Coronavirus (COVID-19): understanding your privacy obligations to your staff

<!doctype html> <html lang="en"> <head> <title>Coronavirus (COVID-19): understanding your privacy obligations to your staff | OAIC</title>  <meta charset="utf-8"> <meta name="mobile-web-app-capable" content="yes"> <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, minimum-scale=1.0"> <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">  <meta name="dcterms.title" content="Coronavirus (COVID-19): understanding your privacy obligations to your staff"> <meta name="dcterms.creator" content="OAIC"> <meta name="dcterms.created" content="2022-09-08T14:53:03+10:00"> <meta name="dcterms.modified" content="2023-10-17T17:20:08+11:00"> <meta name="dcterms.issued" content="2023-03-10T16:35:34+11:00"> <meta name="dcterms.format" content="HTML"> <meta name="dcterms.identifier" content="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/covid-19/coronavirus-covid-19-understanding-your-privacy-obligations-to-your-staff">    <meta name="publishedDate" content="10 March 2023"> <meta name="publishedDate_ISO" content="2023-03-10T00:00:00+11:00"> <meta name="description" content="Guide to help entities regulated by the Privacy Act 1988 to understand their privacy obligations in the context of the pandemic." /> <meta name="pdISO" content="2023-03-10T00:00:00+11:00" /> <meta name="robots" content="" />  <meta name="chapter-nav" content="no" /> <meta name="chapter-nav-prev" content="" /> <meta name="chapter-nav-next" content="" /> <meta name="chapter-nav-prev-btn-text" content="Previous chapter" /> <meta name="chapter-nav-next-btn-text" content="Next chapter" /> <meta name="background_color" content="chapter-navigation__wrapper--white" />  <meta name="show-related-articles" content="no" /> <meta name="topic" content="" /> <meta name="contentType" content="" /> <meta name="featuredNews" content="no" /> <meta name="author-name" content="" /> <meta name="author-title" content="" /> <meta name="author-image" content="" />  <meta name="type" content="web" />  <meta name="showFeedbackWidget" content="yes" /> <meta name="showShareWidget" content="yes" />  <meta itemprop="name" content="Coronavirus (COVID-19): understanding your privacy obligations to your staff" /> <meta itemprop="description" content="Guide to help entities regulated by the Privacy Act 1988 to understand their privacy obligations in the context of the pandemic." /> <meta itemprop="image" content="" />  <meta name="twitter:card" content="summary" /> <meta name="twitter:site" content="@OAICgov" /> <meta name="twitter:title" content="Coronavirus (COVID-19): understanding your privacy obligations to your staff" /> <meta name="twitter:description" content="Guide to help entities regulated by the Privacy Act 1988 to understand their privacy obligations in the context of the pandemic." /> <meta name="twitter:image" content="" />  <meta property="og:title" content="Coronavirus (COVID-19): understanding your privacy obligations to your staff" /> <meta property="og:type" content="website" /> <meta property="og:url" content="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/covid-19/coronavirus-covid-19-understanding-your-privacy-obligations-to-your-staff" /> <meta property="og:image" content="" /> <meta property="og:description" content="Guide to help entities regulated by the Privacy Act 1988 to understand their privacy obligations in the context of the pandemic." /> <meta property="og:site_name" content="OAIC" /> <meta property="article:published_time" content="2023-03-10T16:35:34+11:00" /> <meta property="article:modified_time" content="2023-10-17T17:20:08+11:00" /> <meta property="article:tag" content="" /> <meta name="theme-color" content="#fafafa">  <script src="//cdn-oc.readspeaker.com/script/9755/webReader/webReader.js?pids=wr" type="text/javascript" id="rs_req_Init"></script>  <script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start': new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0], j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src= 'https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f); })(window,document,'script','dataLayer','GTM-PTH9SP3B');</script>   <meta name="google-site-verification" content="sQVHBUKhjuCjBjithPialZYhGQ5SPKwjb1_rY8OqsjA" /> <link rel="stylesheet" href="https://www.oaic.gov.au/__data/assets/git_bridge/0012/12063/main.css?h=06ed308"> <link rel="stylesheet" href="https://www.oaic.gov.au/__data/assets/css_file/0024/240585/custom.css?v=0.1.202">  <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/bootstrap-icons@1.11.3/font/bootstrap-icons.min.css"> <link rel="preconnect" href="https://fonts.googleapis.com"> <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin> <link href="https://fonts.googleapis.com/css2?family=Source+Code+Pro:ital,wght@0,200;0,300;0,400;0,500;0,600;0,700;0,800;0,900;1,200;1,300;1,400;1,500;1,600;1,700;1,800;1,900&display=swap" rel="stylesheet">  <link rel="shortcut icon" href="https://www.oaic.gov.au/__data/assets/image/0016/14182/favicon-32x32.png"> <link rel="apple-touch-icon" href="https://www.oaic.gov.au/__data/assets/image/0015/14181/apple-touch-icon.png">  </head> <body class="inside">  <section class="cookie-banner" aria-labelledby="cookie-heading"> <h2 class="visuallyhidden" id="cookie-heading">We use cookies on this site</h2> <div class="cookie-banner__content"> <div> <p>We use cookies to analyse traffic and to improve your browsing experience on our website. To find out more, read our <a href="https://www.oaic.gov.au/about-the-OAIC/our-corporate-information/plans-policies-and-procedures/privacy-policy">privacy policy</a>.</p> </div> <button class="cookie-banner__close primary-button" id="close-cookie-banner" aria-label="Close and accept cookie policy">Close</button> </div> </section>   <div class="skip-to-content"> <a href="#main-content-area" class="skip-to-content__link visuallyhidden focusable">Skip to main content</a> </div>  <div class="page-wrapper">     <header class="site-header"> <div class="utility-nav"> <div class="utility-nav__wrapper"> <a href="/news" class="utility-nav__link ">News</a> <a href="/about-the-OAIC/join-our-team" class="utility-nav__link ">Join our team</a> <a href="/contact-us" class="utility-nav__link ">Contact us</a> </div> </div> <div class="header-content"> <a href="https://www.oaic.gov.au" class="header-logo"> <img src="https://www.oaic.gov.au/__data/assets/file/0020/13664/oaic-header-logo.svg" alt="OAIC - Australian Government - Office of the Australian Information Commissioner"> </a> <button class="mobile-menu" aria-controls="header-nav" aria-expanded="false"> <img class="menu-icon menu-icon--burger" src="https://www.oaic.gov.au/__data/assets/git_bridge/0012/12063/mysource_files/hamburger-menu.svg" alt="open menu"> <img class="menu-icon menu-icon--close" src="https://www.oaic.gov.au/__data/assets/git_bridge/0012/12063/mysource_files/cancel-icon-white.svg" alt="close menu"> </button> <div class="search-container search-container--header"> <form class="input-form" action="https://www.oaic.gov.au/search" data-action="https://www.oaic.gov.au/search?SQ_ASSET_CONTENTS_RAW"> <input name="query" autocomplete="off" id="autoComplete" placeholder="Search…" class="search-box" aria-label="Search input" data-autocomplete-endpoint="https://dxp-au-search.funnelback.squiz.cloud/s/suggest.json?collection=113e9365-ffcc-4320-a995-5c1b98bea3bb~sp-oaic-web-new&profile=auto-completion-global&fmt=json%2B%2B&alpha=0.5&show=10"> <input type="hidden" name="form" value="result"> <button type="button" id="clear-text-btn" class="cancel-logo" aria-label="Clear text"> <img src="https://www.oaic.gov.au/__data/assets/file/0022/13666/cancel-icon.svg" alt="clear text cancel icon"> </button> <button type="submit" aria-label="Submit search"> <img class="search-icon" src="https://www.oaic.gov.au/__data/assets/file/0023/13667/search-outline.svg" alt="search icon thst submits form"> </button> </form> </div> <div id="header-nav" class="header-nav"> <nav class="header-nav__nav"> <div class="header-nav__item"> <a href="https://www.oaic.gov.au" class="header-nav__link " > Home </a> </div> <div class="header-nav__item"> <button class="header-nav__button current" aria-expanded="false" > Privacy <div class="header-nav__mobile-toggle"> <img src="https://www.oaic.gov.au/__data/assets/git_bridge/0012/12063/mysource_files/icon-plus-white.svg" class="icon-plus" alt="expand menu"> <img src="https://www.oaic.gov.au/__data/assets/git_bridge/0012/12063/mysource_files/icon-plus-white.svg" class="icon-minus" alt="collapse menu"> </div> <div class="header-nav__desktop-toggle"> <img src="https://www.oaic.gov.au/__data/assets/git_bridge/0012/12063/mysource_files/chevron-down-white.svg" alt="expand menu"> </div> </button> <div class="header-nav__sub"> <div class="header-nav__sub-wrapper"> <div class="header-nav__sub-first"> <a href="https://www.oaic.gov.au/privacy" class="header-nav__sub-link"> Privacy </a> </div> <div class="header-nav__sub-grid"> <a href="https://www.oaic.gov.au/privacy/your-privacy-rights" class="header-nav__sub-link"> Your privacy rights </a> <a href="https://www.oaic.gov.au/privacy/privacy-complaints" class="header-nav__sub-link"> Privacy complaints </a> <a href="https://www.oaic.gov.au/privacy/australian-privacy-principles" class="header-nav__sub-link"> Australian Privacy Principles </a> <a href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies" class="header-nav__sub-link"> Privacy guidance for organisations and government agencies </a> <a href="https://www.oaic.gov.au/privacy/notifiable-data-breaches" class="header-nav__sub-link"> Notifiable data breaches </a> <a href="https://www.oaic.gov.au/privacy/privacy-legislation" class="header-nav__sub-link"> Privacy legislation </a> <a href="https://www.oaic.gov.au/privacy/privacy-assessments-and-decisions" class="header-nav__sub-link"> Privacy assessments and decisions </a> <a href="https://www.oaic.gov.au/privacy/privacy-registers" class="header-nav__sub-link"> Privacy registers </a> </div> </div> </div> </div> <div class="header-nav__item"> <button class="header-nav__button " aria-expanded="false" > Freedom of information <div class="header-nav__mobile-toggle"> <img src="https://www.oaic.gov.au/__data/assets/git_bridge/0012/12063/mysource_files/icon-plus-white.svg" class="icon-plus" alt="expand menu"> <img src="https://www.oaic.gov.au/__data/assets/git_bridge/0012/12063/mysource_files/icon-plus-white.svg" class="icon-minus" alt="collapse menu"> </div> <div class="header-nav__desktop-toggle"> <img src="https://www.oaic.gov.au/__data/assets/git_bridge/0012/12063/mysource_files/chevron-down-white.svg" alt="expand menu"> </div> </button> <div class="header-nav__sub"> <div class="header-nav__sub-wrapper"> <div class="header-nav__sub-first"> <a href="https://www.oaic.gov.au/freedom-of-information" class="header-nav__sub-link"> Freedom of information </a> </div> <div class="header-nav__sub-grid"> <a href="https://www.oaic.gov.au/freedom-of-information/your-freedom-of-information-rights" class="header-nav__sub-link"> Your freedom of information rights </a> <a href="https://www.oaic.gov.au/freedom-of-information/how-to-access-government-information" class="header-nav__sub-link"> How to access government information </a> <a href="https://www.oaic.gov.au/freedom-of-information/freedom-of-information-guidance-for-government-agencies" class="header-nav__sub-link"> Freedom of information guidance for government agencies </a> <a href="https://www.oaic.gov.au/freedom-of-information/freedom-of-information-legislation-and-determinations" class="header-nav__sub-link"> Freedom of information legislation and determinations </a> <a href="https://www.oaic.gov.au/freedom-of-information/information-commissioner-decisions-and-reports" class="header-nav__sub-link"> Information Commissioner decisions and reports </a> <a href="https://www.oaic.gov.au/freedom-of-information/freedom-of-information-statistics-for-the-oaic" class="header-nav__sub-link"> Freedom of information statistics for the OAIC </a> </div> </div> </div> </div> <div class="header-nav__item"> <button class="header-nav__button " aria-expanded="false" > Consumer Data Right <div class="header-nav__mobile-toggle"> <img src="https://www.oaic.gov.au/__data/assets/git_bridge/0012/12063/mysource_files/icon-plus-white.svg" class="icon-plus" alt="expand menu"> <img src="https://www.oaic.gov.au/__data/assets/git_bridge/0012/12063/mysource_files/icon-plus-white.svg" class="icon-minus" alt="collapse menu"> </div> <div class="header-nav__desktop-toggle"> <img src="https://www.oaic.gov.au/__data/assets/git_bridge/0012/12063/mysource_files/chevron-down-white.svg" alt="expand menu"> </div> </button> <div class="header-nav__sub"> <div class="header-nav__sub-wrapper"> <div class="header-nav__sub-first"> <a href="https://www.oaic.gov.au/consumer-data-right" class="header-nav__sub-link"> Consumer Data Right </a> </div> <div class="header-nav__sub-grid"> <a href="https://www.oaic.gov.au/consumer-data-right/information-for-consumers" class="header-nav__sub-link"> Information for consumers </a> <a href="https://www.oaic.gov.au/consumer-data-right/consumer-data-right-complaints" class="header-nav__sub-link"> Consumer Data Right complaints </a> <a href="https://www.oaic.gov.au/consumer-data-right/consumer-data-right-guidance-for-business" class="header-nav__sub-link"> Consumer Data Right guidance for business </a> <a href="https://www.oaic.gov.au/consumer-data-right/consumer-data-right-legislation,-regulation-and-definitions" class="header-nav__sub-link"> Consumer Data Right legislation, regulation and definitions </a> <a href="https://www.oaic.gov.au/consumer-data-right/consumer-data-right-assessments" class="header-nav__sub-link"> Consumer Data Right assessments </a> </div> </div> </div> </div> <div class="header-nav__item"> <a href="https://www.oaic.gov.au/digital-id" class="header-nav__link " > Digital ID </a> </div> <div class="header-nav__item"> <button class="header-nav__button " aria-expanded="false" > Engage with us <div class="header-nav__mobile-toggle"> <img src="https://www.oaic.gov.au/__data/assets/git_bridge/0012/12063/mysource_files/icon-plus-white.svg" class="icon-plus" alt="expand menu"> <img src="https://www.oaic.gov.au/__data/assets/git_bridge/0012/12063/mysource_files/icon-plus-white.svg" class="icon-minus" alt="collapse menu"> </div> <div class="header-nav__desktop-toggle"> <img src="https://www.oaic.gov.au/__data/assets/git_bridge/0012/12063/mysource_files/chevron-down-white.svg" alt="expand menu"> </div> </button> <div class="header-nav__sub"> <div class="header-nav__sub-wrapper"> <div class="header-nav__sub-first"> <a href="https://www.oaic.gov.au/engage-with-us" class="header-nav__sub-link"> Engage with us </a> </div> <div class="header-nav__sub-grid"> <a href="https://www.oaic.gov.au/engage-with-us/consultations" class="header-nav__sub-link"> Consultations </a> <a href="https://www.oaic.gov.au/engage-with-us/submissions" class="header-nav__sub-link"> Submissions </a> <a href="https://www.oaic.gov.au/engage-with-us/translations" class="header-nav__sub-link"> Translations </a> <a href="https://www.oaic.gov.au/engage-with-us/events" class="header-nav__sub-link"> Events </a> <a href="https://www.oaic.gov.au/engage-with-us/networks" class="header-nav__sub-link"> Networks </a> <a href="https://www.oaic.gov.au/engage-with-us/research-and-training-resources" class="header-nav__sub-link"> Research and training resources </a> </div> </div> </div> </div> <div class="header-nav__item"> <button class="header-nav__button " aria-expanded="false" > About the OAIC <div class="header-nav__mobile-toggle"> <img src="https://www.oaic.gov.au/__data/assets/git_bridge/0012/12063/mysource_files/icon-plus-white.svg" class="icon-plus" alt="expand menu"> <img src="https://www.oaic.gov.au/__data/assets/git_bridge/0012/12063/mysource_files/icon-plus-white.svg" class="icon-minus" alt="collapse menu"> </div> <div class="header-nav__desktop-toggle"> <img src="https://www.oaic.gov.au/__data/assets/git_bridge/0012/12063/mysource_files/chevron-down-white.svg" alt="expand menu"> </div> </button> <div class="header-nav__sub"> <div class="header-nav__sub-wrapper"> <div class="header-nav__sub-first"> <a href="https://www.oaic.gov.au/about-the-OAIC" class="header-nav__sub-link"> About the OAIC </a> </div> <div class="header-nav__sub-grid"> <a href="https://www.oaic.gov.au/about-the-OAIC/what-we-do" class="header-nav__sub-link"> What we do </a> <a href="https://www.oaic.gov.au/about-the-OAIC/who-we-are" class="header-nav__sub-link"> Who we are </a> <a href="https://www.oaic.gov.au/about-the-OAIC/join-our-team" class="header-nav__sub-link"> Join our team </a> <a href="https://www.oaic.gov.au/about-the-OAIC/access-our-information" class="header-nav__sub-link"> Access our information </a> <a href="https://www.oaic.gov.au/about-the-OAIC/our-regulatory-approach" class="header-nav__sub-link"> Our regulatory approach </a> <a href="https://www.oaic.gov.au/about-the-OAIC/our-corporate-information" class="header-nav__sub-link"> Our corporate information </a> <a href="https://www.oaic.gov.au/about-the-OAIC/information-policy" class="header-nav__sub-link"> Information policy </a> <a href="https://www.oaic.gov.au/about-the-OAIC/serving-legal-documents-on-the-australian-information-commissioner" class="header-nav__sub-link"> Serving legal documents on the Australian Information Commissioner </a> </div> </div> </div> </div> <div class="header-nav__item header-nav__item--mobile-only"> <a href="/news" class="header-nav__link">News</a> </div> <div class="header-nav__item header-nav__item--mobile-only"> <a href="/about-the-OAIC/join-our-team" class="header-nav__link">Join our team</a> </div> <div class="header-nav__item header-nav__item--mobile-only"> <a href="/contact-us" class="header-nav__link">Contact us</a> </div> </nav> </div> </div> </header> <div class="nav-close-overlay"></div>   <main class="main"> <div class="breadcrumb__wrapper"> <div class="section "> <div class="section-item flex-box "> <div class="breadcrumb breadcrumb--separator-chevron"> <nav class="breadcrumb__nav" aria-label="Breadcrumb"> <ul class="breadcrumb__list"> <span class="breadcrumb__list-item"><a href="https://www.oaic.gov.au" class="breadcrumb__list-item-link" aria-label="Go to home page"><svg xmlns="http://www.w3.org/2000/svg" version="1.0" viewBox="0 0 50 50" height="24" width="24"><path d="M25 9.0937 7.281 25.3747h5.563v15.531h24.312v-15.531h5.563L25 9.0937z" fill="currentColor"></path></svg></a></span> <li class="breadcrumb__list-item"> <a class="breadcrumb__list-item-link" href="https://www.oaic.gov.au/privacy">Privacy</a> </li> <li class="breadcrumb__list-item"> <a class="breadcrumb__list-item-link" href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies">Privacy guidance for organisations and government agencies</a> </li> <li class="breadcrumb__list-item"> <a class="breadcrumb__list-item-link" href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/covid-19">COVID-19</a> </li> <li class="breadcrumb__list-item"> <a class="breadcrumb__list-item-link" href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/covid-19/coronavirus-covid-19-understanding-your-privacy-obligations-to-your-staff">Coronavirus (COVID-19): understanding your privacy obligations to your staff</a> </li> </ul> </nav> </div> </div> </div> </div>  <div id="main-content-area" class="page-content"> <div class="toc"> <ul class="toc__list"> <li class="toc__heading"> <h2 class="toc-exclude">On this page</h2> </li> </ul> </div> <section class="banner-grey-newsroom__wrapper"> <div class="banner-grey-newsroom__content"> <h1 class="banner-grey-newsroom__title">Coronavirus (COVID-19): Understanding your privacy obligations to your staff</h1> </div> </section>  <script> if(document.querySelector('.banner-grey-newsroom__wrapper .banner-grey-newsroom__content')) { document.querySelector('.breadcrumb__wrapper').insertAdjacentElement('afterend',document.querySelector('.banner-grey-newsroom__wrapper .banner-grey-newsroom__content').closest(' .banner-grey-newsroom__wrapper')) } </script> <div class="gov-numbered-paragraphs" id="component_21761"> <div><div><br />Publication date: 1 June 2021</div></div><div><div id="page-content"><p>The Office of the Australian Information Commissioner (OAIC) appreciates the unprecedented challenges <a href="https://www.oaic.gov.au/_old/privacy/your-privacy-rights/government-agencies">Australian Government agencies</a> and <a href="https://www.oaic.gov.au/_old/privacy/privacy-for-organisations">private sector employers</a> are facing to address the spread of COVID-19. This guidance is intended to help entities regulated by the <em>Privacy Act 1988</em> (Cth) to understand their privacy obligations in the context of the pandemic.</p><p>The Privacy Act will not stop critical information sharing. Agencies and private sector employers (including <a href="https://www.oaic.gov.au/_old/privacy/health-information/what-is-a-health-service-provider">private health service providers</a>)<a title="" name="_ftnref1" href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/covid-19/coronavirus-covid-19-understanding-your-privacy-obligations-to-your-staff#_ftn1">[1]</a> have important obligations to maintain a safe workplace for staff and visitors and handle personal information appropriately, and already have practices in place to handle employee health information. For private sector employers, the <a href="https://www.oaic.gov.au/_old/privacy/privacy-for-organisations/employee-records-exemption">employee records exemption</a> will apply in many instances to permit the handling of employee health information.<a title="" name="_ftnref2" href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/covid-19/coronavirus-covid-19-understanding-your-privacy-obligations-to-your-staff#_ftn2">[2]</a></p><p>In order to manage the pandemic while respecting privacy, agencies and private sector employers should aim to limit the collection, use and disclosure of personal information to what is necessary to prevent and manage COVID-19, and take reasonable steps to keep personal information secure.</p><p>Regulated entities should also consider whether any changes to working arrangements will impact on the handling of personal information, assess any potential privacy risks and put in place appropriate mitigation strategies as part of Business Continuity Planning.</p><h2>Key points</h2><ul><li>Personal information should be used or disclosed on a ‘need-to-know’ basis</li><li>Only the minimum amount of personal information reasonably necessary to prevent or manage COVID-19 should be collected, used or disclosed</li><li>Consider taking steps now to notify staff of how their personal information will be handled in responding to any potential or confirmed case of COVID-19 in the workplace</li><li>Ensure reasonable steps are in place to keep personal information secure, including where employees are working remotely.</li></ul><h2>Frequently asked questions</h2><h3>Can we collect information from employees or visitors in relation to COVID-19?</h3><p>Yes, however you should collect as little information as is reasonably necessary for preventing or managing COVID-19. That includes information that the <a href="https://www.health.gov.au/news/health-alerts/novel-coronavirus-2019-ncov-health-alert/what-you-need-to-know-about-coronavirus-covid-19">Department of Health</a> says is needed to identify risk and implement appropriate controls to prevent or manage COVID-19, for example:</p><ul><li>whether the individual or a close contact has been exposed to a known case of COVID-19</li><li>whether the individual has recently travelled overseas and to which countries.</li></ul><h3>Can we tell staff that a colleague or visitor has or may have contracted COVID-19?</h3><p>Yes, you may inform staff that a colleague or visitor has or may have contracted COVID-19 but you should only use or disclose personal information that is reasonably necessary in order to prevent or manage COVID-19 in the workplace.</p><p>For example, depending on the circumstances, it may not be necessary to reveal the name of an individual in order to prevent or manage COVID-19, or the disclosure of the name of the individual may be restricted to a limited number of people on a ‘need-to-know basis’. Whether disclosure is necessary should be informed by advice from the <a href="https://www.health.gov.au/news/health-alerts/novel-coronavirus-2019-ncov-health-alert/what-you-need-to-know-about-coronavirus-covid-19">Department of Health</a>.</p><h3>Can staff work from home?</h3><p>The Privacy Act does not prevent employees from working remotely as a response to COVID-19, however the Australian Privacy Principles (APPs) will continue to apply.</p><p>Agencies and employers will need to consider similar security measures for employees working remotely as those that apply in normal circumstances.</p><p>A privacy impact assessment is a useful tool for evaluating and mitigating risks to personal information. Agencies are <a href="https://www.oaic.gov.au/_old/privacy/privacy-registers/privacy-codes-register/australian-government-agencies-privacy-code">required</a> to undertake a privacy impact assessment for all high privacy risk projects or initiatives that involve new or changed ways of handling personal information.</p><h3>How can we protect personal information when working remotely?</h3><p>Some tips for making sure reasonable steps are in place to protect personal information include:</p><ul><li>Keep up to date with the latest advice from the <a href="https://www.cyber.gov.au/advice">Australian Cyber Security Centre</a></li><li>Agencies should ensure continued compliance with Protective Security Policy Framework requirements</li><li>Secure mobile phones, laptops, data storage devices and remote desktop clients</li><li>Increase cyber security measures in anticipation of the higher demand on remote access technologies, and test them ahead of time</li><li>Ensure all devices, Virtual Private Networks and firewalls have necessary updates and the most recent security patches (including to operating systems and antivirus software) and have strong passwords</li><li>Make sure devices are stored in a safe location when not in use</li><li>Use work email accounts not personal accounts for all work-related emails that contain personal information</li><li>Implement <a href="https://www.cyber.gov.au/node/105">multi-factor authentication</a> for remote access systems and resources (including cloud services)</li><li>Only access trusted networks or cloud services.</li></ul><h2>Background information</h2><h3>Protecting privacy while ensuring safety</h3><p>Regulated entities need to ensure they meet their obligation to maintain a safe workplace for staff and visitors and handle personal information appropriately.</p><p>Agencies and private sector employers (including private health service providers) will likely need to collect, use and disclose personal information in order to prevent or manage COVID-19 in the workplace. This may include collecting information from visitors about risk factors or notifying staff members who may be at risk so necessary precautions can be taken.</p><p>Only personal information reasonably necessary in order to prevent or manage COVID-19 in the workplace should be collected, used or disclosed. For example, it may not be necessary to reveal an individual’s name, or the disclosure of an individual’s name may be restricted to a limited number of people on a ‘need-to-know basis’. Whether disclosure is necessary should be informed by advice from the <a href="https://www.health.gov.au/news/health-alerts/novel-coronavirus-2019-ncov-health-alert/what-you-need-to-know-about-coronavirus-covid-19">Department of Health</a>.</p><h3>Personal information and sensitive information</h3><p>Personal information includes a broad range of information, or an opinion, that can identify an individual. It includes an individual’s employee record information. It also includes ‘sensitive information’ which is afforded higher protection under the Privacy Act. Sensitive information includes information or an opinion about the health of an individual.</p><p>Information gathered about an individual that relates to infection and risk of exposure with COVID-19 will be sensitive information under the Privacy Act.  Related information about the individual's symptoms, treatment or general health status will also be sensitive information.</p><h3>Collecting sensitive information</h3><p>Agencies and private sector employers can collect health information about individuals if:</p><ul><li>the individual gives consent (express or implied) to its collection, and</li><li>the information is <a href="https://www.oaic.gov.au/_old/privacy/australian-privacy-principles-guidelines/chapter-b-key-concepts#reasonably-necessary-and-necessary">reasonably necessary</a>, or directly related to, one or more of its functions or activities, such as to prevent or manage COVID-19 in the workplace.</li></ul><p>Consent is not necessary if the collection is required or authorised under by or under an Australian law (APP 3.4(a)) or a ‘permitted general situation’ exists (APP 3.4(b)). This includes where the collection is undertaken to lessen or prevent a serious threat to the life, health or safety of any individual, or to public health or safety.</p><h3>Using and disclosing sensitive information</h3><p>Under APP 6, if a regulated entity (an APP entity) holds personal information about an individual that was collected for a particular purpose (the primary purpose), the entity must not use or disclose the information for another purpose (the secondary purpose) unless:</p><p>(a)    the individual has consented to the use or disclosure of the information; or</p><p>(b)   another exception applies.</p><h3>Primary purpose</h3><p>The purpose for which an APP entity collects personal information is known as the ‘primary purpose’ of collection. This is the specific function or activity for which the entity collects the personal information. If an APP entity uses or discloses the personal information for another purpose, this is known as a ‘secondary purpose.’</p><p>In relation to COVID-19, as a communicable disease, the purpose of collecting personal information from a staff member or visitor is to prevent or manage the risk and/or reality of COVID-19 to ensure that necessary precautions can be taken in relation to that individual and any other individuals that may be at risk. In these circumstances, personal information (including sensitive information) may be used or disclosed for this purpose as it falls within the primary purpose of collection.</p><p>Any other proposed use or disclosure of the information will be a secondary purpose and agencies and employers will need to consider whether it is permitted by an exception to APP 6. For example,  APP 6.2(b) permits secondary uses where the use or disclosure is required or authorised under an Australian law or where a permitted general situation applies, such as where it is unreasonable or impracticable to obtain consent, and it is necessary to lessen or prevent a serious threat to the life, health or safety of any individual, or to public health or safety.</p><h3>Permitted general situations</h3><p>The information handling requirements imposed by some APPs do not apply if a ‘permitted general situation’ exists. This exception applies in relation to the collection, use and disclosure of sensitive information.</p><p>The most relevant permitted general situation in the current circumstances is ‘lessening or preventing a serious threat to the life, health or safety of any individual, or to public health or safety’.<a title="" name="_ftnref3" href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/covid-19/coronavirus-covid-19-understanding-your-privacy-obligations-to-your-staff#_ftn3">[3]</a> This permitted general situation applies when an APP entity is collecting, using or disclosing personal information and:</p><ul><li>It is unreasonable or impracticable to obtain the individual’s consent to the collection, use or disclosure, and</li><li>The entity reasonably believes that the collection, use or disclosure is necessary to lessen or prevent a serious threat to the life, health or safety of an individual, or to public health or safety.</li></ul><h3>Employee records</h3><p>For personal information relating to an individual held in a record by a private sector  employer, an act or practice is also exempted where it is directly related to that record, and directly related to a current or former employment relationship between the employer and the individual.</p></div><div id="content-sidebar" role="complementary" aria-label="Sidebar"></div></div> </div> <div class="footnotes"><h2>Footnotes</h2><div id="ftn1"><p><a title="" name="_ftn1" href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/covid-19/coronavirus-covid-19-understanding-your-privacy-obligations-to-your-staff#_ftnref1">[1]</a> The OAIC’s <a href="https://www.oaic.gov.au/_old/privacy/guidance-and-advice/guide-to-health-privacy">Guide to Health Privacy</a> provides guidance for health service providers to help them comply with their obligations under the Privacy Act.</p></div><div id="ftn2"><p><a title="" name="_ftn2" href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/covid-19/coronavirus-covid-19-understanding-your-privacy-obligations-to-your-staff#_ftnref2">[2]</a> For example, a record about a private sector employee’s sick leave falls within this exemption where it is used or disclosed for a purpose directly related to a current or former employment relationship between the employer and individual.</p></div><div id="ftn3"><p><a title="" name="_ftn3" href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/covid-19/coronavirus-covid-19-understanding-your-privacy-obligations-to-your-staff#_ftnref3">[3]</a> See APPs 3.4(b), 6.2(c), 8.2(d) and 9.2(d).</p></div></div><section class="background--grey"> <div class="feature-cards__wrapper"> <h2 class="feature-cards__main-heading">Related page</h2> <div class="feature-cards__tile-s"> <a href="https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/privacy-impact-assessments/assessing-privacy-risks-in-changed-working-environments-privacy-impact-assessments" class="feature-cards__tile-links-s" data-order="1"> <h3 class="feature-cards__heading-s">Assessing privacy risks in changed working environments: privacy impact assessments</h3> <div class="feature-cards__call-to-action-s"> <span class="feature-cards__arrow-s"> <img src="https://www.oaic.gov.au/__data/assets/file/0020/12548/arrow.svg" alt="" class="icon" aria-hidden="true"> </span> </div> </a> </div> </div> </section> </div>  </main>   <div class="footer"> <div class="footer__upper"> <div class="footer__upper--wrapper"> <div class="back-to-top__wrapper"> <button class="back-to-top" aria-label="Back to top"> <svg class="back-to-top__icon" aria-hidden="true" focusable="false" width="28" height="47" viewBox="0 0 28 47" fill="none" xmlns="http://www.w3.org/2000/svg"><path d="M6 8.82715L14 1.00106" stroke="white" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"/><path d="M22 8.82715L14 1.00106" stroke="white" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"/><path d="M14 21L14 1" stroke="white" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"/><path d="M2.94 41V33.41H0.36V31.25H8.1V33.41H5.52V41H2.94ZM13.2027 41.18C12.5227 41.18 11.9027 41.065 11.3427 40.835C10.7927 40.605 10.3177 40.275 9.9177 39.845C9.5277 39.405 9.2227 38.87 9.0027 38.24C8.7827 37.6 8.6727 36.88 8.6727 36.08C8.6727 35.28 8.7827 34.57 9.0027 33.95C9.2227 33.32 9.5277 32.795 9.9177 32.375C10.3177 31.945 10.7927 31.62 11.3427 31.4C11.9027 31.18 12.5227 31.07 13.2027 31.07C13.8727 31.07 14.4877 31.18 15.0477 31.4C15.6077 31.62 16.0827 31.945 16.4727 32.375C16.8727 32.805 17.1827 33.33 17.4027 33.95C17.6227 34.57 17.7327 35.28 17.7327 36.08C17.7327 36.88 17.6227 37.6 17.4027 38.24C17.1827 38.87 16.8727 39.405 16.4727 39.845C16.0827 40.275 15.6077 40.605 15.0477 40.835C14.4877 41.065 13.8727 41.18 13.2027 41.18ZM13.2027 38.96C13.7927 38.96 14.2527 38.705 14.5827 38.195C14.9227 37.675 15.0927 36.97 15.0927 36.08C15.0927 35.19 14.9227 34.505 14.5827 34.025C14.2527 33.535 13.7927 33.29 13.2027 33.29C12.6127 33.29 12.1477 33.535 11.8077 34.025C11.4777 34.505 11.3127 35.19 11.3127 36.08C11.3127 36.97 11.4777 37.675 11.8077 38.195C12.1477 38.705 12.6127 38.96 13.2027 38.96ZM19.4784 41V31.25H23.0484C23.5784 31.25 24.0834 31.305 24.5634 31.415C25.0434 31.515 25.4634 31.695 25.8234 31.955C26.1834 32.205 26.4684 32.54 26.6784 32.96C26.8984 33.37 27.0084 33.88 27.0084 34.49C27.0084 35.09 26.8984 35.605 26.6784 36.035C26.4684 36.465 26.1834 36.82 25.8234 37.1C25.4634 37.37 25.0484 37.575 24.5784 37.715C24.1084 37.845 23.6184 37.91 23.1084 37.91H22.0584V41H19.4784ZM22.0584 35.87H22.9884C23.4984 35.87 23.8734 35.75 24.1134 35.51C24.3634 35.27 24.4884 34.93 24.4884 34.49C24.4884 34.05 24.3534 33.74 24.0834 33.56C23.8134 33.38 23.4284 33.29 22.9284 33.29H22.0584V35.87Z" fill="white"/></svg> </button> </div> <div class="footer__logo-group"> <img src="https://www.oaic.gov.au/__data/assets/file/0020/12962/logo.svg" class="logo--main" alt="OAIC logo"> <a href="https://www.oaic.gov.au/about-the-OAIC/access-our-information/freedom-of-information-requests-to-the-oaic" class="footer-logo" aria-label="OAIC sub-logo"> <img src="https://www.oaic.gov.au/__data/assets/file/0021/12963/logo2.svg" class="logo--sub" alt="OAIC sub logo"> </a> <a href="https://www.oaic.gov.au/about-the-OAIC/access-our-information/our-information-publication-scheme" class="footer-logo" aria-label="OAIC Information Publication Scheme"> <img src="https://www.oaic.gov.au/__data/assets/image/0026/91385/ips_white_text.png" class="logo--sub" width="120px" alt="Information Publication Scheme"> </a> </div><div class="footer__link-group"> <ul class="link-list"> <li><a href="https://www.oaic.gov.au/sitemap" class="footer-link" aria-label="Site map">Site map</a></li><li><a href="https://www.oaic.gov.au/about-the-OAIC/copyright" class="footer-link" aria-label="Copyright">Copyright</a></li><li><a href="https://www.oaic.gov.au/about-the-OAIC/terms-and-conditions" class="footer-link" aria-label="Terms and conditions">Terms and conditions</a></li><li><a href="https://www.oaic.gov.au/about-the-OAIC/our-corporate-information/plans-policies-and-procedures/privacy-policy" class="footer-link" aria-label="Privacy policy">Privacy policy</a></li><li><a href="https://www.oaic.gov.au/about-the-OAIC/accessibility" class="footer-link" aria-label="Accessibility">Accessibility</a></li> </ul> </div> </div> </div> <div class="footer__lower"> <div class="footer__util-group"> <div class="footer__contact"> <a href="https://www.oaic.gov.au/contact-us" class="contact--link" aria-label="Contact us">Contact us</a> <a href="tel:1300 363 992" class="contact--phone" aria-label="Call 1300 363 992">1300 363 992</a> <p class="contact--hours">Monday to Thursday 10 am to 4 pm (AEST/AEDT)</p> </div> <div id="footer_language_listing_13517"> <div class="footer__language-list"> <label for="languages">Translations</label> <select name="languages" id="languages" onChange="if (this.value.startsWith('https://www.oaic.gov.au')) window.location = this.value;"> <option value="">Please select…</option> <option lang="ar" value="https://www.oaic.gov.au/engage-with-us/translations/arabic">العربية</option><option lang="zh" value="https://www.oaic.gov.au/engage-with-us/translations/chinese">中文</option><option lang="el" value="https://www.oaic.gov.au/engage-with-us/translations/greek">ελληνικός</option><option lang="it" value="https://www.oaic.gov.au/engage-with-us/translations/italian">Italiano</option><option lang="es" value="https://www.oaic.gov.au/engage-with-us/translations/spanish">Español</option><option lang="th" value="https://www.oaic.gov.au/engage-with-us/translations/thai">ไทย</option><option lang="vi" value="https://www.oaic.gov.au/engage-with-us/translations/vietnamese">Tiếng Việt</option><option lang="EN" value="https://www.oaic.gov.au/engage-with-us/translations/easy-english">Easy English</option> </select> </div> </div> <div class="footer__social"> <p class="social--header">Follow us</p> <ul class="social-list"> <li> <a href="https://www.facebook.com/OAICgov" class="social-link social-link--facebook" aria-label="OAIC on Facebook"> <img class="social-icon" src="https://www.oaic.gov.au/__data/assets/file/0025/12958/facebook.svg" alt="OAIC on Facebook"> </a> </li> <li> <a href="https://twitter.com/OAICgov" class="social-link social-link--twitter" aria-label="OAIC on Twitter" > <img class="social-icon" src="https://www.oaic.gov.au/__data/assets/file/0026/12959/x-logo.svg" alt="OAIC on Twitter"> </a> </li> <li> <a href="https://www.youtube.com/user/oaicgov" class="social-link social-link--youtube" aria-label="OAIC on Youtube" > <img class="social-icon" src="https://www.oaic.gov.au/__data/assets/file/0018/12960/youtube.svg" alt="OAIC on Youtube"> </a> </li> <li> <a href="https://au.linkedin.com/company/office-of-the-australian-information-commissioner" class="social-link social-link--linkedin" aria-label="OAIC on Linkedin"> <img class="social-icon" src="https://www.oaic.gov.au/__data/assets/file/0019/12961/linkedin.svg" alt="OAIC on Linkedin"> </a> </li> <li> <a href="https://www.instagram.com/oaicgov/" class="social-link social-link--Instagram" aria-label="OAIC on Instagram" > <img class="social-icon" src="https://www.oaic.gov.au/__data/assets/file/0023/91364/Instagram_Glyph_White.svg" alt="OAIC on Instagram"> </a> </li> </ul> </div> </div> <div class="footer__content-group"> <p class="footer__content-header">Acknowledgement of Country</p> <p class="footer__content-text">The OAIC acknowledges Traditional Custodians of Country across Australia and their continuing connection to land, waters and communities. We pay our respect to First Nations people, cultures and Elders past and present.</p> <p class="footer__content-copyright">© Commonwealth of Australia</p> </div> </div> </div>   </div>   <div id="footer_js" style="display: none !important;"> <script src="https://www.oaic.gov.au/__data/assets/git_bridge/0012/12063/js/runtime.js?h=06ed308"></script> <script src="https://www.oaic.gov.au/__data/assets/git_bridge/0012/12063/js/main.js?h=06ed308"></script> <script src="https://www.oaic.gov.au/__data/assets/js_file/0025/242791/custom.js"></script> <script> var lhsWrapper = document.querySelector('.lhs-wrapper'); if(lhsWrapper) { lhsWrapper.innerHTML.trim() === '' ? lhsWrapper.style.display='none' : ''; } //Readpeaker function readSpeaker() { var readButtonContent = ` <div id="readspeaker_button1" class="rs_skip rsbtn rs_preserve"> <a rel="nofollow" class="rsbtn_play" accesskey="L" title="Listen to this page using ReadSpeaker webReader" href="//app-oc.readspeaker.com/cgi-bin/rsent?customerid=9755&lang=en_au&readclass=page-content&url=https%3A%2F%2Fwww.oaic.gov.au%2Fprivacy%2Fprivacy-guidance-for-organisations-and-government-agencies%2Fcovid-19%2Fcoronavirus-covid-19-understanding-your-privacy-obligations-to-your-staff"> <span class="rsbtn_left rsimg rspart"><span class="rsbtn_text"><span>Listen</span></span></span> <span class="rsbtn_right rsimg rsplay rspart"></span> </a> </div>`; var readButtonSearch = ` <div id="readspeaker_button2" class="rs_skip rsbtn rs_preserve"> <a rel="nofollow" class="rsbtn_play" accesskey="L" title="Listen to this page using ReadSpeaker webReader" href="//app-oc.readspeaker.com/cgi-bin/rsent?customerid=9755&lang=en_au&readclass=search-content&url=https%3A%2F%2Fwww.oaic.gov.au%2Fprivacy%2Fprivacy-guidance-for-organisations-and-government-agencies%2Fcovid-19%2Fcoronavirus-covid-19-understanding-your-privacy-obligations-to-your-staff"> <span class="rsbtn_left rsimg rspart"><span class="rsbtn_text"><span>Listen</span></span></span> <span class="rsbtn_right rsimg rsplay rspart"></span> </a> </div>`; //for content pages var pageContent = document.querySelector('.page-content'); //for search pages var pageSearch = document.querySelector('.search-content'); if(pageContent) pageContent.insertAdjacentHTML('afterbegin', readButtonContent); if(pageSearch) pageSearch.insertAdjacentHTML('afterbegin', readButtonSearch); } readSpeaker(); </script> <script> function feedbackGrepCallback(response) { if (response.length > 0) { document.querySelector(".feedback__submit input").disabled = false } } function feedbackGrepExpiredCallback(response) { if (!response) { document.querySelector(".feedback__submit input").disabled = true } } </script> </div> <style> .page-content section.banner-grey-newsroom__wrapper, .page-content section.landing-page { display: none; } </style>   </body> </html>

CINXE.COM

Coronavirus (COVID-19): understanding your privacy obligations to your staff | OAIC