Emergency Situation Facing Canadians in Light of the COVID-19 Pandemic Issue Sheets

PHAC Border Measures/ ArriveCAN

Key Messages

• We reviewed several of PHAC’s Privacy Compliance Evaluations,  including those for the ArriveCAN app and web portal, against the OPC Framework
  • We are satisfied they align with PHAC’s authorities under the Quarantine Act, and limited to purposes of reducing the spread of COVID-19 and preventing importation of the virus into Canada.
• PHAC has been receptive to our advice on transparency and oversight; we have also advised that PHAC ensure security assessments for IT systems used to collect, transmit, and retain personal information are undertaken in a timely fashion.
• We would expect to receive further privacy assessments from PHAC, should they implement changes to the ArriveCan app that would allow travellers to submit proof of vaccination.

Background

• Given the need for rapid delivery of programs during the pandemic makes completing full PIAs prior to launch unfeasible, TBS granted PHAC an exception from doing full PIAs during the pandemic.  They continue to use a streamlined approach, and consult with us regularly to address privacy issues as they develop their programs.

• The ArriveCAN app allows travelers to provide information digitally, enabling faster contract tracing. PHAC states that the app reduces the average time between date of entry and the date of disclosure for contact tracing from 9 days to 2 days.
• PHAC is consulting with us on possible updates to the ArriveCAN app to enable fully vaccinated travellers to voluntarily upload proof of vaccination so they can be exempted from certain quarantine measures. PHAC shares information with public health authorities in the province or territory where the person quarantines. Information may be disclosed to the RCMP and other law enforcement bodies in Canada for quarantine enforcement purposes.

Prepared by: GA

---

COVID Alert App

Key Messages

• Our office has been engaging with Health Canada on the COVID Alert App since June 2020 to help ensure its design respected privacy principles laid out in the FPT Joint Statement on contact tracing applications.  We had productive discussions, and the app ultimately does comply with these principles.
• However, the need for privacy law reform was underlined by the government’s assertion that the Privacy Act does not apply to app, despite the potential implications of tracing apps for privacy and democratic values.
• We recommended the app be closely monitored after implementation and the government agreed. We are working with Health Canada on a joint evaluation of the app, examining effectiveness, governance, and continued adherence to the principles of the Joint Statement.

Background

• The app can be used to report a diagnosis in eight provinces: Ontario, Manitoba, Newfoundland and Labrador, New Brunswick, Nova Scotia, Prince Edward Island, Saskatchewan, Quebec, and the Northwest Territories.
  • Alberta, British Columbia Yukon and Nunavut decided against using the federal app.
• Health Canada continues to consult our office on changes to the app, such as the collection of the number of active users and downloads per province or territory.
• GA is working with HC on a joint evaluation of the App that is scheduled for completion by the end of 2021.

Prepared by: GA

---

Interaction with Health Canada/Public Health Agency of Canada

Key Messages

• GA has been meeting regularly with representatives from Health Canada and PHAC since the early days of the pandemic to help ensure privacy is integrated during the design of programs under the Quarantine Act and Mandatory Isolation Order.
• We meet with PHAC and HC Privacy Management Division at least bi-weekly, and sometimes more often, to offer advice and guidance in as nimble a manner as possible, given the tight timelines and urgency of implementation for pandemic related activities.
• Since April 2020, we have received 9 privacy assessments, are expecting several more, and have opened a dozen consultation files.
• OPC is also participating with HC in joint evaluation of the effectiveness and governance of COVID Alert app.

Background

• We expect further assessments for quarantine facilities, vaccine distribution and management systems (VaccineConnect), and potentially for changes to the ArriveCAN app to allow uploading of proof of vaccination.
• Health Canada and PHAC were granted exceptions by TBS from doing full PIAs for a period of 18 months, or six months after the pandemic is declared to be over, whichever is shorter. The policy exception expires on September 30, 2022.
• PHAC indicates the need for rapid delivery of pandemic programs makes completing full PIAs prior to launch unfeasible. PIAs remain key mechanisms for protecting privacy; however, we recognize and support the need for flexibility during a public health emergency.

Prepared by: GA

---

CBSA use of Biometrics

Key Messages

• CBSA has a role under the Temporary Resident Biometrics Program in enrolling fingerprints and digital photos for visa applicants, and in verifying identity by matching live fingerprints at ports of entry.
• We are also aware the Agency is developing a mobile app for a “touchless” digital travel credential (Chain of Trust) driven in part by the pandemic. The app uses facial recognition to identify arriving travellers and allows low risk individuals to clear customs more quickly.
• We are reviewing a privacy assessment for a pilot to test a Chain of Trust prototype; CBSA has committed to undertaking a full PIA if this project is to be expanded.
• We were made aware of CBSA plans to establish an Office of Biometrics and Identity Management through media reports and have reached out to the Agency for more information.

Background

• The CBSA is responsible for enrolling applicants for visitor visas, study or work permits or permanent resident status at port of entry facilities, and for authenticating the identities of biometrically enrolled travellers arriving at ports of entry by scanning and sending their fingerprints to the RCMP for verification.
• We have arranged a consultation meeting for June 22 to discuss the Office of Biometrics and Identity Management and how the CBSA is considering privacy in its establishment.
• The CBSA uses LiveScan electronic fingerprint readers to collect and verify fingerprints at ports of entry. Biometrically enrolled travellers can also use the Primary Inspection Kiosk (PIK) to verify their fingerprints at Canadian airports.

Prepared by: GA

---

OPC position on vaccine passports

Key Messages

• Use of vaccine passports must be necessary and proportionate; that is, evidence-based and necessary for the specific purpose identified.
  • At the core of the vaccine passport discussion is the need to demonstrate effectiveness i.e. that COVID-19 vaccinated individuals are indeed less likely to transmit the virus.
• For businesses to collect vaccination status from an individual as a condition of entrance, the collection would need to be meet the requirement of “appropriate” under 5(3) of PIPEDA.
• There is considerable evidence that a vaccine certification system may disproportionately affect vulnerable populations and certain groups of individuals.
  • For example, access to digital technology, forms of identification, tests and vaccines is already unequal and vaccine passports may reinforce existing inequalities without wider initiatives to address these inequalities

Background

• On April 16, 2021, the PM’s Chief Science Advisor noted that vaccine passports could facilitate a return to normalcy but also noted that evidence of effectiveness of vaccines at preventing further transmission had not been demonstrated.
• On May 19, the FPT Privacy Commissioners released a joint statement emphasizing that necessity and effectiveness are key considerations for vaccine passports in Canada as well as noting that there must be clear legal authority for introducing use of vaccine passports for each intended purpose.
• It also noted that any PI collected through vaccine passports should be destroyed and passports decommissioned when the pandemic is declared over by public health officials or when vaccine passports are determined not to be a necessary, effective or proportionate response to address their public health purposes.
• The Statement also says: “While this may offer substantial public benefit, it is an encroachment on civil liberties that should be taken only after careful consideration.”

Prepared by: GA

---

8(2)(m) disclosures

Key Messages

• Paragraph 8(2)(m) of the Privacy Act allows Deputy Heads of institutions to make disclosures that are in the public interest (8(2)(m)(i)) or that would benefit the individual to whom the information relates (8(2)(m)(ii)).
  • These disclosures are at the discretion of the head of the institution. The OPC is to be notified in writing either before disclosure, or as soon as reasonably practical afterwards.
• 8(2)(m)(i) in particular could apply to disclosures of personal information to Parliamentary Committees by government institutions, particularly where Parliament has not exercised its authority to compel disclosure.
• 8(2)(m)(i) has a very high threshold: the public interest in disclosure must clearly outweigh any invasion of privacy.

Background

• Over the past several months, HESA has sought production of a variety of documents related to the COVID-19 pandemic from various government departments. One notable example is Government of Canada contracts with COVID-19 vaccine suppliers. Some government responses have contained significant redactions.
• OPC periodically receives s. 8(2)(m) notifications from government institutions concerning disclosures to Parliamentary Committees.
• Drawing on remarks made by then Assistant Privacy Commissioner Chantal Bernier in a 2011 appearance before the Standing Committee on Public Accounts, OPC identified its position to PHAC, that Parliamentary Committees have the authority to compel information from government institutions, and we agree that the Privacy Act allows for the disclosure of personal information to a committee

Prepared by: Legal

---

Parliament’s right to compel production of evidence which includes personal information

Key Messages

• OPC recognizes Parliament’s authority to compel the production of documents that contain personal information. This authority is accounted for in s. 8(2)(c) of the Privacy Act.
• In exercising this authority we recommend that Parliament consider ways to ensure the public interest underlying Committee requests is served while reducing risks to individuals.
• Some mechanisms include:
  • limiting personal information sought to only that which is clearly necessary to resolve the public interest at issue
  • holding meetings in camera;
  • Having restrictions and guidelines on documents delivery;
  • Ensuring that there are proper procedures for securing information.

Background

• Over the past several months, HESA has sought production of a variety of documents related to the COVID-19 pandemic from government departments. Some government responses have contained significant redactions.
• According to media reports, some HESA members have suggested that the government’s response is inadequate and verges on contempt of Parliament. The Speaker also recently ruled that PHAC has failed to comply with a motion for production of documents from the Committee on Canada-China Relations. 
• In 2011, then Assistant Privacy Commissioner Chantal Bernier appeared before the Standing Committee on Public Accounts and acknowledged that Parliament has the authority to compel production of documents containing personal information. Drawing on the Committee’s 2009 report, “The Power of Committees to Order the Production of Documents and Records”, Assistant Commissioner Bernier expressed support for the idea that this authority will “seldom be exercised without consideration of the public interest.”

Prepared by: Legal

---

Confidentiality under the Privacy Act

Key Messages

• The OPC has a broad duty of confidentiality under s. 63 of the PA with respect to any information that comes to our knowledge during the performance of our duties and functions under the Act. Other Agents of Parliament or regulators have a similar duty.
• The Commissioner has very limited ability to disclose information about investigations, audits, advice or evaluations concerning government departments, outside of an Annual Report or a Special Report to Parliament under ss. 37(2), 38 and 39.
• The OPC does not currently have discretion under the PA to make disclosures in the public interest, as it has under s. 20(2) of PIPEDA.

Background

• The OPC offers consultation services to federal institutions that develop programs and activities with privacy implications. Institutions regularly engage with us.
• The confidentiality provisions were intended to encourage institutions to be forthcoming and have open discussions with our Office about privacy compliance by broadly protecting information we discover in the course of an investigation or compliance review from disclosure.
• We have been advising institutions on COVID / pandemic matters since March 2020. They have, by and large, been constructive engagements.
• Generally speaking, government institutions are free to speak publicly about the privacy implications of their activities and any consultations with our Office (the confidentiality provision in the Privacy Act places limitations on us doing so).
• s. 64 authorizes disclosure but under very limited and specific circumstances:  if it is in Commissioner’s opinion that disclosure is necessary to carry out an investigation under the Act; OR establish the grounds for findings and recommendations in a Report of Findings.  OR in the course of a prosecution of an offence under the Criminal Code (perjury) or PA or ATIA (obstruction)

Prepared by: Legal

---

FPT Statement on vaccination passports

Key Messages

• In May 2021, our Office issued a joint statement on vaccine passports along with our provincial and territorial counterparts.
• The statement outlined fundamental privacy principles to consider in development of vaccine passports, or any initiative that aims to confirm a person’s vaccination or immunity status.
• Given significant privacy risks with vaccine passports, the statement stressed that any such credential must be demonstrably necessary, effective and proportional before being used.

Background

• Vaccination status, access to services and legal authority: raises serious concerns, both from a privacy and wider rights perspective. As such, before this happens, if restaurants, retail, or music venues were to require a proof of vaccination as a condition of service, we would want to see a specific public health order or other legal authority to ensure that rights are not infringed.
• Importance of consultation: scientific knowledge about COVID-19 and the vaccines is evolving, as are discussions about vaccine passports in many jurisdictions. The purpose of our statement was to ensure consideration of privacy at the earliest opportunity in vaccine passport development.
• Importance of jurisdiction: Organizations considering vaccine passports should consult with the privacy commissioners in their jurisdiction as part of the development process.
  • Several provinces (including Ontario, Alberta, Newfoundland) have laws that specifically protect individuals’ health data.
  • Additionally, BC, Alberta and Quebec have private-sector privacy laws substantially similar to PIPEDA.

Prepared by: PRPA

---

FPT Statement on Privacy and Access to Information Rights During and After a Pandemic

Key Messages

• In June 2021, our Office issued a joint resolution with our provincial and territorial counterparts on Privacy and Access to Information Rights during and after the pandemic.
• In that statement, we call upon governments at all levels to respect Canadians’ quasi-constitutional rights to privacy and access to information.
• The pandemic has had a serious impact on the right of access to information and privacy rights in Canada and governments can take lessons learned to improve these rights.

Background

• Pressing need for reform: The global pandemic has brought to the forefront the pressing need for strong access to information and privacy laws. We note in the Joint Resolution that the pandemic has accelerated trends that were ongoing prior to March 2020, namely concerns about increasing surveillance by public bodies and private corporations, and the slow, inefficient manner in which organizations respond to access requests.
• Ongoing importance of transparency: The pandemic has also highlighted the need to modernize the access to information system by leveraging technology and innovation to advance transparency (e.g. online request portals and/or self-service access to personal files, as recommended in the recent OIC Special Report).
• Privacy and digital transformation: The resolution also emphasised that to address digital transformation appropriately, interpretation of privacy laws must recognize of the fundamental right to privacy.  That means in a way that allows for responsible innovation that is also in the public interest. It can also include prohibiting uses of technology that are incompatible with our rights and values.

Prepared by: PRPA

---

OPC’s Framework for the Government of Canada to Assess Privacy-Impactful Initiatives in Response to COVID-19

Key Messages

• We developed the Framework to help government institutions assess pandemic-related initiatives to ensure respect for privacy as a fundamental right. 
• It provides guidance on key privacy principles, for example:
  • Ensure measures to respond to the pandemic are science-based, necessary for a specific purpose, tailored to that purpose, and likely to be effective.
  • Set strict time-limits on privacy invasive measures implemented in response to the crisis, and around how long personal information is retained after the crisis.
  • Adopt rigorous safeguards for the protection of data, and use de-identified or aggregate data wherever possible;
  • Consider the unique impacts of measures on vulnerable populations; and
  • Ensure there is oversight, accountability, and transparency to enhance trust.

Background

• The OPC issued the framework in April 2020 in response to data-driven initiatives that were rapidly emerging globally to contain and gain insights about COVID-19, some with significant implications for privacy and civil liberties. 
• The Framework reaffirms that privacy protection is not merely a set of technical rules and regulations, but rather represents a continuing imperative to preserve fundamental human rights and democratic values, even in exceptional circumstances. 
• It also stresses that privacy laws can be applied flexibly and contextually, but they must still apply.

Prepared by: PRPA

---