Investigation into COVID-19 vaccination attestation requirements established by certain separate employers of the federal public service

Complaints under the Privacy Act

May 29, 2023

---

Description

We examined whether the vaccination attestation requirements established by certain federal government institutions (“separate employers”) that are not part of the core public administration, for their employees, in response to the COVID-19 pandemic complied with the collection, use, and disclosure provisions of the Privacy Act (the Act). Additionally, we examined the necessity and proportionality of the measures considering the circumstances under which they were established.

Takeaways

• The separate employers examined had the authority to collect information on employees’ COVID-19 vaccination status under their enabling legislation and Part II of the Canada Labour Code; and uses and disclosures of such information were generally consistent with the purposes for which it was collected.
• Though the principle of necessity and proportionality is not currently a requirement of the Privacy Act, limiting the collection of personal information to what is demonstrably necessary is a requirement of the Treasury Board of Canada Secretariat's (TBS) Directive on Privacy Practices. In this case we found the collection of personal information under the measures implemented by these institutions was necessary, effective, and proportional, under the circumstances.
• Institutions should assess and document necessity and proportionality in a structured way when introducing or modifying privacy-invasive programs, in order to provide confidence that the privacy interests of Canadians are being respected.
• When setting access permissions for sensitive employee information institutions should consider what types of information constitute a “need to know” requirement for any given support employee with access.

---

Report of Findings

Overview

Following the introduction, in October of 2021, of COVID-19 vaccination mandates and associated vaccination status attestation requirements for employees of separate employers^{Footnote 1} in the federal public service, our office received multiple complaints from affected employees against Business Development Bank of Canada (“BDC”), Canada Post Corporation (“CPC”), Canada Revenue Agency (“CRA”), Canadian Food Inspection Agency (“CFIA”), National Research Council of Canada (“NRC”), and Parks Canada (“PC”), collectively referred to as “the respondents” or “the employers” in this report.

Our office also received complaints against the Treasury Board of Canada Secretariat (“TBS”) and institutions of the core public administration by employees who are subject to TBS’s Policy on COVID-19 Vaccination for the Core Public Administration Including the Royal Canadian Mounted Police (“TBS’s Policy”) as well as complaints against the Department of National Defence by members of the Canadian Armed Forces (CAF), who are not subject to TBS’s Policy but are subject to a similar directive, the CDS Directive on CAF COVID-19 Vaccination. Those complaints are addressed in separate reports.

Several complainants alleged that the collection of employees’ vaccination status, and in some cases religious or medical information in support of an accommodation request to be exempted from the requirements of their employer’s policies, was unreasonable. After investigation and analysis, we found that the respondents’ collection of personal information, under their respective policies, complied with the requirement of section 4 of the Privacy Act (the “Act”) as it relates directly to the respondents’ operating programs or activities, namely, their workplace health and safety responsibilities during a national emergency situation as a result of the COVID-19 pandemic. Our investigation did not assess whether the vaccination requirements were an unjustified infringement of individuals’ right to be secure against unreasonable search or seizure, guaranteed by the Canadian Charter of Rights and Freedoms.

Certain complainants also alleged that the respondents inappropriately disclosed personal information relating to their vaccination status. We determined that disclosures of this information by the respondents were consistent with the purposes for which it had been collected and, as such, complied with section 8 of the Act.

Based on the above, we concluded that the respondents’ COVID-19 policies were implemented in conformity with the legal requirements of the Act.

Additionally, although not a requirement under the Act, we also examined the principles of necessity and proportionality as they pertain to the collections established under the respondents’ policies. We determined that, in the context of the global COVID-19 pandemic, these policies were, overall, necessary and proportional given the emergency situation that existed. Federal employers have clear obligations under the Canada Labour Code to protect the health and safety of their employees in the workplace and we are satisfied that, based on the conditions and public health guidance at the time, vaccination and the associated attestation requirements were the most effective method to prevent infection and serious disease from COVID-19 in order to ensure the health and safety of employees and the individuals they serve.

As such, we are satisfied that the respondents’ policies addressed the necessity and proportionality principles in the context of the global COVID-19 pandemic. However we did recommend that all institutions undertake a structured analysis of necessity and proportionality when implementing or modifying potentially privacy-invasive programs. All respondents agreed to this recommendation.

Background

1. On 6 October 2021, the Government of Canada announced that all public servants in the core public administration would need to attest to being fully vaccinated against COVID-19 or be put on leave without pay unless accommodated for medical reasons or on the basis of a prohibited grounds of discrimination. These requirements were formalized for employees of the core public administration under the TBS’s Policy.
2. Separate employers within the federal public service, were asked to implement substantially similar policies for their employees. As a result, these separate employers established their own policy direction for their employees that reflected similar objectives and established vaccination requirements consistent with those of the core public administration, including requirements for attestation by employees of their COVID-19 vaccination status.
3. The respondents established the following policy instruments to formalize COVID-19 vaccination requirements for their employees:
   1. BDC: BDC Vaccination Directive
   2. CPC: CPC Mandatory Vaccination Practice
   3. CRA: Policy on COVID-19 Vaccination for the Canada Revenue Agency
   4. CFIA: Policy on COVID-19 Vaccination for the Canadian Food Inspection Agency
   5. NRC: Policy on COVID-19 Vaccination for the National Research Council
   6. PC: Policy on COVID-19 Vaccination for the Parks Canada Agency
4. Following the announcement of COVID-19 vaccination requirements for employees of separate employers, we received complaints from affected employees against the respondents. Our examination of these complaints and their associated allegations establishes the basis for this report of findings.

Jurisdiction

5. Several complainants alleged that requiring vaccination and attestation of vaccination status constituted a contravention of their rights guaranteed by the Canadian Charter of Rights and Freedoms (“the Charter”), and that therefore the requirements were unlawful. However, making findings on Charter compliance is outside of the scope of our Office’s jurisdiction and thus outside the scope of this report’s analysis.

Methodology

6. Our office investigated the allegations against each institution individually and obtained representations from each institution. Based on these discrete investigations, our office believes that the complaints relating to separate employers have issues in common and are most effectively addressed in a single report rather than separate reports for each respondent.
7. Given that separate employers were asked to align with the requirements of TBS’s Policy and that, as such, the policy largely informed the broad requirements of their related policies, we have relied additionally upon TBS’s representations in relation to TBS’s Policy. We refer readers to the Report of Findings for our Investigation into COVID-19 vaccination attestation requirements established by the Treasury Board of Canada for employees of the core public administration for additional background and context.

Analysis

Issue 1: Was the information collected by the respondents related directly to an operating program or activity of the institution as required by the Act?

8. Many of the complainants allege that their employers required them to provide, on a mandatory basis, personal information relating to their COVID-19 vaccination status and, in certain cases in order to obtain an accommodation from these requirements, information about their religious beliefs or medical history. These complainants allege that this collection is being done without proper authority and that it represents an unreasonable infringement of their privacy rights.
9. A listing of the information for COVID-19 vaccination attestations collected by respondents can be found in Appendix 1 of this report.
10. Section 4 of the Act requires that institutions only collect personal information about individuals if that information relates directly to an operating program or activity of the institution. These programs or activities are normally established through legislation which authorizes the program or activity in question. Section 4 does not require that a collection be “necessary”, just that there be “a direct, immediate relationship with no intermediary between the information collected and the operating programs or activities of the government.”^{Footnote 2}
11. While certain complainants alleged that their vaccination status was being collected without their consent, it should be noted that the Act does not include a general requirement that institutions obtain individuals’ consent for the collection of their personal information.
12. All respondents referred, either in their written responses to our Office or in their policies, to Part II of the Canada Labour Code ( “the Code”) which establishes occupational health and safety requirements for employers in federally regulated workplaces to prevent or limit workplace-related accidents and injuries, including those that could result from occupational diseases such as exposure to COVID-19, in the workplace. Employers establish occupational health and safety programs to oversee and implement their obligations under Part II of the Code.
13. In the context of the global COVID-19 pandemic, we accept that the collection of information relating to employees’ COVID-19 vaccination status reasonably relates to the employers’ occupational health and safety programs because it allows the employers to understand which employees are protected against severe outcomes resulting from potential exposure to the virus. Additionally, this information informs the employer about which employees are available to attend the workplace, if required.
14. Employers are also required to accommodate employees who cannot be vaccinated due to a medical contraindication, religious ground, or any other prohibited ground of discrimination as defined in the Canadian Human Rights Act (“CHRA”). To that end, employers request information from their employees about the nature of the grounds under which the employee is requesting an accommodation in order to make decisions about granting accommodations and to determine accommodation measures.
15. Collecting personal information to evaluate a request for accommodation is directly related to a government institution’s responsibilities under the CHRA to avoid discriminating against employees based on prohibited grounds of discrimination.^{Footnote 3} There is an immediate and direct relationship between this responsibility and collecting information from employees to justify their request for accommodation on the basis of one of these grounds. In this context, it is difficult to see how employers could be expected to make a decision about an accommodation request without obtaining additional information about the nature of the employee’s circumstances.
16. In addition to the authorities and responsibilities described above, many respondents have certain specific authorities for the establishment of conditions of work, which may include the collection of personal information relating to individuals’ COVID-19 vaccination status.
17. BDC is governed by the Business Development Bank of Canada Act. Section 10 of this act authorizes BDC to employ officers and employees and to “fix the terms and conditions of their employment or hiring.”
18. CPC indicated in their representations to our office that they establish conditions of work for employees under section 12 of the Canada Post Corporation Act, which authorizes CPC to “fix the terms and conditions of their employment or engagement, as the case may be”.
19. CRA indicated that it has the authority to determine “the terms and conditions of employment of persons employed by the Agency” under paragraph 30(1)(d) and to “determine and regulate the pay to which persons employed by the Agency are entitled for services rendered, the hours of work and leave of those persons and any related matters” under paragraph 51(1)(i) of the Canada Revenue Agency Act.
20. Subsections 13(1) and (2) of the Canadian Food Inspection Agency Act provide the President of CFIA with the power to “[a]ppoint the employees of the agency”, and to “set the terms and conditions of employment for employees of the Agency and assign duties to them.”
21. NRC has the authority to employ individuals under subsections 5(1)(b), 5(1)(g), and 5(1)(h) of the National Research Council Act. NRC also referred us to section 8 of the NRC Act which establishes that “[t]he President is the chief executive officer of the Council and has supervision over and direction of the work of the Council and of the officers, technical and otherwise, appointed for the purpose of carrying on the work of the Council.” NRC further specified in their representations that the President of the National Research Council “has overall responsibility for the work of the NRC, as a separate agency. Terms and conditions of employment apply to members. With the NRC being a separate employer, the President is responsible for the proper management of the terms and conditions of employment.”
22. The Chief Executive Officer of PC has the authority under paragraph 13(3)(b) of the Parks Canada Agency Act to, ”set the terms and conditions of employment, including termination of employment for cause, for employees and assign duties to them”.
23. Based on the above, we are satisfied that the information collected by the respondents relates directly to an operating program or activity as is required under section 4 of the Act. Specifically, we accept that the information was collected in support of the respondents’ occupational health and safety programs. We are also satisfied that respondents did have sufficient authority to establish these collections as a condition of employment. Accordingly, we find the allegations with respect to inappropriate collection of information relating to employees’ vaccination status, including information in support of requests for accommodation, to be not well-founded.

Issue 2: Were uses and disclosures of information relating to employee vaccination status and requests for accommodation authorized under sections 7 and 8 of the Act?

24. Section 7 of the Act requires that personal information under the control of a government institution shall not, without the consent of the individual to whom it relates, be used by the institution except for the purpose for which the information was obtained or compiled by the institution or for a use consistent with that purpose; or for a purpose for which the information may be disclosed to the institution under subsection 8(2).
25. Subsection 8(1) of the Act requires that personal information under the control of an institution shall not, without the consent of the individual to whom it relates, be disclosed by the institution except in accordance with the conditions identified in subsection 8(2). Paragraph 8(2)(a) allows for disclosure “for the purpose for which the information was obtained or compiled by the institution or for a use consistent with that purpose”.
26. Certain complainants alleged that there had been inappropriate uses or disclosures of information collected under institutions’ policies resulting from the use of systems to collect, process and monitor employee vaccination attestations. We examined whether institutions had taken appropriate steps to limit use and disclosure of the information in these systems for purposes authorized under section 7 and 8. We also examined specifically, for those institutions using the Government of Canada Vaccination Attestation Tracking System (“GC-VATS”), whether the use of GC-VATS may have resulted in inappropriate disclosures of information either within individuals’ own institution or to staff at TBS as the operator of the GC-VATS system. We did not find any use or disclosure contraventions associated with the general handling of vaccination attestation information, accommodation requests or the use of GC-VATS by separate employers.
27. We separately investigated complaints of a breach of employees’ COVID-19 vaccination status information, relating to CPC, where such information was disclosed to other employees of CPC, in error, for which there was no authorized purpose under section 8 of the Act.
28. We obtained, from all respondents, representations describing how they collect information relating to their employees’ vaccination status, with specific attention to the safeguards (including access restrictions and related safeguards) implemented to protect the information collected.

GC-VATS (used by CFIA and PC)

29. Both CFIA and PC used TBS’s GC-VATS to collect vaccination attestations from their employees. Access to individual employee data within GC-VATS is restricted to authorized individuals within the employee’s own institution. Specifically, an employee’s immediate supervisors have full access to the individual employee’s vaccination attestation, including: (i) vaccination status as attested to by the individual employee, (ii) the result of a verification as recorded by the individual employee’s immediate supervisor, and (iii) the reason for accommodations if/as requested by the individual employee. Higher-order managers (i.e. superiors to the employee’s immediate supervisor, including all senior officials within the organizational structure in which the employee works) have access only to: (i) the individual employee’s vaccination status as attested to by the individual employee and (ii) the result of a verification as recorded by the individual employee’s immediate supervisor.
30. Certain other specific individuals within an employee’s own institution with a role in fulfilling responsibilities under the policy (i.e. health and safety officials or human resources staff) who have been pre-identified as having a “need to know” also have access via GC-VATS to individual employees’ attestation data through departmental reporting.
31. TBS has indicated to us, in the context of our investigation into vaccination attestation requirements in the core public administration, that specific individuals at TBS do have access to anonymized vaccination attestation data aggregated at a departmental-level via GC-VATS for the purposes of statistical analysis and reporting. According to TBS, these individuals do not have access to individuals’ personal information through this reporting mechanism. We do note that aggregated and deidentified data can sometimes be considered personally identifiable information. We did not examine whether this was the case here, as ultimately the uses were determined to be consistent with the collection.
32. TBS has also indicated that certain specific individuals within the technical team supporting the GC-VATS solution may be given access to the underlying GC-VATS data for the purposes of diagnosing reported technical defects in order to support the proper functioning of the solution.
33. We find that the uses and disclosures described above, relating to the use of GC-VATS, are consistent with the purpose for which the information was collected, specifically, to implement COVID-19 vaccination mandates and obtain vaccination attestations from employees in support of workplace health and safety; and they are therefore permitted under section 7 and paragraph 8(2)(a) of the Act.

BDC

34. BDC collected vaccination attestations using its Workday Human Capital Management System (Workday). BDC informed us that Workday is BDC’s system of record for all information related to its human resources and that it had created a specific “Vaccination Covid-19 module” within Workday to collect and store the information collected as part of their vaccination status attestation process. Access to vaccination attestation information in Workday is restricted using role-based access controls and only employees added to specific “need-to-know” groups have access to information in the Vaccination Covid-19 module.
35. BDC has indicated that access to the information provided by employees as part of the vaccination status attestation is limited to employee members of the following groups:
    1. HR Employee Relations
    2. HR Business Partners
    3. Workday system access control (i.e. those who assign access rights in Workday)
36. BDC did not explain specifically why the groups indicated above needed access to this information. However, we accept that BDC has flexibility to determine which individuals within the institution require access to this information to support the implementation of BDC’s Vaccination Directive, and that the stated roles above are inherently related to that supporting function.
37. We find that the information sharing described above, relating to individuals’ vaccination status within BDC, are consistent with the purpose for which the information was collected, specifically, to implement BDC’s Vaccination Directive and obtain vaccination attestations from employees in support of workplace health and safety; and they are therefore permitted under paragraphs 7(a), and 8(2)(a) of the Act.

CPC

38. CPC used a combination of methods to collect vaccination attestations from employees. A phone-based system (“1-800-attestation line”) was used for most employees, as well as a digital attestation portal for deaf and hard of hearing employees. CPC provided representations identifying that several groups within CPC have access to information relating to employee vaccination status. This access is based on a determination by CPC of the internal program areas that need access to the information in order to properly administer the CPC’s Mandatory Vaccination Practice (CPC MVP).
    1. Team leaders have access only to ‘Compliant’ or ‘Non-Compliant’ status for individuals within the team leader’s organization to verify compliance with the CPC MVP. The details of how employees are, or are not, compliant are not accessible to these individuals.
    2. Certain members of the Human Resources team have access to ‘Compliant’ or ‘Non-Compliant’ status at the national level for the purposes of establishing new hire and staffing processes in respect of individuals’ compliance to the CPC MVP. The details of how employees are, or are not, compliant are not accessible to these individuals.
    3. Certain members of CPC’s Production Control and Reporting (“PC&R”) team have access to ‘Compliant’ or ‘Non-Compliant’ status at the national level to prepare operations reporting and impact analysis. The details of how employees are, or are not, compliant are not accessible to these individuals.
    4. Certain members of the Security & Investigation Services (“S&IS”) team have access to data on non-compliant employees in order to manage access to CPC facilities.
    5. Certain members of the Business Analytics team have full access to all information collected in order to manage and support the attestation reporting data with employee information. CPC did not specify why full access, rather than more limited access or use of aggregated data was needed for these individuals.
    6. Certain members of the National Health and Safety Compliance and Policy team have full access to all information collected in order to monitor compliance with the CPC MVP across CPC.
    7. Certain members of the National Disability Management team have access to all information collected in order to process requests for medical accommodations from employees who cannot be vaccinated and for preparing relevant reports. CPC did not specify why access to “all information collected” was needed or whether this access was limited to information of individuals who had requested an accommodation under medical grounds.
    8. Certain members of the Human Rights team have access to all information collected in order to process accommodation requests under religious or other human rights grounds from the employees who cannot be vaccinated, and for preparing relevant reports. CPC did not specify why access to “all information collected” was needed or whether this access was limited to information of individuals who had requested an accommodation on religious or other human rights grounds.
    9. Certain members of the Safety Audit and Compliance team have access to information on the employees randomly selected for audits only, which may include proof of vaccination records.
39. We find that the information sharing described above, relating to individuals’ vaccination status within CPC, are consistent with the purpose for which the information was collected, specifically, to implement the CPC MVP and obtain vaccination attestations from employees in support of workplace health and safety; and they are therefore permitted under paragraph 7(a) and 8(2)(a) of the Act.
40. Notwithstanding the above, given the breadth of support units to which access was provided, we are concerned as to why full access (i.e. “all information collected”) was given to each authorized member within the units. We recommended that in such circumstances consideration be given as to what types of information constitute a “need to know” requirement for any given support employee with access. CPC has agreed to this recommendation.

CRA

41. CRA collected employee vaccination status attestations using an attestation solution that is hosted in its Corporate Administration Systems (“CAS”). CAS is used for collecting and storing employee administrative information such as staffing information, leave information, performance evaluations, etc. CRA has indicated that the attestation solution is authorized to operate at the Protected B level, having gone through a security assessment and authorization process in accordance with CRA and TBS security policies.
42. CRA explained in its written representations that the attestation solution in CAS uses organizational structure information to restrict access to view the employee’s attestation to only the employee, the employee’s direct supervisor, and that supervisor’s direct manager.
43. CRA has also indicated that the attestation solution allows certain individuals, who have defined roles, to view this information for reporting or system administration purposes. These roles are restricted to only a few employees who are responsible for providing people management data in the Agency. CRA has established an approval process wherein justification for this access is needed to assign new individuals to these roles.
44. CRA has further explained that Agency-level centralized reporting for the purposes of policy and program oversight is limited to de-identified, statistical data and that data suppression techniques are applied to data required for basic monitoring.
45. For employees who were unable to record their attestation in CAS, CRA required that those employees complete a manual attestation form (in PDF format) and send it by encrypted email to a generic inbox managed by a limited number of employees in the Labour Relations (“LR”) program. Once received, those LR employees recorded the attestation into CAS for the employee and stored the PDF form in a folder of the generic inbox to limit access.
46. We find that the information sharing described above, relating to individuals’ vaccination status within CRA, are consistent with the purpose for which the information was collected, specifically, to implement the Policy on COVID-19 Vaccination for the Canada Revenue Agency and obtain vaccination attestations from employees in support of workplace health and safety; and they are therefore permitted under paragraphs 7(a) and 8(2)(a) of the Act.

CFIA

47. In addition to the disclosures listed above relating CFIA’s use of GC-VATS, CFIA also explained that, for employees who do not have access to GC-VATS, the attestation was documented via paper form and sent by the employee’s manager to an email account with restricted access. The information was then recorded in an Excel document and loaded into CFIA’s Records, Document and Information Management System (“RDIMS”), with access limited to those involved in the tracking/reporting of compliance to CFIA’s Policy on COVID-19 Vaccination for the Canadian Food Inspection Agency.
48. Data stored in CFIA’s RDIMS system (which is authorized for storing information up to the Protected B level) is restricted to a limited number of CFIA’s HR representatives who are directly involved in the monitoring of compliance to CFIA’s policy, as well as those required to take actions based on the attestation status of individuals. CFIA has indicated that the full list of employee attestations is limited to the small HR team involved in monitoring compliance to CFIA’s policy as a whole, with specific portions of the data being provided only on an “as required basis” to specific users (i.e. human resources professionals directly involved in the implementation of the Policy on COVID-19 Vaccination for the Canadian Food Inspection Agency).
49. CFIA identified three specific lists that were collated based on employee attestations and shared in support of the implementation of their policy:
    1. A list of partially vaccinated employees and employees requesting accommodation was shared with the HR Professionals responsible for distribution of rapid-testing kits;
    2. A list of employees who were not in compliance with the policy was provided to select pay and labour relations specialists in human resources to facilitate the placement of these employees on administrative leave without pay; and,
    3. A list of employees randomly selected for verification of their attestation was provided to an HR team of three people involved in roll out of the attestation verification process.
50. We find that the information sharing described above, relating to individuals’ vaccination status within CFIA, are consistent with the purpose for which the information was collected, specifically, to implement the Policy on COVID-19 Vaccination for the Canadian Food Inspection Agency and obtain vaccination attestations from employees in support of workplace health and safety; and they are therefore permitted under paragraph 7(a) and 8(2)(a) of the Act.

NRC

51. NRC collected vaccination attestations from their employees using NRC-VATS, which is based on TBS’s GC-VATS application but is a separate application implementation by NRC.
52. NRC has indicated that access to personal data collected in NRC-VATS has been limited to those individuals needing the information to fulfill an administrative purpose related to the implementation of NRC’s Policy on COVID-19 Vaccination for the National Research Council. NRC has identified the following roles and access privileges in NRC-VATS:
    1. An “Individual (employee)” is able to access their attestation as well as their employee attestation and accommodation review. Individuals can input and view their own information to verify that it is up-to-date and that it accurately reflects their vaccination status. The individual is able to revise their own information if it is not correct (i.e. up-to-date).
    2. An “Approving Director” has team-level access. Approving Directors can view the attestation details of only their team members. They are able to document accommodations proposed for individual staff members.
    3. An “HR Administrator” has an all staff-level of access. HR Administrators can view all NRC employee attestations and accommodations by type. Full access is provided for statistical and policy-related reporting purposes; as well as for trouble-shooting purposes to resolve issues and questions.
    4. A “System Administrator” has system-level of access. System Administrators have access to the database via the server log-in. Full access is required to maintain system operations and troubleshoot as needed to assist with any technical issues.
53. NRC has also indicated that statistical, non-personal information from NRC-VATS was shared outside of NRC, to TBS and to Innovation, Science and Economic Development Canada (“ISED”) for policy reporting purposes. NRC did not specify how this information was determined to be, or rendered, “non-personal”.
54. NRC has further explained that a paper-based form was made available to NRC employees who were not willing to provide their attestation in NRC-VATS, as an alternate means for collecting their vaccination status attestations. After the forms were filled-in to collect the information required under their policy, the completed forms are stored by NRC Human Resources in accordance with NRC’s information management and security protocols.
55. We find that the information sharing described above, relating to individuals’ vaccination status within NRC and the sharing of statistical information about vaccination rates for NRC’s employees with TBS and ISED, are consistent with the purpose for which the information was collected. The information was disclosed to implement the Policy on COVID-19 Vaccination for the National Research Council and obtain vaccination attestations from employees in support of workplace health and safety; and they are therefore permitted under paragraphs 7(a) and 8(2)(a) of the Act.

PC

56. In addition to the uses and disclosures listed above relating PC’s use of GC-VATS, PC also explained that because some PC employees did not have access to GC-VATS that electronic or paper forms were used to collect vaccination attestations. These could be submitted electronically via email or via letter mail.
57. Forms that were completed digitally or scanned after completion were to be submitted to a generic email account to which access was limited to certain members of PC’s Corporate Labour Relations Team. Once the digital form was processed, they were placed in PC’s GC DOCS (i.e. electronic records) repository where only three members of the Labour Relations Team had access.
58. Paper forms that were mailed into PC, were opened and processed by only one employee and placed in confidential boxes provided by PC’s secure storage facility service provider in a locked room to which no other people have access. Similarly, for paper forms that were submitted digitally, any printed copies were filed in the same central location and shipped to PC’s secure storage facility.
59. We find that the uses and disclosures described above, relating to individuals’ vaccination status within PC, are consistent with the purpose for which the information was collected, specifically, to implement the Policy on COVID-19 Vaccination for the Parks Canada Agency and obtain vaccination attestations from employees in support of workplace health and safety; and they are therefore permitted under paragraphs 7(a) and 8(2)(a) of the Act.

Accommodation Requests

60. Several complainants raised general concerns that unreasonable disclosures of their personal information within their institution could have occurred in the process reviewing accommodation requests. We consequently obtained representations from all respondents describing what measures, if any, were taken to limit access to, and disclosure of, accommodation-related information to those who needed to know in order to manage the accommodation processes. We saw no indications of issues with respect to processes and systems to prevent inappropriate disclosures associated with the general handling of accommodation requests.
61. Several complainants also raised a concern that their colleagues, or other employees, such as those managing pay, could infer information about them, such as their vaccination status, from the fact that they were put on leave. However, as noted above, the Privacy Act permits disclosures “for the purpose for which the information was obtained or compiled by the institution or for a use consistent with that purpose”. In our view, the fact that an individual is on leave, which can occur for a variety of reasons, is information obtained or compiled for the purpose of managing the employee and their work. Therefore, proactive disclosure to relevant employees – such as those processing pay, or colleagues whose workload may be affected – that an individual is on leave is a consistent use with this original purpose and permitted under 8(2)(a) of the Act.
62. Given that the uses and disclosures described above are for the purpose for which the information was obtained, i.e. to implement COVID-19 vaccination mandates and obtain vaccination attestations from employees in support of workplace health and safety, or for consistent uses with those purposes, we found no indications of contraventions of section 7 or 8 of the Act. Accordingly, we find the allegations with respect to the unauthorized use and disclosure of information relating to employees’ vaccination status, including information in support of accommodation requests, to be not well-founded.

Other

Was the information collected necessary and proportional?

63. Our office also considered the necessity and proportionality of the vaccine mandates and the vaccination attestation measures put in place by federal institutions during the COVID-19 pandemic. Given that separate employers were asked to align with TBS’s Policy, our analysis here focuses largely on any significant differences between the necessity and proportionality for the employers and the core public administration.
64. To guide institutions in considering necessity and proportionality, our Office advocates a four-part test^{Footnote 4} that calls for institutions to ask themselves the following questions when establishing particularly privacy-invasive programs and services:
    • Is the measure demonstrably necessary to meet a specific need?
    • Is it likely to be effective in meeting that need?
    • Is there a less privacy-intrusive way of achieving the same end?
    • Is the loss of privacy proportional to the need?
65. The respondents did not provide evidence that they had performed a structured analysis of the necessity and proportionality of their vaccine mandates and related vaccination status attestation measures prior to implementation. We do, however, acknowledge that separate employers were asked by the Government of Canada to align with TBS’s Policy and, as such, did benefit from the examination of public health guidance and studies that informed TBS’s implementation of that policy.
66. With respect to the first point of the four-part test, necessity, we have considered that the requirements were instituted during the global COVID-19 pandemic which represented an exceptional set of circumstances to which the Government of Canada, including separate employers, had to respond. All respondents identified that they had responsibilities under the Canada Labour Code to prevent or limit workplace-related accidents and injuries, including those that could result from COVID-19 infection. We are satisfied that the measures mandated under the respondents’ policies were connected to the pressing and substantial goals of ensuring the health and safety of employees in the workplace; and, as such, were connected to the respondents’ occupational health and safety programs. Additionally, respondents indicated that all employees could potentially be required to attend the workplace onsite on an ad-hoc basis in response to operational needs.
67. With respect to the second part of the test, all respondents indicated that they were following public health measures or advice from public health agencies. CRA, CFIA and NRC further specified that they also consulted guidance^{Footnote 5} from Health Canada's Public Service Occupational Health Program. In our analysis of this matter, given that separate employers were asked to align to TBS’s Policy, we have additionally referred to the evidence we received from TBS in the context of our investigation of vaccination attestation requirements for the core public administration. Based on that information, which demonstrated the effectiveness of vaccines in preventing severe illness, hospitalization and death from COVID-19, we are satisfied that there was evidence of the effectiveness of vaccination in ensuring the health and safety of employees in the workplace at the time the vaccination mandates and attestation requirements were put in place in the fall of 2021. We accept, on this basis, that a vaccination mandate was effective in meeting the objectives of promoting workplace health and safety; and, that the collection of vaccination status to implement this mandate was therefore also effective in meeting those objectives. Additionally, the collection of vaccination status information from employees would be an effective means to determine which employees would be available to attend on-site at the workplace should the need arise.
68. With respect to the third element of the test, the necessity and proportionality principle requires a consideration of whether less privacy-intrusive measures could achieve the same end. This element requires institutions to demonstrate that less privacy-intrusive measures would not have been able to achieve their important objectives of protecting the health and safety of their employees. We were not provided with any significant information that the respondents had considered any potentially less intrusive alternatives (such as rapid testing). However, we are satisfied that vaccination was the most effective means available to ensure that individuals who attended onsite workplaces were protected from COVID-19.
69. We received analysis developed by the Public Health Agency of Canada, supported by references to external evidence, demonstrating that at the time Government of Canada announced its plans for introducing vaccination mandates that there was a substantial body of evidence on the efficacy of vaccines for protecting individuals coming into contact with others, such as in a shared workspace, from severe illness.
70. Conversely there was relatively limited evidence of the effectiveness of potential alternative measures, including rapid testing, in protecting individuals from severe illness resulting from COVID-19. In reviewing Canadian jurisprudence on mandatory vaccination policies we found a number of cases that^{Footnote 6} have considered public health advice with respect to rapid testing as an alternative to mandatory vaccine mandates. These cases dealt with situations where affected individuals are largely required to be in shared physical spaces. The decision makers in these cases upheld mandatory vaccination policies that did not permit individuals to freely choose rapid testing as an alternative, citing relevant public health advice. These decisions cited provincial medical authorities in two cases, and expert epidemiological testimony in the another two. These sources noted that: (i) in contrast with the strong body of evidence for the protective effect of vaccines, there is a lack of concrete evidence, such as observational studies or controlled trials, demonstrating that rapid testing regimes reduce transmission, and (ii) rapid testing regimes do not prevent serious illness from infection where such infections occur.
71. While we accept that vaccines are effective in this context, we also noted that Court and tribunal decisions that have considered vaccine requirements to date, have emphasized the importance of assessing the relevant operating context, including whether employees work onsite or from home.^{Footnote 7}
72. Respondents advanced arguments that all employees, including those working full-time from home, needed to be available to attend at the office on short notice, for example, to participate in ad-hoc on-site meetings, to access sensitive material, or because of IT support requirements.
73. While we would have expected more fulsome and forthcoming responses from respondents with respect to our questions on this issue, we are of the view that some deference is owed to employers with respect to their assessment of their needs for employee onsite presence during this unprecedented public health emergency. We accept that, should the need indeed arise for onsite presence, that the time needed for an unvaccinated employee to become fully vaccinated could be problematic for operational purposes. We also accept, based on this, that employers do need to know which employees are, at any given time, available to attend on site – and that this would likely necessitate collecting the vaccination status of all employees. For these reasons we accept that it was reasonable, under the circumstances, to require all employees to attest to their vaccination status.
74. With respect to the fourth part of the four-part test: is the loss of privacy proportional to the need, we had expected that the respondents would be able to demonstrate that they had analyzed whether the potential privacy impacts to employees resulting from the collection of information relating to their COVID vaccination status were proportional to the benefits that would result from the collection but we received little evidence from any of the respondents demonstrating that they undertook a structured proportionality assessment.
75. It should be noted that the respondents’ policies required the disclosure of limited information about an individual’s vaccination status, information that at the time these measures were first instituted, was also required to be disclosed to access many services in a number of provinces, including restaurants. Nevertheless, it remains medical information (sensitive by nature) and in certain cases could entail the disclosure of additional sensitive personal information for employees making accommodations requests.
76. This loss of privacy must be measured against the benefits of the measures. For the reasons set out in the assessment of the third element, we are satisfied that the benefits of these measures were to protect the health and safety of the respondents’ employees while ensuring that the respondents retained the ability and flexibility to require the onsite presence of its teleworking employees to respond to emergencies or for other compelling reasons.
77. When measured against this objective, we find that the loss of privacy was proportional to the benefits in the context of this emergency situation.
78. Based on the evidence and representations before us, we are satisfied that the vaccination attestation measures implemented by the respondents reasonably addressed the principles of necessity and proportionality.
79. We did however recommend that, in the future, all institutions explicitly consider necessity and proportionality in a structured way^{Footnote 8} when introducing or modifying privacy-invasive programs, in order to provide confidence that the privacy interests of Canadians, in this case their employees, are being respected. We were pleased that all respondents in this report have agreed to this recommendation.

Conclusion

80. We conclude that the respondents’ requirements relating to vaccination attestation by their employees were implemented in conformity with the legal requirements of the Act. The complaints examined in this report are therefore not well-founded.
81. We did however recommend to CPC that when granting access to sensitive personal information to all members within units, that consideration be given as to what types of information constitute a “need to know” requirement for any given support employee with access. CPC has agreed to this recommendation.
82. We also recommended that all institutions explicitly consider necessity and proportionality in a structured way when introducing or modifying privacy-invasive programs. All respondents agreed to this recommendation.

Appendix 1 – Listing of vaccination attestation information collected by respondents

GC-VATS (used by CFIA and PC)

GC-VATS is prepopulated with the following information on individuals which was already collected by the employer:

• Last name
• Given name
• Manager’s Name
• Department
• Place of work (country)
• Place of work (province or territory)
• Group
• Level
• Position number
• PRI (paper attestations only)
• Email address
• Date of Birth (paper attestations only)
• Manager’s PRI (paper attestations only)
• Manager’s DOB (paper attestations only)

Additionally, GC-VATS collects the following the specific information from individuals as part of the attestation process:

• Employee acceptance
• Attestation of vaccination status
• Verification status
• Manager’s verification confirmation

BDC

BDC collected the following information via their “Vaccination Covid-19 module” in Workday:

• Vaccination Status (options: “Fully Vaccinated”, “Partially vaccinated” or “Unvaccinated”)
• Date of last dosage, if fully or partially vaccinated
• Intention of getting an additional dose if partially vaccinated (options: “Yes” or “No”)
• Date of additional dose
• Reason for accommodations

CPC

CPC collected the following information through the 1-800-attestation line:

• Employee ID and year of birth (for authentication)
• Vaccination status, where options were:
  • Fully vaccinated;
  • Partially vaccinated;
  • Unable to be vaccinated due to medical reason;
  • Unable to be vaccinated due to religious or other grounds; or,
  • Unwilling to be vaccinated

CPC initially collected the following information through the digital attestation portal for deaf and hard of hearing employees:

• Vaccination status, where options were:
  • fully vaccinated, with attested dates and brand(s) of vaccines
  • partially vaccinated, with attested date and brand of vaccine
  • unvaccinated, and if intended to be or not (until February 3, 2022)

As of February 3, 2022, the available selections via the digital attestation portal are identical to those in the 1-800 attestation line.

CFIA

See information collected in GC-VATS (used by CFIA and PC), above.

CRA

The following related tombstone data was already being collected in CAS:

• Name
• PRI
• Manager’s name

Employees were required to select their vaccination status from the following options and, based on their status, make additional selections as follows:

• Fully Vaccinated
  • Enter dates of vaccination
• Partially Vaccinated
  • Enter dates of vaccination
• Unvaccinated – Request Accommodation
  • Due to a medical contraindication – Requires written documentation from the employee’s treating medical physician or nurse practitioner indicating the grounds for not receiving or delaying the COVID-19 vaccine.
  • Under grounds of discrimination
  • Religion – Requires a sworn affidavit signed before a commissioner for taking affidavits, providing information about the sincere religious belief that prohibits full vaccination.
  • Other (Canadian Human Rights Act) – Requires specific information for the reason that the employee is unable to be vaccinated
• Unvaccinated – Unwilling

NRC

The following information was collected via NRC-VATS

• Employment Status (continuing vs non-salaried worker)
• Vaccination Status for COVID-19
• Date received first vaccine (COVID-19)
• Accommodation Requested-medical
• Accommodation Requested-religious
• Accommodation Requested-other prohibited grounds
• Accommodation Decision (Approved / Denied) for the individual
• Accommodation Proposed (Telework / Regular Testing) for the individual
• Individual’s Acceptance / Rejection of Proposed Accommodation
• Individual’s Response Submitted to NRC-VATS
• Individual’s compliance / non-compliance with rule 4.3.2 of the Policy
• Individual’s non-compliance with the Policy, as defined in section 6.1

PC

See information collected in GC-VATS (used by CFIA and PC), above.