The pandemic has prompted the use of surveillance technology both to track and reduce transmission of COVID-19 and to monitor individuals as they settle into remote work or return to their physical work spaces. As noted in our recent scan, governments and companies around the world are developing and implementing tools such as contact-tracing and exposure apps, computer-vision physical distancing tools, and wearable quarantine-enforcement technology. In some ways, the means by which data is being shared, collected, and used is unprecedented. In others, primarily workplace monitoring, it can be seen as an acceleration of surveillance trends that existed before the crisis. What risks are associated with these technologies, and how can they be addressed?
Changes to data protection legislation
While no changes have been made to data-protection legislation at the federal level, several provinces, most notably Ontario and British Columbia, have introduced amendments to existing data-protection legislation in the wake of COVID-19. These changes respond to the urgent need for government agencies to marshall data in order to develop effective strategies and responses to the COVID-19 crisis. At a high-level, these amendments make data collection and sharing easier, both within and between government agencies, as well as with the private sector, while attempting to protect individual privacy and provide individuals access to their data.
On March 25, 2020, the Government of Ontario made amendments through Bill 188 to the provincial Personal Health Information Protection Act (PHIPPA). These include the introduction of a new entity, “consumer electronic service providers,” along with the establishment of new de-identification standards and mandatory electronic audit logs. Consumer electronic service providers include mobile device app developers and service providers as well as online portals that process personal health information (such as insurers who use an app or platform for online claim submissions). Previously, consumer electronic service providers had little, if any, PHIPA obligations. Under these amendments, individuals now have the right to access their records held by consumer electronic service providers.
Along with the amendments to PHIPA, Bill 188 also introduced an update to the Freedom of Information and Protection of Privacy Act (FIPPA) that allows non-public sector entities to collect personal health information to help inform the management and allocation of programs, services, and resources. In August 2020, the Ontario government launched consultations to strengthen provincial data protection legislation, seeking input from citizens and businesses on how personal data should be collected and used.
The Government of British Columbia introduced a new ministerial order on March 17, 2020 to enable the broader use of digital technologies under the provincial Freedom of Information and Protection of Privacy Act (FIPPA). This change enables the use of technologies that would otherwise be restricted by FIPPA’s rules to serve post-secondary institutions and front-line healthcare workers throughout the COVID-19 crisis. (The order was initially set to expire on June 5, 2020, but was extended to be in effect until the end of the year.)
These changes “could have longer-term impact regarding the respective roles of the public versus private sectors in relation to the stewardship of personal information in Ontario.
Alongside changes to data collection and privacy legislation, individuals across Canada have experienced an influx of surveillance and data collection technology as governments and public health authorities work to stamp out COVID-19. This includes government-backed contact tracing and exposure notification apps, along with quarantine monitoring and increased health-related data sharing.