As more individuals receive COVID-19 vaccinations, some organizations may be considering asking customers to provide proof of vaccination in order to receive discounts, access goods or services, or enter a store.
This advisory provides guidance for organizations subject to the Personal Information Protection Act (PIPA) that are considering asking for or requiring proof of vaccination from customers for these or similar purposes.
This advisory does not provide guidance for employers who may be considering requiring proof of vaccination from employees, and it does not address proof of vaccination for the purpose of international travel or domestic air travel, as border services and airlines are subject to federal laws and oversight.
Proof of vaccination is information about an individual’s health history, and is personal information as defined in PIPA. Proof of vaccination may include much more information than just an individual’s vaccine status, including their name, date of birth, address, phone number and personal health number.
Proof of vaccination may be in paper or digital format. For example, an individual may receive a paper or digital record from Alberta Health Services or their pharmacist at the time of vaccination. Individuals may also access their immunization history online (for example, My Health Records accounts for registered users provide immunization history).
Organizations that wish to collect proof of vaccination must ensure they have a reasonable purpose for doing so (section 11). In some cases, this may be relatively straightforward. For example, it may be reasonable for an organization to offer a customer a discount, or even complimentary goods and services, if the customer can show they have been vaccinated.
In other cases, the assessment of whether an organization has a reasonable purpose for asking for proof of vaccination may be more complex. For example, if an organization wants to collect proof of vaccination for “health and safety purposes” before allowing a customer to enter a store, it may need to consider a range of factors in determining whether this purpose is reasonable, including:
If an organization can establish that it has a reasonable purpose for collecting proof of vaccination, it will also need to consider the extent of collection (section 11(2)), and specifically whether it needs to record information or if viewing proof of vaccination is sufficient.
Personal information does not need to be recorded or written down in order for PIPA to apply; viewing a certificate or proof of vaccination is a collection of personal information that is subject to PIPA. An organization may be able to accomplish its purpose reasonably by viewing proof of vaccination, and may not need to make a record of the customer’s vaccination.
Before or at the time of collecting personal information, such as proof of vaccination, from an individual, an organization is required to provide notice of its purpose for collecting the information. The organization must also be prepared to provide a customer with the name or position of a person who is able to answer questions the individual may have about the collection of personal information (section 13).
Businesses can make customers aware of their personal information collection practices and the purpose for collection through websites, social media pages, or posters at entrances or other highly visible locations. Another option may be to provide a staff member with a script to describe the personal information collection practice and the reason for the collection at the time of the collection.
In addition to the above obligations with respect to reasonable purpose and notice, organizations will generally require an individual’s consent to collect proof of vaccination (section 7).
Consent under PIPA can be written or oral, and can take many forms (section 8) including an express statement (for example, “I consent to the collection of my personal information for the purpose of...”).
Consent can also be deemed, where the purposes for collection are obvious and the individual voluntarily provides their information, or opt-out, where an individual is told an organization will collect their personal information for a particular purpose and the individual has a reasonable opportunity to decline or object to the collection.
Organizations should note that PIPA prohibits requiring an individual to consent to the collection of personal information beyond what is necessary to provide the product or service (section 7(2)).
This means an organization cannot require an individual to provide proof of vaccination in order to enter a store or to eat in a restaurant, unless collecting proof of vaccination is necessary to meet the organization’s purpose. The threshold for an organization to establish that it is necessary to collect proof of vaccination for a particular purpose, such as store entry, is higher than establishing that it is reasonable. If it is not necessary to collect personal information to provide the service, then the organization cannot require the individual to provide the information and cannot deny the service if the individual refuses to consent.
PIPA prohibits an organization from retaining personal information longer than is required to meet legal or business purposes (section 35). If an organization does not require a record of vaccination for its purposes, it should not create and retain one. If it does record proof of vaccination, it must securely destroy this information once its business purpose has been achieved. It is unlikely that an organization collecting proof of vaccination in order to offer a discount will need to create a record, or retain it for any length of time.
Organizations are also cautioned that if personal information, such as proof of vaccination, is collected for a specific purpose, the information cannot be used for any other purpose, unless the organization obtains the individual’s consent. For example, an organization cannot collect proof of vaccination to offer a free drink or meal, and then add a customer to a mailing list to receive promotional or marketing materials, unless the organization obtains consent and advises individuals of this new purpose.
Customers may make a complaint to the OIPC if they believe that their personal information was improperly collected, used or disclosed.
Copyright 2021 OIPC. All rights reserved.