COVID-19: Privacy Obligations and Cyber Security for Business
The OAIC has released guidance on how employers may continue complying with their privacy obligations, whilst collecting and disclosing personal information in order to manage the spread of coronavirus. As more employees work from home, the ACCC’s Scamwatch has warned of heightened risks to cyber security, with a growing number of COVID-19 related scams being reported.
Exemptions to Privacy Obligations During COVID-19
Australian employers seeking to prevent or slow the spread of COVID-19 in their workplaces need to balance the need to monitor their employees with their obligations under the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).
The Office of the Australian Information Commissioner (OAIC) has recently confirmed that regulated entities may collect, use or disclose personal information where it is necessary to lessen or prevent a serious threat to public health or safety.’
What Personal Information Can I Collect from Employees?
Regulated entities may collect information such as whether an employee:
- has been in contact with a known case of COVID-19; or
- has recently travelled overseas (and if so, to which countries).
However, the extent of personal information collected from employees must be limited to what is reasonably necessary for preventing or managing COVID-19 in the workplace.
When Can I Use or Disclose Personal Information from Employees?
If the information was collected for the primary purpose of protecting other employees from the spread of COVID-19, employers will be permitted to disclose this information. Again, disclosure of the information should be limited to what is necessary in the circumstances. For example, the identity of employees exposed to COVID-19 may be disclosed on a “need to know” basis to other employees and the OAIC recommends that employers follow the advice of the Department of Health. Employers cannot use this personal information for any secondary purpose and it should be destroyed or de-identified when it is no longer required.
Due to the rapid pace at which this situation is evolving, regulated entities should also be taking steps to notify employees about how their personal information will be handled, in the event of a confirmed case of COVID-19.
Secure Storage of Personal Information
Regulated entities will still bear ultimate responsibility for the safe and secure storage of personal information.
The OAIC recommends that all work mobile phones, laptops and data storage devices be secured, and that employees working from home should use work email accounts whenever sending personal information. Employees should also store devices in a secure location when not in use.
COVID-19 Outbreak Brings Increased Risks to Cyber Security
The ACCC is also warning businesses and consumers to remain vigilant to COVID-19 related scams. In particular, ACCC’s Scamwatch has received reports of phishing emails and phone calls and sales of virus-related products online, with the seller often requesting upfront payment in the form of money orders, wire transfers or electronic currency (such as Bitcoin).
Working From Home
Employees working from home must exercise the same levels of vigilance as they would in the workplace including:
- not opening attachments or links in emails, text messages or social media messages received from unknown sources;
- not responding to unsolicited messages or calls that ask for personal or financial details; and
- ensuring anti-virus and anti-spyware software is up to date on all devices being used at home for work purposes.
Businesses should stay informed and up to date with any further guidance released by the Government. If you are concerned about your privacy obligations during COVID-19, please contact us.
 Privacy Act 1988 (Cth) s 16A.
This content is current as at 27 March 2020. The speed with which COVID-19 is spreading and the varied responses both internally within Australia and externally change on a daily basis. It is important that you regularly keep up to date with all relevant information and be prepared to respond as the landscape in which the virus is moving changes.
This Alert is intended as general information only. It does not purport to be comprehensive advice or legal advice. Readers must seek professional advice before acting in relation to these matters.