Nothing can stop us from talking about privacy, including a pandemic! Yesterday, the Office of the Australian Information Commissioner (OAIC) issued guidance on the collection, use and disclosure of personal information during the COVID-19 pandemic (Guidance).
It mainly serves as a reminder to organisations that even in these pressing times, they must comply with the Australian privacy regime. However, it also highlights what organisations can collect and do with personal information for the purposes of preventing and managing the spread of COVID-19.
Our key takeaways highlight what organisations can collect and what they can then do with the information. These include:
- Primary purpose of collection – organisations can collect personal information, including sensitive health information, from their employees or visitors and then use or disclose it if the use or disclosure is related to the primary purpose of collection. In these circumstances, organisations collecting health information for the purpose of preventing or managing the risk and/or reality of COVID-19 can use and disclose that information to ensure that necessary precautions are adopted in relation to that individual and any other individuals.
- Permitted general situation – a ‘permitted general situation’ exists where the collection is undertaken to ‘lessen or prevent a serious threat to the life, health or safety of any individual, or to the public health or safety’. In the current pandemic environment, organisations can collect, use and disclose necessary health information of their employees and visitors if the aim in doing so is to assist in preventing the spread of COVID-19.
- Employee exemption – organisations can also rely on the employee records exemption under the Australian privacy regime, which exempts organisations from having to comply with the requirements of the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles.
While organisations may have wide powers to collect, use and disclose personal information from their employees and visitors to assist in containing the pandemic, the Guidance reinforces that organisations must still limit the collection, use and disclosure of personal information to only what is necessary to prevent and manage the spread of COVID-19. Organisations should therefore avoid collecting information that goes beyond what is reasonably necessary for this purpose, and must still take reasonable steps to keep the information secure from unauthorised disclosure and access.