COVID-19: Data and privacy implications
Managing your privacy obligations and risks
It is important to bear in mind the applicable privacy obligations when managing risks in relation to COVID-19. Federal Government agencies and private sector organisations (including companies, trusts and incorporated, associated and sole traders) with an annual turnover of $3 million or more will need to comply with their obligations under the Privacy Act 1988 (Cth) in relation to any health information or other personal information collected relating to the COVID-19 outbreak.
Most Australian states and territories have privacy laws, or other privacy-related obligations, that apply to government bodies in their state or territory. In addition, there is specific health records legislation in the ACT, New South Wales and Victoria that may apply in some circumstances.
Contact: Michael Park
Last updated: 16 March 2020
Information about the health or medical status of an identified individual (such as whether an individual has been tested for COVID-19 and the results of that testing) is likely to be regarded as health information, which is a type of sensitive information that is generally the subject of additional protections under applicable privacy laws. Government agencies and organisations should carefully consider whether it is necessary to collect, use and disclose health information about identified individuals in the context of the COVID-19 outbreak. Consent from the individual is generally required for a government agency or organisation to collect health information about an individual, subject to some of the exceptions below.
Other information that government agencies or organisations may wish to collect (such as details of any countries an individual has travelled to recently) would not be regarded as health information. However, it would still be subject to generally applicable privacy obligations relating to the handling of personal information, including to give a collection statement setting out how an individual's information will be used, held and disclosed.
Government agencies and organisations can generally use and disclose personal information for:
- the primary purpose for which that information was collected;
- any purpose to which the individual has consented;
- purposes required or authorised by law; or
- related purposes (or directly related purposes, in the case of sensitive information such as health information) that the individual would reasonably expect.
As circumstances continue to evolve, it is likely that COVID-19 will be viewed as a workplace health and safety issue, or that the use and disclosure of health information and other personal information in connection with the COVID-19 outbreak will become reasonably expected by individuals.
Under the Privacy Act 1988 (Cth), Commonwealth Government agencies or organisations can also use and disclose personal information (including health information) without consent if it is unreasonable or impracticable to obtain the individual's consent to the collection, use or disclosure; and the entity reasonably believes that the collection, use or disclosure is necessary to lessen or prevent a serious threat to the life, health or safety of any individual, or to public health or safety. Depending on the circumstances, this may be a key exception to be relied upon in the context of the COVID-19 outbreak.
The Attorney General or the Prime Minister also has the power to make an emergency declaration, in certain circumstances, to permit the collection, use or disclosure of personal information in ways that would otherwise breach the Privacy Act. This power was used in connection with the recent bushfire crisis, but it remains to be seen whether it will be exercised again in relation to COVID-19.
Other limited exceptions may also apply in some fact-specific circumstances. There is a limited exception for private sector organisations (but not government agencies) that permits the use or disclosure of employee records (including health information about employees) for purposes directly connected with a current or former employment relationship. However, this exception has some limitations: only the organisation that is the direct employer of the individual (and not any other entity in a corporate group) can rely on it, and it does not extend to individual contractors engaged by that organisation.
As the availability of some of these exceptions can be fact-specific, government agencies and organisations should seek specific legal advice about their particular concerns, including in relation to notifying at-risk individuals if an employee or customer is determined to have been exposed to or become infected with COVID-19. For example, it may be necessary to identify the relevant individual/s so that others within an organisation who may have had contact with an infected employee or customer can also be identified for screening purposes.
Government agencies or organisations should ensure that any disclosure of personal information (including health information) about an individual is permitted under one of the options discussed above.
Disclosing entities should also consider the extent to which it is necessary to identify any individuals with possible COVID-19 symptoms, including both within and outside the entity. For example, it may be necessary to identify an individual with COVID-19 symptoms in an internal communication to all other employees working on the same floor as that individual (so that co-workers on that floor can identify whether they have had contact with that individual); but it may not be necessary to identify that individual in a company-wide email that is sent to other offices in Australia or internationally. In such a wider communication, it may be sufficient not to identify the individual in question, and instead simply state that an individual on a particular floor in a specific office has developed COVID-19 symptoms and appropriate actions are being taken.
Similar considerations would apply for external communications, including informing potential visitors who may have met with an individual with COVID-19 symptoms, or where an organisation is informed that an external visitor to that organisation has developed COVID-19 symptoms. In such circumstances, keeping comprehensive records of all meeting attendees would be a prudent step. This will ensure that any potential issues can be managed in the future, with an appropriately targeted communication to internal employees and external visitors who may have interacted with an individual who has developed COVID-19 symptoms.
The Office of the Australian Information Commissioner (the OAIC) has recently released guidance on understanding privacy obligations towards staff in light of COVID-19. The OAIC has recommended that Commonwealth Government agencies and private sector employers should aim to limit the collection, use and disclosure of personal information about their employees to what is necessary to limit and manage the COVID-19 outbreak; and take reasonable steps to keep personal information secure, including where employees are working remotely.
Collection, use and disclosure of information
The OAIC recommends that employers should collect as little information as is reasonably necessary to limit and manage the COVID-19 outbreak. This includes information needed to identify risks and implement appropriate controls to prevent or manage COVID-19, e.g. whether an individual (or a close contact) has been exposed to a diagnosed case of COVID-19 or whether they have recently travelled overseas (and to which countries).
Consistent with our comments above, the OAIC's view is that employers may inform staff that a colleague has, or may have, contracted COVID-19 but should only use or disclose personal information as reasonably necessary to limit or manage COVID-19 in the workplace. Whether disclosure is necessary in the circumstances should be informed by the most recent advice from the Department of Health.
Working from home
The Privacy Act 1988 (Cth) does not prevent employees working remotely, but the Australian Privacy Principles will continue to apply. The OAIC suggests that a privacy impact assessment (PIA) may be useful in evaluating and mitigating risks to personal information. The OAIC also notes that Commonwealth Government agencies are required to undertake a PIA where there is a high-privacy-risk project that involves new ways of handling personal information. Other useful tips from the OAIC for protecting personal information when working remotely include:
- keeping up to date with the latest advice from the Australian Cyber Security Centre;
- ensuring continuous compliance with Protective Security Policy Framework requirements (if applicable);
- securing all electronic devices and storing the devices in a safe location when not in use;
- increasing cyber security measures and testing the measures ahead of time;
- ensuring all devices, virtual private networks and firewalls have necessary updates, the most recent security patches and strong passwords;
- using work email accounts for all work-related emails containing personal information;
- implementing multi-factor authentication for remote access systems and resources; and
- accessing and using only trusted networks and cloud services.