Privacy law issues in response to COVID-19

By Alison Baker

Organisations are facing unprecedented challenges to address the spread of COVID-19. In doing so, organisations are likely to be handling more and different personal information than normal. It is important that when designing and implementing measures in response to the coronavirus pandemic, organisations understand their privacy obligations.

Information gathered about an individual that relates to infection and risk of exposure with COVID-19 will be sensitive information under the Privacy Act 1988 (Cth). This includes information about the individual's symptoms, treatment or general health status. However, for private sector organisations, where that information relates to an employee, the employee records exemption will apply to obviate the requirement for compliance with the Australian Privacy Principles to the extent the information is used or disclosed in a manner directly related to the employment relationship. The Office of the Australian Information Commissioner (OAIC) has advised that employers should limit the collection, use and disclosure of personal information to what is necessary to prevent and manage COVID-19. This includes information that the Department of Health says is needed to identify risk and implement appropriate controls to prevent or manage COVID-19, for example:

• whether the individual or a close contact has been exposed to a known case of COVID-19; and
• whether the individual has recently travelled overseas and to which countries.

Organisations also need to ensure that the personal information of customers and clients remains secure during the COVID-19 crisis, particularly when a large number of employers have shifted to a working from home model. When implementing a work from home model, employers should first assess any potential privacy risks and put in place appropriate mitigation strategies as part of business continuity planning. As suggested by the OAIC, important practical considerations for employers include:

• whether changes to working arrangements will impact on the handling of personal information;
• increasing cyber security measures in anticipation of the higher demand on remote access technologies;
• providing employees with secure mobile phones, laptops, and data storage devices;
• ensuring those devices, software, Virtual Private Networks and firewalls are regularly updated and have the most recent security patches (including to operating systems and antivirus software);
• requiring employees to store devices and hard copy documents in a safe location when not in use;
• the implementation of multi-factor authentication for remote access systems and resources (including cloud services); and
• requiring employees only access trusted networks or cloud services.