Decisions/Federal (Canada)/Privacy Act/Investigation into COVID-19 vaccination attestation requirements established by Department of National Defence for members of the Canadian Armed Forces

Federal (Canada)Office of the Privacy Commissioner of CanadaPrivacy ActNot well-founded

Investigation into COVID-19 vaccination attestation requirements established by Department of National Defence for members of the Canadian Armed Forces

Organization: Department of National Defence

Decision: May 30, 2023Published: May 30, 2023

Official Decision ↗Bookmark View Governing Law

Plain-Language Summary

This investigation examined the COVID-19 vaccination attestation requirements established by the Department of National Defence (DND) for members of the Canadian Armed Forces (CAF). The Office of the Privacy Commissioner of Canada (OPC) found that DND/CAF had the authority to collect this information under the National Defence Act and Part II of the Canada Labour Code. The use and disclosure of the information were generally consistent with the purposes for which it was collected. Although DND declined to implement a recommendation to strengthen oversight of access controls in the Monitor MASS system, the OPC found no instances of inappropriate access or disclosure. The OPC also determined that DND took reasonable steps to ensure the accuracy of the vaccination status information collected.

Key Issues

Whether DND/CAF's collection of COVID-19 vaccination status information directly related to an operating program or activity of the institution.
Whether the use of collected vaccination status information was authorized under section 7 of the Privacy Act.
Whether the use of the Monitor MASS system resulted in unauthorized disclosure of information.
Whether DND/CAF took reasonable steps to ensure the accuracy of vaccination status information.

Outcome

Complaints not well-founded

Reasoning

The OPC concluded that DND/CAF's collection, use, and disclosure of COVID-19 vaccination status information complied with the Privacy Act. The measures were found to be directly related to the institution's operating programs, such as ensuring workplace health and safety and operational readiness, and were used for the purposes for which they were collected.

AI-generated summary for reference only. Always verify against the official decision ↗

Decision Notes

Recommended action / remedy

The OPC recommended that DND/CAF implement measures to periodically validate that units properly review and revoke permissions that provide access to CAF members' sensitive information in Monitor MASS, but DND declined to implement this recommendation.

Statutory provisions cited

section 4 Privacy Act
section 7 Privacy Act
section 8(1) Privacy Act
section 8(2)(a) Privacy Act
subsection 6(2) Privacy Act
sections 4 and 18 National Defence Act

This summary is informational only and not legal advice.