Legislative Compliance

Everything you need to know about vaccine passports and privacy protection

February 25, 2022

If you are feeling a bit overwhelmed when it comes to privacy laws and vaccine passports, you are not alone. Checking vaccine passports is a responsibility that no business could have imagined a few years ago. Now, it’s part of day-to-day operations for some—which is why it’s so important to understand your responsibilities and your customers’ rights when it comes to privacy.

Here’s what you need to know about personal information and privacy laws in Canada to help you stay compliant as you check vaccine passports.

Private-sector businesses need to comply with PIPEDA or provincial privacy laws.

Canadians have a right to privacy. Privacy legislation exists to protect individuals and maintain that right. The Personal Information Protection and Electronic Documents Act (PIPEDA) is a federal law that governs how private-sector organizations can collect, use, and disclose personal information. The law applies to commercial activities across the country, except for Alberta, British Columbia, and Quebec, which have their own private-sector privacy legislation very similar to PIPEDA.

To comply with PIPEDA, you need to follow the 10 fair information principles on the collection, use, disclosure, and access of personal information.

Personal information is any information about an identifiable individual.

According to PIPEDA, personal information can be factual or subjective and includes age, name, income, blood type, evaluations, credit records, medical records, and more. The definition is purposefully broad to ensure all personal information can be protected.

Vaccine passports are considered personal health information.

Personal health information (PHI) is a subset of personal information. The Canadian Institute for Health Information defines personal health information as “health information about an individual that identifies the specific individual; that may be used or manipulated by a reasonably foreseeable method to identify the individual; or that may be linked by a reasonably foreseeable method to other information that identifies the individual.”

Vaccine passports are considered PHI because they are a form of medical record. They contain information on an individual, when they received their vaccine, and what kind of vaccine it was. This means that if your business is checking vaccine passports, there are specific rules and responsibilities to protect that information.

You need legal authority to check vaccine passports.

Because vaccine passports are considered PHI, businesses that request to see them need the authority to do so, and that authority can only be granted by a government body. Since the introduction of vaccine passports, governments have passed statutes or public health orders that specify which businesses can request or require a vaccine passport and how they can use PHI.

Mishandling vaccine passports puts your customers at risk.

The last thing you want to do is lose customers’ trust or put them in any danger. It is important to keep all personal information private and protected, but PHI is specifically important. PHI that is mishandled, incorrect, or outdated can put an individual’s physical health at risk. If PHI is not protected, information that is typically kept private could be exploited.

How do I protect my customers’ privacy?

From handling vaccine disputes in the workplace to navigating vaccine passports, the pandemic has brought on new challenges for all businesses. But it’s also an opportunity to see how new practices and policies can improve your operations.

When it comes to personal information, it is vital that you protect your customers’ privacy. To help you learn more about how to stay compliant when checking vaccine passports, we have put together a free guide that looks at the principles of privacy, transparency, and accountability, and the limitations to collecting PHI. Download our FREE Guide to Vaccine Passports and Privacy Protection!

Download now!