An Organisation’s Privacy Obligations During the COVID-19 Pandemic

COVID-19 has provided a plethora of new issues to be considered, as well as old issues needing to be addressed in new ways. Privacy is at the fore of this, as organisations consider issues of working from home, worker safety, and potential staff stand-downs. Health information needs to be collected to keep workers safe, and inappropriate disclosure of personal information can still cause serious harm. Organisations need to balance all these considerations on a daily basis, while factoring in delays where workers may be working remotely and in isolation.

To mark Privacy Awareness Week, we canvass the key issues and discuss what organisations should be doing.


Collection of COVID-19 Information by the Organisation

As the Office of the Australian Privacy Commissioner (OAIC) points out in relation to the COVID-19 pandemic circumstances:

“The Privacy Act will not stop critical information sharing. Agencies and private sector employers (including private health service providers) have important obligations to maintain a safe workplace for staff and visitors and handle personal information appropriately…”

This certainly does not imply a freedom to act without boundaries; however, an organisation, in fulfilling its duty of care and health and safety responsibilities as an employer, can feel at liberty to ask workers and visitors:

  • whether the individual or a close contact has been exposed to a known case of COVID-19
  • whether the individual has recently travelled overseas, and to which countries.

A collection notice could include wording to the effect that:

The purpose of collecting personal information from a worker or visitor is to prevent or manage the risk of COVID-19, as a communicable disease, and to ensure that necessary precautions can be taken in relation to that individual and any other individuals who may be at risk.


Disclosure of Information Relating to COVID-19

As a general principle, the OAIC advises that only personal information that is reasonably necessary in order to prevent or manage COVID-19 in the workplace may be used or disclosed. The OAIC approves informing workers that a colleague or visitor has or may have contracted COVID-19, but only to the extent that is necessary. It may therefore not be necessary to reveal the name of the individual in order to prevent or manage COVID-19, or disclosure of the name may be restricted to a limited number of people on a need-to-know basis.

With respect to informing the wider community of a suspected or actual case, an organisation should consider:

  • first, what information is reasonably necessary to prevent or manage COVID-19 in the organisation and community
  • second, if providing information will identify an individual, whether it is appropriate to seek their consent.

Advice should be sought from public health officials about the information that should be provided and to whom.

If it is reasonably necessary to provide identifying information about an affected individual to others who may have been in contact with them, it is preferable to obtain the affected individual’s consent. If obtaining consent is unreasonable or impracticable, the Privacy Act provides an exemption for a “permitted general situation”. This exception applies where the organisation reasonably believes that the collection, use or disclosure of this sensitive personal information “is necessary to lessen or prevent a serious threat to the life, health or safety of an individual, or to public health or safety” and it is unreasonable or impracticable to obtain the individual’s consent. The organisation should consider carefully before proceeding without consent.


The ‘App’

How Does ‘the App’ Work?

Arguably the biggest issue in relation to privacy at the moment is the Federal Government’s COVIDSafe tracking app. The App has been developed to trace people who may have been exposed to someone who has tested positive to COVID-19, those “people” being defined as those who have spent 15 minutes or more with the potentially infected person while within a distance of 1.5 metres and who also have the App.

If a person with the App tests positive to COVID-19, they would be asked to upload the encrypted log from their phone to a central server, where the relevant federal and state/territory public health officials could access and decrypt it. The person’s local health department would then call anyone who had been in contact with the COVID-19 case. This would be supplemented by public health officials asking for the names and contact details of anyone with whom the individual recalls having been in contact for the requisite time and within the requisite distance.

The log on the phone is deleted on a 21-day rolling cycle. The App does not record the location of App holders, nor does it request access to any personal or location information on the user’s device; rather, it uses Bluetooth to measure proximity to the devices of other users who have also installed the App.
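To make the design described above concrete, here is a simplified model of a proximity-only contact log, written for this article as an illustration; it is not the COVIDSafe app’s own code. The thresholds (15 minutes, 1.5 metres, 21-day rolling deletion) are those stated above; the record layout, the function names, the sample encounters and the choice to sum proximity time across separate encounters are assumptions made here.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta

CLOSE_CONTACT_METRES = 1.5   # thresholds as stated in the article
CLOSE_CONTACT_MINUTES = 15
RETENTION_DAYS = 21

@dataclass(frozen=True)
class Encounter:
    # Proximity data only (opaque id of the other device, when, how close, how long):
    # there is no location field, so location can never be uploaded or disclosed.
    peer_id: str
    seen_at: datetime
    distance_m: float
    minutes: int

class ContactLog:
    def __init__(self) -> None:
        self._entries: list[Encounter] = []
    def record(self, encounter: Encounter) -> None:
        self._entries.append(encounter)
    def prune(self, now: datetime) -> int:
        # Rolling deletion: drop anything older than the retention window.
        cutoff = now - timedelta(days=RETENTION_DAYS)
        kept = [e for e in self._entries if e.seen_at >= cutoff]
        removed = len(self._entries) - len(kept)
        self._entries = kept
        return removed
    def close_contacts(self, now: datetime) -> set[str]:
        # Peers whose time within 1.5 m adds up to 15 minutes or more
        # (summing across separate encounters is an assumption made here).
        self.prune(now)
        minutes_by_peer: dict[str, int] = {}
        for e in self._entries:
            if e.distance_m <= CLOSE_CONTACT_METRES:
                minutes_by_peer[e.peer_id] = minutes_by_peer.get(e.peer_id, 0) + e.minutes
        return {p for p, m in minutes_by_peer.items() if m >= CLOSE_CONTACT_MINUTES}

def demo() -> dict:
    # Constructed sample encounters relative to a fixed reference time.
    now = datetime(2020, 5, 4, 9, 0)
    log = ContactLog()
    log.record(Encounter("A", now - timedelta(days=3), 1.0, 10))           # A: 10 + 8 min
    log.record(Encounter("A", now - timedelta(days=3, hours=2), 1.2, 8))
    log.record(Encounter("B", now - timedelta(days=1), 3.0, 40))           # B: too far away
    log.record(Encounter("C", now - timedelta(days=25), 0.8, 30))          # C: past 21 days
    log.record(Encounter("D", now - timedelta(days=20), 1.5, 15))          # D: on the threshold
    removed = log.prune(now)
    return {"removed": removed, "close_contacts": log.close_contacts(now)}
```

Running `demo()` shows the two privacy properties at work: the 25-day-old entry is deleted by the rolling window before anything is examined, and only peers meeting both the distance and duration thresholds are treated as close contacts.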

Can People Be Forced to Download ‘the App’?

It should also be noted that under the terms of the Biosecurity (Human Biosecurity Emergency) (Human Coronavirus with Pandemic Potential) (Emergency Requirements—Public Health Contact Information) Determination 2020 (Cth), a person cannot be required to download and operate the App, be refused entry to premises or participation in an activity, or have “adverse action” taken against them in their employment if they do not download it. In other words, an organisation cannot force workers or any visitors to ‘have the App’ before entering work premises.


While the App has been approved by the Australian Privacy Commissioner, it is recommended that anyone considering downloading the App should ensure that they only do so from official channels, such as through the Apple App Store or Google Play Store, and if they receive phone or email requests for additional information, that the authenticity of the caller/sender is checked before sharing any private information.


Information Requests from Public Health Officials

In tracking down contacts of people infected with COVID-19, public health officials may contact the organisation to request information. This information may be very personal, but once again, its collection is carried out under the auspices of the Federal Government’s emergency powers in order to lessen or control the impact of a threat to public health.

If approached and asked to provide this type of information, the organisation would be prudent to ask the public health officers to identify themselves and to confirm their authority to require the information to be provided.

The organisation should record the request, the information disclosed, and any follow up actions by the public health authority or the organisation.


Working from Home

Workers should have regular reminders to keep their work on password-protected devices, to set their devices to lock automatically after a few minutes of inactivity, to separate work-related information on devices from their personal use wherever possible, to keep hard copy personal information securely, and to conduct phone calls and video calls in private.

It is also recommended that organisations monitor online servers and systems to ensure that only the appropriate workers have access to them. This will probably need to be done with the assistance of IT departments, rather than expecting managers to perform such a multiplicity of tasks while carrying out the rest of their regular duties from home or in an otherwise limited capacity.

For the purposes of due diligence, organisations should also check Zoom’s recently updated international privacy policy.


What Should Organisations Do?

Organisations should:

  • regularly remind workers and the community that privacy is still important, taken seriously by the organisation, and must be observed
  • develop protocols for responding to frequently asked questions to the organisation
  • provide training to frontline workers about how to manage requests for different categories of information
  • ensure that any more complex or difficult queries (or difficult people) can be referred easily to an appropriately qualified and trained person - usually the organisation’s privacy officer
  • keep a record of disclosures made in relation to COVID-19, including the relevant circumstances and to whom the personal information was disclosed
  • increase monitoring of all electronic traffic on work equipment including video conferences.

If you are interested in finding out more about our Privacy Program and related Training, please contact CompliSpace on 1300 132 090 to discuss.




Svetlana Pozydajew

Svetlana is a Senior Consultant at CompliSpace. She has over 20 years of experience in strategic and operational human resource management, occupational health and safety, and design and implementation of policies and change management programs. She has held national people management responsibility positions in the public and private sectors. Svetlana holds a LLB, Masters in Management (MBA), Master of Arts in Journalism, and a Certificate in Governance for not-for-profits.


Hugh Bortolotti

Hugh is a Senior Associate in our Corporate and Financial Services team in Sydney. Hugh holds a Bachelor of International and Global Studies and a Juris Doctor, both from the University of Sydney. He has spent 5 years working in Banking and Finance, and worked in Commercial Law prior to joining CompliSpace.
