What is personal information and sensitive information?
The Privacy Act regulates the handling of "personal information", which is "information or an opinion about an identified individual, or an individual who is reasonably identifiable". The Privacy Act imposes stronger protections for "sensitive information", which includes "health information" about an individual (i.e. information, or an opinion, about the health – including an illness, disability or injury – of an individual).
These provisions mean that information about, for example, whether an individual is or may be infected with COVID-19 will be sensitive information. Related information about the individual's symptoms, treatment or general health status will usually also be sensitive information.
What special provisions are there for employers?
The Privacy Act contains an exemption in relation to "employee records". The exemption applies to an act done, or a practice engaged in, by an organisation that is directly related to:
- a current or former employment relationship between the employer and the individual; and
- an employee record held by the organisation and relating to the individual.
An "employee record" is "a record of personal information relating to the employment of [an] employee" and specifically includes "health information about the employee".
The exemption applies only in respect of an employment relationship; it does not apply to independent contractors or other third parties. Where the employee records exemption applies, organisations are not required to comply with the requirements of the Privacy Act in respect of an act or practice regarding the information. The consequence of collected information being an "employee record" is that the organisation would be exempt from complying with the obligations contained in the APPs, such that there will be no privacy implications under the Privacy Act as a result of it collecting, using and disclosing the personal information for purposes associated with the organisation's COVID-19 response. Obligations may still apply under State and Territory legislation.
Collection of personal information including sensitive information
An organisation generally must not collect personal information unless the information is "reasonably necessary" for one or more of its functions or activities. In relation to sensitive information (such as health information) an organisation must not (unless an exception applies) collect such information unless it has the consent of the individual. An organisation may also collect sensitive information in circumstances including:
- where the collection is required or authorised under Australian law; or
- where a "permitted general situation" exists in relation to the collection of the information. Relevantly, a permitted general situation will exist where:
  - it is unreasonable or impracticable for an organisation to obtain an individual's consent to the collection, use or disclosure; and
  - the organisation reasonably believes that the collection, use or disclosure is necessary to lessen or prevent a serious threat to the life, health or safety of any individual, or to public health or safety.
If an organisation is unable to obtain an individual's consent to collect their sensitive information, it will likely want to consider whether one of the above circumstances applies.
Use and disclosure of personal information collected
Organisations may seek to use and / or disclose personal information (including sensitive information) collected in relation to a COVID-19 response for a number of reasons, including to devise and / or manage an appropriate response to an outbreak or possible outbreak, and to disclose information to other staff members, to health authorities and / or to other third parties. In so doing, organisations will need to be aware of the circumstances in which they can legitimately use or disclose the information collected.
Relevantly, if the purpose of collection of an individual's personal information is to manage an appropriate response to the risk of COVID-19 exposure within the organisation, then use / disclosure of the information for that purpose would be a "primary purpose" of collection and therefore is permitted. Organisations will not be able to use or disclose the personal information (including sensitive information) for another purpose (the secondary purpose), unless:
- the individual has consented to the use or disclosure;
- the individual would reasonably expect the entity to use or disclose the information for the secondary purpose, and the secondary purpose is related to the primary purpose (and for sensitive information, "directly related" to the primary purpose);
- the use or disclosure is required or authorised by Australian law; or
- a "permitted general situation" exists in relation to the use or disclosure of the information (as discussed above).
The Office of the Australian Information Commissioner (OAIC), recognising the unprecedented challenges faced by organisations covered by the Privacy Act at this time, has developed privacy guidelines intended to help organisations understand their privacy obligations to staff during the COVID-19 pandemic.
The key points from the OAIC's guidelines include:
- personal information should be used or disclosed on a "need-to-know" basis;
- only the minimum amount of personal information reasonably necessary to prevent or manage COVID-19 should be collected, used or disclosed; and
- organisations should consider taking steps now to notify staff of how their personal information will be handled in responding to any potential or confirmed case of COVID-19 in the workplace.