In response to the COVID-19 pandemic that has rapidly spread across the world, the Office of the Australian Information Commissioner (OAIC) has released guidance detailing how businesses subject to the Privacy Act 1988 (Cth) (Privacy Act) should be dealing with personal information relating to COVID-19 throughout the crisis.
Who does this apply to?
During the COVID-19 outbreak, organisations must comply with the requirements under the Privacy Act if they:
- have an annual turnover of more than $3 million;
- are related to another larger organisation (which has an annual turnover of $3 million); or
- provide a health service and hold health information.
This can include a vast range of organisations across many sectors, including health sector organisations, aged care providers and educational institutions such as private schools.
The key messages from the OAIC guidance are that:
- Information about a person’s infection or risk of exposure with COVID-19 will be sensitive information (a category of personal information) — and higher levels of protection are afforded to this type of information under the Privacy Act which businesses should be mindful of.
- To collect sensitive information, it must be reasonably necessary for the organisation’s functions or activities and the individual must consent to the collection, unless a “permitted general situation” exists, such as lessening or preventing a serious threat to the life, health or safety of any individual, or to public health or safety during the COVID-19 outbreak.
- Sensitive information can only be used or disclosed for the purpose for which it was collected (the “primary purpose”), unless:
- the individual has consented to the secondary use or disclosure;
- the individual would reasonably expect the secondary use or disclosure, and this secondary purpose is directly related to the primary purpose of collection; or
- a “permitted general situation” exists, such as it being unreasonable or impracticable to obtain consent and the organisation believes the use or disclosure is necessary to lessen or prevent a serious threat to the life, health or safety of any individual, or to public health or safety.
- Personal information should only be used or disclosed on a “need-to-know” basis — meaning that, for example, businesses should consider whether it is strictly necessary (and not contrary to the Privacy Act) to disclose the name of an infected person to staff or others to manage and respond to a COVID-19 infection.
- Flowing on from the above advice, only the minimum amount of information required to effectively deal with the pandemic should be collected, used or disclosed.
- Businesses should ensure that their staff members are kept informed of how their personal information may be used during the pandemic, based on different scenarios.
- Private sector employers’ handling of employee records in relation to a current or former employment relationship will be exempt from the requirements of the Privacy Act if the handling is directly related to the employment relationship and the employee record held by the organisation relating to the individual.For example, a record about an employee’s sick leave used or disclosed for a purpose directly related to the employment relationship between the employer and individual will be exempt.
- In accordance with Australian Privacy Principle 11, businesses should ensure that all personal information collected and held is securely stored.
Keeping data secure
In regards to the final point, we are already hearing anecdotal evidence of hackers taking advantage of the crisis to attempt to breach insecure data systems. Given that many employees are now working from home, the pandemic should act as a strong reminder to businesses of the critical importance of data security and comprehensive privacy policies.
Undertaking a Privacy Impact Assessment, if your business has not yet done so, is an effective way of evaluating the risks new methods of working (such as the bulk of a workforce working from home) may have on the handling of personal information within an organisation.
You can read the OAIC’s statement on COVID-19 here and full guidance here.
How we can help
If you require assistance or advice with privacy or data security related matters, or how best to implement effective COVID-19 policies into your organisation, please contact Andrew Chalet and Stephanie McHugh.
If you would like to stay up to date with Alerts, Insights and upcoming events, you can subscribe to our Corporate & Commercial care mailing list here.