The COVID-19 public health crisis has taken a toll on all industries, including the mining sector. Many organisations are taking active measures to contain the spread of the virus, and such measures often result in shifts in the workforce. As we start to see public health restrictions lifted across the world and some employees returning to work, new practices are also being adopted in order to keep workplaces safe and infection free. Inevitably, these workplace adjustments are creating various challenges, including concerns related to privacy and data protection. Where mining companies collect, use and disclose personal information from their employees or others to prevent or manage the risks associated with COVID-19, employers’ actions must be guided by applicable privacy laws.
Privacy legislation 101
Privacy legislation is aimed at protecting “personal information”, which is generally understood to mean information about an identified or identifiable individual.
In the COVID-19 context, and considering that miners cannot work from home and are often confined to work in closed and tight spaces, mining companies have started collecting new types of personal information to safeguard the mine site. This includes the collection of personal information for purposes of contact tracing, health monitoring, and employee surveillance.
Much of the personal information collected in relation to COVID-19, such as body temperature, symptoms and test results, is often considered to be “personal health information” and deemed “highly sensitive” under various privacy legislation. Because of its sensitivity, this type of information typically attracts special obligations when it is collected and used.
What is at stake?
There are at least four types of privacy risks that arise in the COVID-19 context: reputational damage to the organization’s brand or goodwill, regulatory risk in the form of fines and orders levied by regulators, litigation risks from aggrieved parties, and theft and fraud caused by opportunistic cyber criminals or disgruntled employees exploiting inadequate privacy controls for their own gain.
These risks are arguably elevated in light of the circumstances surrounding COVID-19. The vulnerabilities and privacy risks are diverse and include the inadvertent disclosure of personal health information collected from employees or visitors to the mine site, phishing attacks disguised as emails from concerned “clients”, and data breach risks due to employees working remotely and processing personal data from their homes.
Privacy principles to keep in mind
Generally, employees have the right to privacy in the workplace and a legitimate expectation that they can keep their personal lives private. Mine sites are often located in remote locations and employees may live at the work camp for extended periods of time, in close proximity to other workers on site. This reality poses additional concerns about the privacy of such employees and the mining company’s obligations to preserve the safety of employees while on site. While legislation in certain jurisdictions may not offer privacy protections to employees, it is good business practice for mining companies to ensure that the personal information of their employees is adequately protected. In adopting any workplace policy, the role of the mining company is therefore to attempt to balance its own business interests and entitlement to employees’ information with the expectation of employees to their privacy. Any action must be based on the following principles:
- Have a legal basis for the collection, use and disclosure of the personal information (e.g., consent, legitimate purpose, etc.), where required.
- Keep collection, use and disclosure of personal information at a minimum.
- Be clear, open and honest and provide employees and visitors to the mine site with sufficient information to understand what information you collect and why, and the consequences of processing their information.
- Be reasonable, fair and proportionate. If it feels excessive then it probably is and you should not do it. Workplace practices are more likely to be appropriate if they appear reasonable, fair and proportionate to the risks caused by COVID-19.
- Keep the information secure and only for as long as is necessary.
- Inform individuals of their rights, such as the right of access or rectification, where available.
- Always check local rules in your area of operation before proceeding with any action.
Humanity has a common goal: to eradicate the virus as soon as possible. To do that there are certain norms that we all have to respect to stop the spread of the disease. While management and head office staff of mining companies may be able to do their work remotely, workers at the mine site or in a lab are unable to shift to remote work, and it falls on the mining employer to offer protections and impose procedures that minimize the exposure of those individuals to health-related risks.
Besides remote working where possible, mining companies may consider the following solutions to minimize the spread of COVID-19. Since all these solutions entail the collection of personal information from employees, mining companies are strongly encouraged to observe the privacy principles above as a good business practice.
- Contact tracing has been heralded as one of the most effective ways to identify and stop potential outbreaks before they become prevalent. Using this technology on mine sites or facilities allows mining companies to determine whether other employees or mine site visitors may have been exposed to COVID-19, in the event an infected person is identified at the mine site. There are contact tracing solutions that may confine the tracking to the mine site, thus minimizing the impact on the privacy of individuals outside working hours.
- Vital signs monitoring, such as body temperature testing and tracking and symptoms testing, using cameras or wearable technologies. These solutionsdisclose personal health information and monitor the health of mining employees. We caution however that this solution may not be appropriate in all circumstances. Before engaging in such monitoring and testing, consider whether the workplace can be protected by less privacy-intrusive means. If necessary, try to limit such testing and monitoring to employees working inside the mine shaft or within confined spaces and only perform such testing and monitoring when absolutely necessary.
- Employee surveillance may be appropriate in certain situations to monitor whether mining employees are observing health and safety measures and to assist with contact tracing in mining site environments where other means of tracing are not available or difficult to deploy. Be mindful that employees may not always expect to be monitored via video surveillance systems in their day-to-day work, so consider the availability of less privacy-intrusive ways to achieve the same result. Most importantly, post notices conspicuously in the workplace to inform mining employees and visitors to the mine site what information is collected, why you are collecting it, whom you will be sharing it with, and how long you will keep it.
If you become aware of a COVID-19 case at a mine site, you should alert individuals who have been subject to a credible transmission risk, without disclosing details that might identify the individual who caused the COVID-19 transmission risk. Before disclosing personal health information about employees to health authorities, make sure to check public health guidance and any privacy obligations to determine whether there is a legal disclosure obligation.
In light of these changes, mining companies with active mine site operations should consider:
- Reviewing and updating existing guidance and policies affecting privacy obligations, including privacy policies, employee contracts, job postings, as well as on site and remote working policies;
- Reminding staff of the controls the organization has in place to mitigate privacy risk associated with working at the mine site;
- Perform ad hoc training where required for individuals who are not used to working from home or for roles that are not normally performed from home; and
- Raise workforce awareness around key privacy issues, such as any changes to policies as a result of COVID-19 and the COVID-specific privacy threats, such as phishing emails and the inadvertent disclosure of employee information.
A word of caution
The specific rules governing COVID-19 workplace practices vary considerably from one jurisdiction to another, often as granular as orders at city or district level. Therefore, before taking any action, you should check local government guidelines and consult with external advisors to ensure that you are in compliance with the law. You should also consider any specific regulations or requirements within your jurisdiction that may apply outside the privacy context, including employment law as well as general health and safety requirements.
If in doubt, reach out
Dentons Canada’s Privacy and Cybersecurity team has the multidisciplinary knowledge and experience to help you implement these solutions in compliance with applicable rules and legislation while limiting regulatory risks. Please feel free to reach out to us if you have any questions.