantine/isolation requirements through automated calls (also referred to as ‘robocalls’), live agent calls and compliance promotion emails. Based on their responses during these communications, a traveller’s compliance with the Emergency Order’s requirements was assessed against a risk matrix. Call centre employees were trained and designated as screening officers under section 5 of the Quarantine Act.
- Local law enforcement officers and security contractors also physically visited quarantine locations, established contact with travellers, verified their identity and confirmed that they were in the place of quarantine/isolation that they had indicated in their pre-entry submission. As was the case for the call centre employees, contracted security workers were designated as screening officers under section 5 of the Quarantine Act.
- A record was created in the QCMS every time that a compliance verification activity (e.g., robocall, live call, security visit, police visit, etc.) occurred. By July 14th, 2022, the QCMS contained over 18.2 million compliance monitoring and verification records, which pertained to:
- 2.4 million automated promotional calls;
- 4.6 million live compliance verification calls;
- 8.1 million automated compliance verification calls;
- 2.4 million referrals to the RCMP and to security companies;
- 550,000 in-person compliance verification visits by security companies; and
- 150,000 in-person compliance verification visits by law enforcement.
Compliance enforcement
- The information was also used for compliance enforcement. In cases of suspected non-compliance, an investigation would be triggered using the information collected. When non-compliance was confirmed, enforcement action could be taken by PHAC, such as issuing a warning or a fine. By July 14th, 2022, there had been over 16,000 recorded enforcement actions. The total number of fines issued in response to contraventions of the Emergency OrdersFootnote 47, broken down by province and by contravention, has been published on the Government of Canada’s COVID-19: Summary data about travellers, testing and compliance pageFootnote 48. We note that the most common fine was for the maximum amount of $5,000, which was issued 6,632 times.
- In limited circumstances and at the discretion of PHAC officers or of law enforcement, non-compliant travellers could face summary conviction or arrest. By August 1st, 2022, there had been 17 summary convictions and 9 arrests.
Program evaluation
- Finally, PHAC used the information under their control, in combination with other available evidenceFootnote 49, to develop/adjust border policies, to evaluate the effectiveness of current measures, and to support a public health response to COVID-19. This use was explicitly mentioned in previous versions of the ArriveCAN privacy notice, though its description was somewhat vague:
“The information required before, when, and after you enter Canada will be used and disclosed for the following purposes:
[…]
- to help determine eligibility for new border measures and to support a public health response to COVID-19
[…]
Personal information may also be used for program evaluation.”
- When evaluating the Emergency Orders, PHAC considered testing data collected from incoming travellers, a summary of which has been shared on the COVID-19: Summary data pageFootnote 50. For example, when testing data showed a disproportionally higher number of cases among individuals travelling on flights originating from India and Pakistan, the Government of Canada suspendedFootnote 51 all direct commercial and private passenger flights from those two countries for 30 days, effective April 22nd, 2021.
Purposes of uses and disclosures
- For all the activities described above, PHAC used and disclosed the personal information under their control for the same purpose for which the information was originally obtained or compiled: to administer and enforce the Emergency Orders, which notably required incoming travellers to provide information pre-arrival, to quarantine, to undergo a COVID-19 test, and to report on their health status. Individuals were informed of the purposes for which their information would be used and disclosed through the ArriveCAN Privacy Notice, which was presented to them at the moment of collection. As a result, we find these uses and disclosures to have been compliant with paragraphs 7(a) and 8(2)(a) of the Act.
Finding II
- As such, we find the use and disclosure aspect of the complaints, for both the CBSA and PHAC, to be not well-founded.
Issue 3: Was the personal information disposed of in accordance with the Privacy Regulations and the Directive on Privacy Practices?
- Certain complainants have requested that the personal information collected by the CBSA and by PHAC, notably through ArriveCAN, be disposed of.
- Subsection 6(3) of the Act requires government institutions to dispose of personal information under their control in accordance with the Privacy Regulations and with any directives or guidelines issued by the President of the Treasury Board.
- In turn, paragraph 4(1)(a) of the Privacy Regulations requires government institutions to retain personal information for at least two years following its last use for an administrative purpose (i.e., a decision making process that directly affects an individualFootnote 52), unless the individual to whom the information concerns consents to its disposal.
- While the Treasury Board Secretariat has issued the Directive on Privacy Practices, its disposal requirements are not particularly prescriptive, and simply require institutions to apply their respective disposition standards/practicesFootnote 53.
CBSA
- In their representations to our Office, the CBSA indicated that they had finalized their data retention and disposal standard operating procedures for information collected in ArriveCANFootnote 54 in the fall of 2022, and are now disposing of all travel related health data that is more than two years old, with exceptions for: (i) data pertaining to active or upcoming investigation/litigation cases, and (ii) for data which may be removed/disposed of directly through ArriveCAN by the user, such as:
- their ArriveCAN login informationFootnote 55;
- their ArriveCAN profile information;
- their ArriveCAN ‘Saved Traveller’ profiles; and
- their active, re-usable ArriveCAN submissions.
- The CBSA has automated its disposition of travel related health data, with purges occurring once a month since September of 2022. The CBSA also stated that they would dispose of all travel related information collected via ArriveCAN upon receiving a formal, written disposal request by the concerned individual. Such a request may be sent to the CBSA’s ‘Information Sharing, Access to Information and Chief Privacy Office’ or through the electronic form found on the CBSA’s ‘Compliments, comments and complaints’ web page.
PHAC
- Using Library and Archives Canada’s Generic Valuation ToolsFootnote 56 (“the Tools”) and complying with the two year minimum retention period prescribed by the Privacy Regulations, PHAC had created a retention and disposition schedule for the information collected pursuant to the Emergency Orders. In short, based on the Tools’ assessment, PHAC decided to retain certain categories of information for two years, and other categories for five years. This retention and disposal schedule, as well as a disposition authorization held by PHAC, have been approved by Library and Archives Canada.
- PHAC indicated to our Office that they are currently refining their processes and systems to ensure that the information collected is disposed of in a comprehensive and coordinated manner. PHAC indicated that it was unwilling to act on requests for disposal before the end of the applicable retention period, out of concern that the information could be needed to examine an individual’s travel and/or compliance history, and to inform future compliance activities. There is currently no formal procedure for individuals to request that PHAC dispose of their personal information.
Finding III
- Based on both the CBSA’s and PHAC’s actions and policies described above, there was nothing to suggest that either institution contravened the disposal requirements prescribed by the Act, the Privacy Regulations or the Directive on Privacy Practices. As such, we find the retention and disposal aspects of the complaints to be not well-founded.
- Lastly, we would like to highlight that: (i) the Act does not provide a right for individuals to request that their personal information be disposed of, (ii) that institutions may dispose of personal information with the consent of the concerned individual prior to the expiry of the mandatory two-year retention period, though are not required to do so, and that (iii) the Act prescribes a considerable minimum retention period of two years, and no maximum retention period. Upon future review of the Act, we would recommend that these limitations be addressed by Parliament.Footnote 57
Compliance related matters not explicitly raised by complainants
- While not the subject of any specific complaints, the representations received during the course of this investigation demonstrated that the CBSA and PHAC were compliant with sections 5 and 10 of the Act, given that the personal information was collected directly from the incoming travellers and described in the ‘Quarantine Program’ Personal Information Bank (PHAC PPU 071)Footnote 58, and that the ArriveCAN privacy notice informed individuals of the purposes for which the information was being collected.
Other: Was the collection of personal information under the Emergency Orders necessary and proportional?
- Multiple complainants raised concerns over the necessity and the proportionality of the measures enacted by the Emergency Orders. Some believed that COVID-19 vaccines were ineffective and that COVID-19 did not present a health risk that would justify intrusions on their rights and freedoms.
- Though not a requirement of the Act, necessity and proportionality is a privacy principle that our Office strongly endorses and one that is embedded in the privacy laws of many jurisdictions, including several Canadian provinces. Limiting the collection of personal information to what is demonstrably necessary is also a requirement of Treasury Board Secretariat’s Directive on Privacy PracticesFootnote 59.
- This principle is all the more important when institutions must respond quickly in times of crisis to implement measures that are intended to promote and protect public health, given the elevated potential for the measures to infringe on individuals’ privacy rights. In April of 2020, our Office published a Framework for the Government of Canada to Assess Privacy-Impactful Initiatives in Response to COVID-19 and in May of 2021, the Federal, Provincial and Territorial Privacy Commissioners issued a joint statement entitled Privacy and COVID-19 Vaccine Passports. Both of these publications highlighted the importance of considering necessity and proportionality in the development of measures to address COVID-19, and that doing so would not be a barrier to effective public health management. Several complaints specifically asked us to consider whether institutions had complied with the public guidance promoted by our Office. Consideration of necessity and proportionality was also a key element of the advice we provided to PHAC when it consulted the OPC on the development and implementation of the Emergency Orders’ border measures. Given its importance, we thus examined the necessity and proportionality of the collection of personal information mandated by the Emergency Orders.
- To guide institutions in considering necessity and proportionality, our Office advocates a four-part testFootnote 60 that calls for institutions to ask themselves the following questions when establishing particularly privacy-invasive programs and services:
- Is the measure demonstrably necessary to meet a specific need?
- Is it likely to be effective in meeting that need?
- Is there a less privacy-intrusive way of achieving the same end?
- Is the loss of privacy proportional to the need?
- We found that CBSA and PHAC’s collection of personal information under the Emergency Orders was necessary and proportional. However, as detailed in the section on less privacy intrusive measures below, we identified gaps in PHAC’s assessment of potentially less privacy invasive alternatives, and related issues with respect to clarity of the objectives, in the final six months of the Orders.
Necessity
- With respect to the first part of the four-part test, necessity, we expect institutions to be able to explain, in detail, how a privacy-intrusive initiative is rationally connected to a defined, pressing and substantial goal, and how the proposed collection or use of personal information will serve to meet the goal. This requires empirical evidence in support of the initiative and should preclude the collection of personal information for speculative or “just in case” scenarios.
- We will first note that the Emergency Orders’ enabling provision, section 58 of the Quarantine Act, outlines the pressing and substantial goal that the Orders must strive to address, which is to prevent the introduction or spread of a communicable disease that would pose an imminent and severe risk to public health in Canada:
“The Governor in Council may make an order prohibiting or subjecting to any condition the entry into Canada of any class of persons who have been in a foreign country or a specified part of a foreign country if the Governor in Council is of the opinion that
- there is an outbreak of a communicable disease in the foreign country;
- the introduction or spread of the disease would pose an imminent and severe risk to public health in Canada;
- the entry of members of that class of persons into Canada may introduce or contribute to the spread of the communicable disease in Canada; […]”
- Similarly, the purpose of the Quarantine Act itself, as stated in section 4 of that Act, is to “protect public health by taking comprehensive measures to prevent the introduction and spread of communicable diseases.”
- According to the explanatory notes which accompanied each of the Emergency Orders in their Canada Gazette publications, the objective of the Orders was to “decrease the risk of introducing and spreading COVID-19 and its new variants into Canada, in order to protect the health of Canadians and mitigate potential burden on the health care system.”Footnote 61
- Based on these statements, we have determined that the Emergency Orders pursued two interrelated goals:
- the specific goal of “decreasing the risk of introducing and spreading COVID-19 and its new variants into Canada”, which in turn served
- the broader or overarching goal of “protect[ing] the health of Canadians and mitigate potential burden on the health care system”, i.e., an imminent and severe risk to public health in Canada.
- PHAC declined to share the evidence considered prior to the issuance of the Emergency Orders on the basis that such material consisted of confidences of the Queen’s Privy Council, which are explicitly exempt from our Office’s production powers under subsection 34(2) of the Act. That said, PHAC did point our Office to the Orders’ explanatory notes and other publicly available resources, which supported the Government’s rationale for issuing the Orders.
- The last Emergency Order’s explanatory notesFootnote 62 reported facts which suggested that, with the passage of time, the risk posed by the introduction or spread of COVID-19 was reduced and that the need had therefore become less pressing and substantial:
- Omicron, the dominant COVID-19 variant of concern circulating when the complaints were received, had with time proved to be less severe than previous variants, and vaccines continued to be effective, especially against severe outcomes;
- By April of 2022, the domestic Omicron wave had peaked;
- Domestic availability of COVID-19 vaccines and high levels of vaccination coverage among the people of Canada provided protection against infection and severe disease;
- Therapeutics to treat circulating variants were effective and had become increasingly available; and
- COVID-19 spread and severity indicators, including daily case counts, lab test positivity, and wastewater signals, were stabilizing with most areas continuing to decline.
- On the other hand, the same explanatory notes also included the following facts, which suggested the continuing need to “decrease the risk of introducing and spreading COVID-19 and its new variants into Canada, in order to protect the health of Canadians and mitigate potential burden on the health care system”:
- COVID-19 can be a severe, life-threatening respiratory disease, which can cause widespread illness if not controlled;
- Many countries continued to experience COVID-19 transmission and had different levels of vaccination coverage, factors which could have led to the emergence of new and potentially unpredictable variants of concern;
- With the emergence of the Omicron variant of concern in late November 2021, test positivity among both unvaccinated and fully vaccinated travellers entering Canada increased, peaking in early January 2022;
- Omicron, being a more transmissible variant, seriously strained public health resources in Canada once introduced;
- The unexpected emergence of new variants of concern remained a serious public health concern given the potential for a resurgence of travel-related and domestic cases in Canada in the fall of 2022; and
- Some areas in Canada continued to experience relatively higher cases, severity and/or demands on the local health care system. Canada had also been seeing increased spread of several Omicron sub-lineages.
- It was therefore reasonable for PHAC to be of the opinion that there was: (i) an imminent and severe risk to public health in Canada, as required by section 58 of the Quarantine Act, and (ii) a pressing and substantial need for the Emergency Orders, and thus for the collection of person information. Despite indicators which suggested that the impact of the virus had waned by the spring of 2022, the risks posed by COVID-19 and its variants continued to loom over Canada’s public health, as recent historical trends have demonstrated.
Effectiveness
- With respect to the second part of the four-part test, effectiveness, we considered whether the personal information collection implemented under the Emergency Orders were effective in meeting the specific need identified above.
- To reiterate, the goal of the Emergency Orders was to decrease the risk of introducing and spreading COVID-19 and its new variants into Canada in order to protect the health of Canadians and mitigate the potential burden on the health care system.
- In order to achieve this objective, the Emergency Orders imposed requirements (that changed over time) on some or all travellers entering Canada. These included pre-arrival COVID-19 tests as well as quarantine and post-arrival testing. These measures were supported by evidence of efficacyFootnote 63 for decreasing the risk of introducing and spreading COVID-19: (i) by delaying entry of travellers testing positive, (ii) by allowing both the traveller and any notified public health authorities to become aware of and mitigate active COVID-19 cases detected on or after entryFootnote 64, and (iii) by limiting contact of recently arrived travellers, who could be incubating COVID-19, with others.
- PHAC explained that when vaccines were introduced, they were shown to be effective at preventing infection. Therefore, non-fully vaccinated travellers presented a higher risk of importing COVID-19 into Canada compared to fully vaccinated travellers. PHAC highlighted that from July to November 2021 border test positivity was markedly lower among fully vaccinated international travellers compared with non-fully vaccinated travellers. With the emergence of the Omicron variant in late November 2021, the difference in COVID-19 test positivity between these two traveller groups narrowed but remained two to four times higher in the non-fully vaccinated traveller group. This trend persisted through to the end of March 2022.
- The collection of individuals’ vaccination status served to distinguishFootnote 65 between fully vaccinated travellers and non-fully vaccinated travellers, who were, in light of the above, each subject to different entry and post-entry requirements. From January of 2022, when our Office received the first complaint about the Emergency Orders, to September of 2022, when the last Emergency Order expired, travellers who did not qualify as fully vaccinated were required to undergo pre-arrival, on-arrival and post-arrival COVID-19 testing, and to quarantine for 14 days after entering Canada, whereas fully vaccinated travellers could enter into Canada largely uninhibitedFootnote 66. To effectively apply these disparate regimes, it was necessary to collect each traveller’s vaccination status.
- In our view the collection of vaccination status was thus effective as it enabled quarantine to be imposed on this group of travellers who presented a higher risk of having COVID-19 on entry - and therefore a higher risk of spreading the disease into Canada. Given that unvaccinated travellers were also more likely to fall seriously ill and to be hospitalized, preventing unvaccinated foreigners from entering Canada, and incentivizing Canadians to become vaccinated to avoid quarantine requirements, was likely also effective in mitigating the burden on the health care system as a whole.
Less Privacy Intrusive Measures
- With respect to the third part of the four-part test, we assessed whether less privacy-intrusive measures could have achieved the Emergency Orders’ stated objective of ‘decreasing the risk of introducing and spreading COVID-19 into Canada’. For this specific context, and based on the concerns raised by the complainants, this assessment will include an analysis of the following sub-questions:
- Would the measures have been as effective and less privacy intrusive if the personal information was collected through alternative means (i.e., other than through ArriveCAN)?
- Would the measures have been as effective if less personal information was collected (specifically individuals’ vaccination status)?
Would the measures have been as effective and less privacy intrusive if the personal information was collected through alternative means?
- Firstly, many complainants expressed frustration with the mandatory use of ArriveCAN, and the fact that they were not presented with the option of submitting the requisite information to a border officer. However, the alternative proposed by the complainants would not have been ‘less privacy intrusive’, as travellers would have been required to submit the same information in person as they would have shared over ArriveCAN. The loss of privacy in both scenarios would therefore have been equivalent.
- Additionally, the Emergency Orders’ explanatory notes from the summer of 2021 suggest that it would have been difficult to effectively administer the Orders, and thus decrease the risk of introducing COVID-19, without ArriveCAN, given the application’s marked efficiency in collecting information:
“The Government of Canada has replaced inefficient paper-based processes at Canada's ports of entry with electronic means, including the ArriveCAN app and website, to reduce the public health risks of traveller backlogs and to allow for timely oversight and tracking by public health officials of travellers entering Canada. Traveller volumes are expected to increase significantly in the coming months; however, this increase is expected not to exceed the capacity of ArriveCAN. Therefore, there is no reasonable alternative to the increasing mandatory use of ArriveCAN to allow travellers to submit COVID-19 related information electronically in advance of their arrival.”Footnote 67
- For these reasons, we find that the measures would not have been less privacy intrusive or as effective had the information been collected through a medium other than ArriveCAN.
Would the measures have been as effective if less personal information was collected?
- Some complainants stated that they were upset by the mandatory collection of their vaccination status, and the use of this information to impose stricter entry requirements on those who were not fully vaccinated. Accordingly, our Office was asked to consider whether the measures could have been as effective if providing proof of vaccination status had not been mandatory.
- One less privacy intrusive alternative proposed by certain complainants was permitting travellers to enter Canada (without quarantine) based on providing either proof of vaccination or a pre-arrival COVID-19 test.
- In this respect it is notable that from July 5, 2021 to April 1, 2022, the Emergency Orders, with certain exceptions, required travellers to provide both proof of vaccination and a pre-arrival COVID test as conditions of entry without quarantine. As noted in paragraphs 77 above, PHAC’s border testing data showed that when both vaccinated and non-fully vaccinated travellers needed a negative pre-arrival test to enter Canada, fully vaccinated travellers had consistently lower COVID-19 positivity rates in on-arrival testing. Permitting entry without quarantine for travellers who provided just a pre-arrival test would have been less privacy intrusive than requiring both a pre-arrival test and proof of vaccination. However, the evidence does not suggest it would have been as effective in reducing the chance that any given traveller had COVID-19 (and could therefore risk spreading it to others).
- However, as of April 1, 2022, pre-arrival tests were no longer required for fully vaccinated international travellers while the requirement remained in place for non-fully vaccinated travellers. From this date through to the end of the Orders in September 2022, PHAC told OPC that test positivity rates at land ports of entry were relatively similar between the two traveller groups and for travellers entering Canada by air, COVID-19 test positivity was consistently higher among non-tested, fully vaccinated travellers than among tested, non-fully vaccinated travellers.Footnote 68 PHAC noted that this suggests the effectiveness of pre-arrival testing in reducing the importation of COVID-19 into Canada. In subsequent correspondence, notwithstanding this higher positivity rate, PHAC advised our office that it was not in a position to validate the proposition that, as of April 1st, 2022, pre-arrival testing alone was more effective at reducing the importation of COVID-19 into Canada, for air entries.
- In our view it is a positive step that PHAC both collected and reflected on evidence about the effectiveness of pre-arrival testing alone in reducing the importation of COVID-19 into Canada - once it was determined that both pre-arrival testing and proof of vaccination were no longer warranted in order to enter Canada without needing to quarantine.
- However, PHAC did not demonstrate to our office that it considered less privacy intrusive alternatives such as permitting travellers to choose whether to provide a pre-arrival test or proof of vaccination in order to enter without quarantining, in light of its own data suggesting the effectiveness of pre-arrival testing in reducing importation of COVID-19 into Canada.
- Nonetheless, later Emergency Orders’ explanatory notes, which acknowledged the waning effectivenessFootnote 69 of vaccines in preventing infection, also highlighted the continued protection they provided against severe illness, serving to protect the health of Canadians and mitigate the burden on the health care system:
“The COVID-19 vaccines are effective at preventing severe illness, hospitalization, and death from COVID-19. Against earlier variants of concern such as Delta, two doses of the vaccine decreased symptomatic and asymptomatic infection and hence could reduce the risk of transmission of SARS-CoV-2; however, effectiveness varied depending on the COVID-19 vaccine product received and decreased over time, following vaccination. […] Against Omicron and its sub-lineages, a primary vaccine series provides some protection against symptomatic or asymptomatic infection though for a modest period of time, but still offers reasonable protection against severe disease. A booster dose increases protection against severe disease, as well as against infection but protection remains lower than the protection against earlier variants such as Delta.”Footnote 70
- As previously mentioned, section 4 of the Quarantine Act states that: “The purpose of this Act is to protect public health by taking comprehensive measures to prevent the introduction and spread of communicable diseases.” It does not explicitly identify broader health goals such as mitigating the burden of communicable diseases on the healthcare system. Further, the Emergency Orders in place from April 1, 2022 to September 30, 2022 were framed as being for the purpose of decreasing the risk of introducing and spreading COVID-19 and its new variants into Canada, “in order to” protect the health of Canadians and mitigate potential burden on the health care system; rather than “and” to protect the health of Canadians and mitigate potential burden on the health care system. However, PHAC is of the view that “comprehensive measures to prevent the introduction and spread of communicable diseases” necessarily include steps to reduce the seriousness or impact of an illness that is introduced or spread in Canada when it has not been possible to completely stop its introduction or spread, and that to do otherwise would in fact run counter to the statute’s goals. As such, PHAC submitted that preventing individuals from falling seriously ill and being hospitalized as a result of the introduction or spread of a communicable disease in Canada and mitigating the associated burden on the health care system are integral to the purpose of the Quarantine Act.
- In support of this interpretive position, the federal government’s public messaging during the pandemic consistently indicated that increasing vaccination coverage to protect the health of Canadians and mitigate the potential burden on the health care system was an overall goal.
- The continuing quarantine requirement imposed on non-fully vaccinated individuals after April 1, 2022 likely incentivised vaccination. We therefore accept, in line with PHAC’s broad interpretation above, that the Emergency Orders had “protecting the health of Canadians and mitigating the potential burden on the health care system” as a direct objective. We consider that permitting pre-arrival testing alone as an optional alternative to proof of vaccination alone, while less privacy intrusive, would not have been as effective in achieving this broader objective as it would not have incentivized individuals to become vaccinated, or prevented unvaccinated foreigners (with the related higher risk of serious illness and hospitalization) from entering Canada.
- However, in light of the insufficient demonstration to OPC that PHAC considered less privacy invasive alternatives, and the lack of clarity of the framing of the breadth of the objectives, we recommended that if PHAC considers similar mandatory collections for the purpose of addressing a pandemic in the future, it specifically examine and document its assessment of potentially less privacy-intrusive alternatives against clearly delineated objectives. Further, should the Quarantine Act be reviewed in the aftermath of the Pandemic, we would encourage Parliament to consider explicitly clarifying the scope of the purpose of the Quarantine Act.
- PHAC committed to implement the recommendation with respect to examining potentially less privacy intrusive alternatives and confirmed that should the Quarantine Act undergo review it will take the OPC’s comments into consideration.
Proportionality
- With respect to the fourth part of the four-part test, whether the loss of privacy is proportional to the need, we analyzed whether the potential privacy impacts to travellers were proportional to the benefits that would result from the collection of their personal information.
- In administering the Emergency Orders, the CBSA and PHAC collected a range of personal information, including, in addition to information that would generally be collected by CBSA when a traveler crosses the border, information which many consider to be particularly sensitive, such as travellers’ medical information (vaccination status and COVID-test results) and quarantine address. Some complainants were especially troubled by the collection of their vaccination information. This loss of privacy must be measured against the benefits of the collections under the Emergency Orders.
- In this case, entry of travellers into Canada risked the importation of COVID-19 into Canada, including potentially novel variants of concern. During the period when vaccinated travellers were also required to provide a pre-arrival COVID-19 test, but were not required to quarantine, PHAC’s border testing consistently showed that non-fully vaccinated travellers were at least 2 to 4 times more likely to test positive for COVID-19. In our view, reducing this risk of spreading COVID-19 into Canada by requiring non-fully vaccinated travellers to quarantine brought meaningful benefits to Canadians.
- During the final six months of the Emergency Orders, after PHAC had determined that pre-arrival tests for vaccinated travellers were no longer warranted, the proportionality of continuing to require travellers with pre-arrival tests to also provide proof of vaccination (or be subject to quarantine) was less clear cut, given the data suggesting the effectiveness of pre-arrival testing from this point forward. Nonetheless, individuals who may have been incentivised to get vaccinated by the quarantine measures benefitted from the demonstrated protection against severe disease offered by vaccines, and the health care system likely benefitted from the reduced risk of hospitalization for vaccinated individuals. Accordingly, we believe the benefits to Canadians from the collection of personal information under the Emergency Orders were proportional to the loss of privacy travellers suffered in disclosing their related personal information.
Conclusion
- In sum, we found the collection, use, disclosure, retention and disposal of information by both the CBSA and by PHAC, for the purposes of administering and enforcing the Emergency Orders, to be compliant with the Act, and all related complaints to therefore be not well-founded.
- While not a requirement of the Privacy Act, we also assessed the necessity and proportionality of the mandatory collection of vaccination status by CBSA and PHAC under the Emergency Orders. We found that overall, CBSA and PHAC’s collection of personal information under the Emergency Orders was necessary and proportional. However, we identified gaps in PHAC’s assessment of potentially less privacy intrusive alternatives, and related issues with respect to clarity of the objectives, in the final six months of the Orders.
- Given the evidence that vaccination continued to reduce the risk of serious disease to infected individuals, with its related burden on the health care system, we determined that the mandatory collection of vaccination status therefore contributed to the broader goal of protecting the health of Canadians and mitigating the burden on the health care system. PHAC indicated that this broad objective was necessarily included under the purpose clause of Section 4 of the Quarantine Act. We therefore ultimately concluded that the collections of personal information under the Emergency Orders met the necessity and proportionality test.
- Nonetheless, in light of the insufficient demonstration to OPC that PHAC considered less privacy intrusive alternatives, and the lack of clarity of the framing of the breadth of the objectives, we recommended that if PHAC considers similar mandatory collections for the purpose of addressing a pandemic in the future, it specifically examine and document its assessment of potentially less privacy intrusive alternatives against clearly delineated objectives. Further, should the Quarantine Act be reviewed in the aftermath of the Pandemic, we would encourage Parliament to consider explicitly clarifying the scope of the purpose of the Quarantine Act.
- PHAC committed to implement the above recommendation with respect to examining potentially less privacy intrusive alternatives and confirmed that should the Quarantine Act undergo review it will take the OPC’s comments above into consideration.
- Date modified: