What are retail best practices for gathering and sharing personal health information in response to COVID-19?
The Office of the Privacy Commissioner of Canada (OPC) has released general COVID-19 guidance on privacy obligations in information-sharing situations during the pandemic. The OPC guidance also includes links to regional privacy regulators’ resources. This is helpful if you are trying to decide how much of someone’s personal information to collect, e.g. if they are sick or you think they might be, and when to share their information with another organization.
Even during the pandemic response, normal privacy laws apply unless emergency legislation provides otherwise.
PIPEDA, which applies to many retailers, only allows you to collect, use or disclose personal information based on meaningful consent and for purposes that a reasonable person would consider appropriate in the circumstances. Generally, exceptions apply when (1) a person is critically ill, (2) a public health authority with legislative authority to request the information is asking (it’s key to check if they’re actually authorized to ask you), and (3) you think someone is breaking a quarantine order. View OPC guidance.