In my last post, I discussed whether private employers and other entities can require proof of vaccinations (spoiler alert: I concluded they can, subject to human rights requirements). In this post, I consider how normal expectations of privacy in the workplace are giving way to requirements intended to control the spread of Covid-19.
Increasingly, businesses are requiring employees to get vaccinated (and in some cases, this requirement extends beyond employees to contractors, visitors and others). (For examples, see these stories in The Globe and Mail here and here) For instance, The Globe and Mail reports, Seneca College is requiring proof of vaccination from students, staff, contractors, visitors and parents who visit their children on campus. One estate and family law firm has instituted a vaccine mandate, ready to terminate employees who do not comply, giving them severance.
This route to controlling the spread of Covid in the workplace has become more common in the United States. However, it has also led to tensions in the workplace. (See, for example, this story in The New York Times (“NYT”).) Assuming that employers implement the mandatory proof of vaccination policy, with the required protections for individual employees, we can expect some of the same divisions here (although perhaps to a lesser extent). Expectations about workplace norms around privacy may be threatened by the desire to keep the workplace and employees safe and to avoid future lockdowns.
Some employers are more constrained than others in their ability to identify and distinguish between employees who have been vaccinated and those who are not because they are subject to legislation governing privacy.
In Ontario, the Personal Health Information Protection Act, 2004 (“PHIP”) prevents institutions subject to it from disclosing health information. These are institutions that provide health-care (for example, hospitals) or analogous institutions (such as long-term care homes). The statute does not apply to private employers unless they are providing health care (pharmacies are covered, for instance).
Ontario’s Freedom of Information and Protection of Privacy Act (“FIPPA”) applies to a wide range of public sector institutions, as listed in the Schedule under R.R.O. 1990, O. Reg 460. The province’s Municipal Freedom of Information and Protection of Privacy Act (“MFIPPA”) applies similar provisions to municipal institutions, identified under section 2(1) of the MFIPRA and under O.Reg. 372/91 to the Act.
In addition, the federal Personal Information Protection and Electronic Documents Act applies to organizations within federal jurisdiction, including employers. The federal Privacy Act applies to federal public institutions. Both statutes cover health or medical information.
All these statutes prohibit disclosure of information without the individual’s consent as the norm, but permit it under specified conditions.
For example, section 3 of PHIP identifies a “health information custodian” as someone who has control of health information in the specified institutions. PHIP prohibits disclosure of personal health information by health information custodians without the consent of the individual whose information it is except under certain conditions. Among other reasons, section 40 of PHIP provides as follows: “A health information custodian may disclose personal health information about an individual if the custodian believes on reasonable grounds that the disclosure is necessary for the purpose of eliminating or reducing a significant risk of serious bodily harm to a person or group of persons.”
Under section 11, FIPPA allows for disclosure under its freedom of information provisions “to the public or persons affected if the head has reasonable and probable grounds to believe that it is in the public interest to do so and that the record reveals a grave environmental, health or safety hazard to the public”, but must give notice to the person whose information it is.
Whether these or other provisions would permit an explicit disclosure of vaccination status in the workplace is beyond the purpose of this post. I note, however, that the province has instituted a requirement that long-term care homes (covered by the PHIP under section 3) establish mandatory vaccination policies.
There is also a common law right of privacy. In Jones v. Tsige , the Ontario Court of Appeal recognized a particular aspect of the tort of invasion of privacy, “intrusion upon seclusion” or infringement of one’s private affairs (para. 65). Justice Sharpe, speaking for the Court, reviews various acknowledgements of the importance of the right to privacy. These include the Supreme Court of Canada’s deciding that section 8 of the Canadian Charter of Rights and Freedoms guarantees a right to privacy in Hunter v. Southam and R. v. Dyment (Jones v. Tsige, paras. 39 and 40) and that international human rights documents explicitly identify a right to privacy (Jones v. Tsige, para. 44).
Justice Sharpe refers to La Forest J.’s comment about information privacy in Dyment:
In modern society, especially, retention of information about oneself is extremely important. We may, for one reason or another, wish or be compelled to reveal such information, but situations abound where the reasonable expectations of the individual that the information shall remain confidential to the persons to whom, and restricted to the purposes for which it is divulged, must be protected. (R. v. Dyment, para. 22)
Implicitly, the Ontario Court of Appeal also seems to be ready to accept, where appropriate, the tort of “[p]ublic disclosure of embarrassing private facts about the plaintiff” (Jones v. Tsige, para. 18). (One may better view this as a form of the more general privacy tort rather than a separate tort.)
I am not reviewing the legislative and judicial provisions and commentary relating to privacy beyond these brief references. None of them addresses the specific situation of a private employer’s revealing that someone connected to the workplace has not received Covid-19 vaccinations. I refer to them simply to indicate that concerns about privacy have been treated seriously by the legislature and by the courts and that employers need to be aware of both the restrictive and permissive provisions.
An employer deciding to implement a proof of vaccination policy needs to consider several factors, such as existing workplace policies or collective agreement provisions that govern the situation; the relationship between the nature of the workplace and the risk (in absolute and degree terms) unvaccinated individuals pose to those associated with the workplace; the broader coronavirus environment; and the possible necessity and ability to accommodate those who refuse to get vaccinated or provide proof of vaccination; the willingness to terminate employees who do not comply. All these and other variables may influence the extent to which an employer can justify the terms of a proof of vaccination policy.
One perhaps less obvious issue proof of vaccination policies raise is that the system put in place to address the failure to provide proof may indirectly reveal whether individuals have been vaccinated or not.
At the same time as the increase in employers’ proof of vaccination policies, there are more and more jurisdictions establishing “vaccine passports” or “vaccine certificates”. Quebec has decided to implement a vaccine passport where covid transmission is high; the premier of Nova Scotia has announced the government will initiate a “ScotiaPass” if his party is re-elected.
The difference between these passports and employers’ proof of vaccine requirements is that the former apply to non-essential services, while the latter applies to employment, essential to people’s lives. Proof of vaccination policies in most workplace situations do pose a more serious issue for most people who do not or cannot get a vaccination than whether they can attend a concert. At the same time, those who are vaccinated and perhaps also take care to minimize exposure are in the same situation: for them, their work is essential and they may be willing to forego the concert until the pandemic is under control.
Two questions thus arise: where does the equity lie? and what is the impact on the workplace when employees may be distinguished on the basis of vaccination status? For while the employer may not announce or post lists of who is vaccinated, the options available to the unvaccinated may reveal their status.
Regardless of whether any of the statutory or common law considerations apply, social norms also govern the employer’s actions relating to privacy in the workplace. No employer should reveal to anyone else information about a specific employee (or someone else), short of an overriding reason. This may be reflected in legislation (see, for example, revealing personal information in the case of risk of violence in the workplace under section 32.0.5 of Ontario’s Occupational Health and Safety Act), but the circumstances, such as an emergency, may justify it independently of any legislative permission.
In order to comply with human rights legislation, employers requiring proof of vaccination are likely to establish alternatives to vaccination for those entitled to an exemption under the human rights protections (such as masks or testing or both or working remotely), depending on the nature of the workplace. In some cases, those who object may be moved to a different position that does not pose the same risks (although most positions would pose risks to other employees, presumably).
However, those who cannot make such a claim may be in a different situation: they may face termination if they are not willing to satisfy alternate approaches. (It may also be the case that alternate approaches are inadequate as a substitute; for example, employers may require both vaccination and masks; vaccination prevents serious effects from the virus, while Covid tests reveal someone has Covid after the fact and an employee may have been spreading the virus for a day or two, depending on how often they’re tested.)
The New York Times article to which I referred earlier suggests there may be responses to alternate methods that lead to disgruntled employees or to tension in the workplace. Employers may not explicitly disclose these employees’ vaccination status, but the recourse to other approaches indirectly reveals it. If an employer requires an employee to wear a mask, while the other employees are not wearing masks, it more or less reveals that the person has not been vaccinated. As one employee says in the NYT piece, “this is kind of like a big visual marker of the kind of belief I have…I don’t want this stuff broadcasted out to the world'”.
Nevertheless, the protection of other workers and others who enter the workplace must also be weighed against this individual’s embarrassment or invasion of privacy. Employees and others associated with the workplace may well question why they are put at risk because others insist on their freedom or on the safeguarding of their privacy.
Increasingly, as the pandemic continues and people continue to refuse to be vaccinated (for non-medical reasons), the civility of the workplace, the importance of maintaining privacy of individuals’ personal information may be outweighed by two objectives: keeping the workplace safe; and in conjunction with other policies (such as requiring vaccine passports to engage in non-essential activities), exerting increased control over the spread of the virus. Since the beginning of the pandemic, we have experienced a range of restrictions designed to limit the virus’s impact. The imposition of proof of vaccine policies may be viewed as another one. Put another way, the norms that we accept — explicitly or implicitly– as protecting the individual’s private space may have to give way to the communal good.