Great questions. Everybody’s so hepped up over mandatory vaccination that they’re overlooking the obvious point that your question raises: Are employers allowed to ASK employees if they’ve been vaccinated? The answer is, in your case, maybe to probably.
Explanation: Whether an employee has been vaccinated is personal medical information that employers aren’t normally allowed to ask their employees to provide. But, as we all know, a pandemic is different. Employers DO have leeway to ask about vaccination if: i. They ask to serve a compelling workplace health need; and ii. They keep the question as narrow as possible to solicit only the info they need to serve the safety purpose and keep the information confidential. Employers in healthcare have the most leeway as far as compelling need is concerned. But food processing is right up there. As for the second part, the best thing I can do is provide you guidance from the one government agency that has actually addressed this issue, the Sask Office Information Privacy, which works equally well in Ontario or any other part of Canada.
The answer to the second question is pretty much the same as the first. It’s all about a compelling health need. Being in food processing puts you in a stronger position to require vaccination. The fact that you’re only making this demand of employees who have been exposed to a COVID case would really strengthen your case for mandating vaccination. Again, though, the privacy rules would apply.
Here’s the guidance from the Sask OIPC:
Can employers ask employees whether they have received the vaccine or request proof of vaccination?
The OIPC did not say that asking employees about their vaccine status, or asking for proof of vaccination, was prohibited. In fact, the OIPC implied that employers may do so in some circumstances and with appropriate privacy protection measures in place. While employers in Saskatchewan, and all provinces, have an obligation to ensure the health, safety and welfare of their workers, this must be balanced with the employee’s right to privacy. Employers should evaluate whether implementing a vaccine verification program is integral to providing a safe workplace and ensure that such a program does not unreasonably infringe on an employee’s privacy expectations.
Key Principles
If an employer determines that a vaccine verification program is integral to the health and safety of its workers, the OIPC advises that, regardless of whether an employer is subject to privacy legislation, the following key principles are best practices:
(1) Establish the purpose and authority for asking for the information and notify employees of the purpose
Employers should determine the purpose for collecting information about an employee’s vaccination prior to implementing any vaccine verification program. Is it to keep the workplace safe? Is it to prevent COVID-19 from being spread from employee to employee, customer or patient?
Once employers have decided to implement a vaccine verification program, the OIPC suggests that employers develop a policy on COVID-19 vaccinations. The OIPC recommends employers use a privacy impact assessment (“PIA”) to assist organizations in assessing whether a proposed measure complies with privacy legislation. However, the OIPC recognizes that current times may demand that employers take a faster approach. So, either a shortened version of a PIA or a policy statement regarding COVID-19 vaccinations is recommended. At minimum, the OIPC says the policy should contain:
- authority for the collection;
- a statement of the purpose;
- a statement as to whether employees will be asked to show a vaccination certificate;
- a statement on possible actions taken based on whether the employee has the vaccination or not;
- a statement on where information will be stored;
- a statement as to who it will be shared with (with public authorities or not); and
- a statement on when the information will be destroyed.
Employers are encouraged to be open and transparent with their employees and should advise them that they will be asking whether the employee has received the vaccine and has a vaccination certificate, and should inform them of the purpose.
(2) Collect the least amount of information to meet the purpose
Employers should collect only what is necessary to achieve the purpose of implementing the vaccine verification program. Examples given by the OIPC of varying degrees of collection include: (i) accepting an employee’s verbal confirmation that they have been vaccinated, or (ii) requiring proof of vaccination but not making a copy of the vaccination certificate.
(3) Share information with only those who need to know
Employers should check relevant legislation prior to using the information collected for any purpose other than the one identified for implementing the vaccine verification program. The OIPC recommends that very few people will need to know whether an employee has received the vaccination and instead only statistical information as to how many employees have received the vaccination should be shared. Employers should not include names or identify who has or has not been vaccinated. This information should be treated like other sensitive health information and as confidential.
(4) Store the information, keep it secure, and destroy it when no longer needed
The OIPC recommends storing employee information related to vaccinations either: (i) in each employee’s HR personnel file, or (ii) in a separate folder for all employees. Employers subject to privacy legislation have an obligation to protect and secure this information (such as in a locked file cabinet or on a computer that is password protected, encrypted and on a secure network). Employers not subject to privacy legislation should still follow best practices.
Personal information should only be kept in accordance with applicable privacy legislation and should only be kept for as long as required to fulfil the identified purpose.
Generally, it is a good practice to destroy any personal information as soon as it is no longer needed. Holding on to personal information unnecessarily increases the risk of a data breach and the severity of any data breach that does occur.
*****
Hope that answers your questions. Glenn