Privacy and Body Temperature Taking During COVID-19

  • May 03, 2021
  • Abby Benattar and Wendes Keung

As the pandemic persists, a health practitioner’s office must maintain measures that protect its community’s safety in the most contactless way possible. Biometric kiosks are one way to achieve this objective. Biometric kiosks instantly read a patient’s body temperature as they enter a waiting room, typically without requesting consent. A reading above normal body temperature (above 38°C or 100.4°F in adults) qualifies as a fever—one of the most suggestive symptoms of COVID-19. An above normal temperature reading assists the health information custodian (“HIC”) in determining whether the patient requires a secondary COVID-19 assessment. This current practice carries a host of privacy concerns regarding the expectation of privacy.

Body Temperature as Personal Health Information (“PHI”)

In Ontario, the Personal Health Information Protection Act, 2004 (“PHIPA”) governs PHI such as body temperature.[1] Privacy legislation does not address biometric technologies, which raises an issue pertaining to one of the most important elements of healthcare: consent.

The requirement to obtain consent, either express or implied, is subject to very narrow exceptions.[2] In a non-pandemic world, the collection, use and disclosure of body temperature through biometric kiosks would require consent. However, PHIPA is silent on its interpretation during a public health emergency. As a result, HICs can likely defer to the federal privacy equivalent, the Personal Information Protection and Electronic Documents Act (“PIPEDA”), to fill the gaps on the question of consent.[3]

Based on a reading of PHIPA and PIPEDA together, it appears that a HIC does not require consent to collect, use and disclose a patient’s body temperature through a biometric kiosk during a public health emergency. In March 2020, the Office of the Privacy Commissioner of Canada (“OPC”) released a notice stating that public health situations may constitute an emergency.[4] Under PIPEDA, organizations do not need to obtain an individual’s consent when acting in respect of an emergency that threatens life or health.[5] The OPC’s notice goes further to declare that “[d]uring a public health crisis, privacy laws still apply, but they are not a barrier to appropriate information sharing.”[6] The federal legislation and notice guidelines may help legitimize and permit the simultaneous collection, use and disclosure of body temperature through a biometric kiosk.