Australia: Privacy and COVID-19: Your get-out-of-jail-free card

You learn a customer/client/employee/courier who delivered new heels to your office has tested positive for COVID-19. Intense panic ensues. After you've washed your hands (for 20+ seconds) and sanitised everything in sight, your next step in damage control is establishing who had contact with the infected person. That will inevitably involve outing them.

One potential problem: privacy laws. Under the Privacy Act an entity generally can't disclose personal information about an individual without their consent. And the rules are even stricter when it comes to health information, which falls into the special category of sensitive information; and a positive COVID-19 test result is the most sensitive of sensitive. You can only disclose health information if it is in accordance with the primary purpose for which you collected it, or a secondary purpose if the individual would reasonably expect you to disclose that information. Here neither of those apply.

However, there is a very helpful loophole in the Privacy Act which comes to your rescue. Entities can collect, use or disclose personal information without an individual's consent if it reasonably believes it is necessary to do so to lessen or prevent a serious threat to the life, health or safety of an individual, or to public health and safety. So, basically everything COVID-19. There is a proviso that it must be unreasonable or impractical to obtain the consent of the individual, however considering the urgency with which you should act to track potential infections we think this will almost always be satisfied.

You still must act reasonably in using or disclosing the information and limit it to managing the spread of the infection. Tweeting the person's name and test results is a no-no.

If the infected person is your actual employee, the privacy laws don't apply anyway. As long as you're using and disclosing information related to the person's employment (which this is), you'll be fine.

TL;DR?

If you find a COVID-19 positive person in your workspace don't worry too much about privacy implications; focus on tracking and limiting the spread of the virus and the health of your people.

We do not disclaim anything about this article. We're quite proud of it really.