Skip to main content

Volunteer medical staff deliver COVID-19 booster shots in Ottawa, on Dec. 20, 2021.Justin Tang/The Canadian Press

Brace yourselves, business leaders. Your pandemic pandemonium is entering its next wave.

Tracking booster shots, protecting employee privacy and detecting vaccine passport fraud are among the emerging risks facing businesses as COVID-19 case counts surge yet again.

Many companies, including airlines, banks and telecoms, have already adopted vaccine mandates that require workers to be fully vaccinated as a condition of employment. But those policies were conceived when a two-dose series was the recommended protocol for most COVID-19 vaccines.

These days, however, provinces are ramping up the delivery of booster shots, reimposing pandemic restrictions and strengthening proof-of-vaccination rules to slow the spread of the highly transmissible Omicron variant of the coronavirus. Those moves will, in turn, force businesses of all kinds to update their own workplace policies and procedures.

Board members, senior executives and company lawyers all have a role to play in pandemic risk management. But let’s face it, in practice, enforcement of corporate policies, such as vaccine mandates, will ultimately fall to already-stretched human resources departments.

25 million Canadians need a COVID-19 booster – and they need it now

The Omicron COVID-19 variant has sparked global concern and prompted new travel restrictions. Here’s everything you need to know

“HR is the pointy end of the stick, typically, in dealing with this,” said John Moore, founder and vice-president of sales and marketing at Assurify Inc., which helps companies carry out vaccine mandates. “They don’t want to have to spend all of their time managing COVID.”

Unfortunately, as Mr. Moore correctly points out, many pandemic policy issues that businesses faced during earlier waves of infections are returning to the forefront.

Companies that have vaccine mandates, for instance, will have to decide whether their definition of a fully-vaccinated employee should be revised to include booster shots now that some provinces are expediting the rollout of third doses for adults.

Businesses must also again decide whether they will rely on employee attestations or if they will also require workers to provide updated vaccination passports as proof of status. Since the timing of booster shots can vary by province and be influenced by other factors such as vaccine shortages, companies must think carefully about setting deadlines for workers to provide such documentation.

Companies that require proof of booster shots will also have to decide whether it is sufficient to visually review those updated vaccine passports and if there is a legitimate reason to retain copies.

The trouble is, even if a business can justify storing the personal health information of its employees, it’s unclear how long the company should keep that data. That’s because no one knows how long this pandemic will last or when vaccine mandates will expire, if ever.

Even so, privacy watchdogs have already offered some guidance on the matter.

“Any personal health information collected through vaccine passports should be destroyed and vaccine passports decommissioned when the pandemic is declared over by public health officials or when vaccine passports are determined not to be a necessary, effective or proportionate response to address their public health purposes,” federal, provincial and territorial privacy commissioners wrote in a joint statement this past May. “Vaccine passports should not be used for any purpose other than COVID-19.”

That’s why it is crucial for companies to ensure that their data management policies and practices comply with provincial, territorial and federal privacy laws.

Similarly, businesses can’t afford to be caught flat-footed by impending legislative changes. Prime Minister Justin Trudeau, for one, has already signalled his government’s intention to strengthen privacy protection for consumers.

“Vaccine certificates are personal health information, so that’s among the most sensitive data that you hold. It’s not something that you would want shared,” said John Heaton, a cybersecurity partner at KPMG in Canada. “The same with, if you had an exemption, you wouldn’t want that shared widely with everyone else because maybe you have a particular condition – you have a reason.”

He advises employers to think carefully about whether they really need to retain copies of vaccine certificates. What’s more, they must restrict who within the company has access to those employee health records. Tiered access, as it is known, should probably be limited to HR professionals.

Companies that have operations in other countries, including the United States, should also be mindful of jurisdictional differences, Mr. Heaton said. The state of Florida, for instance, passed a law on Nov. 18 banning vaccine mandates.

And if that wasn’t enough for businesses to contend with during this stage of the pandemic, vaccine passport fraud by customers and employees is also creating challenges.

Some businesses are already conducting spot checks to validate provincially-issued QR codes, Mr. Moore said. But will companies require other tools in the future to detect fake vaccine certificates?

The prevalence of vaccine documentation fraud is unknown. But it is enough of a problem that the Ontario government, for example, is extending the use of its COVID-19 passport program and will require all vaccine certificates to include a digital QR code to cut down on forgeries.

“The complexity of managing those things as an employer to make sure that everybody is compliant gets a little unwieldly,” Mr. Moore said.

So folks, be extra kind to your company’s HR professionals. Sure, it’s easy to slag them as corporate villains, but there’s no doubt they’ll be stuck in pandemic policy purgatory over the coming months.

Your time is valuable. Have the Top Business Headlines newsletter conveniently delivered to your inbox in the morning or evening. Sign up today.