During the COVID-19 pandemic, organisations need to balance the need to respect the privacy of individuals with the need to keep sites safe.
The Office of the Australian Information Commissioner (OAIC) has published guidance (which we covered in a previous article here) relating to the steps organisations, subject to the Privacy Act 1988 (Cth), may need to take in respect of specific issues arising during the COVID-19 pandemic.
Many organisations have been implementing or expanding remote working arrangements for employees. Whilst the Privacy Act does not prevent employees from working remotely as a response to COVID-19, the Australian Privacy Principles (APPs) will continue to apply.
This means an organisation will need to continue to manage personal information in accordance with legal requirements.
In general, the OAIC recommends that an organisation that is subject to the Privacy Act:
- only uses or discloses personal information on a "need-to-know" basis
- only collects, uses or discloses the "minimum amount" of personal information reasonably necessary to prevent or manage COVID-19
- considers proactively taking steps to notify staff of how it will handle staff information in respect of any suspected or actual case of COVID-19 in the workplace
- ensures reasonable steps are put in place to keep personal information secure.
Handling employee health information
Under APP 6, if an organisation holds personal information about an individual that was collected for a particular purpose, the organisation must not use or disclose the information for another purpose.
This requirement does not apply if the individual consents to the use or disclosure of the information.
Further, this requirement may not apply in certain other prescribed situations, where an exception is available.
For example, in relation to the "collection, use and disclosure of sensitive information", certain exceptions may apply. In relation to COVID-19, the most relevant exception is where an organisation reasonably believes that the collection, use or disclosure is "necessary to lessen or prevent a serious threat to the life, health or safety of an individual, or to public health or safety."
Can your organisation collect information from employees or visitors in relation to COVID-19?
Yes, provided that your organisation seeks to collect only the "minimum information" reasonably necessary for preventing or managing COVID-19. This may include information the Department of Health says is needed to identify risk and implement appropriate controls to prevent or manage COVID-19 - such as, for example, whether the individual or a close contact has been exposed to a known case of COVID-19 or has recently travelled overseas (and to which countries they have travelled).
Can your organisation tell personnel that a colleague or visitor has or may have contracted COVID-19?
Yes, provided that your organisation uses or discloses such personal information only to the extent reasonably necessary, and on a need-to-know basis, for the purpose of preventing or managing COVID-19 in the workplace. Whether disclosure is necessary should be informed by appropriate advice, including from the relevant governmental health department.
How can your organisation protect personal information when working from home?
Your organisation may need to consider whether any changes to working arrangements will affect the handling of personal information. In doing so, steps should be taken to assess any potential privacy risks and to establish appropriate risk-mitigation strategies.
Assessing potential privacy risks may also help reduce the risk of a data breach arising. It is important to ensure that protocols and processes are in place to reduce the risk of loss of, or unauthorised access to (or disclosure of) personal information.
Among other things, reasonable steps should be in place to protect personal information, including appropriately securing devices, increasing cyber security testing, reminding employees of the appropriate storage and security of devices and documents (including when not in use), and requiring employees to use work email accounts only (not personal accounts) for all work-related emails, including those that may contain personal information.