Australian Privacy Commissioner offers advice on staff privacy amid COVID-19

Employers given a little reminder that their Privacy Act obligations still apply, even in a global pandemic.

The Office of the Australian Information Commissioner (OAIC) has asked employers across the country to be mindful of their obligations under the Privacy Act 1988 when handling information related to the COVID-19 coronavirus outbreak.

The OAIC said that while it appreciates the unprecedented challenges employers are facing to address the spread of the virus, they still have obligations to maintain a safe workplace for staff and visitors and handle personal information appropriately.

Personal information should be used or disclosed on a need-to-know basis, the OAIC said, adding that only the minimum amount of personal information "reasonably necessary" to prevent or manage COVID-19 should be collected, used, or disclosed.

It asked employers to consider taking steps to notify staff of how their personal information will be handled in responding to any potential or confirmed case of COVID-19, and to ensure reasonable steps are in place to keep personal information secure, including where employees are working remotely.

"In order to manage the pandemic while respecting privacy, agencies and private sector employers should aim to limit the collection, use, and disclosure of personal information to what is necessary to prevent and manage COVID-19, and take reasonable steps to keep personal information secure," the OAIC wrote.

Such information should cover whether the individual or a close contact has been exposed to a known case of COVID-19, and whether the individual has recently travelled overseas and to which countries.

"You may inform staff that a colleague or visitor has or may have contracted COVID-19 but you should only use or disclose personal information that is reasonably necessary in order to prevent or manage COVID-19 in the workplace," it said, adding it may not be necessary to reveal the name of an individual in order to prevent or manage COVID-19.

On consent, the OAIC said it is not necessary if the collection is required or authorised under an Australian law, or where a "permitted general situation" exists.

The OAIC said this includes where the collection is undertaken to lessen or prevent a serious threat to the life, health, or safety of any individual, or to public health or safety.

Regarding staff working remotely, the OAIC urged entities to appreciate that the Australian Privacy Principles (APPs) continue to apply and suggested the use of secure mobile phones, laptops, data storage devices, remote desktop clients, and use of VPNs.