Privacy Act exceptions
Introduction
In the context of the COVID-19 pandemic, many organisations are trying to implement policies and practices that involve the collection of health information of their staff and visitors to their sites to ensure the ongoing monitoring and maintenance of healthy workplaces.
This is an important approach to a public health crisis. However, there are also naturally concerns about individual privacy in the collection and subsequent use of that information. Where can the records be shared? Can individuals who are infected with COVID-19 be identified? What can staff be told about infection rates across the organisation?
While the Privacy Act 1988 (Cth) is relevant to many organisations’ approach to this issue, it is important to note that these sorts of policies and practices can often be accommodated within lawful data handling regimes.
Importantly, while ‘APP entities’ are required to comply with the personal information handling requirements in the APPs, there are certain exceptions to complying with these requirements. APP entities can rely on two key exceptions in order to manage and stop of the spread of COVID-19; the ‘permitted general situation’ exception and the ‘employee records’ exception.
Exceptions
The collection of information from individuals relating to COVID-19 will often involve the collection of health information, which is treated as ‘sensitive information’ under the Privacy Act. It can also involve the collection of government identifiers such as Medicare card details.
In short, APP entities often do not need to comply with certain obligations around the collection of sensitive information and the use and disclosure of personal information and government related identifiers (such as Medicare numbers) if:
- it is unreasonable or impractical to obtain the individual’s consent to that collection, use or disclosure; and
- the APP entity reasonably believes that the collection, use or disclosure is necessary to lessen or prevent a serious threat to the life, health or safety of any individual, or to public health or safety.
This exception is designed to address public health situations like the outbreak of COVID-19.
Given how broad this exception is, the Office of the Australian Information Commissioner has indicated in its APP Guidelines and its recent guidance on COVID-19 that before relying on it, APP entities must:
- be able to justify their belief that use or disclosure of personal information is actually necessary (and not just convenient or desirable) to lessen or prevent a serious threat to the life, health or safety of any individual, or to public health or safety; and
- be able to point to a clear reason why it is unreasonable or impracticable to obtain the relevant individual’s consent to the propose collection, use or disclosure of their personal information. In making this assessment, APP entities will need to balance relevant considerations, including the urgency of the situation and the potential adverse consequences for the individual concerned if their consent is not obtained before the collection use or disclosure.
Additionally, APP entities may be able to rely on the ‘employee record’ exception in collecting, using and disclosing the personal information of their employees in connection with their response to COVID-19.
This exception provides that employee records relating to current or former employment relationships are expressly excluded from the application of the Privacy Act so long as those records are handled in the context of the current or former employment relationship. It is important to note that its key limitation is that it only applies to ‘employees’, and so it does not apply to non-employee staff like contractors, and does not apply to the collection of information from site visitors. We would expect this to be relied on less commonly.
So, while there are clear mechanisms that allow COVID-19 responses to be conducted lawfully, APP entities should ensure that they limit the use of these exceptions to what is necessary to prevent and manage the spread of COVID-19. In this regard, organisations should always seek to minimise the collection of information to begin with, and minimise the level of detail used in subsequent disclosures. For example, it may be necessary to test the temperature of all visitors to site, but it may not be necessary to record that information against their name (or to only record the exceptions). Similarly, it may be necessary to notify staff that an employee has tested COVID-19 positive, but it might not be necessary to name the particular individual. Using a common sense approach that seeks to minimise the collection, publication and dissemination of personal information will help ensure that important social welfare outcomes are achieved while still respecting ongoing privacy obligations.
Thanks to Meena Mutharaman for her assistance in putting this article together.
This publication covers legal and technical issues in a general way. It is not designed to express opinions on specific cases. It is intended for information purposes only and should not be regarded as legal advice. Further advice should be obtained before taking action on any issue dealt with in this publication.
