Insights / April 3rd, 2020

COVID-19: Privacy in a Pandemic

COVID-19 is presenting new challenges across the board and privacy is no exception.

Privacy laws seek to protect the privacy of personal information – information that can reasonably identify an individual – which can include a COVID-19 diagnosis. In addition, information about an individual’s symptoms, treatment or diagnosis is classified as health information which is afforded further protections under privacy laws as it is treated as ‘sensitive information’.

Employers need to strike the right balance between handling sensitive information, in accordance with existing legal obligations, and providing a safe workplace. As a general rule, the Office of the Australian Information Commissioner (OAIC) has issued guidance that:

“Only the minimum amount of personal information reasonably necessary to prevent or manage COVID-19 should be collected, used or disclosed”.

What information can you collect?

Firstly, if you are a private sector employer you will have the employee records exemption at your disposal. This exempts the application of the Privacy Act 1988 (Cth) where you collect and use personal information for a purpose directly relating to an employment relationship, including providing a safe workplace. However, the OAIC still recommends collecting the minimum amount of information reasonably necessary in the circumstances.

The Department of Health has indicated a few factors necessary to identify risks and implement controls, such as:

  • Whether an individual or close contact has been exposed to a known case of COVID-19; and
  • Whether an individual has recently travelled overseas and to which countries.

Keep up to date with the Department of Health’s guidance to ensure you are collecting appropriate information.

Disclosing information

You can inform staff that a colleague or visitor has, or may have, contracted the COVID-19 virus but you should consider what information is reasonably necessary to prevent or manage the risk of COVID-19.

In some cases, simply disclosing that there has been a diagnosis – omitting the individual’s name – will achieve the desired preventative result and drive the necessary precautions. Where it is necessary to disclose an individual’s name, you must ensure that this is limited on a ‘need-to-know’ basis.

Next steps

  1. Ask yourself: What information is reasonably necessary to prevent and manage COVID-19 risks?
  2. Keep staff in the loop. Consider letting your staff know how you plan to handle their personal information in light of a confirmed COVID-19 case in the workplace.
  3. More generally, are there new risks to personal information? Consider whether any changes in your working arrangements will impact how you handle personal information and your IT resilience. If this presents any new risks you should establish mitigation processes to address them.

If you would like advice on how you can take proactive measures to ensure you comply with the privacy obligations, or would like further information on what obligations apply to you, contact us.


This publication has been prepared for general guidance on matters of interest only and does not constitute professional legal advice. You should not act upon the information contained in this publication without obtaining specific professional legal advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication and, to the extent permitted by law, Cowell Clarke does not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting or refraining to act in reliance on the information contained in this publication or for any decision based on it.