Special Notification – April 2020
On 18 March 2020, the Office of the Australian Information Commissioner (OAIC) published Coronavirus (COVID-19): Understanding your privacy obligations to your staff, which provides guidance on the handling of personal information in the workplace in the context of the COVID-19 pandemic.1
This guidance was released to assist entities regulated by the Privacy Act 1988 (Cth) (Privacy Act). The Privacy Act contains the Australian Privacy Principles (APPs). The APPs govern the handling of identifying personal information, including its collection, use, disclosure and storage.
In general terms, the APPs apply to Commonwealth agencies, organisations with an annual turnover of more than $3 million, and certain other organisations, including private hospitals, private sector health service providers, and community health centres. Public health services are not subject to the APPs.
While public health services are not subject to the APPs, the information handling requirements in the APPs are like those found in certain State and Territory health records legislation. For example, in Victoria, public health services are subject to the Health Privacy Principles (HPPs) contained in the Health Records Act 2001 (Vic), and the HPPs are substantially similar to the APPs. Accordingly, the OAIC guidance may also provide useful guidance to public health services.
The OAIC guidance makes clear that the Privacy Act will not stop critical information sharing in the context of the pandemic, but notes that organisations have obligations to handle staff and visitor personal information appropriately and in accordance with the Privacy Act.
The OAIC guidance
The OAIC guidance provides the following key points:
- Personal information should be used or disclosed on a ‘need-to-know’ basis.
- Only the minimum amount of personal information reasonably necessary to prevent or manage COVID-19 should be collected, used or disclosed.
- Consider taking steps now to notify staff of how their personal information will be handled in responding to any potential or confirmed case of COVID-19 in the workplace.
- Ensure reasonable steps are in place to keep personal information secure, including where employees are working remotely.
We discuss the specific scenarios covered in the OAIC guidance below.
Collection of information from employees or visitors in relation to COVID-19
The OAIC guidance provides that organisations should collect from employees or visitors as little personal information as is reasonably necessary for preventing or managing COVID-19, such as information that the Department of Health says is needed to identify risk and implement appropriate controls to prevent or manage COVID-19.
For the purposes of the Privacy Act, personal information includes ‘sensitive information’, which is subject to more robust protections under the Privacy Act. ‘Health information’ is a type of sensitive information, and includes identifying information about the health (including any illness) of an individual, and any personal information collected in providing a health service to an individual. For example, health information would include test results for COVID-19 which identifies any staff member or visitor, information gathered about an individual that relates to infection and risk of exposure with COVID-19, and related information about the individual’s symptoms, treatment or general health status.
Collection of health information is governed by APP 3. APP 3 allows an organisation to collect an individual’s health information where:
- the individual gives consent (express or implied) to its collection; and
- the information is reasonably necessary for one or more of its functions or activities,2 such as to prevent or manage COVID-19 in the workplace.
However, consent to the collection is not required if, relevantly, the collection is required or authorised under by or under an Australian law (APP 3.4(a)), or a ‘permitted general situation’ exists (APP 3.4(b)). This includes where the collection is undertaken to lessen or prevent a serious threat to the life, health or safety of any individual, or to public health or safety, as, depending on the circumstances, could be claimed in respect of the COVID-19 pandemic.
Telling staff that a colleague or visitor has or may have contracted COVID-19
The OAIC guidance provides that organisations may inform staff that a colleague or visitor has or may have contracted COVID-19, but in doing so it should only use or disclose personal information that is reasonably necessary in order to prevent or manage COVID-19 in the workplace, and this should be informed by advice from the Department of Health (for example, if there is a directive to contact all persons who were in contact with a person with COVID-19). The OAIC guidance states that, depending on the circumstances:
… it may not be necessary to reveal the name of an individual in order to prevent or manage COVID-19, or the disclosure of the name of the individual may be restricted to a limited number of people on a ‘need-to-know basis’. Whether disclosure is necessary should be informed by advice from the Department of Health.
The use of personal information (e.g. such as internal discussion or decision making using that information) by an organisation, and the disclosure of personal information to third parties, such as visitors, is governed by APP 6.
Under APP 6, if an organisation holds personal information about an individual that was collected for a particular purpose (the main purpose or primary purpose), the organisation must not use or disclose the information for another purpose (a secondary purpose) unless the individual has consented, or a specified exception under APP 6 applies (see discussion below).
As reflected in the OAIC guidance, the primary purpose of collection is the specific function or activity for which the organisation collects the personal information. In relation to COVID-19, if personal information is collected from a staff member or visitor for the primary purpose of preventing or managing the risk of COVID-19 in the workplace and in respect of any person in contact with the workplace, then in that case the information may be used or disclosed for this purpose.
However, if the information is used or disclosed for any other purpose (a secondary purpose), such as where the organisation wants to disclose the information to a government department or authority, or to other third parties, then the organisation must consider whether the secondary purpose use or disclosure is permitted by an exception under APP 6. APP 6 permits a secondary purpose use or disclosure in circumstances including:
- where this is required or authorised under an Australian law (APP 6.2(c). This may include where notification of COVID-19 and patient details must be made to the relevant government health department under public health legislation;3 or
- where a permitted general situation applies (APP 6.2(c)), such as where it is unreasonable or impracticable to obtain consent, and it is necessary to lessen or prevent a serious threat to the life, health or safety of any individual, or to public health or safety, again as could be claimed depending on the circumstances in respect of COVID-19.
Regarding staff working at home
The OAIC guidance states that the Privacy Act does not prevent employees from working remotely as a response to COVID-19, however the APPs will continue to apply in that environment, and employers ‘need to consider similar security measures for employees working remotely as those that apply in normal circumstances’.
The OAIC guidance notes that a ‘Privacy Impact Assessment’ is a useful tool for evaluating and mitigating risks to personal information. The OAIC website provides guidance on undertaking Privacy Impact Assessments.4
In addition, APP 11 requires that organisations take reasonable steps to protect personal information it holds from misuse, interference and loss, as well as unauthorised access, modification or disclosure.
The OAIC guidance provides the following tips for making sure reasonable steps are in place to protect personal information:
- Keep up to date with the latest advice from the Australian Cyber Security Centre;
- Agencies should ensure continued compliance with Protective Security Policy Framework requirements;
- Secure mobile phones, laptops, data storage devices and remote desktop clients;
- Increase cyber security measures in anticipation of the higher demand on remote access technologies, and test them ahead of time;
- Ensure all devices, Virtual Private Networks and firewalls have necessary updates and the most recent security patches (including to operating systems and antivirus software) and have strong passwords;
- Make sure devices are stored in a safe location when not in use;
- Use work email accounts not personal accounts for all work-related emails that contain personal information;
- Implement multi-factor authentication for remote access systems and resources (including cloud services);
- Only access trusted networks or cloud services.
Employee records exemption
It should be noted that under the Privacy Act, there is an exemption relating to ‘employee records’. An ‘employee record’ means a record of personal information relating to the employment of an employee (e.g. a personnel file), and may also include an employee’s health information. The handling of personal information is exempt from the requirements of the Privacy Act and APPs if it is directly related to a person’s current or former employment relationship with the organisation, and their employee record.
However, personal information held in employee records will still be protected through State or Territory health records legislation in relation to any health information (e.g. the HPPs will still apply to that information in Victoria). Where employee records contain health information, this information must be handled in accordance with any applicable State or Territory health records legislation.
If you have any questions arising out of this article, please contact Giovanni Marino on (03) 9865 1339, or email Giovanni.email@example.com.
View our other Covid-19 Resources here.
2 Or directly related to these functions or activities for Commonwealth agencies.3 See, e.g. the Victorian Department of Health and Human Services website here: https://www2.health.vic.gov.au/about/news-and-events/healthalerts/2019-Coronavirus-disease–COVID-19, which provides that COVID-19 is a notifiable condition under the Public Health and Wellbeing Regulations 2019 (Vic). (At the time of writing the Regulations in print were yet to be updated to provide for this.)