As COVID vaccines roll out across Canada, more and more employers and businesses are grappling with how to manage vaccinated and unvaccinated employees and/or customers. With uneven vaccine distribution, vaccine refusals, vaccine hesitancy, and medical contraindications, employer demands for proof of vaccination may be met with privacy complaints and lawsuits, employment law claims and/or claims of discrimination under human rights legislation. At the same time, employers have a duty to provide a safe workplace, especially as employees may start returning to physical work spaces.
Businesses face similar challenges, both with respect to their own employees, as well as to their customers.
Recent privacy guidance
The Office of the Privacy Commissioner of Canada, along with other provincial and territorial privacy commissioners, just released a joint statement in respect of Privacy of COVID-19 Passports (Canadian Privacy Commissioners’ Statement). The Canadian Privacy Commissioners’ Statement appears to be aimed primarily at governments but does contain some information helpful to private sector businesses. It is worth noting that the federal Office of the Privacy Commissioner of Canada does not have jurisdiction over private sector employee personal information, and the Canadian Privacy Commissioners’ Statement is not binding. Even so, employers may wish to consider applying the principles in the Canadian Privacy Commissioners’ Statement.
The Canadian Privacy Commissioners’ Statement builds on work already done elsewhere. The Office of the Information and Privacy Commissioner of Saskatchewan (SK OIPC) released an advisory on questions regarding COVID-19 vaccines for organizations, employers and health trustees (Advisory) in March. Similarly, the United Kingdom’s Information Commissioner’s Office has released guidance for employers and organisations on collecting, storing and sharing personal information related to the COVID-19 vaccine (UK ICO Guidance).
While the latter two are not directly applicable to Canadian private-sector employers and businesses, both provide helpful, detailed approaches to the privacy issues employers and businesses may be facing in respect of the COVID-19 vaccine.
Can an employer ask an employee whether they have received the vaccination for COVID-19? Can a business ask its customers?
The Advisory notes that, generally speaking, under the provincial employment Acts, employers have an obligation to make a workplace safe to work in within reasonable limits. Some employers may be considering whether they will meet this obligation by requiring their employees to receive the vaccine or provide a vaccination certificate for COVID-19.
Requiring a vaccine or proof of vaccination will not be appropriate for every workplace. In deciding whether to require proof of vaccination (which, in effect, amounts to requiring vaccination), employers should ask themselves the following questions:
- Necessity: Is there a clearly defined necessity for requiring vaccination, in relation to a pressing concern (in other words, some substantial, imminent problem that vaccination/proof of vaccine seeks to address)?
- Proportionality: Is vaccination carefully targeted and suitably tailored, so as to be viewed as reasonably proportionate to the privacy rights of the individual being curtailed?
- Effectiveness: Has vaccination been shown to be empirically effective at treating the issue, and so is clearly connected to solving the problem?
- Minimal intrusiveness: Is vaccination the least invasive alternative available (in other words, have all other less intrusive avenues been investigated and exhausted)?
For example, in a production facility in which there is no possibility to work from home, and which requires workers to be in close proximity to one another, requiring vaccination (and proof thereof) may meet all of the above tests. However, in a workplace in which it is possible for the majority of employees to work from home, and for which on-premises work is limited to a few, widely spaced individuals, requiring vaccinations is likely to fail the minimal intrusiveness leg of the test. In that setting, social distancing measures, diligent work surface sanitizing and wearing masks are likely to be equally effective, less invasive measures.
The UK ICO Guidance takes a similar approach, and notes that data protection is only one of many factors to consider when employers are thinking about asking employees whether they have received the COVID-19 vaccine. Employers should take into account:
- Employment law and contracts with employees;
- Labour agreements and union obligations;
- Health and safety requirements;
- Sector- or industry-specific requirements (e.g., cruise lines, airlines); and
- Human rights issues.
The UK ICO Guidance emphasizes that “the collection of this information must not result in any unfair or unjustified treatment of employees and should only be used for purposes they would reasonably expect.” Employers should treat staff fairly and if the collection of this information is likely to have a negative consequence for an employee, the employer must be able to justify it. When considering fairness, employers should remember that different people are offered the vaccine at different times and some people may not yet have been offered a vaccination.
For the private sector, the Canadian Privacy Commissioners’ Statement uses a slightly different test, which lists only the first three elements (necessity, effectiveness, proportionality). Notably, the Canadian Privacy Commissioners’ Statement states that to get past the “effectiveness” leg of the test, “vaccine passports must be likely to be effective at achieving each of their defined purposes at the outset and must continue to be effective throughout their lifecycle”. However, the Canadian Privacy Commissioners’ Statement then goes on to say “[s]o far we have not been presented with evidence of vaccine effectiveness to prevent transmission”, suggesting that the privacy commissioners are of the view that – at least right now – vaccine passports are a violation of privacy laws.
Should employers just ask employees if they have been vaccinated – or can they require proof? Can businesses require proof from customers?
Employers will need to determine what form of proof will be acceptable for re-entry to the workplace. Will the employer accept the employee’s word that the vaccination was received? If the employee is required to provide proof, will the employer visually examine it or make a copy of it? If so, by whom and for what purpose (and is it demonstrably justified)?
The UK ICO Guidance states that the reason for recording employee vaccination status must be “clear and compelling”. If an employer has no specified use for this information and is recording it on a ‘just in case’ basis, or if the employer can achieve its goal without collecting this data, it is unlikely to be able to justify collecting it.
For employers that do decide to keep information about vaccine status, the Advisory notes that personal information about vaccine status, as well as copies of certificates and identity documents, are required to be accessible on request under applicable private sector privacy laws. An employer would be wise to collect only the bare minimum of personal information necessary to reduce compliance risk, and decrease the impact of any potential breach.
What is the purpose of the employer asking whether an employee has gotten a vaccination or requiring a vaccination certificate?
The Advisory notes that the employer must determine the purpose for which it is requiring vaccinations and the purpose for requiring a copy of the vaccination certificate. Typically, the purpose will be to keep the workplace safe by preventing the transmission of COVID-19.
However, this question may be more complicated than it seems – whether the purpose is appropriate may depend on the nature of the workplace. It may be appropriate to ask if the workplace is a production facility that has 400 employees on the production floor; it may not be appropriate where the workplace is a home-based call centre operation.
As the Advisory notes, it is important that the employer not expand the purpose after the fact.
For the private sector, the Canadian Privacy Commissioners’ Statement suggests that legal authority will be the only valid basis for demanding vaccine passports:
“There must be clear legal authority for introducing use of vaccine passports for each intended purpose. Public and private sector entities that require or request individuals to present a vaccine passport in order to receive services or enter premises must ensure that they have the legal authority to make such a demand or request. Clear legal authority for vaccine passports may come from a new statute, an existing statute, an amendment to a statute, or a public health order that clearly specifies the legal authority to request or require a vaccine passport, to whom that authority is being given, and the specific circumstances in which that can occur.”
Absent such order or law, the Canadian Privacy Commissioners’ Statement concludes that consent may provide sufficient authority to proceed, but only if such consent “meets all of the following conditions, which must be applied contextually given the specifics of the vaccine passport and its implementation:
- Consent must be voluntary and meaningful, based on clear and plain language describing the specific purpose to be achieved;
- The information must be necessary to achieve the purpose;
- The purpose must be one that a reasonable person would consider appropriate in the circumstances;
- Individuals must have a true choice: consent must not be required as a condition of service.”
As a practical matter, this will likely be unworkable for most businesses that provide on-premises services (such as restaurants) as the entire point of asking for vaccination status is to minimize COVID-19 transmission risk by excluding those who are unvaccinated from the premises.
Businesses grappling with this will need to think of alternate service delivery models (for instance, in the restaurant scenario above, one option could be to provide online/curbside pick up to those who are unvaccinated or who decline to show a vaccine passport). Appropriate signage and notices will be essential.
Note, too, that consent does not solve the problem in Quebec. As the Canadian Privacy Commissioners’ Statement points out, in Quebec, “consent cannot form the legal basis for vaccine passports. In that jurisdiction, requesting their presentation would require that the information is necessary to achieve a specific purpose, one that is serious and legitimate.”
Can an employer ask vaccination-status questions in a pre-employment interview?
The above questions could be asked of existing employees. Another question is what employers might want to ask of people applying for a job. Employers will need to decide whether they ask any questions or no questions at all. Generally speaking, non-union employers, at least in Ontario, are at liberty to impose, as a condition of hire, that a job applicant be vaccinated and provide proof of vaccination, as long as the employer provides medical and religious accommodations. The law varies from province to province, however, and before implementing such measures, employers should consult with counsel.
How should employers notify their employees of the purpose?
According to the Advisory, employers “should advise staff that they will be asking whether the employee has received the vaccine, has a vaccination certificate and inform them of the purpose. Later, at the time of collection of the vaccination certificate, [employers should] tell employees the purpose of the collection, what will be collected, who it will be shared with and how long the information will be stored.”
As the Advisory notes, employees will likely be particularly interested in whether the employer is sharing the information with other third parties, why and under what legal authority. Employers should understand their obligations (and limitations) and have an appropriate response ready.
The Advisory states that “[g]enerally speaking, an employer can provide other staff with non-identifying statistical information (e.g., how many employees have been vaccinated) but should not be sharing names or identify employees who were or were not vaccinated. Doing so without authorization is very likely a privacy breach.”
In the private sector, the Canadian Privacy Commissioners’ Statement emphasizes transparency, saying that individuals “should be informed about the purposes and scope of vaccine passports and about the collection, use, disclosure, retention and disposal of their personal health information for the purposes of vaccine passports.” It does not specify the manner of conveying such information.
What information can the employer collect?
Asking an employee whether they have had the vaccination and requesting a vaccination certificate is a collection of personal information (and in some cases, may be a collection of personal health information). Employers should collect the least amount of information necessary to achieve the purpose.
Collection of documentation or other information may not actually be necessary. In many circumstances, it may be appropriate for an employer to simply accept the employee’s verbal statement that they have had the vaccination (possibly backed up with an attestation as to the truth of that statement). In other circumstances, it may be appropriate to request that the employee show a vaccination certificate. In most cases it will be difficult to justify making and retaining an actual copy of such a certificate, and organizations should consider carefully before doing so.
The UK ICO reminds employers that even if they are able to justify recording whether staff have had the vaccine, they must be transparent. Employers must make sure their employees understand why the employer needs to collect this information, and what it is using it for.
In the private sector, the Canadian Privacy Commissioners’ Statement also emphasizes data minimization, saying that “[t]he collection, use, disclosure and retention of personal health information should be limited to that which is necessary for the purposes of developing and implementing vaccine passports. Active tracking or logging of an individual’s activities through a vaccine passport, whether by app developers, government, or any third party, should not be permitted. Also, the creation of new central databases of vaccine information nationally or across jurisdictions should not be permitted, other than the local databases necessary for the administration and verification of the vaccine.”
For businesses, this suggests that a centralized national customer database that contains vaccination status may be forbidden (for example, a hotel chain would be able to keep vaccination status information locally at each hotel, but could not record such information in its national customer records management (CRM) system).
The UK ICO also notes that employers are likely to have an obligation to accurately record the information that they collect and to ensure that the collection and storage is secure (further discussion of that below). In the shifting context of lockdowns and shutdowns and opening up plans, the UK ICO’s guidance notes that employers should “regularly review whether they still have grounds for the collection and retention of this information as the vaccination roll-out progresses and more people receive the vaccine. This should include monitoring the latest government and scientific advice on the vaccine roll-out and coronavirus restrictions.”
What if an employee refuses to be vaccinated?
If an employee refuses to get the vaccination, refuses to confirm that they had the vaccination or refuses to provide a vaccination certificate, employers will need to determine an appropriate way in which to manage such refusal. Typically, it may mean the employer will require the employee to wear a mask at work, or work from home – but imposition of such requirements could be a constructive dismissal. In certain rare cases, an employer may decide the appropriate course of action is to send the employee home without pay or end the employment relationship, but in most workplaces a termination for refusing to be vaccinated will not be just cause for dismissal. Employers should consult with counsel to determine how best to manage refusals.
Can the employer use the vaccination information for any other purpose? Can the business?
The short answer is no in both cases. As the Canadian Privacy Commissioners’ Statement notes, “[s]econdary uses of personal health information collected, used or disclosed through vaccine passports must be limited to only those required or authorized by law”. This would preclude almost all other uses.
In the employment context, the employer must determine its authority to collect the information for a defined purpose, and only collect the information for that purpose. The employer should check the relevant legislation before using that information for any other purpose (for instance, health or emergency orders, disclosure to law enforcement, etc.) without first getting the consent of the employee.
As the Canadian Privacy Commissioners’ Statement points out, however, in Quebec, “consent cannot form the legal basis for vaccine passports. In that jurisdiction, requesting their presentation would require that the information is necessary to achieve a specific purpose, one that is serious and legitimate.”
With whom can the employer share the information? What about the business?
As the Advisory points out, sharing of vaccination information should be on a “need to know” basis. This is true for both employers and businesses. Generally, very few people within an organization will have a true need to know. Often, statistical information as to how many employees (or customers) have received the vaccination will be sufficient for most purposes. The names of employees or customers who refuse vaccines or do not want to provide proof of vaccination will generally not need to be widely known.
Vaccination status, especially during a pandemic, is sensitive personal information and must be treated as highly confidential. Employees who have a demonstrated need to know, and have access to such information, should be reminded about their obligations in handling such information.
Sharing information about vaccination status of an employee or customer outside the organization will generally be prohibited unless express consent has been obtained, or the employer or business is required by law (e.g., public health order) to make such a disclosure.
Where can an employer or business store this information?
In some cases, there may be no need for an employer or business to store the information; it may be sufficient that the employee or customer simply state they have received the vaccination each time they enter the workplace or business. If the information is being collected and stored, the Advisory indicates that for employers, “[t]he choices are storing on the employees HR personnel file or storing in a separate folder for all employees, containing all information regarding vaccination of employees or refusal to vaccinate. There is probably no need to store it anywhere else.”
Is an employer or business obliged to secure the information?
Under privacy legislation, there is an obligation for an employer to protect and secure the information collected and stored. If an employer is not subject to privacy legislation, best practice would nonetheless suggest the information be protected – even in the absence of a statutory obligation there may still be risk of a common law breach of privacy claim.
The Canadian Privacy Commissioners’ Statement is clear, and states that “[t]echnical, physical and administrative safeguards must be put in place that are commensurate with the sensitivity of the information to be collected, used or disclosed through vaccine passports. Processes must be put in place to regularly test, assess and evaluate the effectiveness of the privacy and security measures adopted.”
Your organization must make reasonable security arrangements to protect personal information in its custody or under its control. For example, if the collected information is in paper form, it should not be left in a publicly accessible area. Rather, it should be stored in a locked file cabinet. If you are storing the list on a computer, make sure the computer is password protected, encrypted, and on a secure network. Position computer monitors so that personal information displayed on them cannot be seen by visitors.
The Information and Privacy Commissioner of British Columbia published guidance for restaurants and bars collecting and securing contact tracing information of patrons – many of the practices identified in that guidance hold true for safeguards for vaccine status information.
How long should an employer keep the information?
Employers will need to develop a policy with respect to the management of vaccine status information, including destruction guidelines. It may be the case that such information collected is adequately addressed by existing retention policies and it will be destroyed in accordance with those policies. More likely, vaccine status information will need to be destroyed earlier than an employer’s standard procedure, as the purpose of the collection will very likely be time-limited (especially once public health orders and other restrictions are lifted).
The Canadian Privacy Commissioners’ Statement contains similar advice, explicitly stating “[a]ny personal health information collected through vaccine passports should be destroyed and vaccine passports decommissioned when the pandemic is declared over by public health officials or when vaccine passports are determined not to be a necessary, effective or proportionate response to address their public health purposes. Vaccine passports should not be used for any purpose other than COVID-19.”
Do employers or businesses need to develop a policy on COVID-19 vaccinations?
Once an employer has made a decision, the employer should consider developing a policy. The Advisory suggests any such policy should contain:
- Authority for the collection;
- A statement of the purpose;
- A statement as to whether employees will be asked to show a vaccination certificate;
- A statement on possible actions taken based on whether the employee has the vaccination or not;
- A statement on where information will be stored;
- A statement as to who it will be shared with (with public authorities or not); and
- A statement on when the information will be destroyed.
As part of the “accountability principle” in private sector privacy legislation, the Canadian Privacy Commissioners’ Statement suggests policies are necessary, and should inform individuals about “who to contact to request access to, and correction of, any information available through vaccine passports or to make an inquiry or complaint about vaccine passports.”
For more information about Denton’s data expertise and how we can help, please see our Transformative Technologies and Data Strategy page and our unique Dentons Data suite of data solutions for every business, including enterprise privacy audits, privacy and technology program reviews and implementation, and training in respect of personal information and COVID-19 programs.