The Office of the Australian Information Commissioner (OAIC) has now released comprehensive guidance aimed at Australian government agencies and businesses on their privacy obligations under the Privacy Act 1988 (Cth) (Privacy Act) in the context of COVID-19. The OAIC guidance can be found here.
The OAIC has provided guidance on the handling of information, particularly health information, which is considered sensitive information and afforded higher protections under the Privacy Act, and has also addressed frequently asked questions.
For organisations subject to the Privacy Act, the key take-aways are to:
- Carefully consider the types of information you are collecting, using or disclosing in relation to COVID-19, and the basis of that collection, use or disclosure. As a general rule, personal information (including health information) should be used or disclosed on a ‘need-to-know’ basis and only as reasonably necessary to manage COVID-19. Consider if any exceptions might apply to the information you collect, such as the employee records exemption under the Privacy Act.
- Review, update and communicate business policies and procedures around securing personal information, particularly if employees are working remotely. We recommend reviewing your computer and device use policy, cyber security strategy and any staff training policies.
For any assistance, or to discuss the privacy law implications of COVID-19, please contact our team.
For more information on specific employment law implications of COVID-19, please see our client alert here.
Thank you to Sarah Lee, Associate, for her help in preparing the alert.