June 24, 2021
Business owners throughout the Province are excited at the prospect of their operations returning to normal over the coming weeks and months. However, they are also keenly aware of the need to manage the transition in a manner that reduces the risk of COVID-19 transmission associated with increased customer contact.
Obviously, one of the keys to managing this risk is COVID-19 vaccination in our communities.
This leaves many businesses wondering how to manage contact with customers who may be unable or unwilling to be vaccinated. A common question is whether a business can lawfully request proof of vaccination from customers and, if so, whether they may refuse service to those who do not confirm that they have been vaccinated.
ABLE BC Associate Member and Employment Lawyer Ryan Anderson and his firm (Mathews, Dinsdale & Clarke LLP) offer some guidance, as follows.
Can We Ask Customers To Confirm Their Vaccination Status?
The short answer is, yes, but only if the applicable human rights and privacy-related obligations are carefully considered and adhered to.
Human Rights Obligations
Businesses in B.C. generally have the right to refuse service to customers, but in some circumstances this right is limited by provincial human rights legislation.
In B.C., the Human Rights Code (the “Code”) prohibits the refusal of services or facilities customarily available to the public where that refusal is based on certain “protected grounds”. Protected grounds include disability and religion.
Since a refusal to receive a vaccine may be validly based on a protected ground – i.e. for reasons associated with a disability or one’s religion – a policy that treats non-vaccinated individuals differently by refusing to provide them goods or services could be considered unlawful discrimination. Businesses considering such policies should be aware of their duty to accommodate customers who have remained unvaccinated for reasons protected under the Code.
To address this concern, businesses should carefully consider whether customers who indicate they have not been vaccinated could be provided access to the goods or services they are seeking in other ways. A refusal to consider any form of accommodation – i.e., a total denial of service – will only be justifiable if the business can establish that there is no reasonable accommodation available without imposing an undue hardship on the business.
For private businesses in B.C., the Personal Information Protection Act (“PIPA”) governs the collection, use and disclosure of personal information. A customer’s vaccination status constitutes personal information under PIPA and a business may only collect and use such information for purposes that a reasonable person would consider appropriate in the circumstances, and if the customer has provided valid consent. Note that consent can be implied where the purpose for collection is obvious to a reasonable person and the individual voluntarily provides their personal information.
If a business seeks disclosure of a customer’s vaccination status, it must provide notice to the customer and explain the purpose for which the information is being collected. Merely asserting that a request for proof of vaccination is required for “health and safety purposes” may not be considered sufficient, particularly if other measures that do not require the collection of personal information could be just as effective (e.g. physical distancing, masks and other hygiene practices).
Importantly, PIPA prohibits a business from requiring an individual to consent to providing their personal information as a condition of supplying a product or service, unless doing so is “necessary” to safely provide the product or service – i.e., there are no equally effective and less privacy-intrusive measures available.
In the current context of the pandemic, for many businesses it would seem plausible that there is no other measure that could be nearly as effective as a vaccine. That said, federal, provincial and territorial privacy commissioners have adopted a fairly strict view of the statutory obligations associated with privacy rights.
In a joint statement released by the privacy commissioners, in the context of the potential use of “vaccine passports”, it was indicated that requesting disclosure of personal health information in exchange for goods, services and/or access to a business would only be permissible under the applicable privacy legislation if the collection of such information was “necessary” and likely to be effective, and where the risks of making such requests are proportionate to the public health purpose of the requests.
Notably, the statement also indicates that consent may provide sufficient authority for private businesses to require proof of vaccination to enter a premises or receive a service, if that consent meets all of the following conditions:
- it is voluntary and meaningful, based on clear and plain language describing the specific purpose to be achieved;
- the information is necessary to achieve the purpose;
- the purpose is one that a reasonable person would consider appropriate in the circumstances; and
- individuals are given a true choice, i.e. consent is not required as a condition of service (this likely means that an alternative means of service must be provided, if possible).
To mitigate the risks associated with collecting customer vaccination status, businesses should consider the following best practices:
- Carefully assess all available accommodation measures – that is, consider alternative ways the business might provide goods or services to unvaccinated customers in a manner that addresses the safety concern.
- Conduct an objective assessment of the COVID-19 transmission risk associated with customer contact and determine whether:
- there is a reasonable purpose for collecting proof of vaccination; and
- whether collecting proof of vaccination is necessary to achieve this purpose and proportionate to the risk being addressed.
- Prepare a clear statement for customers that:
- notifies them of the purpose for which proof of their vaccination is being collected;
- confirms that the customer’s vaccination status will only be used for this purpose;
- emphasizes that disclosure of vaccination status is voluntary and gives them a reasonable opportunity to refuse; and
- where appropriate, accommodates customers who indicate they have not been vaccinated, or have chosen not to disclose their status, by directing them to alternative processes for accessing the services or product(s) the business is offering.
- Designate one or only a few employees who are trained to collect vaccination status information and will be available to answer questions from customers about the collection of their personal information.
- Consider only requesting to view proof of vaccination, without recording or retaining such information.
- If information is being retained, securely store it only for as long as necessary and then delete any record of it.
In sum, businesses should be cautious when considering whether to request proof of vaccination from customers. Without careful forethought and planning, the collection of vaccination status information could result in claims of discrimination under the Code or risk violating applicable privacy legislation.
The information provided above is purposefully general in nature and does not constitute legal advice. A customer vaccination status policy should always take into account all of the specific circumstances of the business and its operations. It should also be noted that future legislative or other policy changes, as well as the general risk of community transmission, may later impact the assessment of whether a business may require proof of vaccination from customers. Ultimately, it is always prudent to seek legal advice to address the unique nature of each case.
If you have any questions or concerns or would like assistance in drafting a policy for your workplace, we encourage you to contact Ryan: firstname.lastname@example.org or 604-638-2042.