Artboard 1Icons/Ionic/Social/social-pinterest

Privacy update: OAIC guidance on managing employee and visitor health information during COVID-19

29 April 2020

#Corporate & Commercial Law, #Data & Privacy, #COVID-19

Trent Taylor

Published by Trent Taylor, Carl Hinze, Jeanne Vallade

Privacy update: OAIC guidance on managing employee and visitor health information during COVID-19

During the COVID-19 pandemic, organisations need to balance the need to respect privacy of individuals, whilst keeping sites safe.

The Office of the Australian Information Commissioner (OAIC) has published guidance (which we covered in a previous article here) relating to the steps organisations, subject to the Privacy Act 1988 (Cth), may need to take in respect of specific issues arising during the COVID-19 pandemic.

Many organisations have been implementing or expanding remote working arrangements for employees. Whilst the Privacy Act does not prevent employees from working remotely as a response to COVID-19, the Australian Privacy Principles (APPs) will continue to apply.

This means an organisation will need to continue to manage personal information in accordance with legal requirements.

Guidance summary

In general, the OAIC broadly recommends that an organisation that is subject to the Privacy Act:

  • only uses or discloses personal information on a “need-to-know” basis
  • only collects, uses or discloses the “minimum amount” of personal information reasonably necessary to prevent or manage COVID-19
  • considers proactively taking steps to notify staff of how it will handle staff information in respect of any suspected or actual case of COVID-19 in the workplace
  • ensures reasonable steps are put in place to keep personal information secure.

Handling employee health information

Under APP 6, if an organisation holds personal information about an individual that was collected for a particular purpose, the organisation must not use or disclose the information for another purpose.

This requirement does not apply if the individual consents to the use or disclosure of the information.

Further, this requirement may not apply in certain other prescribed situations, where an exception is available.

For example, in relation to the “collection, use and disclosure of sensitive information”, certain exceptions may apply. In relation to COVID-19, the most relevant exception is where an organisation reasonably believes that the collection, use or disclosure is “necessary to lessen or prevent a serious threat to the life, health or safety of an individual, or to public health or safety.”

Can your organisation collect information from employees or visitors in relation to COVID-19?

Yes, provided that, your organisation should seek to only collect the “minimum information” as is reasonably necessary for preventing or managing COVID-19. This may include information the Department of Health says is needed to identify risk and implement appropriate controls to prevent or manage COVID-19 – such as, for example, whether the individual or a close contact has been exposed to a known case of COVID-19 or has recently travelled overseas (and to which countries they have travelled).

Can your organisation tell personnel that a colleague or visitor has or may have contracted COVID-19?

Yes, provided that your organisation should only use or disclose such personal information to the extent reasonably necessary and on a need-to-know basis for the purpose of preventing or managing COVID-19 in the workplace. Whether disclosure is necessary should be informed by appropriate advice, including from the relevant governmental health department.

How can your organisation protect personal information when working from home?

Your organisation may need to consider whether any changes to working arrangements will impact on the handling of personal information. In so doing, steps should be taken to assess any potential privacy risks, and establish appropriate risk-mitigation strategies.

Assessing potential privacy risks may also help reduce the risk of a data breach arising. It is important to ensure that protocols and processes are in place to reduce the risk of loss of, or unauthorised access to (or disclosure of) personal information.

Among other things, reasonable steps should be in place to protect personal information, including appropriate securing of devices, increasing tests for cyber security, reminding employees of appropriate storage and security of devices and documents (including when not in use) and compelling employees to use work email accounts only (not personal accounts) for all work-related emails, including those that may contain personal information.

For more information on managing your employment law obligations, see our most recent Q&A here.

At Holding Redlich, we are assisting a number of clients with managing privacy during the COVID-19 pandemic.  Please contact us if you need any further information on privacy matters and appropriate management of personal information.

Authors: Jeanne Vallade, Trent Taylor & Carl Hinze

Disclaimer
The information in this publication is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, we do not guarantee that the information in this newsletter is accurate at the date it is received or that it will continue to be accurate in the future.

Trent Taylor

Published by Trent Taylor, Carl Hinze, Jeanne Vallade

Share this