Navigating privacy issues involving contact tracing data: A checklist for Australian businesses

It has become commonplace during the COVID-19 lockdown phase for businesses to require contact tracing information from visitors to their premises. Contact tracing is “a way of slowing the spread of infections by identifying people who have been in contact with an infected person”.[1]

Information sought by businesses from visitors may involve just a name and contact details, or it might extend to temperature checks or particulars of symptoms which have become synonymous with the coronavirus.

Whilst many businesses have been conscientious in procuring this information, not all may be aware of their rights and obligations in handling that information once collected.

This paper focusses on the extent to which privacy restraints apply to contact tracing information collected by organisations in the private sector. A surprising number of factors require consideration.

RELEVANT AUSTRALIAN LEGAL PRINCIPLES

Australia has a complex statutory framework regulating privacy and data protection rights and obligations.

Of primary significance is the Privacy Act 1988 (Cth) (Privacy Act) which, through the 13 Australian Privacy Principles (APPs) appearing in Schedule 1, establishes the fundamental rules to be observed by the private sector and Commonwealth public sector when handling personal information.

For the purposes of this discussion, the key APPs are APP 3, APP 6 and APP 11.  Put very simply:

  • APP 3 (Collection of solicited personal information) provides that an entity must not collect personal information unless it is necessary for one or more of its functions;
  • APP 6 (Use or disclosure of personal information) provides that an entity must only use personal information in a manner consistent with the primary purpose or reasonably related secondary purpose of collection, other than in exceptional situations such as where the individual has consented[2] or where the use or disclosure is authorised under an Australian law[3]; and
  • APP 11 (Security of personal information) provides that an APP entity must take reasonable steps to protect information from misuse, interference, loss, unauthorised access, modification or disclosure.[4] It must also destroy or de-identify personal information when it is no longer needed in connection with the original purpose of collection.[5]

The Privacy Act does not seek to regulate the activities of State and Territory public sector agencies.  For this reason, most State and Territory governments (with the exception of Western Australia and South Australia) have enacted their own legislation in relation to personal information held by their respective agencies.[6]  This paper will focus just on the private sector which is subject to the Privacy Act.

As discussed below, there are various situations in which the Privacy Act does not apply.  Nevertheless, the handling of personal information in such circumstances may be subject to other legislation in some jurisdictions, the prime example being health records legislation which operates in Victoria, NSW and ACT.

The checklist below is designed to assist businesses in navigating this complex field.

CHECKLIST FOR AUSTRALIAN BUSINESSES

Fourteen issues of potential relevance to the collection of contact tracing information are set out below.

(1)  Determine whether the collecting organisation is a small business

This is a fundamental question from a privacy perspective because businesses with an annual turnover of $3 million or less are, with some exceptions[7], totally exempt from the Privacy Act.[8] This does not, however, mean that such a business is exempt from other legislation, such as health records legislation (where applicable).

(2)  Determine whether the individual is an employee, contractor, service provider, patron, visitor or other

This distinction is important because an organisation is not required to comply with the Privacy Act in relation to the handling of “employee records” in matters directly related to a current or former employment relationship.[9] Again, this does not mean the organisation is exempt from other legislation which may impact the handling of employees’ information, such as health records legislation (where applicable).

(3)  Consider the implications of collecting health information (e.g. temperature or symptoms)

This consideration is important for two reasons: first, the Privacy Act (where applicable) applies additional constraints to the handling of health information, and secondly, the handling of health information which forms part of a health record (whether or not the Privacy Act is applicable) may be subject to specific privacy constraints under health records legislation.

Under the Privacy Act, “sensitive information” is a sub-category of “personal information”. “Health information”[10] falls within the definition of “sensitive information”.[11] Additional controls applicable to the handling of “sensitive information” include the fact that it can only be collected with the consent of the individual unless, inter alia, the collection is authorised by an Australian law.[12]

Where health information is retained in a “health record”, it will be the subject of specific data protection regulation under legislation in force in Victoria, NSW and ACT.[13] Significantly, this legislation contains in each case Health Privacy Principles, not dissimilar to the Australian Privacy Principles, which will apply to the handling of health records even in circumstances which would otherwise be exempt under the Privacy Act (such as where the collector of the information is a small business, or the data subject is an employee of the collector).

(4)  Ensure the collection of contact tracing data is lawful

APP 3.5 requires that personal information must only be collected by lawful and fair means. This means, among other things, that the reason for collection must be justifiable and transparent, and the means of collection must not be surreptitious.

Under APP 3.3, collection of personal information from an individual is not lawful unless “the information is reasonably necessary for one or more of the entity’s functions or activities”. This generally means that there must be a logical connection between information which an entity collects, and the business which the entity runs.

The justification for collection is not necessarily confined to purposes associated with the entity’s specialist business activity, however. It also embraces the work environment.

Businesses have a statutory obligation to maintain a safe workplace.[14] This means providing and maintaining, as far as is reasonably practicable, a working environment which does not pose risks to the health of employees, and this in turn extends to controlling risks associated with COVID-19 in the workplace.[15] In the absence of any other justification, this will generally legitimise the collection of contact tracing data.

Collection will also be lawful where it is specifically authorised, or mandated, by law. This is particularly relevant in the context of the response of Australian governments to the coronavirus pandemic. Numerous workplace-specific laws have been enacted, as discussed below in relation to “prescribed businesses”.

(5)  Consider whether, and to what effect, express or implied consent accompanies the collection

Many restrictions on the handling of personal information can be circumvented with the consent of the individual. This includes the collection of sensitive information[16], together with the use or disclosure of personal information[17], in circumstances which would not be authorised by APP 3 or APP 6 respectively.

Consent may, for these purposes, be express or implied.[18] Either way, it must be voluntary and informed.[19]

Businesses must be very clear as to how they will use the information collected. In appropriate circumstances, it may be possible to provide a written summary to the individual before the information is collected.

Consent can be implied if an individual proceeds to volunteer the information after being provided with a full explanation of the intended use, even if the individual opts not to read or absorb it.  Individuals must, however, be given a genuine opportunity to fully inform themselves and must remain free to decline to provide the information. At the same time, admission to premises may be denied to a person who declines to cooperate.

(6)  If you are a small business, consider the implications of including health information in contact tracing data

For the reasons stated above:

(a) except in the case of health information, the collection of personal information by a small business is not regulated by the Privacy Act;

(b) if health information is collected, and if it is collected in Victoria, NSW or the ACT, that information must nevertheless be handled in accordance with the applicable health records legislation.

(7)  When collecting from an employee, consider the implications of including health information

For the reasons stated above, if contact tracing information is collected from the employee of a business:

(a) except in the case of health information, the collection of personal information is not regulated by the Privacy Act;

(b) if health information is collected from the employee, and if it is collected in Victoria, NSW or the ACT, that information must be handled in accordance with the applicable health records legislation.

(8)  When collecting from a non-employee, be aware of both privacy and health principles

For the reasons stated above, if contact tracing information is collected by a business from a contractor or other non-employee seeking to enter its premises:

(a) the collection and handling of that information is subject to the Privacy Act and, in particular, APPs 3, 6 and 11; and

(b) if health information is collected from the contractor as part of the contact tracing information, and if it is collected in Victoria, NSW or the ACT, that information must also be handled in accordance with the applicable health records legislation.

(9)  Be aware of any additional privacy obligations applicable to a “prescribed business”

For the purposes of this paper, a “prescribed business” is a business of a type which is subject to specific laws enacted in response to the COVID-19 pandemic. By way of one example, restaurants in Victoria have been the subject of directions issued by the Chief Health Medical Officer which have statutory force.[20]

Unless and to the extent that the business is subject to the small business exemption or the collection of information is subject to the employee record exemption, the business must comply with APPs 3, 6 and 11 in its handling of the information.

If health information is collected by the business from individuals located in Victoria, NSW or ACT, it must also comply with its obligations under the applicable health records legislation.

Additional obligations may also arise, however, by virtue of the statutory instrument which applies specifically to a business of that nature. Hence, again using Victorian restaurants as an example, rules applicable following the end of the first lockdown included[21] the mandatory collection of the name and telephone number of each patron; retention of the information for 28 days but no longer; and a prohibition on disclosure to any third party other than the Victorian Department of Health and Human Services.

Care must be taken by businesses in this category to familiarise themselves with their current obligations in the fluid coronavirus legal environment. Continuing with the restaurant example, businesses were required to “use reasonable endeavours to implement recommendations by the Victorian government to manage public health risks arising out of the operation of the facility”. This wording raised questions as to what constitutes “reasonable endeavours” and what constitutes a “recommendation”.

(10)  Only release contact tracing data to a third party with consent or as authorised by law

As mentioned above, many statutory privacy restrictions can be circumvented with the consent of the individual concerned.

Under APP 6, personal information may only be used in connection with the original purpose of collection or a related secondary purpose.

APP 5 requires that, at the time of collection, an individual is informed as to whether the information may be released to a third party and, if so, to whom.[22]

Accordingly, an individual should be made aware at the time of collection how their contact tracing information may be used, including whether it will be disclosed to a third party. If the individual would not reasonably expect their information to be used or disclosed in a particular manner at the time it was collected, that usage or disclosure is not permitted unless a law subsequently comes into force mandating its disclosure to, say, the Department of Health or other government agency.

(11)  Ensure appropriate security mechanisms are in place

Contact tracing information collected by a business from an individual must, like any other personal information, be kept secure. The business must take “reasonable steps” to protect the information from, amongst other things, loss or interference.

In practical terms, this means that the information should be stored in a responsible manner; lists of collected information should not be left visible to the public; and when no longer required, the information should be destroyed or effectively de-identified.[23] Disposal of hard-copy lists of information in a recycle bin, for example, may not satisfy these requirements.

(12)  Only retain contact tracing information whilst it remains relevant or as otherwise required by law

Contact tracing information should not be retained by a business indefinitely. APP 11.2 requires that it be destroyed or de-identified when no longer required in connection with the original purpose of collection. It cannot be retained purely as a historical record or in anticipation that it “might” be required by a government agency or medical authority “if the law changes in the future”.

Again, much depends upon the expectations of the individual, as imparted by the business at the time of collection. In the absence of an understanding between the business and the individual to the contrary, however, and in the absence of a legally binding determination mandating retention for a specific period, contact tracing data can generally be assumed to have passed its relevant period of retention after 28 days.[24]

(13)  Consider parallel confidentiality constraints

It should be borne in mind that privacy legislation may not be the only source of restriction on the disclosure of personal information collected for contact tracing purposes. Confidentiality obligations may also apply.

Privacy and confidentiality are different concepts from a legal perspective. Privacy laws regulate the use of personal information whether or not that information is in the public domain; equitable confidentiality obligations apply to information which is not in the public domain and which is disclosed in the expectation that it will not be released to an unauthorised third party.

Whilst the use of contact tracing information in a manner consistent with the express or implied consent of the individual is unlikely to raise privacy or confidentiality issues, a breach of privacy may simultaneously constitute a breach of confidentiality, and the exposure of a business to a claim for damages by the individual could be more significant.

(14)  Do not insist that an individual download the COVIDSafe app

On 15 May 2020, amendments in the form of a new Part VIIIA were introduced into the Privacy Act to accompany the rollout of the Commonwealth government’s COVIDSafe contact tracing app.[25] The amendments regulate the use of “registration data” and “COVID app data” and in large part are designed to reassure the public that the data will not be misused by government agencies.[26]

Of relevance to the collection of contact tracing data by the private sector, it is important to note the potential effect of the new section 94H of the Act. Section 94H creates an offence punishable by up to 5 years’ imprisonment in circumstances where one person requires another person to download the COVIDSafe app.

As a consequence, employers need to avoid mandating a download by their employees, and businesses need to be cautious about limiting admission to their premises to persons who can demonstrate that they have downloaded the app, although in the latter case it may not be an offence if the individual has a realistic option or alternative to entering the premises.

*Dr Hughes is update editor of Trade Secrets and Privacy (update service, Thomson Reuters), author of Dean’s Law of Trade Secrets & Privacy (3rd ed., Lawbook Co 2018) and co-author with Prof Margaret Jackson of Private Life in a Digital World (Thomson Reuters, 2015). 

[1] Health Direct, https://www.healthdirect.gov.au/contact-tracing#:~:text=Contact%20tracing%20is%20a%20way%20of%20slowing%20the,to%20help%20prevent%20the%20spread%20of%20the%20condition.

[2] APP 6.1(a)

[3] APP 6.2(b)

[4] APP 11.1

[5] APP 11.2

[6] Privacy and Data Protection Act 2014 (Vic), Privacy and Personal Information Protection Act 1998 (NSW), Information Privacy Act 2009 (Qld), Personal Information Protection Act 2004 (Tas), Information Privacy Act 2014 (ACT), Information Act (NT). South Australia does not have legislation but does have an administrative instruction, PCO12 – Information Privacy Principles Instruction

[7] This exemption does not extend to small businesses engaged in certain activities, including the provision of health care, the provision of credit reporting services, the sale of personal information for profit, businesses which are providing a service to the Commonwealth and businesses which are specifically prescribed by the Attorney-General in consultation with the Privacy Commissioner: see s 6D(4).

[8] Privacy Act s 6C.  Specifically, s 6C excludes “small business” from the definition of “organisation”, and s 6D(1) defines “small business”.

[9] Privacy Act s 7B(3)

[10] Privacy Act s.6 (definitions)

[11] “Health information” is defined in s 6FA of the Act

[12] APP 3.4(a)

[13] Health Records Act 2001 (Vic); Health Records and Information Privacy Act 2002 (NSW); Health Records (Privacy and Access) Act 1997 (ACT)

[14] Each State and Territory has its own occupational health and safety legislation: e.g. Occupational Health and Safety Act 2004 (Vic), Work Health and Safety Act 2011 (NSW), Work Health and Safety Act 2011 (Qld), Occupational Health and Safety Act 1984 (WA), Work Health and Safety Act 2012 (Tas), Work Health and Safety Act 2012 (SA), Work Health and Safety Act 2011 (ACT), Work Health and Safety (National Uniform Legislation) Act 2011 (NT)

[15] See Worksafe Victoria, Exposure to coronavirus in workplaces, https://www.worksafe.vic.gov.au/safety-alerts/exposure-coronavirus-workplaces

[16] APP 3.4(a)

[17] APP 6.1(a)

[18] Privacy Act s.6 (definition of “consent”)

[19] See OAIC, Australian Privacy Principles Guidelines, paras B34 – B58

[20] The state of emergency issued by the Victorian government gave the Chief Medical Officer the power to make directions under the Public Health and Wellbeing Act 2008 (Vic). Other businesses which have been the subject of COVID-19 specific restrictions include recreation facilities, community facilities, libraries, stadiums, hairdressers, places of worship, swimming pools, auction houses and museums.

[21] See Restricted Activity Directions (No 12)

[22] APP 5.2(f)

[23] For guidance, see, e.g., OAIC, Privacy Business Resource 4 – De-identification of Data and Information

[24] Twenty-eight days is recommended by the Victorian Department of Health and Human Services. See DHHS, Record keeping for contact tracing - information for business, https://www.dhhs.vic.gov.au/record-keeping-contact-tracing-covid-19

[25] Privacy Amendment (Public Health Contact Information) Act 2020 (Cth)

[26] See, specifically, Privacy Act s 94D
