The Office of the Australian Information Commissioner (OAIC) released a statement and privacy guidelines on 18 March 2020 to assist government agencies and private sector employers keep workplaces safe and handle personal information appropriately as part of their COVID-19 response.
In line with announcements from other data protection authorities, the OAIC confirmed that privacy laws are not an impediment to "critical information sharing". Notably, in the private sector, we have been reminded that the employee records exemption in section 7B(3) of the Privacy Act 1998 (Cth) (Privacy Act) will apply in many instances to permit the handling of employee health information. The example given is a record about an employee's sick leave, which falls within the exemption when it is used or disclosed for a purpose directly related to that employee's current or former employment relationship between the employer and the individual.
The OAIC's privacy guidelines follow the same structure as recent guidance from the UK Information Commissioner's Office, setting out key reminders that apply to all regulated APP entities followed by an ‘Frequently Asked Questions’ section. We have distilled the key take-away points from the FAQ section below:
- The Australian Privacy Principles (APP) will continue to apply to the collection, use or disclosure of personal information. When assessing what information can be collected from employees or visitors in relation to COVID-19, organisations should consider the types of information that the Australian Department of Health states are required to identify health risks and implement prevention and management controls, including whether an individual or a close contact has been exposed to a known case of Covid-19, or has recently travelled overseas, and to which countries.
- It is reasonable to inform staff if a colleague or visitor has or may have contracted Covid-19, but organisations should take a proportionate approach, and only use or disclose personal information that is reasonably necessary to prevent or manage COVID-19 at their workplace.
- With a large portion of the workforce now working from home, government agencies and private sector employers need to ensure that adequate security measures are available, as would apply in normal circumstances. Organisations can keep up to date with the latest information security advice from the Australia Cyber Security Centre, and should ensure all devices, VPNs and firewalls have necessary updates and the most recent security patches applied, and implement multi-factor authentication for remote access systems.
- Under APP 3, APP entities may collect sensitive information about the health of individuals (including information about symptoms, treatment or general health status) if the individual has provided consent (express or implied), and the information is reasonably necessary, or directly related to, one of its functions or activities, "such as to prevent or manage COVID-19 in the workplace". Importantly, consent is not required if the collection is required or authorised under an Australian law (APP 3.4(a)) or a 'permitted general situation' exists (APP 3.4(b)).
- Remember: certain APP requirements in relation to the collection, use and disclosure of sensitive information do not apply if a 'permitted general situation' exists (as defined in Section 16A of the Privacy Act). According to the OAIC, the most relevant permitted general situation during the COVID-19 outbreak is "lessening or preventing a serious threat to the life, health or safety or any individual, or to public health or safety".
In summary, the overarching principle from the OAIC is that government agencies and organisations regulated by the Privacy Act alike should only collect, use or disclose personal information that is reasonably necessary in order to prevent or manage COVID-19 in the workplace. We also note that in determining reasonable necessity, the principle of data minimisation should be considered - that is, whether an agency or organisation may be able to prevent or manage the spread of COVID-19 without collecting the relevant personal information, or by collecting a lesser amount of personal information.
Written by Grace Loukides