Provincial Health Officer Dr. Bonnie Henry’s order that allowed British Columbia restaurants, cafes and bars to reopen for table service on May 19 includes a clause to gather customer contact information “if practicable.”
Along with mandatory physical distancing protocols and limits on capacity, Henry is requiring establishments to “retain contact information for one member of any party of patrons for 30 days in the event that there is a need for contact tracing on the part of the medical health officer.”
B.C. eateries and drinking establishments range from mom and pop-owned bistros to multinational fast food and premium casual chains. Many already handle customer information before service — namely, reservations. Henry’s order is intended to make it easier for public health officials to find customers and staff who may have been exposed to the virus, to prevent further spread of COVID-19.
Information and Privacy Commissioner Michael McEvoy said that it is mandatory for such post-meal information to be limited and handled carefully.
His office will issue formal, straightforward instructions within days. Until then, McEvoy told theBreaker.news that proprietors have a duty under B.C. laws to collect only the minimal amount of information necessary.
“A name and an email address or name and a phone number is probably a sufficient, obvious means to communicate with people, it has to be collected only for that purpose,” McEvoy said in an interview.
“It shouldn’t be used for other purposes, marketing or some other selling, that information for the third party should only be used for the purpose, if contacted by the PHO because there may have been someone with an infection or at risk. That is the only purpose for which it is used.”
McEvoy said personal information must be properly secured and then securely destroyed at the end of 30 days.
“It is not going to be left out somewhere, it has to be under lock and key,” he said. “The requirement is at law that it is retained for up to 30 days, the expectation is that it would be securely destroyed at the end of that period.”
McEvoy’s office enforces the Personal Information Protection Act, which governs how businesses, corporations, unions, political parties and not-for-profits collect, use and disclose personal information. Under the law, the maximum fine is $100,000.
A recent trend has been toward so-called ransomware attacks, in which hackers have stolen information, from businesses such as LifeLabs and Craftsman Collision, and demanded payment in exchange for not publishing.
McEvoy and Ontario information and privacy commissioner Brian Beamish are collaborating on an investigation about the LifeLabs breach that affected up to 15 million Canadians.
The NDP government has not followed through on a 2017 campaign promise to enact mandatory privacy breach reporting and disclosure.
Support theBreaker.news for as low as $2 a month on Patreon. Find out how. Click here.