Privacy update: Know your business’ privacy rights and obligations during COVID-19

Apr 1, 2020

On 18 March 2020, the Office of the Australian Information Commissioner (OAIC) issued guidelines for businesses dealing with the handling of personal information in the time of the COVID-19 crisis.

Who must comply with the Privacy Act?

The Privacy Act obligations apply to businesses that have an annual revenue of $3 million or more, as well as health service providers and those whose core business involves trading in personal information. The Act also applies to government agencies. The obligations do not apply to most small businesses with a revenue of under $3 million.

How does the COVID-19 crisis affect privacy law?

The Australian Privacy Principles (APPs) contained in the Act continue to apply to the collection, use or disclosure of personal information during this crisis. However, the OAIC has clarified how these apply in these times, confirming that, “the Privacy Act will not stop critical information sharing”.

Government agencies and private sector employers (including private health service providers) continue to have important obligations to maintain a safe workplace for staff and visitors and handle personal information appropriately. The OAIC guidelines state that businesses should aim to limit the collection, use and disclosure of personal information to what is necessary to prevent and manage COVID-19, and take reasonable steps to keep personal information secure.

The guidelines acknowledge that businesses may have an increased requirement to know the health status (or other pertinent personal information) of employees and others with whom they interact. However, and critically, only the minimum amount of personal information reasonably necessary to prevent or manage COVID-19 should be collected, used or disclosed.

The OAIC recommends that businesses take steps to notify staff of how their personal information will be handled in responding to any potential or confirmed case of COVID-19 in the workplace.

Working remotely brings new issues

Businesses should consider whether any changes to working arrangements (for example, working from home) will impact on the business’ handling of personal information, including that of customers and clients, assess any potential privacy risks and put in place appropriate mitigation strategies. For example, employers should direct their staff on how to deal with and safely dispose of documentation that might disclose personal information, while working away from the office. 

Permitted use and disclosure of information in time of COVID-19

Businesses are entitled to collect and, to the extent necessary, disclose information that is needed to identify risk and implement appropriate controls to prevent or manage COVID-19. For example, a business may ask whether an individual or a close contact has been exposed to a known case of COVID-19, or whether the individual has recently travelled overseas and, if so, to which countries.

A business operator may inform staff that a colleague or visitor has or may have contracted COVID-19 but they should only use or disclose personal information to the extent that is reasonably necessary in order to prevent or manage COVID-19 in the workplace. For example, in some cases it may not be necessary to reveal the name of an infected individual in order to prevent or manage COVID-19, or the disclosure of the name of the individual may be restricted to a limited number of people on a ‘need-to-know basis’.

Other tips

The guidelines also offer tips for limiting the risk of a data breach while staff are working remotely: organisations are advised to keep up to date with the latest information security advice from the Australian Cyber Security Centre, to ensure that all devices, VPNs and firewalls have all necessary updates and the most recent security patches applied, and to implement multi-factor authentication for remote access systems.

More information

For more information, or advice on how your business is impacted by privacy laws during this crisis (including whether your privacy policy needs an update or refresh), please contact Daniel Kovacs, Principal Lawyer, on (03) 8600 8859 or dkovacs@kcllaw.com.au.

For advice on any employment-related issues that may arise in these challenging times, please contact a member of our Employment and Workplace Relations team on (03) 8600 8888.

Note: This update is a guide only and is not intended to constitute legal advice.