COVID-19: More than ever, a Reminder for Businesses and Employers that Privacy Obligations still Matter
The Office of the Australian Information Commissioner (‘OAIC’) has released timely guidance for businesses and employers on how personal information relating to COVID-19 should be handled in light of the coronavirus pandemic.
The OAIC guidance and advice document can be found here.
This guidance applies to businesses and organisations that are subject to the Privacy Act 1988 (Cth) (‘regulated entities’). These include but are not limited to:
- Australian Government (Commonwealth) agencies (State and Territory agencies are generally covered by their own privacy legislation rather than the Privacy Act);
- Private organisations (including a sole trader, a body corporate, a partnership, an unincorporated association, or a trust) with an annual turnover of more than $3 million;
- Private sector health service providers, regardless of turnover, including gyms, private hospitals, and pharmacies;
- Private schools and universities; and
- Credit reporting bodies.
What you need to know
The guidance is concise and the key takeaways include:
- Regulated entities – including businesses and employers – have obligations to maintain a safe workplace for staff and visitors, to handle employees’ personal information appropriately, and to already have systems in place that achieve this.
- An employer’s collection, use and disclosure of personal information should be proportionate to what is needed to prevent and manage COVID-19. Common sense questions are of course permitted, such as whether an individual has been in close contact with a known case of COVID-19 or whether an individual has recently returned from overseas.
- Personal information should be used or disclosed on a ‘need to know’ basis. For example, telling another staff member that a colleague’s partner has COVID-19 is permitted where it is necessary to prevent or manage COVID-19 in the workplace. Line-ball, discretionary calls will still need to be made, however, on whether all employees are told or whether the information is confined to those in a particular area of the business.
- Whether disclosure of an individual’s personal information is necessary should be informed by advice from the Department of Health.
- The Australian Privacy Principles continue to apply to those working from home. Therefore, organisations need to ensure that security measures for working from home are – as far as possible – the same as those that apply in normal circumstances. These include:
(i) Employees using their work email address, not a personal email address, for work-related tasks;
(ii) Securing mobile phones and laptops (for example, with device passcodes and encryption);
(iii) Ensuring devices are kept in a safe location when not in use; and
(iv) Implementing multi-factor authentication for employees who remotely access systems and resources.
- Businesses should be mindful that all personal information collected is to be held in a secure way, pursuant to Australian Privacy Principle 11.
- Employers should know the difference between ‘personal information’ and ‘sensitive information’; the latter (which includes health information) is afforded higher protection under the Privacy Act. Generally, regulated entities can collect health information about an individual if that individual consents (expressly or impliedly) and the collection is reasonably necessary to – relevantly for current purposes – prevent or manage COVID-19 in the workplace.
- Regulated entities should be aware of their obligations under Australian Privacy Principle 6 not to use or disclose information that was collected for a particular primary purpose for a secondary purpose, unless the individual consents or another exception applies.
With standard operating procedures having been thrown out the window for many employers and businesses because of COVID-19, it is essential that regulated entities are aware of their privacy and data obligations. These are not abstract principles which can be adopted or ignored at an entity’s discretion. Regulated businesses must understand and practically implement them; otherwise fines and civil penalties can apply.
Carroll & O’Dea Lawyers can assist you with drafting a Privacy Impact Assessment (as recommended by the OAIC), undertaking risk analysis, providing advice on privacy and data issues more generally, and assisting businesses and employers in being proactive – and, where necessary, reactive – on the COVID-19 front.
Our Charles Harrison, Associate, and Martin Slattery, Partner, can provide practical advice in respect of these issues.