COVID-19 Implications for Retailers
COVID-19 has raised many privacy issues for retailers. These include questions like, what information can be collected from customers and employees during temperature checks, as retailers try to keep stores and staff safe? The pandemic has also raised data sharing issues, such as what can be disclosed for contact tracing reasons with health authorities.
In addition, COVID-19 has accelerated the shift to eCommerce and remote work. It has led to an increase in risk from cyberattacks and an even greater emphasis on data analytics to make marketing and merchandising as effective as possible. As the world recovers from the pandemic’s initial impact and navigates the uncertainties to come, broader privacy and data challenges and opportunities affecting retailers are rapidly evolving.
What are the top five things retailers need to know about data protection and privacy during COVID-19?
1. If you get requests for employee or customer information from someone saying they work at a public health agency, make sure you check that the requestor has legal authority to make that request. It’s unusual for a health authority to be able to request that kind of data from a private company.
2. Choose someone on your team to be specifically accountable for dealing with personal information. They can start by documenting and understanding how you collect and share customer information and should handle requests such as those described in #1 above.
If you choose to pursue customer or employee screening using temperature checks with thermometers, scanners, or thermal cameras, make sure someone is tracking and documenting how you collect, use and disclose all that sensitive personal information.
3. Communicate to people about how you are handling their information, especially in COVID-19 health data situations, and try to provide them with a sense of control over how you use their information where possible.Individual consent is an important privacy principle. While this may not always be possible in a health data sharing situation, it’s generally good practice to make best efforts and at least let the person whose information you have shared know after the fact.
4. Limit the personal information that you collect and only keep what you need to achieve your purpose. Are you currently collecting any personal information that you do not actually need for the purpose for which you’re asking for it? Are you keeping it past when you need it? Stop gathering what you don’t need and consider deleting unnecessary information if you do have it.
5. Assess your cybersecurity. Cyber risk has increased during COVID-19. Assess your cyber health, especially if a lot of your staff are working remotely. If you are considering new technological investments to navigate the new COVID-19 omnichannel sales environment, safeguarding personal data you hold is essential.
Some cyber security considerations:
- Are all employees using up-to-date virus protection?
- Are your video conferences protected?
- What role do your vendors play in your cybersecurity (and privacy) plans?
- The market for cyber insurance is changing rapidly. You may wish to assess your insurance coverage.
Cybersecurity guidance resources:
Answers to Frequently Asked Questions on COVID-19 privacy for retailers
- Generally, collect as little information as possible and keep it for as short a time as possible. Read the order closely. If it says something like, ‘Gather name and phone number from one person per party,” take only that.
- Store the contact information you collect somewhere secure. ‘Analogue’ methods include writing the information in a book and storing that book behind lock and key overnight. If you choose to use a digital method of collection and storage, such as a reservation app, do some quick research to understand more about how this third party will treat your customer information: will they keep it safe without using it for additional purposes? (Generally, retailers can still be held accountable for what happens to personal information that they collect and then share with other companies).
- Delete the information after the required time period
- If someone asks you for this information for contact tracing purposes, make sure you get some evidence from them that they are from a public health authority with the power to make this request. If and when you do share information you’ve collected, it’s wise to document why you did so and who you shared it with. There are privacy regulators empowered to make inquiries if someone complains that you mishandled their personal information, in which case having records and demonstrating good practice could help you.
Retailers may wish to consider cyber insurance, or to assess their current coverage if they already have it. The cyber insurance market is evolving rapidly.
If you choose to improve your cyber maturity during this period, be aware that sensitive communications on cyber risk might be subject to disclosure requirements in regulatory investigations and litigation if a cyber incident occurs. Consider implementing a legal privilege strategy as you navigate cyber risk management so that your communications are privileged, where appropriate. View more information and links to Canadian COVID-19 fraud and cybersecurity guidance.
The pandemic has driven a rapid switch to online transactions, including remote work and web and phone order processing and fulfillment. People can take advantage over the internet of a product’s known vulnerabilities (e.g. old security software), as well as human error and habit (e.g. emails that trick staff into opening malicious links and attachments, called phishing), in order to access sensitive business and personal information.
Phishing, videoconferencing vulnerabilities, malware and simple mistakes are only some of the increased cybersecurity risks. Of course, not all fraud risks are necessarily cyber risks. For example, reported COVID-19 scams include fraudsters posing as public health agencies to get personal information (retailers should always check that someone asking them for this data has legal authority to do so) and posing as vendors selling COVID-19 tests.
Retailers seeking to protect themselves against heightened fraud and cybersecurity risk must look to their people (e.g. training), processes (e.g. Bring Your Own Device (BYOD) policies) and technologies (e.g. updated virus protection, videoconferencing safety).
- View more information and links to Canadian COVID-19 fraud and cybersecurity guidance.
- View federal Privacy Commissioner videoconferencing tips.
Cybersecurity guidance specifically for small and medium businesses exists and could be useful to many independent retailers. View resources.
The Office of the Privacy Commissioner of Canada (OPC) has released general COVID-19 guidance on privacy obligations in information-sharing situations during the pandemic. The OPC guidance also includes links to regional privacy regulators’ resources. This is helpful if you are trying to decide how much of someone’s personal information to collect, e.g.: if they are sick or you think they might be, and when to share their information with another organization.
Even during the pandemic response, normal privacy laws apply unless emergency legislation provides otherwise.
PIPEDA, which applies to many retailers, only allows you to collect, use or disclose personal information based on meaningful consent and for purposes that a reasonable person would consider appropriate in the circumstances. Generally, exceptions apply when (1) a person is critically ill, (2) where a public health authority with legislative authority to request the information is asking (it’s key to check if they’re actually authorized to ask you) , and if (3) you think someone is breaking a quarantine order. View OPC guidance.
Retailers may receive requests from other organizations to share information that would identify an individual. Few circumstances legally require a private company to share someone’s health information with the government.
Before you share any information, verify whether the organization, e.g.: a health authority, has a legal basis for requesting it, or if they are just asking you to cooperate.
If you do share a person’s information, assess the request carefully. Taking care what information you release, why, and to whom will help you reduce regulatory, litigation and reputational risk. Whether you are legally required to share someone’s personal information or not, documenting how you analyzed privacy considerations in the process of deciding to share that information would be wise. Privacy principles such as accountability, transparency, consent and limiting data collection and sharing still apply. View more legal information
Individual screening, such as temperature testing, is technically permissible, yet must be approached very carefully. Be aware that government guidance in this area is sparse yet rapidly evolving. First, avoid any impression of screening customers for any reason beyond a belief that the customer may be exhibiting COVID-19 symptoms. Second, if it is felt that temperature testing is advantageous, take great care to do so in accordance with Canadian privacy principles, e.g. be mindful of consent and of limiting and protecting the personal information that is obtained and shared. Also, staff taking customer temperatures must continue to follow the usual care in observing 2 meter physical distancing limits and other health precautions.