Reopening your store can create new privacy considerations
For many businesses, the personal information of its customers is crucial to providing goods and services. Certain information is simply necessary to complete a transaction. As Manitoba begins to reopen its economy and businesses reopen their doors, new forms of personal information are becoming important in the context of a pandemic, and new purposes are served by the usual personal information.
In our increasingly digital world, we tend to focus on privacy protection online. However, the Personal Information Protection and Electronic Documents Act (“PIPEDA”) also applies to personal information collected in person. Personal information is defined broadly as information about an identifiable individual.
In taking the necessary precautions to reopen your business safely, it is important to consider the privacy implications related to these precautions. For example, are there new data collection processes taking place that are not accounted for in your current privacy policies?
Consent and Purpose, Use and Disclosure
To obtain meaningful consent under PIPEDA, businesses must disclose specific information to individuals at the time their personal information is collected, or at least prior to such information being used. Businesses must disclose the purpose for which the personal information is being collected, how it will be used, and to whom it may be disclosed. If a business has collected personal information for one reason, but now wants to use it for another, fresh consent is required.
Businesses that previously collected names and contact information to deliver products ordered online may find themselves collecting the same information for contact tracing purposes when customers walk into their brick and mortar stores. This means that there are new purposes for the collection of information as well as new uses, retention requirements and possible disclosures.
Many businesses will find themselves collecting information for the purposes of contact tracing which may be disclosed to the public health authority. Under current health orders, certain types of businesses are obligated to collect this information. While this may be obvious in the context of a pandemic, it is not usually expected in the ordinary course of business.
In collecting information for contact tracing purposes, this purpose must be disclosed to individuals prior to making any use of their personal information. It is also necessary to clearly inform individuals that their personal information may be disclosed to the public health authority in the event of a confirmed COVID-19 case. Retention periods for this information will also be significantly shorter than in other circumstances. While the sensitivity of the information collected does impact appropriate retention periods, the purpose of the information is the driving factor. Personal information should only be retained for as long as is reasonably necessary to complete the purpose for which the information was collected. Under current health orders, information that is collected for contact tracing purposes must be retained for 21 days, and then destroyed. Finally, it is important to limit the information collected to that which is absolutely necessary to the purpose for which it was collected.
Evaluating your privacy protection practices becomes even more important where you are subjecting customers to some form of scrutiny that may reveal personal health information, as that is considered a very sensitive form of personal information. Consider developing clear policies about what your employees need to be telling customers as they collect that personal information, how and where that information is stored, and how and when it is destroyed.