B.C. restaurants must protect the personal information they collect from customers under a May 22 order from provincial health officer (PHO) Dr. Bonnie Henry.
Henry's May 22 order tells food and drink establishment operators they "must collect the first and last name and telephone number or email address of one member of every party of patrons and retain this information for 30 days, in the event that there is a need for contact tracing on the part of the medical health officer." The date of the restaurant visit is also recorded.
However, the collection of that personal information is subject to provincial privacy laws.
"The purpose of collection is for the local medical health officer to conduct contact tracing if someone who visited the establishment is diagnosed with COVID-19," provincial Information and Privacy Commissioner Michael McEvoy said in a guidance document.
He said that data should be collected from one member of a party, not from all members of that party.
"At the time of collecting a patron's contact information, clearly explain what information you are collecting and why," McEvoy said, suggesting a copy of Henry's order be kept handy.
"Do not collect a patron's physical address or other contact information such as where they work," McEvoy said. "Do not use or disclose the collected information other than to provide to the PHO upon request."
If information is shared with the PHO (the only organization with which it should be shared), details of that transaction should be recorded.
And, McEvoy stressed, "do not use the collected information for other purposes, such as marketing or analytics."
Any collected information should be kept for only 30 days.
"Routinely and securely destroy information collected after 30 days," McEvoy said. "A suggested practice would be to delete 31-day-old information at the same time you add daily contact information. Any papers containing personal information should be securely shredded rather than just placing them in a garbage can or recycling bin."
And, before the information is destroyed, it must be secured.
"It should be stored in a locked file cabinet. If you are storing the list on a computer, make sure the computer is password protected, encrypted, and on a secure network. Position computer monitors so that personal information displayed on them cannot be seen by visitors."