Protecting personal information in a pandemic

26 March 2020

All Australian organisations are facing unfamiliar challenges and pressures as they manage and adapt their business operations in these unprecedented times. It is definitely not “business as usual”.

However, it is important for businesses not to lose sight of their privacy and data protection obligations during this time. This is particularly so because businesses are collecting more detailed and sensitive information about employees, contractors, visitors and other individuals who interact with their business to help manage the spread of COVID-19, and because many workplaces have moved to remote working arrangements.

  • Organisations should remember their privacy obligations when managing the spread of COVID-19 and maintaining business operations during this pandemic.
  • Personal information that relates to infection with, or exposure to, COVID-19 is sensitive information and is afforded higher protection under law.
  • Extra security measures may be required to ensure security of organisations’ information and data as remote work arrangements become the norm.

Privacy obligations

The Privacy Act 1988 (Cth) (Privacy Act) and the Australian Privacy Principles (APPs) regulate the collection, use and disclosure of personal information.

What constitutes personal information is broad – it is information or an opinion about an identified individual or an individual who is reasonably identifiable. Personal information includes sensitive information, which is afforded higher protection under the Privacy Act. Sensitive information includes information or an opinion about the health of an individual.

Information gathered about an individual that relates to infection with, or risk of exposure to, COVID-19 will be sensitive information under the Privacy Act. Related information about the individual’s symptoms, treatment or general health status will also be sensitive information.

Importantly, organisations should be mindful of their privacy obligations when:

  • collecting information about vaccination status, COVID-19 symptoms and related issues from employees, contractors and visitors to their premises;
  • disclosing information collected about COVID-19 symptoms and related issues within and outside the organisation; and
  • establishing remote working arrangements for employees and contractors.

Using and disclosing sensitive information

Organisations are generally only permitted to use and disclose personal information for the primary purpose for which it was collected. Personal information can also be used and disclosed:

  • with the consent of the individual;
  • for directly related purposes, if the individual would reasonably expect that information would be used or disclosed in that way; or
  • if it is unreasonable or impracticable to obtain the individual’s consent to the collection, use or disclosure, and the organisation reasonably believes that the collection, use or disclosure is necessary to lessen or prevent a serious threat to the life, health or safety of any individual or to public health and safety (Permitted Health Situation).

In current circumstances, it is likely that an individual would reasonably expect their personal information would be used in connection with COVID-19 management measures within a business. Depending on the circumstances, many organisations will also be able to rely on the Permitted Health Situation exemption for purposes related to COVID-19.

However, this is not carte blanche for organisations to deal with the personal information they hold in any way they choose or that is convenient in current circumstances. We strongly recommend organisations continue clear and transparent communication with staff, contractors, visitors and any other person whose personal information they are collecting.

Security and working from home

Remote work arrangements bring flexibility to workplaces and are proving necessary in combatting the spread of COVID-19. With this flexibility comes the potential for organisations to lose some control over the personal information held by their business, and an increased risk of data breaches, fraud and cybersecurity issues.

Organisations must adapt their information and data security measures to ensure reasonable steps remain in place to keep the personal information they hold secure. Robust policies and ongoing communication with staff are essential.

Employee information – OAIC guidance

Helpfully, the Office of the Australian Privacy Commissioner (OAIC) has released guidance for organisations to help keep workplaces safe and handle personal information appropriately as part of the COVID-19 response. The guidance (which can be accessed here) is practical and easy to follow.

Update as of October 2021: Further guidance has recently been issued specifically relating to the handling of COVID-19 vaccination information and can be found here.

We’re here to help

We understand the pressures organisations are facing and are here to help you navigate and adapt in this difficult time.

We can provide practical advice to help your business comply with its privacy obligations, without further worry and disruption to your business.


Disclaimer: This publication contains comments of a general nature only and is provided as an information service. It is not intended to be relied upon as, nor is it a substitute for specific professional advice. No responsibility can be accepted by Rigby Cooke Lawyers or the authors for loss occasioned to any person doing anything as a result of any material in this publication.

Liability limited by a scheme approved under Professional Standards Legislation.

©2020 Rigby Cooke Lawyers