Skip Ribbon Commands
Skip to main content

Privacy Rules and COVID-19: Compliance Still Required


Responding to the COVID-19 pandemic requires organizations across all sectors to collect, use and disclose personal information, including sensitive personal health information. Despite being a time of crisis, it is critical for organizations to continue to address key requirements under Canada’s privacy laws. 

There is no need to give up privacy to fight COVID-19. At the same time, privacy laws should not deter you from sharing the information your organization needs to respond to current events effectively and responsibly.

In the context of sharing information during a public health crisis, Canadian privacy legislation provides for exceptions to consent in emergency situations involving threat of life, health of an individual or public at large. However, conditions could vary across the country, so it is important to follow provincial guidance.

For those organizations with the legal authority to collect, use or disclose personal information, following good privacy principles will help ensure privacy is maintained.

  • Collect, use or share only as reasonable or appropriate in the circumstances, informed by guidance from public health authorities and healthcare professionals.
  • Limit the amount of information made public to only what you need to be compliant.
  • Show accountability by updating policies and processes and documenting instances of sharing of private information within the context of the pandemic.
  • Be open and transparent about your policies and practices.

In an employment context, organizations need to ensure they notify their employees that personal information might need to be collected and / or disclosed in case of a pandemic to ensure the organization fulfils its health and safety obligations or as required by heath authorities.

This could include whether employees have tested positive for the COVID-19 virus, travel history or proximity with others who have tested positive for the COVID-19 virus.  

As much as possible when communicating internally, your organization should not disclose the identify of the person or at lease limit the disclosure to those who could be affected. The overall objective is to provide potentially exposed employees with enough information to protect themselves from the risk.

We are here to help you navigate these uncertain times. If you have any questions or concerns about what to do next, contact Danny Timmins, National Leader Cyber Security, at 905.607.9777 or [email protected]. Or contact Adriana Gliga-Belavic, CISSP, CIPM, PCIP, Privacy Lead and Cyber Partner, at 647.480.8489 or [email protected].