Privacy during the pandemic: Workplace and digital contact tracing
What it means to “clock in” has transformed radically in many workplaces. Where once a flash of an ID or scan of a badge and maybe a nod to a security guard sufficed to get workers past the gate, now workers are being interrogated on their health status, recent social interactions and some are even subject to temperature scans.
On a wider scale, COVID infection is being tracked with digital contact tracing. Alberta is the first government in Canada to develop and offer this type of tool, which uses Bluetooth technology to detect other users in proximity — which can then help determine if a COVID-19-infected user may have transmitted the disease.
The global pandemic has elicited the unifying slogan of “We’re in this together,” a rejection of isolation and detachment, but which also raises the question: what about personal privacy?
“If you did a quick public survey and talked to individuals about how they feel about some encroachments on their privacy — liberties – in the name of public health and safety, I think you would get a pretty consistent response from Canadians to say that privacy is not really at the forefront. Let's do what's right for the country. Let's get ourselves healthy,” says Sylvia Kingsmill, national data protection and privacy leader at KPMG Canada and former chief of staff to the privacy commissioner at the Information and Privacy Commission of Ontario.
“At the same time, I think that not thinking about privacy will be detrimental, in terms of long-term consequences, because, right now, we see governments pushing new technologies into the marketplace really hastily. Decisions that sometimes take months or years to deliberate are being made overnight. If we don't think about the long-term consequences of data being used for a different purpose than originally intended, which is the ‘purpose limitation’ rule in privacy law, I think we might have a trust crisis on our hands afterwards.”
Although any read of the room will tell policy-makers that “long-winded privacy assessments” are undesired, Kingsmill says it’s important that governments assure the public that data collected through contact tracing technology will be anonymized, will not be kept and will not be later put to other uses — such as surveillance. She adds that earning trust is necessary because contact tracing is only effective if it is widely adopted.
To prevent infection and spread in workplaces across Canada, employers are implementing proactive screening mechanisms, to control access to their facilities, says Daniel Michaluk, who advises employers on information security, cyber security, data management and privacy at Hicks Morley Hamilton Stewart Storie LLP. Active screening often involves a questionnaire to determine through their recent history whether an employee is a risk to others in the workplace, and Michaluk says the privacy issues emanating from the practice have been “a constant source of work” for him and his colleagues.
The threshold employers need to meet is whether active screening is “reasonably necessary,” says Michaluk. He adds that while consent is also required, employers can make entry into their facility conditional on providing it. There is also protocol on storing records and how a temperature test is administered.
When an employee tests positive for COVID-19, that’s when things get more interesting, he says. Pre-pandemic, when a worker called in sick, the employer would not get involved unless it was a long-term absence, and even then, the specifics of the disease would not be known right away. Now, a positive COVID-19 diagnosis creates the impetus for the employer to know immediately and gather information on who the employee could have infected, he says. Overreacting runs the risk of shutting down operations unnecessarily and losing money, but disclosing too much information may bring a privacy complaint, a grievance if it is a unionized workplace or — although rare — a legal claim, Michaluk says. Responding with precision is helped with contact tracing apps, which Michaluk says are a frequent source of client inquiries.
“Generally, employers want to know where people are in the workplace now more than ever,” he says.
On May 7, provincial and territorial privacy commissioners put out a joint statement, calling on governments to respect the following principles in their plans to use contact tracing applications: consent and trust, legal authority, necessity and proportionality, purpose limitation, de-identification, time limitation, transparency, accountability and appropriate legal and technical security safeguards. Apps must be voluntary, the data extracted must be done so because it is scientifically necessary and likely to be effective in preventing COVID spread and data must be extracted in a minimally intrusive way, the commissioners state.
But as more is learned about the novel coronavirus, the standards of “necessary” and “effective” are not static. Whether it be contact tracing or workplace policies tracking sensitive employee health data, Stikeman Elliott LLP privacy lawyer David Elder says, “The big grey area right now is the legitimacy of the objectives and the effectiveness of the measures.”
Elder, who is chairman of the communications and privacy and data protection groups, says it is difficult for organizations to determine which measures are necessary or effective because society’s understanding of the virus is constantly developing. For example, it is unclear whether a temperature scan is effective because of the multitude of reasons a person would have an elevated temperature, he says.
“Taking somebody's temperature every time they show up for work or visit a facility . . . a lot of people would consider that to be a fairly intrusive collection of personal information,” Elder says.
Being quizzed on personal health information and the social interactions a person has had is also sensitive information, not unusual for an international border but quite unusual to ask a customer or salesperson visiting a facility, he says.
As to how organizations are using contact tracing and active screening, Elder says the official guidance privacy with which lawyers are working is “very general.”
“In some ways, that's understandable because it's moving in real time, what we know and what could be effective and what isn't effective,” he says. “It's also very context-specific. What's permissible in one type of facility might not be permissible in another type of facility, depending on the type of contact people are likely to have within the facility.”
With the level of uncertainty among organizations as to their privacy requirements, Elder says, he expects privacy commissioners to allow leeway to organizations operating in good faith who implemented measures to prevent viral spread in their workplace, based on the knowledge available at the time. It likely won’t be a “gotcha exercise” from the authorities, he says.
“I think that they recognize this as a very unusual situation,” Elder says.
On the other hand, implementing intrusive measures without the concrete objective of reducing the spread of the virus but done for appearance’s sake or for customer peace of mind will be viewed unfavourably by privacy commissioners, he says.
“To the extent that it involves people's personal information, if there's no real reason to collect it other than make people feel better, I don't know that that would necessarily pass muster,” Elder says.
ABTraceTogether is the contact tracing app launched by the Alberta government. Elder says the app, which uses Bluetooth to identify other users and allows Alberta Health to track who infected users have contacted, balances the privacy implications and effective viral spread prevention “fairly well.”
“It's Bluetooth only. Very minimal collection of data. It's voluntary. There's no central storage of information. It’s just stored locally,” he says. “They did a pretty good job and they have a website up. Kind of remarkable that it got pulled together that quickly.”
Other contact tracing apps use GPS, which give health officials a more extensive view of where the virus has touched. The privacy tradeoff is greater, says Elder, because user movement is always being tracked.
Accepted Privacy Act complaints against governmental institutions
Correctional Service Canada: 30 per cent
RCMP: 19 per cent
National Defence: 9 per cent
Canada Border Services Agency: 8 per cent
Accepted PIPEDA complaints, by sector
Financial: 20 per cent
Telecoms: 13 per cent
Services: 11 per cent
Internet: 10 per cent
Source: Office of Privacy Commissioner annual report
Joint statement from provincial and territorial privacy commissioners
Privacy principles for contact tracing apps