Is your organisation moving fast to respond to COVID-19 from a privacy law perspective?
The Office of the Australian Information Commissioner (OAIC) has published guidance for organisations regulated by the Privacy Act 1988 (Cth) on privacy obligations in the face of the unprecedented COVID-19 crisis.
Here are three key things you should know from the OAIC guidance.
- Managing COVID-19 risk - you can disclose, collect and use the minimum amount of personal information necessary to prevent and manage COVID-19
You can collect information about employees or visitors to your organisation as needed to identify and manage COVID-19 risks. The information collected must be as limited as reasonably necessary and can include information advised by the Department of Health as required to contain the spread of COVID-19. This may include information such as whether a person:
Generally, the collection of such information would require the relevant individual's consent. However, if the collection will lessen or prevent COVID-19 then consent is not necessary as it is for the purpose of "lessening or preventing a serious threat to the life, health or safety of any individual, or to public health and safety".
The OAIC has advised that, in many instances, the handling of employee health information will be permitted under the Privacy Act 1988 (Cth) under the "employee records exemption", which allows a private sector employer to handle its current or former employee's records without being required to comply with the obligations contained in the Australian Privacy Principles. If however, you intend to use an employee's information to identify and manage COVID-19 risks we recommend notifying the employee prior to use of such information. Depending on the location of your operations, your handling of employee health information may also be subject to obligations under State or Territory health privacy laws.
- Disclosing personal information - you can disclose individuals' personal information on a need-to-know basis to prevent and manage COVID-19
Your organisation can share an employee's personal information if it is critical information to prevent and manage the spread of COVID-19. This right extends to the personal information of employees, their family members and visitors to your organisations premises, customers and the general public.
You have the right to inform your employees that a colleague or visitor has or may have contracted COVID-19. You can also disclose that person's personal information, which includes sensitive information relating to their infection and risk of exposure to COVID-19 and any related information such as the individual's symptoms, treatment and general health status.
However, when doing so you can only disclose an individual's personal information if it is necessary to prevent or manage COVID-19 in your workplace. For example, it may not be appropriate to inform all global offices of an employee's name but limited disclosure may be required to those who 'need-to-know'. Whether the information is being shared on a 'need-to-know' basis will be informed by Department of Health recommendations. For example, it may be necessary to disclose personal information to those who have been in close contact with an infectious person at least 24 hours before they developed symptoms.
- Working from home - let your employees know how their personal information will be used if there is a potential or confirmed COVID-19 case in your workplace
has returned from overseas in the past 14 days;
- has been in close contact with someone diagnosed with COVID-19 in the past 14 days;
- has travelled on a cruise ship (either as a passenger or crew) in the 14 days before developing symptoms;
- is a health care, aged care or residential care worker; or
- lives in an area that has a higher risk of community transmission (as defined by the local public health unit).
You should create an internal policy and plan to identify and manage the risks posed by COVID-19 in the unfortunate event that there is a potential or confirmed COVID-19 case in your workplace. The Australian Privacy Principles will continue to apply, so you will need to implement data security measures to protect your employees' personal information as you would in the ordinary course of business.
To protect the personal information of your employees, OIAC recommends that you and your employees:
- secure mobile phones, laptops, data storage devices and remote desktop connections;
- update virtual private networks and firewalls (including to operating systems and antivirus software);
- implement multi-factor authentication for remote access systems (including cloud services);
- set-up strong passwords and access codes;
- use work-emails (not personal emails) for work related activities; and
- store devices in safe and secure locations when not in use.
If you have a proposal (related to personal information) that has national implications, it can be submitted to the National COVID-19 Privacy Team (comprised of OAIC and state and territory privacy regulators).