New rules for collecting contact tracing info coming amid privacy concerns
Will cover collection, security, retention and destruction of contact information, says Public Health
The New Brunswick government is finalizing guidelines for businesses and other organizations that must collect the personal information of patrons for COVID-19 contact tracing purposes, after the province's privacy commissioner raised concerns about the lack of clarity and risk of a breach.
Charles Murray said his office has been fielding calls from restaurant owners who are confused about how they should gather and store the information, and for how long.
"We're asking the restaurateurs [and others] to do this in the public interest" in the event of an outbreak, he said. So "the onus and the burden must be on the government to clearly state to them, 'This is what we're asking you to do, this is why, and this is how we're asking you to do it.'
"And I don't think they've done a superb job of those things."
Some of the dangers, Murray said, include the information being held longer than it should be, being used for other purposes and falling into the wrong hands.
'Breach waiting to happen'
Brenda McPhail, director of the Canadian Civil Liberties Association's privacy, technology and surveillance project, described it as "a breach waiting to happen."
Under the province's COVID-19 recovery plan, any for-profit, not-for-profit, charity or government entity that admits patrons to a venue at which seating is offered for the purposes of eating, drinking, socialization, celebration, ceremony or entertainment "must maintain a record of the names and contact information of all persons who attend."
The same requirement applies to anyone who hosts, organizes or permits gatherings of more than 50 people, whether seated or standing.
"This will enable Public Health to conduct targeted contact tracing in an expeditious manner should there be a COVID-19 case associated with the facility," the recovery plan states.
The idea is that people who were potentially exposed to the coronavirus can be quickly tested and isolated, thereby limiting the spread.
McPhail said this type of data collection is unprecedented.
"I mean, it's information about us just in case something bad happens, and we don't have the understanding of the rules in place about how it's going to be used, or where it's going to be kept, or again, when it's going to be deleted," she said.
"And those are the things that should have been put in place first, at the beginning of this process because otherwise, this is a breach waiting to happen."
From stalkers to police surveillance
There have already been cases turning up on social media, she said, where young women who have been out at bars are posting about having received texts from "creepy" bartenders without having given them their number.
"So that's one worry, is that the information will be picked up by staff in these organizations or passersby who get their hands on it and use it to intrude on someone's privacy in that kind of stalking way," McPhail said Thursday during a telephone interview from Toronto.
The association also worries about what McPhail called "police fishing expeditions," when a crime occurs in an area and investigators seek the patron lists from nearby establishments to quickly determine who was in that area at a particular time and could be a witness or a suspect.
"Those are the kind of secondary purposes that really should not be allowed if this unusual collection [of information] is truly for purposes of public health," she said.
Parties that collect personal information are required to protect it under privacy legislation. But McPhail said that doesn't go far enough.
She wants to see formal binding guidelines on how to keep the information safe, what it can be used for, and when it needs to be deleted, as well as enforcement and penalties.
Guidelines expected next week
Bruce Macfarlane, communications director for the Department of Health, said Public Health is finalizing guidelines on the "collection, security as well as retention and destruction of the contact information under the mandatory order."
He expects the guidelines will be ready early next week, he said in an emailed statement.
They will "recommend best practices to be implemented to the best of everyone's ability and the document will be designed to support businesses, and all others it may apply to, to better understand their responsibilities."
"The guidelines will not apply if a patron enters to pick up food or drink and immediately leaves the venue (take-out) or passes in the drive-thru," he added.
The privacy commissioner said the guidelines should:
- Ensure people's privacy is protected. For example, if patrons have to sign a list, they should not be able to see other people's information.
- Ensure documents are stored securely.
- Ensure documents are maintained only for as long as necessary, which could include creating a schedule for the routine destruction of records once the risk of transmission has passed, based on the estimated two-week incubation period.
"My hope is that while we're doing what we need to do in the most efficacious manner on the medical side that we don't make shortcuts on the privacy side," said Murray.
With files from Information Morning Saint John