Office of the Privacy Commissioner Submits Brief Outlining Privacy Principles For Government Institutions Acting In An Emergency

On January 30, 2023, the Office of the Privacy Commissioner of Canada (OPC) announced that it had provided the Joint Chairs of the Special Joint Committee on the Declaration of Emergency with a brief (the Brief), which outlines the key principles for government institutions to follow during an emergency to ensure that privacy rights are respected.

In the Brief, the OPC recognized that emergencies evolve rapidly and may require swift and effective response. However, the OPC noted that even in an emergency, public institutions must still operate under lawful authority and act responsibly, especially when handling sensitive information. To assist with this matter, the OPC outlined seven principles that government institutions should consider when evaluating measures proposed during an emergency that may impact the privacy of Canadians:

1. Legal Authority: Institutions should identify the legal authority being relied on to collect, use, and disclose personal information.

2. Necessity and Proportionality: Measures taken by institutions to address a public order emergency should be necessary and proportionate. “Necessary” measures are seen as those based in evidence and likely to be effective in the specific context, while “proportionate” measures should be rationally connected to the specific purpose to be achieved. This principle applies to both existing measures and in deciding on new actions to be taken to address a crisis.

3. Purpose Limitation: Institutions should ensure that personal information collected for an emergency is not used or disclosed for any other reason and, unless an exception applies, is disposed of when the emergency ends.

4. De-Identification and other Safeguarding Measures: Institutions should ensure that personal information is protected by administrative, technical, and physical safeguards, including enhanced protection for sensitive information. They should also consider whether identifiable information is needed, or de-identified information is sufficient for the situation.

5. Openness and Transparency: To protect transparency, institutions should provide individuals with ongoing updates about new and emerging measures.

6. Oversight and Accountability: New measures specific to the emergency should provide express provisions relating to oversight and accountability.

7. Time Limitation: Institutions should impose strict time limits on emergency measures, where such measures will end when they are no longer needed.

The OPC concluded by highlighting that it is important for a clear privacy governance framework to be developed and implemented during any emergency to ensure government institutions and private sector entities can effectively meet their obligations under the Privacy Act and the Personal Information Protection and Electronic Documents Act. 

Summary By: Victoria Di Felice