While Australian organisations have faced new challenges during the COVID-19 health crisis, their privacy obligations continue to underpin how they handle personal information.
The Privacy Act 1988 (Cth) and other state and territory privacy laws, generally speaking, govern the handling of personal information including its collection, use, storage, disclosure and destruction.
What are the key privacy considerations relevant to your organisation during COVID-19?
The key privacy considerations relevant to your organisation during the COVID-19 pandemic concern:
- effective management of employee reports of testing positive to COVID-19 without breaching employee privacy, while also providing a safe workplace, and
- making sure personal information collected in the ordinary course of business (for example, customer and employee data) remains secure
Employee health information about the COVID-19 vaccine
The Office of the Australian Information Commissioner (OAIC), the independent national regulator for privacy and freedom of information, has published guidance on how to manage privacy obligations while responding to COVID-19, as well as guidance specifically on an organisation's obligations when dealing with employee health information related to the COVID-19 vaccine.
What do you need to do to manage privacy risk?
Generally, to minimise the privacy risk to employees' and other people's data while managing the pandemic response and working remotely, consistent with privacy best practice, organisations should:
- limit the collection, use, storage and disclosure of personal information to what is necessary only (on a 'need-to-know' basis and only the minimum amount of information necessary). This applies particularly when communicating with employees about a staff member who has tested positive to COVID-19
- tell employees how the organisation will handle their personal and health information in responding to any potential or actual case of COVID-19 in the workplace, and
- take measures to secure personal information in an increased risk environment. This includes increasing staff awareness of cyber risk, developing robust procedures around sharing personal information and conducting financial transactions, and enforcing increased security controls on systems to prevent data breaches occurring
These steps are especially important due to the need to respond quickly to prevent the spread of COVID-19 and the increased risks that come with working remotely. These increased risks result from limited face-to-face interaction between staff and clients and the use of technologies to do business.
If an employee or volunteer tells you they have tested positive to COVID-19, how should you treat this information?
If an employee tests positive to COVID-19, the employer and employee must follow the latest government-issued guidance, including any exclusion or self-isolation requirements, to limit the spread of the virus.
For more information, visit the Australian Government's Department of Health website, or call the National Coronavirus Health Information Line on 1800 020 080 for general advice or healthdirect on 1800 022 222 if a person has symptoms. Each state and territory government health agency also has its own website for localised information.
Strict privacy obligations apply when handling employee data, especially health information. Although these obligations are balanced against the need to provide a safe workplace, you should take care to protect the affected employee's privacy while notifying others of the risk of transmission.
Importantly, the Privacy Act is not intended to prevent critical information sharing and, provided they take some simple steps, organisations can comply with their privacy obligations while managing their response effectively.
When you notify employees of the risk, you should only disclose information that is reasonably necessary to prevent or manage the spread of COVID-19 in the workplace. Depending on the circumstances, notification may include the name of the affected employee.
When notifying employees or other people who may have had contact with an affected employee:
- take steps to get consent from the affected employee before disclosing that they are positive for COVID-19 to others. Generally, you don’t need to get consent if it is unreasonable or impractical for you to do this. Seek advice if this applies to you, as this scenario needs to be carefully managed
- only reveal the name of the affected employee if necessary, and consider whether naming the person can be restricted to a limited number of people on a need-to-know basis, and
- only collect, use, store or disclose the minimum amount of the affected person's personal information that is required to prevent the risk of COVID-19
Follow government-issued guidance on whether it is safe for employees to return to work including the affected employee, and communicate appropriately to all employees having regard to the above considerations.
Is an employer’s request for COVID-19 related information from an employee a breach of Australian privacy laws?
The Fair Work Commission (Commission) decision of Kieran Knight v One Key Resources (Mining) Pty Ltd T/A One Key Resources  FWC 3324 considered this, and is an example of the balance struck between a person’s right to privacy and the rights of employees to a safe working environment.
In this case, an employer terminated an employee's employment because the employee refused to complete a survey (sent to all employees) that asked employees whether they had travelled to certain foreign countries which, at that time, based on Federal Government advice, were deemed to be of moderate to high risk of coronavirus infection. The employer argued that it had asked for personal, and not sensitive, information from the employee, which was reasonable and in compliance with its obligations under the Queensland Workplace Health and Safety Act 2011 (Act) to provide and maintain a safe work environment.
The Commission found that the information requested through the survey was not sensitive information and that the direction to employees to complete the survey was lawful and reasonable, so the employer had a valid reason for dismissing the employee. The Commission said further that, even if the information had been sensitive, it's likely that a 'permitted general situation' exemption would have applied. One of the 'permitted general situation' exemptions is when an entity reasonably believes that the collection, use or disclosure of sensitive information is necessary to lessen or prevent a serious threat to the life, health or safety of any person, or to public health or safety.
More recently, the Commission considered the collection of vaccination information by organisations from their employees under privacy laws.
In CFMMEU v BHP Coal Pty Ltd  FWC 81, the Commission held that BHP didn’t breach privacy law when it required employees to provide evidence of vaccination status as a condition of entry to the workplace.
The Commissioner said that employees, in handing over their private health information, did so with consent, even though they faced potential dismissal if they refused. While employees may have felt economic pressure to consent, the Commissioner took the view that this was not duress of the kind that could invalidate consent.
This decision also provides other useful guidance about how organisations should handle vaccination information to comply with privacy laws.
What privacy and cyber-security considerations do you need to think about for your workers that work from home?
There are increased risks associated with remote working. These include:
- increased risk of cyber-crime, where criminals will look to exploit changes to business environments to extract funds or personal information from employees
- risk of employees inadvertently disclosing personal information through using unfamiliar document storage and conference platforms, and
- risk of inadvertently disclosing personal information while working in a shared remote location (for example, a communal space in a sharehouse)
While technology controls can help to mitigate risk, it's critical to increase staff awareness around cyber risk and develop procedures for securely sharing personal information and conducting financial transactions. In particular, advise staff members to remain hyper-vigilant to phishing campaigns, and think twice before clicking on anything relating to COVID-19.
To manage this risk:
- enforce complex password requirements for all email accounts and other systems used to hold sensitive data (such as payroll systems, HR systems or client management systems)
- implement multi-factor authentication to put added security in place to prevent unauthorised systems access, in addition to complex password requirements
- limit access to particular systems and restrict privileges on those accounts to only those who require it to perform their role
- educate employees about the risk of phishing emails especially while working from home. Encourage employees to call the sender if they have the slightest doubt about the authenticity of an email, and
- if appropriate, buy cyber insurance to help address the potential costs of responding to a cyber incident
The Australian government has prepared some helpful resources about managing data risk through the pandemic response, including: Protecting your small business.
You can also read the OAIC's guidance on conducting Privacy Impact Assessments in changed working environments, which provides a list of considerations relevant to protecting data.
Is communication through video conferencing software like Zoom and WhatsApp secure and confidential?
Video conferencing is a useful way to remain in contact when working from home. However, video conferencing software must be used with care, as these tools increase exposure to cybercrime and inadvertent disclosure of data.
- Check what security is offered by the application provider – is multi-factor authentication offered? Is end-to-end encryption offered? Does the provider keep any metadata from your conferences (or other data)? If data is collected, how is it used?
- Read the provider's terms and conditions to check your rights and the provider's obligations.
- Make sure you have the latest security and software updates installed for the teleconferencing facility you use.
- Hold teleconferences in private rooms, not shared spaces. Use headphones rather than a speaker to prevent others listening in.
- Password protect access to video and teleconferences.
- Only allow invited participants to join the teleconference and make sure you send invitations to the right people.
- Notify participants if the video conference is being recorded.
What should you do if you suspect that your organisation has been the subject of a phishing attack?
Cyber criminals are targeting organisations and people with COVID-19 related material with the aim of gaining access to systems, sensitive information and money.
If you think you have been subjected to a phishing attack, you should change the passwords for the affected email accounts and contact your IT provider to investigate immediately.
You should also take the following steps:
- Isolate: if you have clicked or opened a malicious attachment or link – isolate affected machines from the network to prevent the spread of unauthorised access or malware in your organisation's systems. Assess the scope of the impact on your network including what information may be at risk.
- Missing funds: if you have paid funds, contact your bank to put a freeze on the funds and to trace the funds. This needs to be done as quickly as possible because there is often a time delay between funds being paid and users becoming aware of the fraudulent activity, which reduces the prospects of recovery.
- Personal Data Protection: if personal information has been provided, consider what steps you can take to prevent misuse of that information. This includes taking steps to protect against identity theft and account takeover, such as changing passwords to online accounts if credentials were provided, and implementing multi-factor authentication where possible on critical applications (such as online banking) to prevent unauthorised access.
- Consider your regulatory obligations: while the focus is on containment and remediation, at the same time, you should assess whether the incident is an 'Eligible Data Breach' under the Privacy Act and whether it needs to be reported to the Office of the Australian Information Commissioner. Statutory investigation and notification timeframes apply, so you need to do this expeditiously. Organisations are also encouraged to report cyber security incidents to the Australian Cyber Security Centre so investigation and analysis can be undertaken, and advice can be provided.
- If you have cyber insurance: contact your insurer for assistance from expert vendors to support your response capabilities.
The content on this webpage was last updated in March 2022 and is not legal advice.