Investigation into COVID-19 vaccination attestation requirements established by the Treasury Board of Canada for employees of the core public administration
Complaints under the Privacy Act
May 29, 2023
Description
We examined whether the vaccination attestation requirements established by the Treasury Board of Canada for employees of the core public administration, in response to the COVID-19 pandemic, complied with the collection, use and disclosure and transparency provisions of the Act. Additionally, we examined the necessity and proportionality of the measures considering the circumstances under which they were established.
Takeaways
- Federal institutions had the authority to collect information on employees’ COVID-19 vaccination status under the Financial Administration Act and Part II of the Canada Labour Code; and systemic uses and disclosures of such information were consistent with the purposes for which it was collected.
- In accordance with section 11 (1) of the Act, personal information banks and classes of personal information not contained in personal information banks, must be included in a public index updated at least annually. Where personal information has been under the control of a government institution for more than a year, and there has been no update to the public index, this will be evidence of non-compliance with section 11 of the Privacy Act.
- Though the principle of necessity and proportionality is not currently a requirement of the Privacy Act, limiting the collection of personal information to what is demonstrably necessary is a requirement of the Treasury Board of Canada Secretariat’s (TBS) Directive on Privacy Practices. We identified weaknesses in TBS’s assessment and documentation, but found that the collections under the measures, implemented by institutions at TBS’s direction, were necessary, effective, and proportional, under the circumstances.
- Institutions should assess and document necessity and proportionality, including consideration of potentially less privacy invasive alternatives, in a structured way when introducing privacy-invasive programs, in order to provide confidence that the privacy interests of Canadians are being respected.
Report of Findings
Overview
Following the Government of Canada's announcement in October of 2021 that employees of the core public administration (“CPA”) would be required to be fully vaccinated against COVID-19 and to attest to their vaccination status, the Office of the Privacy Commissioner of Canada (“OPC” or “our office”) received 40 complaints against 19 institutions in the core public administration. These institutions were Canada Border Services Agency; Canadian Space Agency; Correctional Service Canada; Employment and Social Development Canada / Service Canada; Finance Canada; Fisheries and Oceans Canada; Health Canada; Immigration, Refugees and Citizenship Canada; Indigenous Services Canada; Innovation, Science and Economic Development Canada; Justice Canada; National Defence; Public Health Agency of Canada; Public Safety Canada; Public Services and Procurement Canada; Royal Canadian Mounted Police; Shared Services Canada; Statistics Canada; and Treasury Board of Canada Secretariat.
Our office received additional complaints against separate employers which will be addressed in separate reports. The requirements for mandatory vaccination and attestation of vaccination status for employees of the CPA were established by the Treasury Board of Canada under the Policy on COVID-19 Vaccination for the Core Public Administration Including the Royal Canadian Mounted Police (“the Policy”). The Policy was suspended on 20 June 2022.
The complainants’ main allegations were that the collection of employees’ vaccination status, and in some cases religious or medical information in support of an accommodation request to be exempted from the requirements of the Policy, was unreasonable. After investigation and analyses we found that institutions’ collection of personal information under the Policy complied with the requirement of section 4 of the Privacy Act (“the Act”) as it related directly to an institution’s operating programs or activities, namely, TBS’s health and safety responsibilities as employer during a national emergency situation as a result of the COVID-19 pandemic.
Certain complainants also made allegations about transparency and inappropriate incidental disclosures of personal information, either in relation to the TBS operated Government of Canada Vaccine Attestation Tracking System (“GC-VATS”) system used to collect the vaccination attestations, or in relation to individual institutions’ handling of personal information.
With respect to transparency, we found no contraventions of subsection 5(2) of the Act which requires that individuals be informed of the purpose of collection of the personal information. However, we found that TBS contravened subsection 11(1) of the Act by not updating its index of personal information to reflect information collected under the Policy within a year of institutions beginning this collection. TBS has now published a personal information bank description for the COVID-19 Vaccination Attestation and Worksite Testing Program.
We also found no indications of contraventions on a systemic level of the disclosure provisions of the Act (i.e. section 8) with respect to GC-VATS or the handling of personal information collected under the Policy.
Our investigation also considered whether all aspects of the Policy were necessary and proportional to the attainment of its objectives. ‘Necessity’ is not a legal requirement under the Act, which requires a lesser threshold of “relates directly to”, but it is a key privacy principle embedded in privacy laws in many jurisdictions including several Canadian provinces.
In May of 2021, Federal, Provincial and Territorial Privacy Commissioners recommended in a Joint Statement that governments and businesses consider the principles of necessity, effectiveness and proportionality, in relation to the establishment of vaccine mandates. TBS’s own Directive on Privacy Practices requires that institutions limit the collection of personal information to what is demonstrably necessary. These related provisions and considerations contribute to and reflect a heightened expectation of privacy among Canadians.
In April 2020, the OPC issued a Framework for the Government of Canada to Assess Privacy-Impactful Initiatives in Response to COVID-19 (the Framework) and shared it with government institutions in an effort to outline key privacy principles, including necessity and proportionality, that should factor into their assessment of measures proposed to combat COVID-19 that have an impact on the privacy of Canadians.
Accordingly, given its importance, particularly in the context of privacy invasive measures contemplated in a public health crisis, we examined whether the collections under the Policy were necessary and proportional, recognizing that, as stated in the OPC’s Framework, the urgency of limiting the spread of the virus was understandably a significant challenge for government and public health authorities and the COVID-19 crisis was a rapidly evolving situation that required swift and effective responses to address extraordinary public health needs.
After careful review, we determined that, while the TBS’s responses to certain of our questions could and should have been more fulsome and forthcoming, under the circumstances in which it was developed and implemented, the Policy overall was necessary and proportional. We base this determination on emergency situation that existed and the central role of the TBS and federal public servants in supporting the federal government’s response to the pandemic, including the protection of the heath and safety of Canadians and the provision of important and often vital government and public services during this unprecedented public health crisis.
With respect to the complainants’ argument that each department should have been able to adopt different policies in order to exempt teleworking employees from the vaccination requirements, we accept that it was necessary and prudent for the TBS to retain the ability and flexibility to require the onsite presence of its employees on short notice (including employees who regularly worked from home during the pandemic) in order to deal with emergency and other unforeseen situations during the pandemic. We further find that, particularly in the context of the rapidly evolving pandemic situation, it would have been unfeasible for the TBS or individual Deputy Ministers to establish different policies for each of the institutions in the federal government.Footnote 1
Given the importance of the issue, we have recommended to TBS that it assess any contemplated vaccination measures against the four-part test detailed in this report in advance of any potential future decision to reinstate some or all of the requirements of the Policy. We were disappointed that the TBS did not agree to implement this recommendation, which we feel is consistent with the TBS’s own policy on the preparation of privacy impact assessments and is a proven, effective and efficient approach to ensuring that the considerations of necessity and proportionality are imbedded in a program upfront, to optimize the protection of Canadians’ privacy rights. We reiterate this recommendation in this final report and would ask the TBS to reconsider its earlier response.
We take note of the TBS’s commitment to meet its obligations under the Privacy Act and related policy instruments and would remind the TBS that these policy instruments would require the preparation of a Privacy Impact Assessment that would assess the necessity and proportionality of any potentially privacy intrusive measures.
Background
- On 6 October 2021, the Government of Canada announced that all public servants in the CPA must attest to being fully vaccinated against COVID-19 or be put on leave without pay unless accommodated for medical reasons or on the basis of a prohibited grounds of discrimination. These requirements were formalized for employees of the CPA under the Treasury Board of Canada’s Policy on COVID-19 Vaccination for the Core Public Administration Including the Royal Canadian Mounted Police (“the Policy”). The Canadian Armed Forces and other separate federal public service employers were asked to implement substantially similar policies for their employees. Complaints against these other employers will be addressed in separate reports of findings.
- Under the Policy, all employees,Footnote 2 regardless of whether they were working remotely or in a government office, were required to attest to their vaccination status to their respective institutions and, if warranted, request an accommodation. Failure to disclose one’s vaccination status resulted in an employee being placed on leave without pay. The same consequence was imposed on employees who were not vaccinated after a grace period or whose request for accommodation was denied.
- The Policy lists three separate objectives, all of which are related to protecting the health and safety of employees. They are:
- “To take every precaution reasonable, in the circumstances, for the protection of the health and safety of employees. Vaccination is a key element in the protection of employees against COVID-19.”
- “To improve the vaccination rate across Canada of employees in the core public administration through COVID-19 vaccination.”
- “Given that operational requirements may include ad hoc onsite presence, all employees, including those working remotely and teleworking must be fully vaccinated to protect themselves, colleagues, and clients from COVID-19.”
- In order to collect vaccination attestations from employees of the CPA, government institutions were required to use a system called the Government of Canada Vaccine Attestation Tracking System (“GC-VATS”) developed by the Treasury Board of Canada Secretariat (“TBS”). GC-VATS is web platform within the TBS Application Portal.
- Generally, employees of the CPA submitted their vaccination attestations through GC-VATS unless they were unable to do so electronically, in which case paper forms could be used. The paper forms were then scanned and uploaded to GC-VATS. A listing of the information stored in GC-VATS can be found in Appendix 1 of this report.
- For individuals who requested an accommodation from the requirements of the Policy, supporting information was collected and retained directly by the home department of the individual rather than within the GC-VATS system.
- Under the Policy, the Office of the Chief Human Resources Officer, a unit within TBS, is required to review the need for the Policy, at a minimum every 6 months, and report the results to the President of the Treasury Board.
- On 14 June 2022, the Government announced that effective 20 June 2022 the vaccination requirement for the CPA would be suspended. This announcement followed the six-month review of the Policy by the Treasury Board. As part of the announcement, TBS indicated that, "[t]he government will continue to closely monitor domestic and international scientific evidence to assess the need for additional public health measures, including the possible reintroduction of vaccination mandates."
Jurisdiction
- Several complainants alleged that requiring vaccination and attestation of vaccination status constituted a contravention of their rights guaranteed by the Canadian Charter of Rights and Freedoms (“the Charter”) and that therefore the requirements were unlawful. However, making findings on Charter compliance is outside of the scope of our Office’s jurisdiction and thus outside the scope of this report’s analysis.
Methodology
- In coming to our conclusions over the course of the investigation, the OPC considered information from both individual institutions as well as from TBS, which functions as the official employer for staff within the CPA under the Financial Administration Act. Since individual institutions were directed by TBS, under the Policy, to collect the information from their employees relating to COVID-19 vaccination status as well as accommodation requests, in addition to seeking representations from these individual institutions, we sought and relied significantly on representations from TBS.
Analysis
Issue 1: Was the information collected by institutions related directly to an operating program or activity of the institution as required by the Act?
- Many of the complainants allege that their respective institutions, pursuant to the Policy, required them to provide, on a mandatory basis, personal information relating to their COVID-19 vaccination status and, in certain cases, religious beliefs or medical history, and that this collection represents an unreasonable infringement of their privacy rights.Footnote 3
- Section 4 of the Act requires that institutions only collect personal information about individuals if that information relates directly to an operating program or activity of the institution. These programs or activities are normally established through legislation which authorizes the program or activity in question. Section 4 does not require that a collection be “necessary”, just that there be “a direct, immediate relationship with no intermediary between the information collected and the operating programs or activities of the government.”Footnote 4
- Though some complainants alleged that their vaccination status was being collected without their consent, it should be noted that the Act does not include a general requirement that institutions obtain individuals’ consent for the collection of their personal information.
- TBS indicated that the lawful authority for the collection of personal information pursuant to the Policy stems from sections 7 and 11.1 of the Financial Administration Act (“FAA”). These sections of the FAA grant the Treasury Board the authority to act for the Queen’s Privy Council for Canada on all matters relating to human resources management in the federal core public administration, including the determination of the terms and conditions of employment of persons employed in it. In relation to its responsibility over human resources, Treasury Board is authorized to provide for “any other matters, including terms and conditions of employment not otherwise specifically provided for in [section 11.1 for the FAA], that it considers necessary for effective human resources management in the public service.”
- Additionally, we note that federal institutions are responsible, under section 124 of Part II of the Canada Labour Code, to “ensure that the health and safety at work of every person employed by the employer is protected”. Subsection 3.1.1 of the Policy identifies that it is an objective of the Policy, “[t]o take every precaution reasonable, in the circumstances, for the protection of the health and safety of employees. Vaccination is a key element in the protection of employees against COVID-19.”
- In support of the Policy, TBS submitted evidence from the Public Health Agency of Canada, dated August 2021, demonstrating that among other things:
- The Delta variant of COVID-19, which was becoming dominant at the time, was more transmissible than previous variants and risked leading to more hospitalizations and deaths in the midst of what was then Canada’s fourth wave of the global pandemic;
- The approved COVID-19 vaccines were very effective at preventing severe illness, hospitalization and death; and
- The approved COVID-19 vaccines also appeared to be somewhat effective at preventing outbreaks and the transmission of the virus, although further research was required on the level of effectiveness against the Delta variant.
- Based on this evidence, we are satisfied that, at the time the Policy was put in place, the collection of information relating to the vaccination status of employees by institutions subject to the Policy related directly to the responsibilities of the institutions to implement TBS policies aimed at ensuring the health and safety of employees in the workplace.
- The Policy fell within TBS’s legal authority to set working conditions for the CPA, including health and safety measures. Furthermore, we are satisfied that knowing the vaccine status of employees was positively and immediately related to ensuring the health and safety of the workplace. The evidence from the Public Health Agency of Canada is that vaccines were effective at preventing severe illness and transmission and that COVID-19 continued to pose serious risks at the time the Policy was put in place.
- As noted above, on 14 June 2022 TBS suspended the vaccination requirement under the Policy after conducting a review of the Policy in light of the evolving environmental context. It noted that "[t]he government will continue to closely monitor domestic and international scientific evidence to assess the need for additional public health measures, including the possible reintroduction of vaccination mandates." In this context we note that this review exercise, and future periodic reviews should the requirements of the Policy be reintroduced, are critical to ensuring that any future related collections of personal information meet the threshold of being related directly to operating programs or activities – in this case, ensuring health and safety in the workplace.
- The Policy also allowed for individuals to request an accommodation from the requirement to be fully vaccinated, “based on a certified medical contraindication, religion, or another prohibited ground for discrimination as defined under the Canadian Human Rights Act.”Footnote 5
- In order to obtain an accommodation, subsection 4.3.4 of the Policy indicates that individuals are required to provide “their manager with complete and accurate information necessary to identify appropriate accommodation, including information on relevant limitations, restrictions, and if they are partially vaccinated.”
- The Treasury Board Directive on the Duty to Accommodate further specifies that “persons employed” are responsible for, “4.3.2 [p]roviding their manager with the information necessary to identify appropriate accommodation, including information on relevant limitations and restrictions” and “4.3.3 [c]ooperating and collaborating in good faith with their organization’s representative(s) to find one or more means to accommodate such needs, taking into consideration issues of health, safety and cost”.
- We are of the view that collecting personal information to evaluate a request for accommodation under the Policy is directly related to a government institution’s responsibilities under the Canadian Human Rights Act to avoid discriminating against employees based on prohibited grounds of discrimination.Footnote 6 By its nature, assessing if an individual’s accommodation request is validly linked to a prohibited ground of discrimination will include collecting highly sensitive information such as medical conditions and religious beliefs. However, there is an immediate and direct relationship between the responsibility to avoid discrimination and collecting information from employees to justify their request for accommodation on the basis of one of these grounds. Indeed, it is difficult to see how a government institution could be expected to make a decision about an accommodation request without obtaining additional information, including, in some cases, intimate details about the nature of the employee’s circumstances.
- Based on the above, we conclude that the collections required under the Policy related directly to existing programs or activities, that being: (i) TBS’ responsibilities as an Employer; and, (ii) for institutions that were subject to the Policy, their internal services / human resources activities. We found no instances of collections that were not directly related to implementing the Policy. Therefore, we find the allegations with respect to this issue to be not well-founded.
Issue 2: Did institutions properly meet the transparency requirements of the Act?
- Certain complainants alleged that they were not informed by their institutions about how information relating to their COVID-19 vaccination status would be used once collected. Certain complainants also alleged that TBS failed to publish a description of the “TBS central personal information bank (under development)” referenced in the GC-VATS Privacy Statement before collecting employees’ vaccination attestations - which impeded their ability to understand what information was being collected.
- Subsection 5 (2) of the Act requires that individuals be informed of the purpose for which their personal information is being collected under certain circumstances, while Section 11 of the Act requires TBS to “cause to be published,” at least once a year, periodically an index of personal information banks (“PIBs”) describing each PIB and including certain prescribed elements.
- With respect to compliance with subsection 5 (2), the Privacy Statement that was presented to individuals when providing their vaccination status via GC-VATS, and on paper/electronic forms for those who were unable to use GC-VATS does describe the purpose of collection as required by subsection 5 (2). Specifically, the following information was included in the Privacy Notice presented by GC-VATS in October 2021:
The personal information collected will be used to confirm your vaccination status and to consider requests for accommodation for those unable to be vaccinated. The personal information will be used, in conjunction with additional COVID-19 preventative measures, including rapid testing, to determine if you will be granted on-site access to the workplace and to determine whether you may report to work in person or remotely. Your personal information will also be used by your organization and TBS to monitor and report on the overall impact of COVID—19 and compliance with the vaccination program both within the organization and for the Core Public Administration, as described in standard personal information bank PSE 907, Occupational Health and Safety.
- The information provided in the GC-VATS Privacy Notice, in conjunction with the Policy itself, which was readily available on the Government of Canada’s website, is reasonable and sufficient to enable individuals to understand the purposes for which their information is being collected and therefore we do not find a contravention of subsection 5 (2).
- With respect to compliance with Section 11, Subsection 11 (1) of the Act requires that TBS causes to be published on a periodic basis not less frequently than once each year, an index of all personal information banks,Footnote 7 and all classes of personal information not in personal information banks , under the control of any government institution. The index must describe the PIBs and classes of information and set forth certain mandatory elements such as which institution controls the information, and, for information that has or could be used for an administrative purpose, what the information may be used for and the retention and disposal standards that apply to it.Footnote 8
- Vaccination attestation collection began in October 2021. We therefore expected the necessary update to the index would occur before the personal information in question had been under the control of government institutions for more than a year. However, TBS did not include the PIB description for COVID-19 Vaccination Attestation and Worksite Testing Program in the Personal Information IndexFootnote 9 until December 22, 2022.
- The fact that personal information collected about employees to administer the Policy was not included in TBS’ personal information index for well over a year demonstrates non-compliance with section 11.
- In this case, most of the information required to be included in the Index was included directly in the Privacy Notice above. That said, the notice did not include a statement outlining the retention and disposal standards applied to personal information in the bank, which is a required element under s. 11(1) of the Act.
- Given the contravention of subsection 11 (1), and TBS’s subsequent publication of the PIB description, we find the transparency complaints relating to PIBs to be well-founded and resolved.
Issue 3: Were disclosures of personal information collected under the Policy authorized under section 8 of the Act?
- Subsection 8 (1) of the Act requires that personal information under the control of an institution shall not, without the consent of the individual to whom it relates, be disclosed by the institution except in accordance with the conditions identified in subsection 8 (2). Paragraph 8 (2) (a) allows for disclosure “for the purpose for which the information was obtained or compiled by the institution or for a use consistent with that purpose”.
- Certain complainants alleged that there had been inappropriate disclosure of information collected under the Policy. We examined allegations that the processes for handling accommodations request, and the use of GC-VATS, may have resulted in inappropriate disclosure of information either within individuals’ own institution or to staff at TBS as the operator of the GC-VATS system. We did not find any disclosure contraventions associated with the general handling of accommodation requests or the use of GC-VATS – as detailed further below.
- General concerns with accommodation requests process: Several complainants raised general concerns that unreasonable disclosures of their personal information within their institution could have occurred in the process reviewing accommodation requests. We consequently obtained representations from all the respondents subject to the Policy describing how they limited access to accommodations related information to those who needed to know in order to manage the accommodations process. We saw no indications of issues with respect to processes and systems to prevent inappropriate disclosures.
- In a few cases, we separately investigated allegations of specific disclosure incidents. Except in these cases where we had a specific set of facts to investigate we did not systematically audit the processes and systems in place for handling accommodation request information. We caution all institutions to ensure due diligence in protecting the information of individual employees when managing processes involving the information of many employees.
- Several complainants also raised a concern that their colleagues, or other employees, such as those managing pay, could infer information about them, such as their vaccination status, from the fact that they were put on leave. However, as noted above, the Privacy Act permits disclosures “for the purpose for which the information was obtained or compiled by the institution or for a use consistent with that purpose”. In our view, the fact that an individual is on leave, which can occur for a variety of reasons, is information obtained or compiled for the purpose of managing the employee and their work. Therefore, proactive disclosure to relevant employees - such as those processing pay, or colleagues whose workload may be affected - that an individual is on leave is a consistent use with this original purpose and permitted under 8(2)(a) of the Act.
- Concerns with the use of GC-VATS: With respect to the allegations related to GC-VATS, TBS represented that in general, access to individual employee data within GC-VATS is restricted to authorized individuals within the employee’s own institution. Specifically, an employee’s immediate supervisors have full access to the individual employee’s vaccination attestation, including: (i) vaccination status as attested to by the individual employee, (ii) the result of a verification as recorded by the individual employee’s immediate supervisor, and (iii) the reason for accommodations if/as requested by the individual employee. Higher-order managers (i.e. superiors to the employee’s immediate supervisor, including all senior officials within the organizational structure in which the employee works) have more limited access to: (i) the individual employee’s vaccination status as attested to by the individual employee and (ii) the result of a verification as recorded by the individual employee’s immediate supervisor.
- Certain other specific individuals within an employee’s own institution with a role in fulfilling responsibilities under the policy (e.g. health and safety officials or human resources staff) who have been pre-identified as having a “need to know” also have access to individual employees’ attestation data through departmental reporting.
- Specific individuals at TBS do have access to anonymized vaccination attestation data aggregated at a departmental-level in order to fulfill TBS’ responsibilities under the Policy. TBS has indicated that these individuals do not have access to individuals’ personal information through this reporting mechanism. TBS indicated that only specific individuals within the technical team supporting the GC-VATS solution may be given access to the underlying GC-VATS data for the purposes of diagnosing reported technical defects.
- Given that all of the disclosures permitted by the access controls on GC-VATS are for the purpose for which the information was obtained, i.e. to implement the Policy, or for consistent uses with that purpose as described in the privacy notice given to individuals, we found no indications of contraventions of section 8 of the Act with respect to GC-VATS. Accordingly, we find the allegations with respect to this issue to be not well-founded.
Other
Was the information collected necessary and proportional?
- Multiple complainants raised concerns about the necessity and the proportionality of the measures established under the Policy.
- Though not a requirement of the Act, necessity and proportionality is a privacy principle that our Office strongly endorses and is embedded as a requirement in privacy laws in many domestic and international jurisdictions including multiple Canadian provinces. Limiting the collection of personal information to what is demonstrably necessary is also a requirement of TBS’s own Directive on Privacy Practices.Footnote 10
- This principle is all the more important when institutions must respond quickly in times of crisis to implement measures that are intended to promote and protect public health and safety, given the elevated potential for the measures to infringe on individuals’ privacy rights. In May 2021, prior to the introduction of the Policy by the Government of Canada, Federal, Provincial and Territorial Privacy Commissioners issued a joint statement entitled, “Privacy and COVID-19 Vaccine Passports”, which highlighted the importance of considering necessity and proportionality in the development of COVID-19 vaccine passports, and that doing so need not be a barrier to effective public health management.
- Given its importance, we examined the necessity and proportionality of the Policy requiring all employees to attest to their vaccination status and to provide information to support decision-making on providing accommodations from the requirements of the Policy.
- To guide institutions in considering necessity and proportionality, our Office advocates a four-part testFootnote 11 that calls for institutions to ask themselves the following questions when establishing particularly privacy-invasive programs and services:
- Is the measure demonstrably necessary to meet a specific need?
- Is it likely to be effective in meeting that need?
- Is there a less privacy-intrusive way of achieving the same end?
- Is the loss of privacy proportional to the need?
- In our view the Policy is sufficiently privacy invasive to warrant careful consideration against these four questions, as it requires the collection of vaccination status from all federal employees and, where an accommodation is sought by an employee, additional information (including medical contraindications or religious beliefs) to support the request for accommodation. While an individual’s attestation of their vaccination status is limited in nature, it nevertheless reveals personal health information, which our Office views as being a personal information category of elevated sensitivity. For those individuals who make accommodation requests, more invasive information relating to their religious beliefs or medical conditions must also be collected.
- In reviewing the Policy, we kept in mind the reality that, as stated in the OPC’s Framework for the Government of Canada to Assess Privacy-Impactful Initiatives in Response to COVID-19, the urgency of limiting the spread of the virus was understandably a significant challenge for government and public health authorities and the COVID-19 crisis was a rapidly evolving situation that required swift and effective responses to address extraordinary public health needs.
- Given that the information was collected by institutions in response to requirements established by TBS under their authority to establish conditions of work for the core public administration, we expected that TBS, as the policy authority, would be able to describe how it considered necessity and proportionality in the development of the Policy, and be able provide evidence and analysis supporting its conclusions.
- With respect to the first point of the four-part test, necessity, we expect institutions to be able to explain, in detail, how a privacy-intrusive initiative is rationally connected to a defined pressing and substantial goal, and how the proposed collection or use of personal information will serve to meet the needs. This requires empirical evidence in support of the initiative and should preclude the collection of personal information for speculative or “just in case” scenarios.
- Section 3.1 of the Policy states the following objectives:
- “To take every precaution reasonable, in the circumstances, for the protection of the health and safety of employees. Vaccination is a key element in the protection of employees against COVID-19.”
- “To improve the vaccination rate across Canada of employees in the core public administration through COVID-19 vaccination.”
- “Given that operational requirements may include ad hoc onsite presence, all employees, including those working remotely and teleworking must be fully vaccinated to protect themselves, colleagues, and clients from COVID-19.”
- In its representations to our Office, TBS provided, as noted in paragraph 15, evidence that the requirements established under the Policy were based on public health advice and scientific studies. Given that the requirements were instituted during the global COVID-19 pandemic, we are satisfied that the measures mandated under the policy were connected to the pressing and substantial goal of the “protection of the health and safety of employees”.
- With respect to the second element of the four-part test, whether the measures implemented under the Policy would be effective in meeting the objectives, we are satisfied that there was evidence of the effectiveness of vaccination in achieving the objectives in light of the circumstances present at the time the Policy was put in place. We accept, on this basis, that a vaccination mandate was effective in meeting the objective, and that the collection of vaccination status to implement this mandate was therefore effective in meeting the objectives that were established by TBS.
- With respect to the third element, the necessity and proportionality principle requires a consideration of whether less privacy-intrusive measures could achieve the same end. This element requires TBS to demonstrate that less privacy-intrusive measures would not have been able to achieve TBS’s important objective of protecting the health and safety of its employees.
- Some complainants argued that rapid tests should have been offered to all as a less privacy-intrusive measure. Although OPC asked about reasonable alternatives to the Policy (including rapid testing), TBS did not provide us with information with respect to its consideration, if any, of such an option.
- That said, in reviewing Canadian jurisprudence on mandatory vaccination policies we found a number of cases thatFootnote 12 have considered public health advice with respect to rapid testing as an alternative to mandatory vaccine mandates. These cases dealt with situations where affected individuals are largely required to be in shared physical spaces. The decision makers in these cases upheld mandatory vaccination policies that did not permit individuals to freely choose rapid testing as an alternative, citing relevant public health advice. Some cases cited provincial medical authorities in two cases, and expert epidemiological testimony in the other two cases. These sources noted that: (i) in contrast with the strong body of evidence for the protective effect of vaccines, there is a lack of concrete evidence, such as observational studies or controlled trials, demonstrating that rapid testing regimes reduce transmission, and (ii) rapid testing regimes do not prevent serious illness from infection where such infections occur.
- As a result, we are satisfied that rapid tests would not have been a valid alternative in the circumstances.
- TBS provided analysis from the Public Health Agency of Canada, supported by references to external evidence, demonstrating that at the time it put the Policy in place there was a substantial body of evidence on the efficacy of vaccines for protecting individuals coming into contact with others, such as in a shared workspace, from severe illness.
- We accept in this regard that vaccination was demonstrated to be the most effective means to ensure that employees who attended onsite were protected from COVID-19.
- However, the complainants argued that proof of vaccination status should not have been required for those employees on telework with no reasonably foreseeable need to work onsite on a permanent or ad hoc basis.
- We note that Court and tribunal decisions that have considered vaccine requirements to date have emphasized the importance of assessing the relevant operating context, including whether employees work onsite or from home.Footnote 13
- TBS confirmed that the decision to require employees to be present on-site on an ad hoc basis or more regularly was left to Deputy Heads and/or individual managers to determine based on their operational needs. Further, TBS also confirmed that it did not consult with Deputy Heads prior to implementing the Policy about plans to require employees to return to the office or whether, indeed, there were reasonably foreseeable operational requirements that could require all of their employees to have to attend onsite.
- We confirmed with several institutions that they had no immediate, broad, return-to-office plans. Indeed, many employees have been working remotely for two years and have not been in their offices since March of 2020. Some complainants have alleged that they have never actually set foot in their institution’s offices as they were appointed during the pandemic and have been working remotely since their first day with the institution.
- TBS justified the application of the Policy to all employees on the basis that the operating model for government operations prior to the pandemic was based on a requirement for onsite presence and that while telework provisions had been put in place as a business continuity approach during the pandemic, all employees could at any time be required to be present on-site on an ad hoc basis for operational needs (such as attending the office for security or other reasons, opening and managing mail, processing information on enhanced secure networks, urgent requirements that require immediate onsite presence, or technical problems with the employee’s ability to work remotely). The TBS added that it would have been impractical to only seek to confirm a teleworking employee’s vaccination status when such presence was required given the long delay that would have entailed for unvaccinated employees to become vaccinated in order to provide services to the public.
- The TBS indicated that many public servants were in the front lines providing in-person services to Canadians during the pandemic and that the TBS could not wait for emergencies or other type of unforeseen situations to then require and verify vaccination for teleworking employees, especially given the overall operations of the federal public service.
- While we would have expected a more fulsome and forthcoming response from the TBS with respect to our questions on this issue, we are of the view that some deference is owed to the TBS with respect to its assessment of its needs for employee onsite presence during this unprecedented public health emergency.
- The TBS and the federal government were on the front lines protecting the health and safety of Canadians and providing important and often vital services during a rapidly evolving situation. In the absence of evidence to the contrary, we accept that in this context it was necessary and prudent for the TBS to retain the ability to require the onsite presence of its employees on short notice (including employees who regularly worked from home during the pandemic) in order to deal with emergency and other unforeseen situations during the pandemic. We further find that, particularly in the context of the rapidly evolving pandemic situation, it would have been unfeasible for the TBS to ensure workforce availability and interoperability had deputy heads of institutions been assigned the responsibility for establishing vaccination policies specific to the operational context of their own institutions across the federal government.Footnote 14
- For all these reasons, we conclude that TBS Policy has met the third element of the four-part test.
- With respect to the fourth part of the four-part test: is the loss of privacy proportional to the need, we had expected that TBS would be able to demonstrate that they had analyzed whether the potential privacy impacts to employees resulting from the collection of information relating to their COVID vaccination status were proportional to the benefits that would result from the collection.
- It should be noted that the Policy required the disclosure of limited information about an individual’s vaccination status, information that at the time the Policy was first instituted, was also required to be disclosed to access many services in a number of provinces, including restaurants. Nevertheless, it remains medical information (sensitive by nature) and in certain cases could entail the disclosure of additional sensitive personal information for employees making accommodations requests.
- This loss of privacy must be measured against the benefits of the Policy. For the reasons set out in the assessment of the third element, we are satisfied that the benefits of the Policy were to protect the health and safety of all TBS employees while ensuring that the TBS retained the ability and flexibility to require the onsite presence of its teleworking employees to respond to emergencies or other unforeseen situations when providing public services to Canadians during a global pandemic.
- When measured against this objective, we find that the loss of privacy was proportional to the benefits in the context of this emergency situation.
- Based on the evidence and representations before us, we are satisfied that the Policy met the necessity and proportionality requirements.
- While the vast majority of the personal information collected under the Policy was collected in the fall of 2021, additional personal information continued to be collected (such as from newly recruited staff), and employees who refused to provide the requested personal information continued to be subject to administrative consequences including being placed on unpaid leave status until the Policy was suspended on 20 June 2022. An important aspect of assessing necessity and proportionality, particularly in a rapidly evolving public health context, is the need to reassess on a timely basis as circumstances evolve. We note, importantly, that the Policy acknowledged this by setting a six-month review, which commenced in April, 2022. As a result of this review, the measures established under the Policy were suspended when TBS deemed that they were no longer warranted based on the current public health situation.
- We asked TBS to provide information relating to its assessment of necessity and proportionality as part of the review process it undertook prior to suspending the Policy in June 2022. In response it provided hyperlinks to a range of public studies on the effectiveness of vaccines against omicron variants of COVID-19 without any contextual analysis, but declined to provide further information citing cabinet confidences. We therefore cannot comment on the integrity of TBS’s review process.
Recommendations
- Given the importance of the issue, we have recommended to TBS that it assess any contemplated vaccination measures against the four-part test detailed in this report in advance of any potential future decision to reinstate some or all of the requirements of the Policy. We were disappointed that the TBS did not agree to implement this recommendation, which we feel is consistent with the TBS’s own policy on the preparation of privacy impact assessments and is a proven, effective and efficient approach to ensuring that the considerations of necessity and proportionality are imbedded in a program upfront, to optimize the protection of Canadians’ privacy rights.
- We note that the TBS has a leadership role within the federal administration in their application of privacy policy and promotion of compliance, and we reiterate the above recommendation and would urge the TBS to reconsider its earlier response.
- We take note of the TBS’s commitment to meet its obligations under the Privacy Act and related policy instruments. We would remind the TBS that these policy instruments would require the preparation of a Privacy Impact Assessment that would assess the necessity and proportionality of any potentially privacy intrusive measures.
Conclusion
- We conclude that the Policy was largely implemented in conformity with the legal requirements of the Act, with the exception of TBS’s failure to update its index of personal information to reflect personal information collected to administer the Policy within the timeframe required under the Act.
- On a policy level and although not currently a legal requirement, we also conclude that the TBS policy was necessary and proportional. However, we would have expected more fulsome and forthcoming responses from the TBS during this investigation and we encourage the TBS to put in place measures to fully assess and document how it meets the necessity and proportionality requirements when assessing potentially privacy-intrusive measures.
- We believe that this investigation highlights the need to better reflect the principle of necessity and proportionality in public sector privacy law, as the government advances their plans to modernize the Privacy Act in the near future.
Appendix 1 – Listing of information collected in GC-VATS
GC-VATS is prepopulated with the following information on individuals which was already collected by the employer:
- Last name
- Given name
- Manager’s Name
- Department
- Place of work (country)
- Place of work (province or territory)
- Group
- Level
- Position number
- PRI (paper attestations only)
- Email address
- Date of Birth (paper attestations only)
- Manager’s PRI (paper attestations only)
- Manager’s DOB (paper attestations only)
Additionally, GC-VATS collects the following the specific information from individuals as part of the attestation process:
- Employee acceptance
- Attestation of vaccination status
- Verification status
- Manager’s verification confirmation
- Date modified: