Surveillance Creep: Data collection and privacy in Canada during COVID-19

Surveillance Creep: Data collection and privacy in Canada during COVID-19

Concerns about data collection and individual privacy are on the rise as governments and corporations deploy technology to detect and mitigate the spread of COVID-19.
Illustration of green eye on burgundy laptop screen.
​Sarah Villeneuve
Policy Analyst
Darren Elias
Communications Intern
September 2, 2020
Print Page

The pandemic has prompted the use of surveillance technology both to track and reduce transmission of COVID-19 and to monitor individuals as they settle into remote work or return to their physical work spaces. As noted in our recent scan, governments and companies around the world are developing and implementing tools such as contact-tracing and exposure apps, computer-vision physical distancing tools, and wearable quarantine-enforcement technology. In some ways, the means by which data is being shared, collected, and used is unprecedented. In others, primarily workplace monitoring, it can be seen as an acceleration of surveillance trends that existed before the crisis. What risks are associated with these technologies, and how can they be addressed?

Changes to data protection legislation

While no changes have been made to data-protection legislation at the federal level, several provinces, most notably Ontario and British Columbia, have introduced amendments to existing data-protection legislation in the wake of COVID-19. These changes respond to the urgent need for government agencies to marshall data in order to develop effective strategies and responses to the COVID-19 crisis. At a high-level, these amendments make data collection and sharing easier, both within and between government agencies, as well as with the private sector, while attempting to protect individual privacy and provide individuals access to their data.

On March 25, 2020, the Government of Ontario made amendments through Bill 188 to the provincial Personal Health Information Protection Act (PHIPPA). These include the introduction of a new entity, “consumer electronic service providers,” along with the establishment of new de-identification standards and mandatory electronic audit logs. Consumer electronic service providers include mobile device app developers and service providers as well as online portals that process personal health information (such as insurers who use an app or platform for online claim submissions). Previously, consumer electronic service providers had little, if any, PHIPA obligations. Under these amendments, individuals now have the right to access their records held by consumer electronic service providers.

Along with the amendments to PHIPA, Bill 188 also introduced an update to the Freedom of Information and Protection of Privacy Act (FIPPA) that allows non-public sector entities to collect personal health information to help inform the management and allocation of programs, services, and resources. In August 2020, the Ontario government launched consultations to strengthen provincial data protection legislation, seeking input from citizens and businesses on how personal data should be collected and used. 

The Government of British Columbia introduced a new ministerial order on March 17, 2020 to enable the broader use of digital technologies under the provincial Freedom of Information and Protection of Privacy Act (FIPPA). This change enables the use of technologies that would otherwise be restricted by FIPPA’s rules to serve post-secondary institutions and front-line healthcare workers throughout the COVID-19 crisis. (The order was initially set to expire on June 5, 2020, but was extended to be in effect until the end of the year.)

These changes “could have longer-term impact regarding the respective roles of the public versus private sectors in relation to the stewardship of personal information in Ontario.

Alongside changes to data collection and privacy legislation, individuals across Canada have experienced an influx of surveillance and data collection technology as governments and public health authorities work to stamp out COVID-19. This includes government-backed contact tracing and exposure notification apps, along with quarantine monitoring and increased health-related data sharing.

Share

A new norm for workplace surveillance? 

At the same time, the private sector is using similar technologies to track Canadians during the pandemic. As demonstrated by previous BII+E research, the use of workplace surveillance by companies to monitor employees is not new. However, in response to the COVID-19 pandemic, companies in Canada have adopted new surveillance and monitoring mechanisms for both physical workplaces and in remote work settings. Incases of physical workplace monitoring, employers have begun adopting wearable tracking technology to enforce physical distancing and monitor the health of employees. This has led to a rise in demand for workplace surveillance software. Solink, an Ottawa-based smart video security solution for brick-and-mortar restaurants and retail, saw a 70 percent increase in use during the initial lockdown period. Following Canada’s release of the COVID Alert app, the Citizen Lab’s Christopher Parsons raised a concern that private organizations could require workers and customers to reveal their COVID-19 exposure status before entering workplaces or other spaces. This poses challenges for individuals unable to download the COVID Alert app on their smartphone due to the operating system requirement of iOS 13.5 or later on iPhones and 6.0 and up on Android. These individuals may be denied access to certain workplaces or stores.

Since the pandemic began and remote work became the norm, demand for employee-monitoring software has increased significantly. 365 IT Solutions, a Canadian company which helps arrange contracts for employee-monitoring software programs, has experienced a 300 percent increase in demand from employers since the onset of COVID-19, while user activity monitoring software ActivTrak has seen a 35 percent increase in demand from Canadian customers since March 11, 2020. Hubstaff, a similar software, has seen a comparable rise in demand. These employee-monitoring software companies regularly advertise their applications as time-tracking technology for productivity-measuring purposes, but their use extends to the monitoring of website-use, GPS location, mouse activity, and even the use of screenshots. According to Howard Levitt of employment and labour law firm Levitt LLP, this tracking software is legal in Canada as long as employees are informed about its use. However, this raises questions about  the rights  of employees in the face of workplace surveillance technology. Will they have the ability to opt out? Will employees place their jobs at risk if they express discomfort with being tracked? 

Potential pitfalls

Privacy experts have expressed concern that tracking technologies and data collection could be abused by governments and companies alike. In Ontario, the provincial government passed an emergency order in early April 2020 allowing police to obtain the names, addresses, and dates of birth of Ontarians who had tested positive for COVID-19. This culminated in unprecedented data-sharing agreements between police and public health agencies, specifically regarding positive COVID-19 tests. Between April and July 2020, Hamilton police accessed data on positive COVID-19 tests over 10,000 times. However, this emergency order ended recently after a legal challenge was filed by a group of human rights organizations. 

As employment law expert Pauline Kim writes, there is significant risk that these technologies become a route to more extensive, long-term data collection that is unconnected with the current health emergency. Given the rapidly evolving nature of the pandemic, surveillance measures have been enacted without the necessary due diligence process in regards to privacy rights, and in some cases, overall effectiveness. In addition, current privacy regulations do little to safeguard employee privacy. As public policy strategist Vass Bednar highlights: “The Office of the Privacy Commissioner of Canada’s guidelines on privacy at work indicate that an employer’s need for information should be balanced with an employee’s right to privacy, but does not go into detail about how this should be achieved.”

In April 2020, concerns about the abuse of data collected during the pandemic prompted the Office of the Privacy Commissioner of Canada to release a framework for governments. It details key privacy principles to consider when assessing the efficacy of measures proposed to mitigate the spread of COVID-19. They include that any personal information collected during COVID-19 should be destroyed when the crisis is over. However, the destruction of health-related data gathered during the pandemic may also have harmful consequences. This data could have the potential to inform how governments address crises like this in the future, so finding a way to preserve the information, while respecting individual privacy is paramount.

When data-driven technologies are developed and used in times of crisis by the public and private sectors, it is important to have clearly developed and articulated exit plans that demonstrate when and how they will be withdrawn, along with how the data will be deleted or stored.

Considerations for the responsible use of data during and after the pandemic

When data-driven technologies are developed and used in times of crisis by the public and private sectors, it is important to have clearly developed and articulated exit plans that demonstrate when and how they will be withdrawn, along with how the data will be deleted or stored. This requires transparency from the get-go and a clear explanation of how exactly the data will be used to help directly mitigate the spread of COVID-19. 

This includes asking: 

  • What data is necessary to collect? 
  • How will it be collected and used?
  • Who is allowed to access the data? 
  • How long will these surveillance measures be in place? 
  • Do individuals have agency to opt in or out? 
  • Once surveillance is no longer required, should the data be preserved or destroyed? 
  • If the data is kept, where and how will it be stored? 
  • Throughout these processes, what measures will be taken to ensure anonymity and privacy? 

One suggestion for managing pandemic-related health data comes from Element AI’s Public Policy Lead, Philip Dawson, who argues that COVID-19 tracking data should be managed similarly to data trusts where data is accessed, shared, and used in ways that reflect public interest and rule of law. 

As the COVID-19 pandemic continues, governments must consider both the immediate and long-term risks associated with emerging data collection and surveillance practices. Taking action to ensure the responsible collection, use, and storage of pandemic-related data is a critical step to ensure long-term privacy and public trust. 

For media enquiries, please contact Lianne George, Director of Strategic Communications at the Brookfield Institute for Innovation + Entrepreneurship.