Why do I need to consider privacy?
If an employee is diagnosed with COVID-19 or is thought to potentially have the disease, this is considered health information that is regulated by privacy laws. An employee’s temperature also may be considered health information.
In addition to the Privacy Act 1988 (Cth), state and territory health records legislation will apply to handling this information.
Does the employee records exemption apply?
While the employee records exemption may permit employers to handle personal information as part of their COVID-19 response, employers should not assume the exemption automatically applies. Its application is limited, particularly because:
- It potentially does not apply to collecting personal information (see our case study on Lee v Superior Wood);
- It does not apply to handling health information regulated by health records laws in Victoria (or the ACT); and
- It only applies to an employee – it does not extend to relatives or friends of the employee, who may be the cause of the infection, or to contractors or volunteers.
What steps should I take when collecting personal information as part of my COVID-19 response?
The following steps will ensure you take the correct steps when collecting and disclosing personal information in as part of your COVID-19 response:
- Collect only what is reasonably necessary for your response to COVID-19 – In NSW, the collection of health information must be reasonably necessary for a lawful purpose that directly relates to your organisation’s functions or activities. The information collected must be relevant and not excessive;
- Obtain consent to collect health information (or other sensitive information), unless an exception applies – Obtaining written opt-in consent is the preferable course if practicable. In the context of temperature testing, another option may be to clearly and prominently display a sign next to the testing station that states the temperature will be recorded unless an employee requests that their temperature not be recorded. The most relevant exception to consent relates to collection to lessen or prevent serious threats to life or health (considered below).
- Collect by lawful and fair means – Seeking to collect information covertly will not meet this requirement. Additionally, in NSW, the collection must not intrude to an unreasonable extent on the personal affairs of the individual. In Victoria, the collection must not be undertaken in an unreasonably intrusive way.
- Collect directly from the individual – Collect information only from the relevant individual, unless it is unreasonable or impracticable to do so. In most circumstances, it will not be unreasonable or impracticable to collect information directly from the employee, but this may raise an issue if an employee provides information about a person they live with or have had close contact with.
- Notify relevant individuals – Take reasonable steps to notify individuals about the collection and handling of their personal information. For example, include wording on the sign referred to in (2) above, or in a short email to all employees.
If an employee is diagnosed with COVID-19, can I inform their co-workers or others?
Disclosing a diagnosis is permitted if:
- The employee who has COVID-19 consents to the disclosure – It is important not to dismiss this option. It is always preferable to be open with employees, and the employee knows more than the employer in terms of who they have been in close contact with.
- The purpose of the disclosure is the same as the purpose for which the information was collected (the primary purpose) – The Office of the Australian Information Commissioner has indicated that:
In relation to COVID-19, as a communicable disease, the purpose of collecting personal information from a staff member or visitor is to prevent or manage the risk and/or reality of COVID-19 to ensure that necessary precautions can be taken in relation to that individual and any other individuals that may be at risk. In these circumstances, personal information (including sensitive information) may be used or disclosed for this purpose as it falls within the primary purpose of collection;
- The purpose of the disclosure is directly related to the primary purpose, and the employee would reasonably expect this disclosure – A reasonable expectation can be achieved through advance notification, such as by circulating information about an existing employee policy or sending employees an email setting out how personal information will be handled as part of the organisation’s COVID-19 response.
- The disclosure is necessary to lessen or prevent a serious threat to life or health – To justify this reasoning, it must be unreasonable or impracticable to obtain the employee’s consent; and the employer must reasonably believe that the disclosure is necessary to lessen or prevent a serious threat to the life, health or safety of any individual, or to public health or safety.
The NSW health records legislation also requires that the threat be imminent. Although the situation with COVID-19 is constantly evolving, there is little doubt that it currently presents a serious and imminent threat to the health of individuals, and is life-threatening for some.
What should I consider in deciding whether to inform co-workers or others?
Regardless of which legislation you believe permits you to make a disclosure, we recommend you do the following:
- Consider if you have enough information to determine whether a threat exists – A high temperature could be due to a number of factors.
- Align with current medical advice in determining who to notify – Consider medical advice about how the virus is spread and what constitutes close contact
- Limit the disclosure – Only disclose the necessary information, and to the persons necessary, to prevent and manage the risk. For example, you could do so without disclosing the employee’s name.
- Invite discussion with those at high risk – Rather than providing the employee’s name, you could inform all employees as per point (3) above, and invite discussion with employees who feel they are at high risk from COVID-19 (or who have contact with someone at high risk).
- Take a tiered approach (if appropriate) – You may decide it is necessary to inform the affected employee’s direct team that the employee has COVID-19; and then all other employees working at the same site (without naming the affected employee). In informing all employees at the site, invite discussion with those at high risk. The appropriate tiered approach should be tailored to the particular circumstances.
- Avoid disclosing non-employees’ information – If an employee has a temperature and lives with someone who has been diagnosed with COVID-19, you may feel it is necessary to disclose this fact (provided this is a permitted disclosure, as considered above). While it may be necessary to include the employee’s name (subject to our comments above), you should not disclose the name of the person the employee lives with.
- Do not disseminate widely – Except in exceptional circumstances, you should not widely publish the name (or other identifying details) of an employee who has COVID-19 or who has been sent home because they have a temperature or other symptoms.
How we can assist
Our specialists are assisting many clients with the issues discussed above, as well as many other concerns related to COVID-19.
If you would like advice or assistance, please contact us.