If you are an entity that is regulated by the Privacy Act 1988 (Cth) ("Privacy Act") then you need to ensure you continue to comply with your privacy obligations even when dealing with employee and consumer information in relation to the COVID-19 pandemic.
Entities should be taking reasonable steps to ensure that they keep the personal information of employees and consumers secure by only collecting, using and disclosing personal information regarding COVID-19 if it is absolutely necessary to prevent and manage COVID-19 within the workplace.
If you or your business is collecting, using or disclosing personal information in relation to COVID-19 then you need to either gain the individual's consent to use their information or ensure that the collection, use or disclosure is reasonably necessary to prevent and manage COVID-19 in the workplace.
For example, it may only be reasonably necessary to collect information if an employee or consumer has been overseas, in contact with a confirmed case of COVID-19 or if they have tested positive to COVID-19. Furthermore, it may not be reasonably necessary to disclose the identity of the individual who has tested positive to coronavirus and instead it may only be reasonably necessary to inform staff and consumers that they will need to be tested and self-isolate. What is considered reasonably necessary to be collected or disclosed will depend on your particular circumstances. To determine what information is necessary to disclose to prevent and manage COVID-19 you should contact the Department of Health.
This is a good time to review your current privacy policy to ensure compliance with the Privacy Act when dealing with the personal information of your staff and consumers. For further information on what to consider within your privacy policy please look at our previous article from June 2019.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
