In response to the coronavirus pandemic and to help ‘stop the spread’ we have seen several organisations and government departments seek additional information from staff and visitors, including as a condition of entry. These questions can include whether the person has been overseas in the last 14 days, whether they have flu like symptoms or whether they have come into contact with anyone who has had a confirmed case of COVID-19. Whilst these may seem like relatively inoffensive questions, they are personal. Where do organisations stand in relation to their privacy obligations when capturing this additional sensitive information? What are people’s rights of refusal? Do organisations have a duty of care to staff and visitors?
In this article, Intellectual Property Partner, Andrew Nicholson, answers five commonly asked questions around an organisation’s obligations under the Privacy Act during the coronavirus pandemic.
Can we collect information from employees or visitors in relation to COVID-19?
Yes. Consistent with the collection of all personal information under the Privacy Act, you should collect as little information as is reasonably necessary for preventing or managing COVID-19. That might include whether the person has, or has been exposed to a known case of COVID-19, or has a close contact who has been exposed.
Note that the collection of employee records is an exemption under the Privacy Act, but policies can be implemented addressing the obligations of staff in relation to COVID.
Are there additional obligations?
Yes. Personal information relating to the health of an individual is regarded as sensitive information and is subject to additional obligations under the Privacy Act.
In particular, an entity can collect health information about individuals if:
- the individual gives consent (express or implied) to its collection, and
- the information is reasonably necessary or directly related to, one of its functions. In most cases that will include the duty to prevent or manage COVID-19.
Consent is not necessary if a ‘permitted general situation’ exists, which will include where the collection is undertaken to lessen or prevent a serious threat to the life, health or safety of any individual, or to public health or safety.
Can we inform others that an employee or visitor may have contracted COVID-19?
Yes. Individuals can consent to the disclosure of sensitive information and it is always preferable to obtain consent from the individual involved before making that disclosure. If consent isn’t provided, then it will be necessary to assess the position under the Act.
Generally, it will be permissible to inform staff that a colleague or visitor has or may have contracted COVID-19 but you should only disclose personal information that is reasonably necessary in order to prevent or manage COVID-19. For example, depending on the circumstances, it may not be necessary to reveal the name of an individual in order to prevent or manage COVID-19, or the disclosure of the name of the individual may be restricted to a limited number of people on a ‘need-to-know basis’.
Care should be taken before considering whether to disclose the identity of an individual and advice can be sought from the Department of Health (Qld).
Should we be proactive?
Yes.
Relatively simple steps can be taken by, for example, publishing an addendum to an existing privacy policy to notify interested persons (staff and visitors) how their personal information will be treated in relation to COVID-19. That could be posted to a website and also at relevant points within a facility.
Staff policies may also be implemented as noted above.
Are there any additional steps that organisations should be taking where they collect information from people as a condition of entry?
Organisations collecting information from people as a condition of entry (such as asking people to identify themselves, have their temperature checked, declare whether they have travelled overseas recently, declare they have no current health issues, or provide evidence of an up to date flu vaccination) need to notify people they are collecting this sensitive health information and obtain consent from the individual.
If an organisation is collecting that information and keeping a record of it (which no doubt they would) then it will amount to the collection of sensitive (health) information. The consent of persons should be obtained for the collection of sensitive personal information, and this should preferably be obtained in writing.
People should also be notified that the information is being collected. This can be done by various means, including by placing notices and referring them to a website. The consent should be specific and consistent with the existing policies of the organisation.
If someone doesn’t (or refuses) to consent, then the collection of the information may still be a permitted general exemption exists – including where the information is collected to lessen or prevent a serious threat to the life, health or safety of an individual or to the public health or safety. That is also consistent with duties of care to staff and visitors.
Once the information is collected it should only be retained for as long as is necessary – so there may need to be a review of procedures if records aren’t regularly removed.
In summary
Most organisations will be able to adequately address the position in relation to the collection of additional personal information by incorporating an addenda to their privacy policy and staff policies.
Those addenda should be specific and provide for the consent from individuals to the collection and use (in the event that it is necessary to disclose a COVID event) of the information.
No doubt organisations will need to consider those requirements in line with their duty of care obligations to staff, visitors and others. We can expect that to be the new normal for a number of months – at least while Government impose restrictions remain active.
