Advisory from the Office of the Information and Privacy Commissioner of Saskatchewan on questions, screening or testing by employers regarding COVID-19
May 27, 2020 – Ron Kruzeniski, Information and Privacy Commissioner
Our province is gradually phasing in our economy. Businesses, organizations and government offices are gradually opening up. Employers are contemplating the return of their employees to the workplace. Employers and employees will have questions. This advisory attempts to answer a number of those questions.
Can an employer test for COVID-19?
Some employers may be considering whether they will require all employees to answer questions, be screened or be tested for COVID-19. Employers have an obligation to make a workplace safe to work in within reasonable limits. The Saskatchewan Employment Act provides:
General duties of employer
3‑8 Every employer shall:
(a) ensure, insofar as is reasonably practicable, the health, safety and welfare at work of all of the employer’s workers;
(h) ensure, insofar as is reasonably practicable, that the activities of the employer’s workers at a place of employment do not negatively affect the health, safety or welfare at work of the employer, other workers or any self-employed person at the place of employment; and
Each employer will have to make a fundamental decision as to whether requiring all employees to answer questions, be screened or be tested would make the workplace safer.
Prior to considering what privacy legislation might apply, employers need to seriously consider whether they want to require employees to answer questions, be screened or be tested for COVID-19. This is a fundamental issue and can be controversial. It gets us into the issue of whether employers can or should require medical tests in the workplace. There has been considerable debate and court challenges over testing for drugs in the workplace. Employers need to know that requiring employees to answer questions, be screened or be tested for COVID-19 might result in a court challenge.
The Privacy Commissioner of Canada in “A Matter of Trust: Integrating Privacy and Public Safety in the 21st Century” stated:
Following the enactment of the Canadian Charter of Rights and Freedoms in 1982, the Supreme Court of Canada formulated a methodological test to determine whether the violation of a Charter right is nonetheless justifiable in a free and democratic society. Stemming from the case R. v. Oakes, this became known widely as the Oakes test. It requires:
- Necessity: there must be a clearly defined necessity for the use of the measure, in relation to a pressing societal concern (in other words, some substantial, imminent problem that the security measure seeks to treat),
- Proportionality: that the measure (or specific execution of an invasive power) be carefully targeted and suitably tailored, so as to be viewed as reasonably proportionate to the privacy (or any other rights) of the individual being curtailed,
- Effectiveness: that the measure be shown to be empirically effective at treating the issue, and so clearly connected to solving the problem, and finally,
- Minimal intrusiveness: that the measure be the least invasive alternative available (in other words, ensure that all other less intrusive avenues of investigation have been exhausted).
The balance of this advisory presumes an employer has made the decision and understands the legal risks of a challenge, but intends to proceed.
What privacy legislation might apply?
If an employer decides to ask questions, screen or test its employees for COVID-19, that employer needs to know what privacy legislation applies to that employer. The Freedom of Information and Protection of Privacy Act (FOIP) applies to government institutions which include Crown corporations, boards, agencies and other prescribed organizations. Part IV of FOIP deals with the collection, use, disclosure, storage and protection of personal information.
The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP) applies to local authorities which include cities, towns, villages, municipalities, universities and the Saskatchewan Health Authority. Part IV of LA FOIP deals with the collection, use, disclosure, storage and protection of personal information.
The Health Information Protection Act (HIPA) applies to health trustees which includes government institutions, the Saskatchewan Health Authority, a licenced personal care home, a health professional licenced under an Act, a pharmacy, and licenced medical laboratories. Parts III and IV of HIPA deal with collection, use, disclosure, storage and protection of personal health information.
If an employer falls into one of the above categories, then that particular statute will apply to the collection, use, disclosure, storage and protection of information. To be sure, an employer should check each of the Acts to see if it has any application.
Regulations under each of the Acts can also prescribe government institutions, local authorities or health trustees.
A further issue is that after the questions are asked, are the responses recorded? If so, by whom and for what purpose? If recorded, the record may be accessible under HIPA, FOIP or LA FOIP.
If an employer continues to be in doubt, you may want to obtain legal advice. If an employer does not fall under any of the three Acts, it is possible you, as an organization, may be bound by the Personal Information Protection and Electronics Documents Act (PIPEDA). For information on this, an employer can check the website of the Federal Privacy Commissioner. In some cases, PIPEDA provides rules and protection for employee personal information and in others, it does not. Whether an employer in Saskatchewan fits any of the above definitions, the advice below can be considered best practice and an employer can choose to follow it.
What is the purpose of doing the tests for COVID-19?
Before embarking on questioning or a testing program, an employer needs to define the purpose for collecting the Q&A and test information. Is it to keep the workplace safe? More specifically is it to prevent workers who test positive or have had COVID-19 from being in the workplace? Is it to prevent the spread of COVID-19 to other workers in the workplace? It is important that the employer define the purpose at this early stage and not expand after the fact as would be function creep and may not be authorized.
How should employers notify its employees of the purpose of collection?
Employers should be open and transparent. They should advise staff that they will be asking questions, screening or testing employees as they arrive for work and inform them of the purpose. Later at the time of collection, tell employees the purpose of collection, what will be collected, who it will be shared with and how long the information will be stored. Employees will particularly want to know if the employer is sharing the information with other third parties and why. As discussed below, the employer should advise employees that positive tests for COVID-19 will be shared with the medical health officer.
If staff test positive or have COVID-19, the employer can provide other staff with statistical information, such as how many have been tested and how many tested positive. The employer should not give out names or identify the ones who tested positive as this may be considered a privacy breach. If very few employees test positive or have COVID-19, the employer needs to determine whether by giving the statistical information, the employee can be identified. If this might be the case, the employer can ask the consent of the employee affected, to release, postpone the release or provide less information that prevents identification.
What information will the employer collect?
Asking an employee a series of questions and obtaining the answers is collection of information. Screening by visual examination or temperature checks is collection of information. Requesting an employee to take a test and recording the results, is a collection of information. An employer needs to define the questions asked, the screening and the test required and ensure those questions, screening and test results are consistent with the purpose. Employers should collect the least amount of information necessary to achieve the purpose. This is referred to as the data minimization principle, that is, only collect what is needed to achieve the purpose.
For example, if an employee tests positive for COVID-19, what is an employer going to do? The assumption is an employer will require the employee to stay home and self-isolate. Thus, once an employer knows the person tested positive, there is no need to know anything more other than if the medical health officer’s follow up efforts will impact the employer. You are the employer, not the doctor. If the staff member indicates they already have COVID-19, an employer will need to consult the organization’s doctor to determine whether the staff member should be allowed to come to work or is required to stay home. Again, an employer should not collect more information, only tell the employee that they can or cannot work and they should go home. If the test comes back “negative” an employer still is obliged to comply with any requirements of the Chief Medical Health Officer in terms of taking protective procedures in the workplace.
The Information Commissioner (ICO) of Great Britain has stated:
In order to not collect too much data, you must ensure that it is:
adequate – enough to properly fulfil your stated purpose;
relevant – has a rational link to that purpose; and
limited to what is necessary – you do not hold more than you need for that purpose.
Can the employer use the information for any other purpose?
The employer has defined a purpose, authority to collect and has collected information for that purpose. The employee has provided the information for that purpose. The employer cannot use that information for any other purpose without getting the consent of the employee.
If an employee tests positive, who can the employer share the information with?
Since the employer has collected the information that the employee tested positive or has had COVID-19, the employer needs to determine who in the organization needs to know. If the employee is going home, very few people need to know. Just like other sensitive health information, it is confidential, the employer should prohibit the employee from sharing the information with other staff.
Where does an employer store this information?
The choices are storing on the employees HR personnel file or storing in a separate folder for all employees, containing all information regarding questions, screening and testing. There is probably no need to store it anywhere else.
The information the employer has collected, must be stored in a secure place. Once the employer collects personal information about an employee, it is the employer’s obligation to ensure it is protected.
Is an employer obliged to secure the information?
Under privacy legislation, there is an obligation for an employer to protect and secure the information collected and stored. If an employer is not subject to the privacy legislation, best practice would suggest the information be protected anyway. Other resources have made suggestions on securing information and a few tips are given by the British Columbia Information and Privacy Commissioner:
Your organization must make reasonable security arrangements to protect personal information in its custody or under its control. For example, if the collected information is in paper form, it should not be left in a publicly accessible area. Rather, it should be stored in a locked file cabinet. If you are storing the list on a computer, make sure the computer is password protected, encrypted, and on a secure network. Position computer monitors so that personal information displayed on them cannot be seen by visitors.
When should the employer destroy the information?
How long is an employer going to keep this information? Will it get destroyed in accordance with the destruction of documents policy? Should it have a special destruction period, shorter than the normal? Could it or should it be destroyed within 30 days? Employers need to decide whether they will develop a policy including destruction guidelines. There has been media coverage about people’s fear of having COVID-19 and the stigma that comes along with that. Maybe a year from now, there will be an approved treatment and vaccination, which might reduce the stigma and the fear. Maybe the information collected can be destroyed earlier than an employer’s standard procedure.
Should employers share information with the medical health officer?
The Public Health Act, 1994 provides:
Responsibility to report
32(1) The following persons shall report to a medical health officer any cases of category I communicable diseases in the circumstances set out in this section:
(a) a physician or nurse who, while providing professional services to a person, forms the opinion that the person is infected with or is a carrier of a category I communicable disease;
(b) the manager of a medical laboratory if the existence of a category I communicable disease is found or confirmed by examination of specimens submitted to the medical laboratory;
(c) a teacher or principal of a school who becomes aware that a pupil is infected with or is a carrier of a category I communicable disease;
(d) a person who operates or manages an establishment in which food is prepared or packaged for the purposes of sale, or is sold or offered for sale, for human consumption and who determines or suspects that a person in the establishment is infected with, or is a carrier of, a category I communicable disease.
(3) A report submitted pursuant to subsection (1) must include:
(a) the name, sex, age, address and telephone number of the person who has or is suspected to have, or who is or is suspected to be a carrier of, a category I communicable disease; and
(b) any prescribed information.
(4) In addition to the report required by subsection (1), the manager of a medical laboratory shall submit to the medical health officer or the co-ordinator of communicable disease control a copy of the laboratory report that identifies the disease.
The Disease Control Regulations lists COVID-19 as a category 1 communicable disease.
If an employer intends to ask a series of questions or do screening by a non-health professional section 32 above would not apply. In that case, if the questions result in their being indications of COVID-19, I would expect the employer would request that the employee be tested for COVID-19 at a nearby testing centre and the employee be advised to go home until testing is done and results are received.
If an employer has an examination done for a test taken by a doctor or nurse, it is clear that, pursuant to section 32, the doctor, nurse or manager of a medical lab must report a communicable disease such as COVID-19 to the medical health officer.
Thus, best practice would be for an employer to advise employees being examined or tested that if the test is positive for COVID-19, it will be reported to the medical health officer. The employer should indicate in their statement of purpose that they will comply with the requirements of The Public Health Act, 1994. Being transparent with staff and telling them at the beginning that their information will be shared with public health authorities is important.
Do employers need to document their questions and testing plan?
Once an employer has made a decision, the employer should consider some documentation of the plan. In normal times, my office would recommend a privacy impact assessment (PIA). In these unique times, an employer might move very quickly and my office would still recommend either a shortened version of a PIA or a policy statement regarding question asking, screening and testing plan. Whatever the form of the document, it should contain:
- a statement of the purpose;
- a listing of the questions to be asked;
- a statement of the screening and the tests to be performed;
- a statement on possible actions taken based on the test results;
- a statement where information will be stored;
- a statement as to who whom it will be shared with (with public authorities or not); and
- a statement when the information will be destroyed.
The principles are simple, establish the purpose, authority, and collect the least amount of information to meet the purpose, share it only with those who need-to-know, store it, keep it secure and destroy it when no longer needed. This is good advice whether an employer is subject to access and privacy legislation or not.
The Information Commissioner’s Office in Great Britain has issued a document regarding “Work Testing – Guidance for Employers”. Although British legislation is different from the legislation in Saskatchewan, the principles set out are good ones and may have some application to public bodies and health trustees in Saskatchewan.
Ronald J. Kruzeniski
Information and Privacy Commissioner