OAIC releases new privacy guidelines for employers in response to spread of COVID-19

In brief 3 min read

On 18 March 2020, the Office of the Australian Information Commissioner (OAIC) published a guidance note to assist organisations covered by the Privacy Act 1988 to understand their privacy obligations and handle personal information of staff appropriately in response to the COVID-19 outbreak.

How does it affect you?

• Employers should collect, use and disclose as little information as is reasonably necessary to prevent and manage the spread of COVID-19 in the workplace. This includes taking the temperature of employees and visitors entering the workplace for the limited purpose of preventing or managing COVID-19 risks in the workplace (provided that as little information as is reasonably necessary should be collected for that purpose).
• Employers may collect, use and disclose sensitive information about an individual without the individual's consent if reasonably necessary to prevent the spread of COVID-19 and a 'permitted general situation' exists.
• Employees should adopt adequate security measures to protect personal information of employees working remotely.

Background

Information gathered about an individual that relates to infection or risk of exposure with COVID-19 is classified as 'sensitive information' under the Privacy Act. Generally, employers can only collect, use and disclose 'sensitive information' if the individual gives consent and the information is reasonably necessary to one or more of its functions or activities.

The OAIC's guidance note in response to COVID-19 confirmed an employer can collect, use and disclose health information about individuals without their consent if:

• the employer reasonably believes the collection, use and disclosure of the information is necessary, or directly related to, the employer preventing or managing COVID-19 in the workplace; and

• a 'permitted general situation exists'. A permitted general situation exists where:
  • the collection, use or disclosure is undertaken to lessen or prevent a serious threat to the life, health or safety of any individual, or to public health or safety; and
  • it is unreasonable or impracticable to obtain the individual's consent to the collection, use or disclosure.

The prevention and management of COVID-19 constitutes a 'permitted general situation.'

Key points

• Agencies and private sector employers should limit the collection, use and disclosure of personal information to what is necessary to prevent and manage COVID-19 in the workplace. This includes collecting information which, according to the Department of Health, is necessary to identify risk and implement appropriate controls – such as asking whether an individual has been exposed to COVID-19 or whether an individual has recently travelled overseas and, if so, to which countries.
• Disclosure of personal information should only occur in circumstances and to the extent reasonably necessary to prevent the spread of COVID-19. For instance, if an employee has contracted COVID-19, it may not be necessary to reveal their name or disclosure may only need be made to colleagues on a 'need to know basis.'
• However, consent is not necessary if a 'permitted general situation exists.'

Another facet of workplace privacy covered by the guidance note is the importance of agencies and employers adopting sufficient security measures for employees working from home. Reasonable steps must be taken to protect personal information, such as the use of secure devices and ensuring all Virtual Private Networks and firewalls are updated and have strong passwords.