A How-To Guide for Restaurants and Small Businesses: How to Do Contact Tracing and Other COVID Precautions Without Breaching Privacy Laws
Posted on August 26, 2020
With the COVID-19 pandemic, restaurants and other small businesses are facing a number of new requirements for contact tracing and to keep their employees and customers safe, all while dealing with financial hardship from closures and reduced business. This article will give you some background on the privacy laws that apply, and the best ways to implement those in relation to issues that are likely coming up for your business now.
Background: Why Do Privacy Laws Matter?
All businesses in BC are bound by the Personal Information Protection Act, commonly called PIPA. That act sets out what businesses can do with the personal information of customers, employees, and anyone else.
Personal information includes any information that can identify an individual. That means it includes not only a person’s name, but also contact information (such as telephone numbers or email addresses) and health information. This kind of personal information is considered to be very sensitive.
There are five main principles underlying PIPA which apply to contact tracing obligations and other COVID safety measures.
- Collect, use and disclose only information that is necessary to achieve your goal.
- Collect, use or disclose only the smallest amount of information necessary to do so.
- Do not collect, use or disclose information without the person’s consent, other than as required by law (e.g. as required by public health officials).
- Do not use the information for any other purpose.
- Keep the information you collect secure.
- Destroy the information once you no longer need it.
If you do not comply with PIPA, you are at a higher risk of a privacy breach, which can lead to lawsuits or action by the Information and Privacy Commissioner, or other regulatory proceedings.
BC businesses are also bound by Canada’s Anti-Spam Law, also called CASL, which sets out when a business can send email or other electronic marketing messages, such as marketing text messages. Generally, you can send emails or texts only to individuals who have agreed to receive them. There are some exceptions to this, including sending marketing messages to individuals with whom you have done business within the previous two years.
Breaches of CASL can result in substantial fines, into the hundreds of thousands of dollars.
Contact Tracing: What To Do and Not Do
Restaurants, cafes, bars, and other food service establishments and event organizers have been ordered by the Public Health Officer to maintain lists of customers for contact tracing requirements. Other businesses may also be doing so.
This means that you are collecting sensitive personal information: a person’s name and contact information. Because of that, it is important that you follow the principles set out above.
Specifically, you should:
- Explain to customers that you are required to collect contact information for contact tracing purposes.
- Collect the name and contact information for only one person from each table.
- Collect only one method of contacting the person, such as their telephone number or email address. Do not collect their address, workplace, or other contact information.
- Do not use the contact information for marketing or any other purpose, unless you expressly ask the person to consent to using it for other purposes. Consent in writing would be best.
- Keep the information secured. Exactly how you secure it will depend on how you are collecting it. For instance, if you collect it in hardcopy, keep the records in a locked filing cabinet. If you collect the information electronically, make sure that your computer security settings are up to date.
- Keep the information for 30 days, and then destroy it. If you have the information in hardcopy, you can shred the hardcopies. Electronic destruction is more complex, and you may need advice from an electronic security specialist.
If your business is not covered by a provincial health order, you may ask customers to provide their name and contact information, but you cannot require it as a condition of providing services.
The Office of the Information and Privacy Commissioner has also released a guidance document on complying with privacy laws while collecting contact tracing information. You can read it here.
Health Checks are OK, Temperature Checks Likely Are Not
Many businesses are also implementing health checks of customers and employees, including temperature checks using forehead thermometers. Privacy laws apply to this too.
Under PIPA, simply asking a person about their health or scanning their forehead with a thermometer qualifies as “collecting” their personal information. The information does not need to be stored in any way for it to be “collected”.
The principle that is most applicable here is the limit on collecting any more information than is necessary to achieve the goal of keeping your customers and employees safe. “Necessary” in this context is based on what the Public Health Officer, or public health officials, consider necessary to prevent infections and contain the spread of COVID-19.
Many businesses have implemented a health questionnaire, where the customer is asked to confirm that they are not suffering from any COVID symptoms, are not COVID positive, have not been in contact with someone who is COVID positive, and have not travelled outside of Canada in the last 14 days.
These questions likely are necessary, as defined by the Public Health Officer.
From a privacy standpoint, businesses are at less risk if this questioning takes place orally rather than in writing. If your business does collect this information in writing, make sure to store it securely and follow the other recommendations for contact information.
Temperature checks, however, are likely a breach of PIPA, even if the customer agrees to it. Body temperature is a person’s health information, which is considered to be highly sensitive. Taking a temperature reading is also a medical test which is still invasive even if only a forehead reading.
Taking all of your customers’ temperatures involves collecting a large amount of very sensitive information. For PIPA to allow that collection, it would have to be absolutely necessary. As it currently stands, the medical evidence is that temperature screening may not be effective, because many people may have mild symptoms or be asymptomatic.
Under PIPA, you also cannot deny services to a customer if they refuse a temperature check, for all the same reasons.
Disclosing Employee or Customer COVID-19 Positive Status
The principle that is again the most applicable here is the limit on collecting any more information than is necessary to achieve the goal of keeping your customers and employees safe, based on advice from public health officials.
If you learn that an employee or customer has tested positive for COVID-19, you do have obligations under the Public Health Act. Contact the BCCDC or your local health authority. Follow their advice regarding what information to provide to them, and what to provide to other customers or employees directly.
However, it is also important to respect the privacy rights of the person who tested positive. Do not disclose any information about a positive COVID-19 test to anyone until you have spoken with public health officials. Follow the advice of public health officials on any disclosure after that.
In particular, if public health officials determine that you do not need to do any notification or disclosure, do not do any. If you are contacted by customers or other employees, reassure them that public health officials are contacting all the people who are at risk.
If public health officials do recommend that you disclose information about a positive COVID-19 test, disclose the least information possible. Under no circumstances should you disclose the person’s name. If recommended by public health officials, you can disclose the dates and times during which exposure may have occurred at your business.