COVID-19 | Managing privacy during a pandemic: practical steps and considerations for businesses

Please note that this information is subject to change as further information and guidance is released by Federal, State and Territory governments.

In recent weeks, Gadens has been assisting clients to deal with a range of privacy challenges which have arisen as a result of the global COVID-19 pandemic.  Businesses are grappling with the obligations relating to the collection of personal information as part of their response to COVID-19.  Can we test our employees, how do we obtain consent, what about visitors and contractors, can we disclose the results of a positive test?  If so, to whom and does the affected individual need to agree to this disclosure?  These are just a few of the issues COVID-19 is raising in a privacy context.  In the current circumstances, it is important that you are aware of your obligations and the rights of individuals under the Privacy Act 1988 (Cth) (Privacy Act) and the Australian Privacy Principles (APPs).

The Office of the Australian Information Commissioner (OAIC) has also recently released guidance, Coronavirus (COVID-19): Understanding your privacy obligations to your staff (Guidance), to provide specific information about privacy obligations in the context of the COVID-19 pandemic.

The Privacy Act and APPs still apply.  Below are some practical steps and considerations to assist businesses navigate their way around the collection, use, disclosure, and handling of personal information and health information during this time.

Can you collect personal (including health) information to screen staff and visitors for COVID-19?

Yes, provided that the collection is limited to information that is reasonably necessary for the management of COVID-19 in respect of the business’s functions and activities.

Only collect such information that is necessary to identify risk and implement controls, e.g. inquiries as to whether the person has been exposed to a confirmed COVID-19 case or if the person is suffering from the known symptoms of COVID-19 could be reasonably necessary in the circumstances.

Personal information collected should be only used or disclosed on a need to know basis.  It should be stored securely and in accordance with the security obligations at APP 11.

As information about COVID-19 is constantly evolving, businesses should continually review resources from the Federal, State and Territory governments for the types of health information your business should consider collecting from individuals, such as the:

• Australian Government Department of Health Coronavirus (COVID-19) – frequently asked questions, which sets out the factors to assess identifying individuals who should be tested for COVID-19;
• Victorian Government Department of Health and Human Services Self-assessment for risk of coronavirus (COVID-19) workflow; and
• New South Wales Government COVID-19 resource which provides information on a range of areas, including the latest public health order updates.

A National COVID-19 Privacy Team has also been established between the OAIC and the Privacy Commissioners and Ombudsmen of each state and territory, so further guidance is likely to also be provided by this team.

Health information, such as information about an individual’s infection and risk of exposure to COVID-19, symptoms, treatment, or general health conditions, fall within the definition of ‘sensitive information’ within the meaning of the Privacy Act.

Generally, the individual’s consent is required to collect, use, disclose, and handle sensitive information, subject to limited exceptions.  Depending on the situation, businesses may not need to obtain consent in the present circumstances.  The COVID-19 pandemic may fall under the ‘permitted general situation’ exception under section 16A of the Privacy Act, on the basis that it is unreasonable or impracticable to obtain consent and the business reasonably believes that the collection of health information may be necessary to lessen or prevent a serious threat to the health of an individual, or to public health. This should be considered on a case-by-case basis.

Whilst businesses may be able to rely on the above exception in the current circumstances, it is best practice to obtain consent (in writing) before collecting, using or disclosing health information and retain the evidence of consent.  A simple form (including a privacy notice) to be completed on entry to premises would suffice.

Does the business have to notify staff and visitors that their personal (including health) information is being collected?

Yes, the obligation under APP 5 to notify individuals of the collection of personal information stands.  This means that your business will need to ensure that:

• all forms through which personal and health information are collected have an appropriate privacy collection notice;
• if relevant, signage setting out an appropriate privacy collection notice is displayed prominently at collection points; and
• individuals are directed to where they can access the business’s privacy collection statement and privacy policy.

What if staff and visitors decline to provide their personal (including health) information?

Businesses should communicate their COVID-19-related policies clearly to staff and visitors, including what it means if staff and visitors do not comply with that policy.  For example, staff and visitors should be made aware that if they are unable or unwilling to cooperate with the business, then they may not be granted access to the premises.

We recommend that any policy relating to COVID-19 should be made readily available to staff and visitors, including displaying appropriate signage at the business’s premises.

What can you do with the personal information collected in relation to COVID-19?

You can use the health information to assess a staff member’s or visitor’s risk of infection of COVID-19, and take other steps reasonably necessary to manage your business’s response to COVID-19.

You cannot use any personal information collected for unrelated reasons.  For example, if you establish that someone has COVID-19 or has been in contact with a COVID-19 case and is going into self-isolation, do not use the information that you collected to promote home delivery of your products to them.

Can we tell staff that a staff member or visitor has or may have contracted COVID-19?

Yes, provided businesses only use or disclose personal or health information that is reasonably necessary to prevent or manage COVID-19 in the workplace and in relation to their functions and activities.

The Guideline indicates that in some circumstances the name of the affected individual may not need to be disclosed, or only disclosed to a limited number of people on a ‘need-to-know basis’.  For example, it may be necessary to identify an affected individual in an internal communication to other relevant staff members (such as those on the same floor) so that they can comply with the Self-isolation (self-quarantine) guidance.

However, it may not be necessary to disclose the name of the affected individual in the business’s press releases or other outward-facing communications, which is the approach used in press briefings from State and Territory leaders where only the affected individual’s age, gender, and the circumstances of how they contracted COVID-19 is disclosed.

What are your obligations in respect of the storage of health information, including with remote working?

Businesses must take reasonable steps to protect personal information from misuse, interference and loss, and unauthorised access, modification or disclosure.  Generally, the greater the amount and/or sensitivity of personal information held, the more steps a business would need to take in order to protect it.

The Australian Cyber Security Centre has issued a reminder about cyber security in light of the increase in individuals working from home and the potential vulnerabilities that could arise in a diffused working arrangement.

Issues to consider with remote working and security of personal information include ensuring that staff only access trusted networks and cloud services, and all virtual private networks and devices are appropriately secured with strong passwords.  Use multi-factor authentication on remote systems and devices.  Do not allow staff to take physical files containing personal information home.

Businesses should consider undertaking privacy impact assessments with respect to remote working arrangements to identify possible privacy issues.

Does the employee records exemption apply to staff personal (including health) information?

Yes, but be careful as the exemption does not apply in all circumstances.  Businesses can generally rely on the employee records exemption under section 7B of the Privacy Act in relation to the holding and use of employee personal information.  However, this exemption applies after personal information is collected from the employees.  Businesses are still required to comply with APP 3 and APP 5 in relation to the collection of employees’ personal information.

Importantly, the employee records exemption does not apply to contractors or subcontractors or to prospective employees.

Next steps

We anticipate that there will be more privacy issues that will arise as Australia continues to deal with the COVID-19 pandemic, including in relation to potential data sharing between the Federal, State and Territory governments with the private sector.  Examples in overseas jurisdictions of data sharing between the public and private sectors are as follows:

• Europe – Vodafone, Deutsche Telekom, Orange and five other telecommunications providers have agreed to share mobile phone location data with the European Commission to track the spread of COVID-19;
• Hong Kong – use of tracking devices, e.g. bracelets, to track movements of individuals during the compulsory self-quarantine period;
• Singapore – use of mobile phone data for a contact tracing application; and
• South Korea – use of GPS phone tracking, credit card records, and surveillance videos to publicly publish the movements of affected individuals prior to their diagnosis with COVID-19.

While urgency is required in the response to the COVID-19 pandemic, businesses should be aware that their treatment of personal information will likely be scrutinised by the OAIC and the public at large.  Ensuring that there are appropriate policies and procedures relating to the collection, use, disclosure, and handling of personal information is a way for businesses to build trust with customers, suppliers, stakeholders, and the public in general.

We will continue to publish updates from time to time.  Please also see our COVID-19 Hub for information on other areas affecting businesses.

Authored by:

Dudley Kneller, Partner
Hazel McDwyer, Partner
Raisa Blanco, Associate