Not-for-profit Law
Legal help for community organisations

Privacy and COVID-19


What are the key privacy considerations relevant to your organisation during COVID-19?

While Australian organisations have faced new challenges during the COVID-19 health crisis, their privacy obligations continue to underpin how they handle personal information.
The Privacy Act 1988 (Cth) and other state and territory privacy laws, generally speaking, govern the handling of personal information, including its collection, use, storage, disclosure and destruction. For more information on these obligations, read our privacy guide.
In responding to COVID-19, key privacy considerations relate to:
  • effectively managing your response to an employee’s report that they have tested positive to COVID-19 without breaching the employee's privacy, while also providing a safe workplace, and
  • making sure personal information collected in the ordinary course of business (for example, customer and employee data) remains secure in an increased risk environment while employees work remotely
The Office of the Australian Information Commissioner (OAIC) has prepared some helpful guidance on how to manage privacy obligations while responding to COVID-19.
Employee health information about the COVID-19 vaccine
Hall & Wilcox has addressed the question 'COVIDSafe: can an employer direct employees to download or use the app?' in an article published on its website.
This information is intended to provide general guidance for the not-for-profit community in managing the general data, privacy and business risks associated with COVID-19, and not for health service providers dealing with the health crisis at the front line (which have their own unique risks).   

We have answered the following questions:

  1. What do you need to do to manage privacy risk?
  2. If an employee or volunteer tells me they have tested positive to COVID-19, how do I treat this information? Do I need to disclose this information to anyone?
  3. Is an employer’s request for COVID-19 related information from an employee a breach of Australian privacy laws?
  4. What privacy and cyber-security considerations do I need to think about with my workforce working from home?
  5. My organisation is speaking to clients through Zoom, Skype, WhatsApp and similar video conferencing software. Is communication through these programs secure, private and confidential? 
  6. What should I do if I suspect that I have been the subject of a phishing attack?

1. What do you need to do to manage privacy risk?

Generally, to minimise the privacy risk to employees' and other people's data while managing the pandemic response and working remotely, and consistent with privacy best practice, organisations should:
  • limit the collection, use, storage and disclosure of personal information to what is necessary only (on a 'need-to-know' basis and only the minimum amount of information necessary). This applies particularly when communicating with employees about a staff member who has tested positive to COVID-19
  • tell employees how the organisation will handle their personal and health information in responding to any potential or actual case of COVID-19 in the workplace, and
  • take measures to secure personal information in an increased risk environment. This includes increasing staff awareness of cyber risk, developing robust procedures around sharing personal information and conducting financial transactions, and enforcing increased security controls on systems to prevent data breaches occurring
These steps are especially important because of the need to respond quickly to prevent the spread of COVID-19 and the increased risks that come with working remotely. These increased risks result from limited face-to-face interaction between staff and clients and the use of new and unfamiliar technologies to do business.

2. If an employee or volunteer tells me they have tested positive to COVID-19, how do I treat this information? Do I need to disclose this information to anyone?

If an employee tests positive to COVID-19, the employer and employee must follow the latest government-issued guidance, including any exclusion or self-isolation requirements, to limit the spread.

This includes contact tracing to identify who might have passed on the illness to any 'confirmed case', and to understand who the 'confirmed case' was in contact with while infectious.  For more information, visit the Australian Government's Department of Health website, or call the National Coronavirus Health Information Line on 1800 020 080 for general advice or healthdirect on 1800 022 222 if a person has symptoms. Each State and Territory Government health agency has their own website for localised information.

Safe Work Australia has published resources on COVID-19 for workplaces including a guide on what to do if a worker has COVID-19. 

Since 29 July 2020, Victorian organisations have been required to notify WorkSafe Victoria immediately if an employee has a confirmed coronavirus diagnosis. This includes people who are self-employed and contractors who may have attended a worksite during their infectious period. There are penalties for failing to comply with the reporting requirement. The requirement will be in force for 12 months. See WorkSafe Victoria's website for more information and guidance.
Strict privacy obligations apply when handling employee data, especially health information. Although these obligations are balanced against the need to provide a safe workplace, you should take care to protect the affected employee's privacy while notifying others of the risk of transmission. 
Importantly, the Privacy Act is not intended to prevent critical information sharing and, provided they take some simple steps, organisations can comply with their privacy obligations while managing their response effectively.
When you notify employees of the risk, you should only disclose information that is reasonably necessary to prevent or manage the spread of COVID-19 in the workplace. Depending on the circumstances, notification may include the name of the affected employee.
When notifying employees or other people who may have had contact with an affected employee:
  • take steps to get consent from the affected employee before disclosing that they are positive for COVID-19 to others. Generally, you don’t need to get consent if it is unreasonable or impractical for you to do this. Seek advice if this applies to you, as this scenario needs to be carefully managed
  • only reveal the name of the affected employee if necessary, and consider whether naming the person can be restricted to a limited number of people on a need-to-know basis, and
  • only collect, use, store or disclose the minimum amount of the affected person's personal information that is required to prevent the risk of COVID-19 
Follow government-issued guidance on whether it is safe for employees to return to work including the affected employee, and communicate appropriately to all employees having regard to the above considerations.  
The following examples show how to appropriately manage the disclosure of an employee's positive test result.
Example 1
A staff member tests positive for COVID-19, having recently returned from overseas. The staff member didn’t return to the office or come into contact with anyone from work before showing symptoms. The staff member and HR team develop a strategy in consultation with advice from health authorities. The staff member consents to staff being notified and their name and whereabouts before developing symptoms being disclosed. 
The employer decides not to name the staff member, as it is not necessary to do so. However, it notifies all staff, on a precautionary basis, that a staff member has tested positive for COVID-19.
To manage the employees' concerns, the employer:
  • informs all employees that the staff member has not come into contact with the office or any other employees in the 24 hours before the staff member showed symptoms, thereby lowering the risk of transmission
  • reminds all employees to continue to follow best practice Government advice to slow the spread of Coronavirus through social distancing, and 
  • encourages all employees to work from home where possible
All employees are instructed to continue to monitor their health conditions and contact the HR team or the COVID-19 hotline if they are concerned. 
Example 2 
A staff member tests positive for COVID-19 while at work. The staff member and HR team develop a strategy in consultation with advice from health authorities. The staff member consents to staff being notified and their name and whereabouts before developing symptoms being disclosed.
HR directly contacts all employees who worked on the same floor as the affected staff member, and any other employees who may have come into contact with common areas accessed by the staff member, in the 24 hours leading up to the staff member showing symptoms. HR informs those employees who the affected staff member is, when the staff member was last in the office and whereabouts, when the staff member first noticed symptoms, and when the staff member was diagnosed. All at-risk employees are immediately sent home to self-isolate and monitor their health conditions.
The employer also sends a generic email to the entire office alerting all employees that a staff member has tested positive (without naming the staff member) and directs all employees to self-isolate as a precaution and monitor their health conditions. The employer deep cleans the office thoroughly in consultation with best practice guidance from health authorities, including ensuring that PPE is used. The employer consults with health authorities before informing all employees that it is safe to return to work.
In all communications relating to the event, utmost care is taken to communicate with all employees in a meaningful way so that each employee can manage their health risk exposure, while limiting the number of staff members who are told about the affected staff member's name and other relevant details to only those on a need-to-know basis. 
These examples are intended to be practical guidance only. You should get appropriate advice on a case by case basis in consultation with Government agencies and health authorities. 

3. Is an employer’s request for COVID-19 related information from an employee a breach of Australian privacy laws? 

It depends. The recent Fair Work Commission (Commission) decision of Kieran Knight v One Key Resources (Mining) Pty Ltd T/A One Key Resources [2020] FWC 3324 considered this, and is an example of the balance struck between a person’s right to privacy and the rights of employees to a safe working environment.

In this case, Kieran Knight, an employee of One Key Resources refused to complete a survey (sent to all employees) that asked employees whether they had travelled to certain foreign countries which, at that time, based on Federal Government advice, were deemed to be of moderate to high risk of coronavirus infection.

One Key Resources first issued a written warning to Mr Knight. When Mr Knight continued to refuse to answer the survey, One Key Resources terminated his employment on the basis that he ‘had engaged in misconduct for failing to follow a lawful and reasonable direction to complete the survey’. 

Mr Knight disagreed that he had engaged in misconduct and took his case to the Commission. Mr Knight claimed that his employer’s direction to provide information by completing the survey was a breach of Australian Privacy Principle 3 (which covers the collection of solicited personal information) and therefore not lawful or reasonable. He argued that, because the employer had requested information for the purpose of assessing the health risk of Mr Knight, it was sensitive information, which required his consent – which he did not provide. 

One Key Resources argued that it had asked for personal, and not sensitive, information from Mr Knight, which was reasonable and in compliance with its obligations under the Queensland Workplace Health and Safety Act 2011 (Act) to uphold its primary duty of care to employees and to provide and maintain a safe work environment.

The Commission decision-maker, Commissioner Simpson, found that the information One Key Resources requested through the survey was not sensitive information and that One Key Resources’ direction to Mr Knight to complete the survey was both lawful and reasonable, given the employer’s responsibilities under the Act to protect itself and its employees from risk. Accordingly, Commissioner Simpson found that the employer had a valid reason for dismissing Mr Knight.

Commissioner Simpson further said that, even if the information had been sensitive, it is likely that a 'permitted general situation' exemption would have applied. One of the 'permitted general situation' exemptions is when an entity reasonably believes that the collection, use or disclosure of sensitive information is necessary to lessen or prevent a serious threat to the life, health or safety of any person, or to public health or safety.

For more information about the Australian Privacy Principles, see our Privacy Guide.


4. What privacy and cyber-security considerations do I need to think about with my workforce working from home?

There are increased risks associated with remote working. These include: 

  • increased risk of cyber-crime, where criminals will look to exploit changes to business environments to extract funds or personal information from employees
  • risk of employees inadvertently disclosing personal information through using unfamiliar document storage and conference platforms, and
  • risk of inadvertently disclosing personal information while working in a shared remote location (for example, a communal space in a sharehouse) 
While technology controls can help to mitigate risk, it's critical to increase staff awareness around cyber risk and develop procedures for securely sharing personal information and conducting financial transactions. In particular, advise staff members to remain hyper-vigilant to phishing campaigns, and think twice before clicking on anything relating to COVID-19. 
To manage this risk:
  • enforce complex password requirements for all email accounts and other systems used to hold sensitive data (such as payroll systems, HR systems or client management systems)
  • implement multi-factor authentication to put added security in place to prevent unauthorised systems access, in addition to complex password requirements
  • limit access to particular systems and restrict privileges on those accounts to only those who require it to perform their role
  • educate employees about the risk of phishing emails especially while working from home. Encourage employees to call the sender if they have the slightest doubt about the authenticity of an email, and
  • if appropriate, buy cyber insurance to help address the potential costs of responding to a cyber incident
The Australian government has prepared some helpful resources about managing data risk through the pandemic response: Protecting your small business, Malicious cyber activity, and Using remote desktop clients
You can also read the OAIC's guidance on conducting Privacy Impact Assessments in changed working environments, which provides a list of considerations relevant to protecting data. 
Also read our COVID-19 resources on insurance.

5. My organisation is speaking to clients through Zoom, Skype, WhatsApp and similar video conferencing software. Is communication through these programs secure, private and confidential?

Video conferencing is a useful way to remain in contact when working from home. However, video conferencing software must be used with care, as these tools increase exposure to cybercrime and inadvertent disclosure of data. 
In general:
  • Check what security is offered by the application provider – is multi-factor authentication offered? Is end-to-end encryption offered? Does the provider keep any metadata from your conferences (or other data)? If data is collected, how is it used? 
  • Read the provider's terms and conditions to check your rights and the provider's obligations. 
  • Make sure you have the latest security and software updates installed for the teleconferencing facility you use. 
  • Hold teleconferences in private rooms, not shared spaces. Use headphones rather than speakers to prevent others listening in.
  • Password protect access to video and teleconferences. 
  • Only allow invited participants to join the teleconference and make sure you send invitations to the right people.
  • Notify participants if the video conference is being recorded.

6. What should I do if I suspect that I have been the subject of a phishing attack?

Cyber criminals are targeting organisations and people with COVID-19 related material with the aim of gaining access to systems, sensitive information and money.
If you think you have been subjected to a phishing attack, you should change passwords to the affected email accounts and contact your IT provider to investigate immediately. 
You should also take the following steps:
  • Isolate: if you have clicked or opened a malicious attachment or link – isolate affected machines from the network to prevent the spread of unauthorised access or malware in your organisation's systems. Assess the scope of the impact on your network including what information may be at risk.
  • Missing funds: if you have paid funds, contact your bank to put a freeze on the funds and to trace the funds. This needs to be done as quickly as possible because there is often a time delay between funds being paid and users becoming aware of the fraudulent activity, which reduces the prospects of recovery.
  • Personal Data Protection: if personal information has been provided, consider what steps you can take to prevent misuse of that information. This includes taking steps to protect against identity theft and account takeover, such as changing passwords to online accounts if credentials were provided, and implementing multi-factor authentication where possible on critical applications (such as online banking) to prevent unauthorised access.
  • Consider your regulatory obligations: while the focus is on containment and remediation, at the same time, you should assess whether the incident is an 'Eligible Data Breach' under the Privacy Act and whether it needs to be reported to the Office of the Australian Information Commissioner. Statutory investigation and notification timeframes apply, so you need to do this expeditiously. Organisations are also encouraged to report cyber security incidents to the Australian Cyber Security Centre so investigation and analysis can be undertaken, and advice can be provided.
  • If you have cyber insurance: contact your insurer for assistance from expert vendors to support your response capabilities.

Last Updated: 29 June 2021
