As employers collect personal information from workers and workplace visitors to control the risks posed by the COVID-19 pandemic, they are being reminded that they must comply with relevant privacy laws.
The Office of the Australian Information Commissioner (OAIC) has released guidance intended to help entities regulated by the Privacy Act 1988 (Cth) (Privacy Act) understand their privacy obligations in the context of the pandemic.
OAIC says its office appreciates the “unprecedented challenges” private sector employers are facing to address the spread of COVID-19, and that the Privacy Act would not stop critical information sharing.
However, it said that employers still have an obligation to handle personal information appropriately.
“In order to manage the pandemic while respecting privacy, agencies and private sector employers should aim to limit the collection, use and disclosure of personal information to what is necessary to prevent and manage COVID-19, and take reasonable steps to keep personal information secure.”
“Regulated entities should also consider whether any changes to working arrangements will impact on the handling of personal information, assess any potential privacy risks and put in place appropriate mitigation strategies as part of Business Continuity Planning.”
- Personal information should be used or disclosed on a ‘need-to-know’ basis.
- Only the minimum amount of personal information reasonably necessary to prevent or manage COVID-19 should be collected, used or disclosed.
- Consider taking steps now to notify staff of how their personal information will be handled in responding to any potential or confirmed case of COVID-19 in the workplace.
- Ensure reasonable steps are in place to keep personal information secure, including where employees are working remotely.
Information that can be collected from employees includes that which the Department of Health says is needed to identify risk and implement appropriate controls to prevent or manage COVID-19.
For example, whether the individual or a close contact has been exposed to a known case of COVID-19, and whether the individual has recently travelled overseas and to which countries.
Employers may also inform staff that a colleague or visitor has, or may have, contracted COVID-19, but should only use or disclose personal information that is reasonably necessary in order to prevent or manage COVID-19 in the workplace.
The guidance also states that the Privacy Act does not prevent employees from working remotely as a response to COVID-19, however the Australian Privacy Principles (APPs) will continue to apply.
COVID-19 Reporting Module
In response to rapid demand, the myosh team have developed a simple but powerful COVID-19 Reporting Module.
The purpose of the module is to allow people to report either a suspicion of, or actual, COVID-19 illness. It is designed to facilitate effective communications to HR and provide advice to affected individuals based on government guidelines.
COVID-19 reporting will assist with protecting other workers within your organisation with the aim of minimising the spread of the disease. It will allow HR to contact staff and contractors who may have come in to contact with affected people and then take the relevant action. Many of the fields are based on reporting requirements from the World Health Organisation.
Feature and functions:
- Allow self-reporting of COVID-19.
- Facilitate HR to manage their response in line with emergency response plans.
- Allow contact tracing.
- Provide real-time information to all parties through automated rules based emails and push notifications through mobile devices.
- Track related COVID-19 cases.