On April 14, 2020, the Commission d'accès à l'information du Québec (CAIQ) released a document on the issues related to privacy and personal information protection raised by the current pandemic.
This document does not take a position on the compliance of the various technology tools likely to be used to curb the pandemic (e.g. geolocation, contact tracing, tracking bracelets and tools to assess a person's level of risk of infection, etc.), but instead provides a framework for analysis to address certain issues raised by the use of these tools.
The document drafted by the CAIQ is divided into two parts. The first part focuses on the possibility of limiting the right to privacy in the context of a pandemic, while the second part deals with the principles and best practices applicable to the management of personal information.
The CAIQ framework is highly relevant and useful given that many organizations are considering various measures to regulate access to public places and the workplace as lockdown rules are being eased.
1. Possibility of limiting the right to privacy in the context of a pandemic
Although the right to privacy is a fundamental right, the CAIQ reminds us that it is not an absolute right. According to the CAIQ, the question of whether the use of the technology tools mentioned above is consistent with constitutional principles must be answered through a two-step analysis.
The first step pertains to the objective sought by the technology solution considered. This objective must be significant enough to justify restricting the right to privacy. The objective must be legitimate and address urgent and real social concerns. In other words, we have to ask ourselves whether the use of various technology tools seems "necessary" in the circumstances.
Should we come to the conclusion that the use of technology tools is necessary, we then need to consider how these tools will be used. The CAIQ raises the question of whether the infringement of privacy rights resulting from the use of these technology tools is "proportional" with respect to the objective sought and the concrete benefit arising from these solutions. The CAIQ mentions that the issue of proportionality can be broken down into three sub-questions.
First, there must be a "rational connection" between the objective sought and the proposed solution. This raises the question of how the proposed collection, use or disclosure of personal information would achieve the objective sought.
Second, the privacy breach must be "minimal", meaning that no other effective, less intrusive solution is available. The CAIQ points out that the nature of the information used will have a major impact on this assessment. The use of sensitive information, such as a person's health data or their whereabouts, is in fact more intrusive than the use of information of another kind or of aggregated information.
Third, the true benefits of the proposed solution must exceed the adverse consequences resulting from its use. In other words, the benefits for public good must outweigh the infringement of fundamental rights.
In addition to proposing a framework for determining the appropriate use of certain technology tools in light of fundamental rights principles, the CAIQ also underscores the importance of certain principles and best practices with respect to the management of personal information.
2. Principles and best practices with respect to the management of personal information
The document published by the CAIQ highlights the importance of respecting the principles and best practices for the collection, use, disclosure and retention of personal information. The CAIQ points out the following principles:
Prevention: the legal compliance of a technology tool must be determined before it is used.
Collection limits: only necessary personal information may be collected. This rule cannot be circumvented by obtaining the consent of the person concerned. If sensitive information must be collected (e.g. on people's health or whereabouts), the measures implemented to minimize the privacy breach will have to be more substantial.
Transparency: the company or organization must show transparency with respect to its personal information management practices. For example, the person concerned must be able to know what information is collected and for what purposes.
Limitations of use: the use and disclosure of personal information must be limited to the purposes for which it has been collected. This principle invites us to de-identify or anonymize the personal information whenever possible.
Consent: the consent of the person concerned must be free, informed, specific, manifest and time-limited. The validity of the consent may be cast in doubt if the use of a technology solution is a requirement for entering a building or a business, or for being at work.
Artificial intelligence: if the use of an artificial intelligence system involving the use of personal information is contemplated, the CAIQ considers it important to perform an algorithmic impact assessment.
Geolocation data: the CAIQ points out that section 43 of the Act to establish a legal framework for information technology (the Act) stipulates that "unless otherwise expressly provided by law for health protection or public security reasons, a person may not be required to be connected to a device that allows the person's whereabouts to be known."
Biometric information: the CAIQ points out the rules set out in sections 43 to 45 of the Act regarding the use of biometric information.
Destruction of personal information: according to the CAIQ, personal information must be destroyed when the purposes for which it was collected have been fulfilled.
Exercise of the rights of the person concerned: the CAIQ asks businesses and public bodies to take into account the rights of the person concerned to have access to personal information concerning them when a specific technology solution is selected or used.
Although the CAIQ document does not address compliance of the various technology tools likely to be used to curb the COVID-19 pandemic, the legal principles it sets out remain relevant in terms of focusing on the complex issues concerning the legal validity of these technology solutions.