- Businesses must remember their privacy obligations when collecting vaccination status information (and other sensitive information) about employees, contractors and other visitors to the workplace.
- Unless collection is required or authorised by law, informed consent is generally required for the collection of sensitive information.
- Businesses must provide a Collection Notice to all individuals, including employees, even if consent to collection is not required.
- Only the minimum amount of personal information reasonably necessary to prevent or manage COVID-19 or required by law should be collected, used or disclosed.
Byline: Emma Simpson
Our latest news and insights
A collection of case studies and articles highlighting the latest in legal news.

Vaccination status and the Privacy Act

Misleading or deceptive claims in advertising
In a high-profile reminder that claims made in advertising need to be properly substantiated and supported by evidence, the Federal Court has ordered Lorna Jane to pay $5 million in penalties for making false and misleading representations to consumers, and engaging in conduct liable to mislead the public, in connection with its “LJ Shield Activewear”.

Ensure promotional material complies with Australian Consumer Law
This article was first published on 29 June 2021 by AMTIL.
Regardless of how you promote products and services to consumers, it is critical to ensure that all product packaging, advertising materials and marketing collateral complies with Australian Consumer Law (ACL), explain Ian Rosenfeld, Emma Simpson and Ian Liu.

Privacy Week: Australians lose confidence in big brands data protection policies
As Privacy Awareness Week 2021 draws to a close, Rigby Cooke Lawyers are sharing the results of research recently undertaken by Kantar Australia on behalf of the firm, and what this means for businesses.

HR Hot Tip – Is your business doing enough to protect workers’ personal information?
Welcome to our series of HR interviews with Lawyer Monika Nosal who answers some of the most common questions asked by HR managers regarding employees’ legal entitlements.

Myth v Fact – We only have to worry about a data breach if we get hacked
A data breach occurs when personal information is subject to unauthorised access or disclosure or if information is lost in circumstances where unauthorised access or disclosure is likely. A breach must be notified to the Office of the Australian Privacy Commissioner (OAIC) and all affected individuals when one or more individuals are likely to suffer serious harm as a result of the breach.

Myth v Fact – When we share our customers’ personal information with our contractors, their handling practices are not our problem
Turn your mind to the other businesses with which you share personal information – they may be based in Australia or overseas, they may receive personal information about a single customer (for example, to facilitate delivery of an order), or whole databases (for example, to carry out marketing campaigns or store your CRM).

Myth v Fact – We don’t collect sensitive information, so we don’t need to worry
It is a common misconception that ‘personal information’ is a reference to sensitive information like health, medical or financial information. This is not true. Personal information captures any information about an identifiable person.

Privacy Week wrap up – What have we learnt?
As Privacy Awareness Week 2020 draws to a close we reflect on what businesses can do to ‘Reboot your privacy’ as well as some current hot topics in the Australian privacy space:

Data Breach – the first “Class Action” complaint made against Optus
- Many Australian businesses must disclose when they have been affected by a data breach
- While reputational damage is a critical risk for businesses, there is also the threat of monetary penalties of up to $2.1 million and orders of uncapped compensation
- A representative complaint – similar to a class action – has been made against Optus on behalf of a group of individuals affected by an alleged breach in 2019.

Myth v Fact – Small Business and the Privacy Act
We’re a small business. The Privacy Act and Notifiable Data Breach Scheme don’t apply to us.
Generally, businesses do not need to comply with the Privacy Act until their annual turnover reaches $3 million. However, some businesses are required to comply regardless of their size.

Privacy and Working From Home
- Privacy Awareness Week – an opportunity for all organisations to ‘Reboot your privacy’
- Organisations are responsible for the actions of their employees – this calls for innovation when ensuring the security of personal and confidential information in the “home office”
- To be effective, privacy and security arrangements must include appropriate training, clear and documented policies and procedures and management oversight.

Landlords, take advantage of COVID-19 insolvency legislative reform: now is the time to register security interests in cash security deposits on the PPSR
- Landlords should register security interests on the PPSR in cash security deposits or cash bonds paid under a commercial or retail leases

Notifiable Data Breaches scheme – do you know when you need to notify?
The Commonwealth Notifiable Data Breaches (NDB) scheme has now been in place for over 18 months and has been widely publicised. Your organisation should be aware of its obligations and have a data breach response plan in place so that quick action can be taken if a breach occurs or is suspected to have occurred.