Many business owners are uncertain about their rights and responsibilities in relation to collecting and handling health information about employees and workplace visitors in the context of the coronavirus pandemic.
Common questions include: (1) am I permitted to collect this information, (2) how much can I reveal to others about the information collected, and (3) in the case of employees, does the employee record exemption in the Privacy Act in some way alleviate my responsibilities as an employer?
Collection
“Health information” falls within the definition of “sensitive information”, which is regulated by the Privacy Act 1988 (Cth). “Sensitive information” is a subset of “personal information” but is subject to more stringent rules.
Australian Privacy Principle (APP) 3.3(a) provides that a private sector organisation may not collect sensitive information unless the individual consents and the information is “reasonably necessary” for one of the organisation’s functions or activities.
It may be that in most instances it is “reasonably necessary” for any business to ascertain whether an employee or visitor has been exposed to COVID-19. Ultimately, this will not be the point – the individual’s consent is required either way.
Some may point to APP 3.4(a) and (b) which permit the collection of sensitive information without an individual’s consent if a “permitted general situation” or a “permitted health situation” exists. These concepts are defined in sections 16A and 16B respectively.
Section 16A embraces the collection of information where this is necessary to “prevent a serious threat to life, health or safety of any individual, or to public health and safety”. However, this exemption is only applicable where it is “unreasonable or impractical to obtain the individual’s consent”, a scenario unlikely to apply in most cases to an employee or visitor seeking access to business premises. The scenario could arise, nevertheless, if an employer was advised by a third party that their employee was a person at risk who had failed to self-isolate.
In any event, the Australian Information Commissioner suggests that appropriate information to collect might be as simple (and as limited) as whether:
- the individual or a close contact has been exposed to a known case of COVID-19; and
- the individual has recently travelled overseas and to which countries.
Section 16B, dealing with “permitted health situations”, is of less relevance to most businesses, being essentially confined to circumstances involving the provision of a health service or the conduct of health research.
To be classified as “reasonably necessary”, the information collected from individuals must be the minimum reasonably required for the purposes of the business. In this regard, the Australian Information Commissioner has surmised:
“In order to manage the pandemic while respecting privacy, agencies and private sector employers should aim to limit the collection, use and disclosure of personal information to what is necessary to prevent and manage COVID-19, and take reasonable steps to keep personal information secure.”
Businesses collecting such information should also remain aware of APP 5 – at the time of collection, individuals should be given, amongst other things, contact details of the collecting organisation if they do not already have them, the purpose of collection and the consequences of not consenting (i.e. refusal of admission to the premises, or some other outcome). In this regard, the Australian Privacy Commissioner suggests that business owners should consider taking steps in advance to notify staff of how their personal information will be handled in responding to any potential or confirmed case of COVID-19 in the workplace.
Disclosure
APP 6 sets the parameters for how personal information may be used once it has been lawfully collected. Essentially, it must be used only for the “primary purpose of collection” or a reasonably related “secondary purpose”.
According to the Australian information Commissioner, the “primary purpose of collection” of information regarding a person’s health, and more specifically about whether someone may have been exposed to COVID-19, is “to prevent or manage the risk and/or reality of COVID-19 to ensure that necessary precautions can be taken in relation to that individual and any other individuals that may be at risk”. The information can only be used for that purpose or for a secondary purpose which the individual would reasonably expect and which is related to the primary purpose.
Again, an exception to the constraints on disclosure applies where a “permitted general situation” exists, as defined in section 16A.
Security
Once lawfully collected, any information pertaining to an individual’s COVID-19 status must be held by the business in accordance with the APPs.
There is a risk that curiosity will drive some workmates to seek access to, or to disclose, information regarding the identity of a COVID-19 sufferer within the business. The release of any such information must be handled by management in a structured way which complies with APP6.
In particular, businesses should be aware that, in addition to a distinct obligation of confidence owed to the individual, APP 11.1 requires that reasonable steps be taken to avoid the misuse of the information or any unauthorised access to or disclosure of the information.
APP 11.2 requires the information to be destroyed or de-identified when no longer required. The Privacy Act will not require deletion of health information from an employee record, however, due to the employee record exemption (discussed below), although in applicable States and Territories deletion may be required from an employee record by virtue of their health records legislation (also discussed below).
Small business exemption
Not every business is bound by the Privacy Act. Businesses with an annual turnover of $3 million or less are, with some exceptions, totally exempt from compliance with the Act by virtue of section 6C. This exemption does not extend to health care providers. Also, it does not extend to the handling of health information by small businesses in jurisdictions which are subject to additional health records legislation, as discussed below.
Employee record exemption
By virtue of section 7B(3) of the Privacy Act, an act or practice engaged in by an organisation is, in most instances, exempt from regulation under the Act if it is directly related to an employee record of a current or former employee.
Health information recorded by the employer in relation to an employee falls within the definition of “employee record” in section 6 of the Act. The exemption only applies, however, where the record is used in the context of the employment relationship, so careful thought should be given as to whether any proposed collection – or more particularly disclosure – of health information attached to an employee record is taking place in this context.
The scope of the employee record exemption must also be considered in light of the possible application of State or Territory health records legislation, however.
Health records legislation
It is necessary to take account of health records legislation which exists in Victoria, New South Wales and the ACT. Under this legislation, known in Victoria (by way of example) as the Health Records Act 2001, an additional layer of regulation may apply to health information collected or managed within the workplace.
Health Privacy Principles, which in a broad sense mirror the APPs, constrain the use of health information in much the same way as the APPs – but significantly, they will apply regardless of the employee record exemption and regardless also of the small business exemption.
OAIC Guide
On 1 April 2020, the Office of the Australian Information Commissioner published a Privacy Guidance in relation to the handling of personal information in the context of the coronavirus pandemic. This can be accessed here.