From: Bryan Thomas, Colleen M. Flood, Vivek Krishnamurthy, Ryan Tanner and Kumanan Wilson
To: Canadians Concerned about Vaccine Passports
Date: January 28, 2022
Re: Privacy Rights and Private Sector Vaccination Requirements
In response to the COVID-19 pandemic, federal and provincial governments have imposed vaccination mandates in some workplaces, and proof of vaccination requirements in some non-essential settings, such as air and rail travel and indoor dining at restaurants.
This patchwork of public vaccination requirements leaves key questions unanswered for the private sector. For businesses that are not covered by these requirements, what are the legal restrictions on requiring proof of vaccination from patrons or employees? In this memo, built on our larger paper, we explore the extent to which privacy laws restrict businesses’ ability to verify an individual’s vaccination status.
While Canadian privacy law is notoriously complex and multi-layered, there is an overriding standard of ‘reasonableness’ that can guide us.
Many provinces have health information privacy laws, but these typically apply only to the collection, use and disclosure of personal information by health care professionals (or ‘health information custodians’ as they’re sometimes called in the legislation). This legislation will not apply to situations, outside of the health care setting, where an employer is asking their employee to confirm vaccination status.
Protections for employee privacy are an especially patchy area of Canadian privacy law. The federal Personal Information and Electronic Documents Act (PIPEDA) only protects employee privacy in federally regulated industries (e.g., banking, airlines). Many provinces, including Ontario, have no legislation addressing private sector employee’s privacy rights, while there are protections in place for private sector employees in British Columbia (PIPA), Alberta (PIPA) and Quebec (Act Respecting the Protection of Personal Information in the Private Sector).
Discussions around privacy rights often highlight the importance of individual consent to the collection, use and disclosure of personal information. Consent requirements are certainly an important element of privacy, but employees will doubtless feel strong pressure to consent to their employers’ demands for personal information – particularly when, as in the case of vaccine requirements, a refusal could result in suspension or dismissal. In those sectors and jurisdictions where employee privacy is protected by statute – again, federally regulated industries and select provinces – the crucial legal test is reasonableness.
In unpacking this reasonableness standard, the courts have highlighted factors such as: the sensitivity of the personal information being requested; whether there is a legitimate business need for collecting the information; the availability of less intrusive means to achieve the stated business needs, with comparable costs and benefits.
There is no one-size-fits-all answer to these questions, obviously. Whether a given operation has a legitimate business need to verify employees’ vaccination status will depend on a range of contextual factors. From a health and safety standpoint, ensuring that all workers are vaccinated will be especially important in settings, like restaurant kitchens, where employees exert themselves in close quarters, and less imperative in outdoor or isolated settings.
A related question is whether private businesses can demand proof of vaccination from their patrons, as a condition of entry and service. By now, every province has enacted regulations mandating that specific commercial sectors (e.g., restaurants, theatres, gyms) check vaccine passports, while remaining silent on other categories (e.g., essential services like grocery stores, along with more arbitrary categories such as barber shops and hair salons). These regulations specify that businesses may verify a patron’s proof of vaccination, but that they may not retain that information or use it for any other purpose – under the face of severe penalties.
Assuming that customers consent to disclosing their vaccination status, the legality of such requests by businesses will again hinge on their reasonableness. In the context of an ongoing pandemic caused by a highly transmissible airborne virus, in businesses where close physical proximity to the customer is required for the provision of services (e.g., personal care services) a strong case can be made for the reasonableness of verifying vaccination status.
By contrast, it may seem less reasonable for businesses that provide services from a distance to require their customers to provide proof of vaccination. In all cases, retention of vaccine status information by such businesses is likely to be deemed unreasonable.
Bryan Thomas is Senior Research Associate & Adjunct Professor, Centre For Health Law, Policy & Ethics, University of Ottawa, where Colleen M. Flood is Research Chair in Health Law and Policy, and Vivek Krishnamurthy is Samuelson-Glushko Professor of Law. Ryan Tanner teaches at the Faculty of Law, and Kumanan Wilson is Senior Scientist, Clinical Epidemiology Program, Ottawa Hospital Research Institute and Professor, Faculty of Medicine, at the University of Ottawa.
To send a comment or leave feedback, email us at blog@cdhowe.org.
The views expressed here are those of the authors. The C.D. Howe Institute does not take corporate positions on policy matters.