Privacy experts raise red flags as Ontario first responders get access to COVID-19 info

Ontario’s new emergency order allowing first responders to obtain someone’s personal information and COVID-19 status doesn’t do enough to protect that personal data, privacy experts say.

The text of the new regulation doesn’t specify how the identifiable data should be handled or what happens to it after the province’s state of emergency ends, said Ann Cavoukian, the province’s former information and privacy commissioner.

“I want some clear limitations on what people are permitted to do with it,” Cavoukian said in an interview Tuesday.

“Maybe they are authorized to receive it, but they should not be permitted to disclose it. There should be very, very firm boundaries around who they can share it with — and ideally, but they’re not permitted to share this data.”

The Ontario government announced Monday it’s allowing first responders across the province to request and obtain someone’s name, address, birth date and whether they’ve tested positive for the novel coronavirus from licensed labs and medical officers of health.

In a news release, the government said it’s “crucial” those frontline workers have access to that “critical information” to protect themselves and the public when responding to an emergency.

Police officers, other members of police forces, First Nations constables, firefighters, employees of a fire department, paramedics and communication officers (as defined by the Ambulance Act) are all listed as people authorized to request COVID-19 status information.

‘Kind of a blanket authorization’

Teresa Scassa, a law professor specializing in privacy at the University of Ottawa, said she’s concerned the regulation only specifies who can access the data and not for what purposes the information can be disclosed.

“It’s a kind of a blanket authorization.”

“It does not specify that it is for the specific purposes of responding to a call, enforcing a law or any of those things linked to their specific duties,” she said.

“My concern is that by leaving it open-ended, there’s actually nothing in this regulation that would stop one of the designated persons from just calling up and asking about their next-door neighbours.”

Without that clarity, it would also be difficult for someone to ever prove whether their information was improperly disclosed under this order, said Scassa, who holds the Canada Research Chair in Information Law at uOttawa.

Scassa said she’d also like to see the regulations specify that a log of these COVID-19 status requests will be kept — including when the information was requested, why and by whom — to ensure “oversight and accountability.”

“It’s those kinds of things that prevent abuse,” she said. “I don’t have anyone specific in mind in suggesting that there may be abuse. But the reality is that all of these systems are abused.”

The new emergency measures also place no restraints on how the people who obtain the data handle it and how the data is stored after it’s been obtained, Cavoukian argued.

“There should be deadlines,” she said. “If you’ve made use of the information, then delete it securely. It cannot continue indefinitely.”

There’s also no mention of penalties in the regulation for sharing the identifiable data with people not authorized to see it, argued Cavoukian, who leads the Privacy by Design Centre of Excellence at Ryerson University.

Government has ‘confidence’ emergency services will protect info

In announcing the measures Monday, the government said: “Strict protocols will be enforced to limit access to this information and will only be used to allow first responders to take appropriate safety precautions to protect themselves and the communities they serve.”

Asked for more information about those protocols on Tuesday, a spokesperson for the Ministry of the Solicitor General said police, fire and paramedic services have “well-established processes in place regarding the protection of personal information as required under provincial privacy laws.”

“We have complete confidence in these emergency services to take appropriate steps to protect an individual’s personal health information and use that information only for the purpose of protecting frontline responders,” Brent Ross said in a statement to Global News.

The Ministry of the Solicitor General and the Ministry of Health are working together to develop an “information portal” to carry out the “time-limited” emergency order.

The COVID-19 status information will be “made inaccessible to first responders” once the state of emergency has been lifted and any personal information collected, used or disclosed under the order will be subject to “all applicable laws with respect to privacy and confidentiality when the emergency is over,” Ross said.

Order lacks ‘firm end date’, Cavoukian argues

Cavoukian said the lack of “a firm end date” for the order makes her “nervous.”

Under Section 7.0.8 of the Emergency Management and Civil Protection Act, emergency orders only stay in effect for 14 days, but a subsection allows the government to extend them during an emergency for periods of two weeks.

Another subsection permits the government to extend an order for 14 days after an emergency is terminated if the extension is “necessary to deal with the effects of the emergency.”

In this case, the new order on sharing COVID-19 information with first responders is set to be revoked on April 17, unless it’s extended. But the length of the emergency could be “extensive,” Cavoukian argued.

“That’s my fear here, is that whatever measures they introduce will just continue,” she said.