COVID-19 on-site compliance verification: Privacy compliance evaluation
Description of program
The Public Health Agency of Canada (PHAC) introduced enhanced border measures under the Quarantine Act to reduce the spread of COVID-19. These measures required certain travellers to create individual quarantine plans and isolate for 14 days on arrival in Canada.
Starting January 29, 2021, travellers had to provide personal information and details of their quarantine plan, including:
- name
- phone number
- email address
- quarantine address
This information was used to email, phone or visit travellers to confirm they were complying with quarantine requirements.
Multiple organizations worked together to collect and follow-up on quarantine requirements, including:
- Public Health Agency of Canada (PHAC)
- Canada Border Services Agency (CBSA)
- Provincial and Territorial Ministries of Health
- law enforcement agencies
- external organizations, such as security contractors and callers
Why a Privacy Compliance Evaluation (PCE) was conducted
The previous Interim Directive on Privacy Impact Assessment allowed the use of a Privacy Compliance Evaluation (PCE) instead of a full Privacy Impact Assessment (PIA) for urgent COVID-19-related initiatives. Privacy Management Division (PMD) is now exempt from the current directive on PIA and has therefore prepared a PCE for the use of compliance evaluations. If this measure continues after the exemption expires, PMD will complete a PIA, which will include this analysis.
Recommendations
The PCE reviewed the collection, use, disclosure and retention of personal information for compliance evaluations. It recommended the following actions to reduce privacy risks:
- determine the purpose for collecting travellers’ contact information
- create an updated privacy notice
- assess the data management plans of third party contractors
- assess processes for collection, use and retention of travellers’ personal information by third party contractors
- determine the need to review legacy information systems for privacy and security requirements
- create an updated Personal Information Bank (PIB)
Page details
- Date modified: