Skip to content

  • Home
  • COVID-19 Guide
  • Podcast library
  • Client results
  • Expertise
  • News & Insights
  • People
  • Our DNA
  • Inclusion and Diversity
  • Join us
  • Contact Us
Home / NEWS & INSIGHTS / Blog / COVID-19: Recommendations and considerations / Privacy Act exceptions
COVID-19: Recommendations and considerations 17 April 2020

Privacy Act exceptions


Introduction

In the context of the COVID-19 pandemic, many organisations are trying to implement policies and practices that involve the collection of health information of their staff and visitors to their sites to ensure the ongoing monitoring and maintenance of healthy workplaces. 

This is an important approach to a public health crisis.  However, there are also naturally concerns about individual privacy in the collection and subsequent use of that information.  Where can the records be shared?  Can individuals who are infected with COVID-19 be identified?  What can staff be told about infection rates across the organisation?

While the Privacy Act 1988 (Cth) is relevant to many organisations’ approach to this issue, it is important to note that these sorts of policies and practices can often be accommodated within lawful data handling regimes.

Importantly, while ‘APP entities’ are required to comply with the personal information handling requirements in the APPs, there are certain exceptions to complying with these requirements.  APP entities can rely on two key exceptions in order to manage and stop of the spread of COVID-19; the ‘permitted general situation’ exception and the ‘employee records’ exception.

Exceptions

The collection of information from individuals relating to COVID-19 will often involve the collection of health information, which is treated as ‘sensitive information’ under the Privacy Act.  It can also involve the collection of government identifiers such as Medicare card details.

In short, APP entities often do not need to comply with certain obligations around the collection of sensitive information and the use and disclosure of personal information and government related identifiers (such as Medicare numbers) if:

  • it is unreasonable or impractical to obtain the individual’s consent to that collection, use or disclosure; and

  • the APP entity reasonably believes that the collection, use or disclosure is necessary to lessen or prevent a serious threat to the life, health or safety of any individual, or to public health or safety.

This exception is designed to address public health situations like the outbreak of COVID-19. 

Given how broad this exception is, the Office of the Australian Information Commissioner has indicated in its APP Guidelines and its recent guidance on COVID-19 that before relying on it, APP entities must:

  • be able to justify their belief that use or disclosure of personal information is actually necessary (and not just convenient or desirable) to lessen or prevent a serious threat to the life, health or safety of any individual, or to public health or safety; and

  • be able to point to a clear reason why it is unreasonable or impracticable to obtain the relevant individual’s consent to the propose collection, use or disclosure of their personal information.  In making this assessment, APP entities will need to balance relevant considerations, including the urgency of the situation and the potential adverse consequences for the individual concerned if their consent is not obtained before the collection use or disclosure. 

Additionally, APP entities may be able to rely on the ‘employee record’ exception in collecting, using and disclosing the personal information of their employees in connection with their response to COVID-19. 

This exception provides that employee records relating to current or former employment relationships are expressly excluded from the application of the Privacy Act so long as those records are handled in the context of the current or former employment relationship.  It is important to note that its key limitation is that it only applies to ‘employees’, and so it does not apply to non-employee staff like contractors, and does not apply to the collection of information from site visitors.  We would expect this to be relied on less commonly.

So, while there are clear mechanisms that allow COVID-19 responses to be conducted lawfully, APP entities should ensure that they limit the use of these exceptions to what is necessary to prevent and manage the spread of COVID-19.  In this regard, organisations should always seek to minimise the collection of information to begin with, and minimise the level of detail used in subsequent disclosures.  For example, it may be necessary to test the temperature of all visitors to site, but it may not be necessary to record that information against their name (or to only record the exceptions).  Similarly, it may be necessary to notify staff that an employee has tested COVID-19 positive, but it might not be necessary to name the particular individual.  Using a common sense approach that seeks to minimise the collection, publication and dissemination of personal information will help ensure that important social welfare outcomes are achieved while still respecting ongoing privacy obligations.

Thanks to Meena Mutharaman for her assistance in putting this article together.

This publication covers legal and technical issues in a general way. It is not designed to express opinions on specific cases. It is intended for information purposes only and should not be regarded as legal advice. Further advice should be obtained before taking action on any issue dealt with in this publication.

About the authors

  • Alex Hutchens

    Partner

In other news

Reg Tech cloud services agreements – assessing the real risks

23 April 2021Insight

A guide to common capital raising structures in Australia

23 April 2021Insight

The Commissioner’s Emporium: business registration breaking new ground

22 April 2021Insight
The critical importance of critical minerals

The critical importance of critical minerals

20 April 2021Insight

VIEW ALL NEWS & INSIGHTS

BRISBANE

Level 11, 66 Eagle Street
Brisbane QLD 4000
GPO Box 1855
Brisbane QLD 4001
Tel +61 7 3233 8888
Fax +61 7 3229 9949

 

GET IN TOUCH

    Contact form

    We handle your personal information in accordance with our privacy policy.

    Please do not send us any confidential information. By submitting this form, you agree that our review of the information you submit will not create a lawyer-client relationship between you and our firm (or any lawyer in our firm) and it will not prevent us from representing a party in any matter where the information you submit is relevant, even if that information could be used against you.

    sydney

    Level 32, MLC Centre
    19 Martin Place
    Sydney NSW 2000
    GPO Box 462
    Sydney NSW 2001

    Tel +61 2 8241 5600
    Fax +61 2 8241 5699

     

    GET IN TOUCH

      Contact form


      We handle your personal information in accordance with our privacy policy.

      Please do not send us any confidential information. By submitting this form, you agree that our review of the information you submit will not create a lawyer-client relationship between you and our firm (or any lawyer in our firm) and it will not prevent us from representing a party in any matter where the information you submit is relevant, even if that information could be used against you.

      melbourne

      Level 27, 101 Collins Street
      Melbourne VIC 3000
      GPO Box 2924
      Melbourne VIC 3001

      Tel +61 3 9067 3100
      Fax +61 3 9067 3199

       

      GET IN TOUCH

        Contact form

        We handle your personal information in accordance with our privacy policy.

        Please do not send us any confidential information. By submitting this form, you agree that our review of the information you submit will not create a lawyer-client relationship between you and our firm (or any lawyer in our firm) and it will not prevent us from representing a party in any matter where the information you submit is relevant, even if that information could be used against you.

        follow us

        CLIENT LOGIN

        newcastle

        Level 2, 16 Telford Street
        Newcastle NSW 2300
        PO Box 394
        Newcastle NSW 2300

        Tel +61 2 4914 6900
        Fax +61 2 4914 6999

         

        GET IN TOUCH

          Contact form


          We handle your personal information in accordance with our privacy policy.

          Please do not send us any confidential information. By submitting this form, you agree that our review of the information you submit will not create a lawyer-client relationship between you and our firm (or any lawyer in our firm) and it will not prevent us from representing a party in any matter where the information you submit is relevant, even if that information could be used against you.

          canberra

          Level 9, 2 Phillip Law Street
          Canberra ACT 2601

          Tel +61 2 6243 3699
          Fax +61 2 8241 5699

           

          GET IN TOUCH

            Contact form


            We handle your personal information in accordance with our privacy policy.

            Please do not send us any confidential information. By submitting this form, you agree that our review of the information you submit will not create a lawyer-client relationship between you and our firm (or any lawyer in our firm) and it will not prevent us from representing a party in any matter where the information you submit is relevant, even if that information could be used against you.

            © 2017 McCullough Robertson. Site map Disclaimer Privacy Policy Statement of Business Ethics Credit Reporting Policy

            X