Privacy considerations for your workplace: Collecting personal information regarding COVID-19
24 March 2020
Agencies and organisations around the world are collecting significant volumes of information relevant to COVID-19. However, despite these unique and unprecedented times, agencies and organisations that are subject to the Privacy Act 1988 (Cth) (Privacy Act) [1] or the General Data Protection Regulation (GDPR) [2] must continue to collect only personal information that is reasonably necessary for, or directly related to, one or more of their functions or activities.
Further, agencies and organisations also have obligations to provide a safe workplace and do all that is reasonably practicable to ensure the health and safety of their employees, clients and visitors. As such, subject to some limitations regarding the collection of health information, organisations can collect personal information that is reasonably necessary for the prevention and management of COVID-19.
So what information can we collect?
Agencies and organisations should take guidance from Commonwealth and State Departments of Health as to what specific information they should be collecting to identify risk and put in place appropriate controls for health and safety, and be aware that this may be subject to change at short notice. At the time of publishing, this includes:
- whether an individual has tested positive for COVID-19 or has been exposed to a known or suspected case of COVID-19; and
- whether an individual or close contact has travelled interstate or overseas, and to which countries.
Agencies and organisations should also be aware that some personal information which they will be collecting in the coming weeks and months will be “health information” (a type of sensitive information) for the purpose of the Privacy Act (for example, any symptoms and diagnosis of individuals or close contacts). The collection, use and disclosure of sensitive information is subject to additional controls under the Privacy Act.
Importantly, agencies and organisations are generally required to obtain an individual’s consent to collect health information. Whilst you would normally expect individuals to provide this consent, sometimes it may be refused, or otherwise unreasonable or impracticable to obtain. If that occurs, you may be able to rely on an exception contained in the Privacy Act (section 16A) known as a “permitted general situation”. This arises where it is unreasonable or impracticable to obtain the individual’s consent and the collection of sensitive information is necessary for lessening or preventing a serious threat to the life, health or safety of any individual, or to public health or safety. As time progresses, this is likely to become more and more relevant.
Importantly, the Privacy Act also contains an “employee records” exemption: the handling by a private sector organisation of an employee record, where that handling is directly related to the employment relationship, is excluded from the operation of the Privacy Act. This exemption applies to organisations only, not to Commonwealth agencies, and only to information about current and former employees (not contractors or visitors). Organisations could argue that the ability of an employee to work at their office is directly related to their employment, and therefore that consent to provide that information is not required. This will need to be assessed on a case by case basis, and in light of current Government guidelines.
Use and Disclosure of Personal Information – What can we tell our staff and visitors?
Agencies and organisations are permitted to use and disclose sensitive information for the primary purpose for which it was collected, for a directly related secondary purpose that the individual would reasonably expect, for any purpose where the individual has provided consent, or where another exception applies such as a “permitted general situation” as explained above.
The primary purpose for collecting information regarding COVID-19 will be to prevent risk to the health and safety of others. As such, agencies and organisations can disclose to their staff and visitors when an individual has tested positive for, or may have been exposed to, COVID-19. However, agencies and organisations should limit the use and disclosure of that information where possible. The Office of the Australian Information Commissioner (OAIC) recommends using and disclosing personal information only on a “need to know” basis. For example, if an employee or visitor to your workplace tests positive for COVID-19, it may not be necessary to advise your entire workforce of that individual’s identity. It may only be necessary to advise their immediate team members or those with whom they had close contact, and the rest of the workforce can often be told that a case has occurred without naming the person.
As noted above, where it is unreasonable or impracticable to obtain consent for use and disclosure of such information, the permitted general situation described above regarding serious threat to life, health or safety of any individual or to public health or safety (or another exception) may apply.
Working from Home
With a significant increase in the number of employees now working remotely or from home, it follows that sensitive and confidential information will be accessed from your employees’ homes as well. Where this occurs, agencies and organisations have an obligation under the Privacy Act (Australian Privacy Principle 11) to take reasonable steps to protect the personal information they hold from misuse, interference, loss, and unauthorised access, modification or disclosure. That obligation follows the information to wherever it is accessed, including an employee’s home.
The level of security required will be linked to the sensitivity of the information you are holding. For example, medical records will require greater security than general correspondence. It is also important to keep in mind the likely behaviour of employees rather than simply applying rigid rules that are not workable in practice; controls that are too inconvenient tend to be bypassed (for example, by forwarding documents to a personal email account), which leaves you with less protection than a simpler control that staff will actually follow.
Some practical steps you may wish to consider include:
- Only work-related accounts and devices should be used. If a personal computer must be used, a secure connection to your systems should be established, either via a virtual private network (VPN) or, preferably, a virtual desktop environment. A VPN protects the connection, but any documents downloaded still end up on the personal computer; a virtual desktop keeps the documents on your systems, where your own controls apply.
- Devices and accounts should be password protected (ideally with multi-factor authentication for remote access), and staff should be instructed to keep devices in a secure place when not in use, away from family members and housemates.
- Devices should lock automatically after a short period of inactivity, so that an unattended screen is not left displaying work information.
- If printing is allowed, or if staff receive hard copy documents as part of their work, practical measures for the safe storage and destruction of those documents should be put in place at the employee’s home. This could be as simple as a lockable box in which documents are kept, and in which documents awaiting shredding are collected for return to the office.
- If printing is not allowed, consider how you will manage staff who need to handle large documents, or original signed contracts, if required.
Where can I get further information?
The OAIC has released guidance material regarding COVID-19 which can be accessed here: https://www.oaic.gov.au/privacy/guidance-and-advice/coronavirus-covid-19-understanding-your-privacy-obligations-to-your-staff/
Alternatively, please contact one of our team members below.
[1] In Australia, this covers Commonwealth Government agencies, individuals or businesses with an annual turnover of more than $3 million, businesses that provide health services (including fitness and weight loss businesses), and organisations and individuals who trade in personal information.
[2] For Australian companies, this applies to businesses that either monitor the behaviour of individuals in the European Union, or that offer or sell products or services to people within the European Union. If you aren’t sure whether this applies to you or your business, please seek legal advice.
(08) 8235 3052
(08) 8235 3078
(08) 8235 3044
(08) 8235 3028
The content of this newsletter is for general information purposes only and should in no way be treated as formal legal advice.