Coronavirus Support: Privacy Considerations for Employers
When businesses are deciding how to respond to COVID-19, it is important they consider relevant COVID privacy considerations.
Information pertaining to employees who have either contracted COVID-19 or are thought to have the disease is considered to be sensitive health information. This information is covered by privacy laws such as the Privacy Act 1988 (Cth) as well as NSW legislation regulating the handling of health records.
Employee Records
Under section 7B of the Privacy Act 1988, employee records held by an organisation in relation to current and former employment relationships is exempt from Australian Privacy Principles.
The Act further clarifies in section 6 that this exemption covers personal information including health information about the employee.
In handling personal information related to COVID-19, employers should be advised that this exemption may not automatically apply. This is because the exemption only applies to employee information and will not extend to friends or relates who may have infected an employee. Further, a recent decision from the Fair Work Commission also suggests that this exemption may not apply to the collection of personal information.
When collecting COVID-19 personal information for employee records it is advised that employers:
- Acquire written consent for the collection of health information
- Only collect health information which is reasonably necessary
- Inform employees about collection and handling of their personal information
- Unless it is unreasonable or impracticable, collect information only from the relevant employee; and
- Collect information lawfully
Informing of Positive COVID-19 Results
Ideally any disclose of sensitive health information about an employee should be with the consent. However, employers may disclose this information without consent in limited circumstances.
Where the disclosure is reasonably necessary to lessen or prevent a serious threat to life or health, the disclosure may be permitted. It is important to note that the NSW legislation requires this threat to be “imminent”.
Employers may also be able to disclose information in circumstances where the purpose of disclosure is the same as that which the information is collected. For COVID-19 results, this would mean the purpose of collecting the information from the employee must have been to prevent the spread of COVID-19.
Summary of COVID Privacy Considerations
It is important employers follow both state and federal privacy laws regarding employee sensitive health information.
Although there may be situations where employers may disclose employee health information, employers should aim to collect, use and disclose only that which is reasonably necessary to manage the spread of COVID-19. Businesses should also adopt sufficient security measures to protect employee sensitive health information.