In brief 5 min read
COVID-19 has highlighted the unique challenges a health crisis can pose for the resources sector, with complex and overlapping health, social and economic implications. Whilst technology and data tools have proved effective in assisting businesses to reduce the associated risks at sites and minimise disruption to operations, businesses need to be aware of a range of privacy and surveillance issues when using these tools as part of any response to a health crisis.
Key takeaways
- Monitoring, screening and tracing technology continues to expand and evolve, and will play an ongoing role in businesses' response to new and emerging workplace health and safety risks beyond COVID-19.
- Businesses should only collect, disclose and use personal information that is reasonably necessary to manage and prevent workplace health and safety risks.
- Businesses should develop and implement robust policies and protocols to support them to navigate and comply with privacy and surveillance laws when responding to a health crisis.
Workplace health and safety obligations
Businesses have general obligations to provide safe workplaces and ensure the health and safety of workers and others attending their sites, so far as reasonably practicable. This means taking all reasonable steps to identify, assess and eliminate or minimise those risks, by assessing safety hazards and developing and implementing safe systems of work. These obligations were reinforced in the National COVID-19 Safe Workplace Principles.
As part of any response to a health crisis such as COVID-19, and to monitor and control risks of infection, businesses may need to collect information from employees, contractors, suppliers and site visitors regarding their potential exposure. Health screening questionnaires, temperature testing and contact tracing are some of the measures increasingly deployed by businesses to ensure they provide a safe workplace and to prevent the risk of a shutdown of operations. These measures involve the collection of personal and health information, triggering multiple privacy and surveillance legal considerations.
Privacy obligations
When collecting personal information during a health crisis, businesses should:
- only collect personal information that is reasonably necessary to prevent and manage the health and safety risks;
- limit use and disclosure of the personal information to the extent necessary to prevent and control the risks, and only on a 'need to know' basis; and
- notify employees, contractors, suppliers and any other site visitors how their personal information will be handled in responding to the health and safety risks.
Information about a person that relates to infection or risk of exposure constitutes 'sensitive personal information', as does information about an individual's symptoms or general health status. Strict protections apply to sensitive information under privacy laws. Generally, employers must obtain a person's express consent to collect, use and disclose sensitive information. Consent is not required where:
- it is unreasonable or impracticable to obtain consent; and
- the information is necessary to reduce or prevent a serious threat to the life, health or safety of an individual, or to public health and safety.
The Office of the Australian Information Commissioner has confirmed that COVID-19 falls within the scope of this exemption, providing some useful guidance on how a future health crisis or emergency might also trigger this exemption. This means, for instance, that businesses could require employees to be temperature tested without their consent in circumstances where they refuse, and it is reasonable or necessary to prevent the risk of COVID-19 spreading.
In some cases the information may be covered by the employee records exemption, which exempts private sector employers from compliance with the Privacy Act when handling an employee’s personal information for a purpose directly related to the employment relationship. However, this exemption is limited and does not extend to information about the employee's close contacts, or to contractors, suppliers or other people attending the site.
Surveillance considerations
Some digital contact tracing tools may constitute a form of 'tracking surveillance'. If used via a mobile phone or other device, they will likely be covered by state monitoring and surveillance legislation. In some states, it is unlawful to 'track' a device without the consent of the person in possession or control of the device. In WA, penalties of $5,000 and/or 12 months' imprisonment apply to individuals, and $50,000 to companies.
Consent is also a fundamental principle of the Federal Government's COVIDSafe app. Requiring a person to download or use the app is prohibited, and may constitute a criminal offence with fines of up to $63,000 and/or five years' imprisonment. This means businesses cannot:
- require, pressure or give incentives to workers to download or use COVIDSafe; or
- purport to make it compulsory as a condition for returning to work, or entering a worksite.
Recommendations
When designing and implementing a plan to address a health crisis:
- clearly identify the workplace health and safety risks created by the health crisis;
- ensure your response plan appropriately balances compliance with workplace health and safety obligations and privacy and surveillance considerations;
- monitor developments closely and adjust the response plan as required on the basis of advice from government and public health authorities;
- only collect personal information to the extent required to eliminate or minimise the identified risks created by the health crisis;
- obtain consent when collecting personal information wherever practicable;
- communicate early and often, with clear information about the rationale for collecting personal information and how it may be used or disclosed;
- only disclose personal information on a 'need to know' basis, even if the worker has provided consent, to avoid the risk of discrimination or harassment; and
- develop and implement robust policies and protocols with clearly defined roles and responsibilities regarding data management and information security processes.