The Office of the Information and Privacy Commissioner (OIPC) has received several questions from organizations and individuals about keeping a customer list or contact log during the COVID-19 pandemic, particularly in retail locations and at restaurants.
The following are some considerations to ensure that organizations comply with Alberta’s Personal Information Protection Act (PIPA) when making and keeping lists of customers and their contact information.
Consent and Notice
Organizations must generally obtain an individual’s consent to collect that individual’s personal information (sections 7 and 8). An organization must also notify an individual about why the personal information is being collected – before or at the time of the collection (section 13). Both consent and notification can be done in writing or orally.
In addition to notifying customers about the purpose for collecting personal information, an organization must also be prepared to provide a customer with the name or position of a person who is able to answer questions on behalf of the organization about the collection of personal information.
Businesses can make customers aware of their personal information collection practices and the purpose for the collection through websites, social media pages, or posters at entrances or other highly visible locations. Another option may be to provide a staff member with a script to describe the personal information collection practice and the reason for the collection at the time of the collection. Other options may be available to a business.
If an organization decides to collect customer information during the COVID-19 pandemic, they are advised to understand their authority to collect personal information and be able to cite their authority under PIPA.
Further, section 7(2) of PIPA says that an organization shall not, as a condition of supplying a product or service, require an individual to consent to the collection of personal information beyond what is necessary to provide the product or service. Organizations should determine whether it is necessary for a customer to provide contact details in order to shop in a store or eat at a restaurant. If it is not necessary, then the organization cannot require the individual to provide the information.
There are circumstances in which consent may not be required, such as if a public health order requires the collection of personal information. Organizations are advised to keep up to date on public health orders, which may require that personal information of customers be collected by some businesses or in certain circumstances. In such a scenario, organizations should also be prepared to notify customers why they are required to collect personal information.
Reasonable Purpose and Extent
PIPA requires that organizations collect personal information only for purposes that are reasonable and only to the extent reasonable for meeting those purposes (section 11).
For example, an organization may decide as a health and safety measure for employees and customers to collect personal information in order to assist contact-tracing efforts during the COVID-19 pandemic. The organization can only collect personal information that would be reasonably required to meet the purpose. For example, it might be reasonable to collect an individual’s name, cellphone number or email address, and the date and time the customer attended the store or restaurant. It is unlikely that it would be reasonable to collect other types of personal information that are not required for the purposes of contact tracing.
Secondary Use Restrictions
Organizations cannot use information collected for one purpose for another, different purpose, unless the individual consents to the new use, or the new use is otherwise authorized by PIPA (section 17). This means, for example, that an organization cannot use personal information collected to contact a customer in the event of exposure to COVID-19 to add them to a mailing or subscription list. The organization would have to obtain consent for this additional purpose.
Another example may be a restaurant that uses an online platform for booking reservations. If the restaurant intends to use the information collected for booking reservations to assist with contact tracing in certain circumstances, they may have to get consent and notify customers before or at the time of the collection that the information may also be used to assist contact tracing efforts during the COVID-19 pandemic. The business may also need to get consent for this new use of information prior to disclosing the customer’s contact information.
If an organization collects a list of customers and associated personal information, it will need to consider how long to retain the information. The organization might want to consider factors such as the period of time public health authorities say it takes for COVID-19 virus to present itself in individuals and how long it might take for someone to be tested and diagnosed with COVID-19 (e.g. Alberta Health’s contact-tracing app retains contact logs for 21 days). PIPA prohibits an organization from retaining the information longer than is necessary for legal or business purposes.
When the information is no longer required for those legal or business purposes, the organization is required to destroy the information or render it non-identifying (section 35).
Organizations subject to PIPA are required to make reasonable security arrangements to protect personal information against unauthorized access, collection, use, disclosure, copying, modification, disposal or destruction (section 34).
Using a single customer sign-in sheet can disclose personal information about one customer to others.
Organizations should consider how they can collect and retain the customer’s personal information in a manner that does not disclose it to others, and ensure that access to this information is strictly controlled by certain employees (e.g. not all employees have access to the information).
If a customer is unclear about why they are being asked to provide personal information, they can ask in what circumstances their information will be used and disclosed. Customers also have a right under PIPA to request access to their own personal information. They may also make a complaint to the OIPC if they believe that their personal information was improperly collected, used or disclosed.