The COVID-19 pandemic has forced privacy regulators around the world to issue guidance to organisations about what information can be released to protect public health without breaching or otherwise adversely impacting the privacy of individuals.
The European Data Protection Board (EDPB) issued initial guidance on 16 March, and the Australian regulator, the Office of the Australian Information Commissioner (OAIC), released a guide to understanding the privacy obligations owed to staff on 18 March 2020 (accessible here).
This guidance centred around the balancing of public health issues such as notifying health authorities and others if any individual with a risk of COVID-19 had been on the premises, and also the ability to contact and warn others who had been in contact with a confirmed or suspected case of COVID-19.
The Privacy Act 1988 (Cth) contains an exemption for circumstances such as this in section 16A, known as the permitted general situation exemption. If a permitted general situation exists, then an organisation is entitled to collect, use and disclose personal information without applying the general rules relating to consent. The relevant permitted general situation here is the “lessening or preventing a serious threat to the life, health or safety of any individual, or to public health or safety”.
Accordingly, if an organisation needs to share information about an infected individual, or to share contact details to deal with suspected cases, or to advise of a need to self-isolate, it can. Generally, this will be by sharing with health authorities. The OAIC guidance confirms this position.
However, it is important to remember that any information, including sensitive information such as the existence of a contagious disease, should only be used or disclosed on a need-to-know basis, and that only the minimum amount of information reasonably necessary to prevent or manage the risks to public health or safety should be used or disclosed.
As a result of the current health threat, many people are working remotely and many organisations are seeking to keep track of individuals who attend their premises so that they can contact them in the event there is any risk. The records in relation to location and identity around this time need to be managed having regard to the general obligations to keep information secure.
The EDPB announcement on 16 March was followed up by a formal statement on 19 March (accessible here), which included consideration of the use of location data. Some media reports from other countries have considered the issue of using mobile phone location data to track the spread and potentially avoid it. The formal EDPB statement notes that public authorities should first seek to process location data in an anonymous way, so that there is no personal information in tracking trends. If they are going to use individual personal information, they should ensure that adequate safeguards are in place and that the least intrusive solutions are employed.
Clearly, these are challenging and unprecedented times and the use of technology to assist in preventing the public health crisis is a resource that should be utilised. However, the risk is that by rushing through new measures in a time of crisis, adequate safeguards will not be put in place.
As the next phase of social distancing, remote working and increased remote connection becomes the norm, it will be important to ensure that there is no accidental overstepping of boundaries and that individuals' basic human right to a private home life is not interfered with.
For the moment, however, the focus is on engaging technology to the extent it can assist in ensuring that the worst form of public health crisis is averted.
Author: Lyn Nicholson