Up Again Australia: Privacy and Data

Intellectual Property and Technology

1. Can an employer carry out temperature monitoring and other health checks on employees and visitors prior to them entering work premises?

Yes, provided the information collected is held in accordance with the organisation's privacy policy and the employee or visitor consents to its collection. If an employee does not provide consent, we recommend getting advice before taking any disciplinary action.

It is less likely that an organisation could rely on there being a “permitted general situation” under the Privacy Act 1988 (Cth) as the basis for collecting this information, because the individuals must be physically present to have their temperature taken, and so it is difficult to argue it is “unreasonable or impracticable” to obtain the individual’s consent to the collection of their personal information.

Organisations should also limit how much information they collect and hold, and for how long they hold it. For example, such information should only be held for a short period of time (e.g. a matter of weeks) to facilitate contact tracing if necessary, and should be securely destroyed afterwards. This retention and destruction process can also be described on any collection notice and consent form to provide transparency to people about how their information will be used.

2. Can an employer ask employees and visitors to complete a questionnaire on whether they are experiencing typical COVID-19 symptoms, have been in contact with an infected individual, or recently travelled to high risk countries?

Yes, if the employee or visitor is working in an environment where they are potentially physically interacting with other individuals (rather than working from home). The employee or visitor should be asked to consent to the collection and use of this information, and the information should be held in accordance with the organisation's privacy policy. If an employee does not provide consent, we recommend getting advice before taking any disciplinary action.

Organisations should also limit how much information they collect and hold, and for how long they hold it. For example, such information should only be held for a short period of time (e.g. a matter of weeks) to facilitate contact tracing if necessary, and should be securely destroyed afterwards. This retention and destruction process can also be described on any collection notice and consent form to provide transparency to people about how their information will be used.

3. Can an employer require their employees to notify them if they or a member of their household has contracted COVID-19, or that they have the antigen?

Yes – see question 2. However, the name of the infected household member should not be collected unless it is reasonably necessary for preventing or managing COVID-19. The fact that a household member has contracted COVID-19 should suffice.

4. Can an employer tell their employees that a colleague may have potentially contracted COVID-19?

Yes, an organisation may inform staff that a colleague or visitor has or may have contracted COVID-19, but the organisation should only use or disclose personal information that is reasonably necessary in order to prevent or manage COVID-19 in the workplace. For example, depending on the circumstances, it may not be necessary to reveal the name of the individual, or disclosure of the name of the individual may be restricted to a limited number of people on a need-to-know basis.

5. Can an employer share information with a health authority about COVID-19 cases they become aware of?

Yes, organisations can collect and share with other organisations information (including health information) about employees who test positive for COVID-19, but the information should only be shared on a need-to-know basis and organisations should consider how much information needs to be disclosed. For example, it may not be necessary to identify the individual by name.

While health information can generally be collected and used only with consent, and where necessary for the purposes of the organisation, it can also be collected and used where “a permitted general situation” (as defined in the Privacy Act 1988 (Cth)) exists regarding the collection or use or disclosure (as applicable) of the information by the organisation.

Among other circumstances, a permitted general situation exists where it is unreasonable or impracticable to obtain the individual’s consent to the collection, use or disclosure of their personal information, and the organisation reasonably believes that the collection, use or disclosure is necessary to lessen or prevent a serious threat to the life, health or safety of any individual, or to public health or safety.

While the risk of COVID-19 infection clearly poses a serious threat to the life, health or safety of others, and a serious threat to public health, whether it is "unreasonable or impracticable" to obtain consent to the collection and use of health-related information will depend on the facts. In some cases consent can be obtained from the employee when they report their result; in others, the result may be reported to the employer by a third party (e.g. a family member or public health body) without the employee's involvement. Whether the "permitted general situation" exemption from the consent requirement is available therefore depends on the factual circumstances.

In any event, as noted earlier, employers should limit how much information they collect and share with other organisations.

6. Can an employer send employees’ health data to one of their affiliates outside the EEA or otherwise in another jurisdiction?

Yes – see question 5 above. In addition, before sending the personal information outside of Australia, the employer must comply with Australian Privacy Principle (APP) 8 by:

  • taking reasonable steps to make sure the overseas recipient will not breach the APPs (e.g. by contractually binding the recipient to comply with them);
  • making known to the relevant individual that their personal information will not be protected by the APPs after disclosure and obtaining the individual's consent to the disclosure; or
  • forming a reasonable belief that the overseas recipient is subject to laws substantially similar to the APPs and that the relevant individual will be able to enforce those laws.

APP 8 is normally complied with by satisfying the “taking reasonable steps” requirement, which is done by entering into an enforceable contractual arrangement with the overseas recipient (e.g. service providers or intra-group members) that requires the recipient to handle personal information in accordance with the APPs.

7. Can an employer monitor how employees move around the workplace to help maintain social distancing rules?

Yes, provided that it is done in accordance with the organisation's privacy policy and the employee or visitor consents to the collection of this information. It is less likely that an organisation could rely on a "permitted general situation" as the basis for collecting this information, because the individuals must be physically present in the workplace for it to be collected, and so it is difficult to make a case that it is "unreasonable or impracticable" to obtain the individual's consent to the collection of their personal information.

Organisations should also limit how much information they collect and hold, and for how long they hold it. For example, such information should only be held for a short period of time (e.g. a matter of weeks) to facilitate contact tracing if necessary, and should be securely destroyed afterwards. This retention and destruction process can also be described on any collection notice and consent form to provide transparency to people about how their information will be used.

Employers may also be subject to additional obligations under device and workplace surveillance laws in each state and territory. Such laws currently exist in NSW and the ACT, and any monitoring via CCTV would also require compliance with CCTV surveillance laws.

8. Does an employer need to comply with any other GDPR principles or local privacy laws, when collecting data for the purpose of tackling COVID-19?

Yes. If an employer is monitoring the movement of employees or visitors around the workplace, and such monitoring involves surveillance devices or similar technology, specific workplace and device surveillance laws in the relevant state or territory will also apply.

9. What are the risks if I am in breach of the GDPR or local privacy laws?

Currently, penalties for serious or repeated breaches of the Privacy Act 1988 (Cth) may result in fines of up to AUD2.1 million for organisations.

Draft legislation has proposed higher penalties in line with the GDPR regime by increasing the maximum penalty for organisations for serious or repeated breaches from AUD2.1 million to the greater of AUD10 million, three times the value of any benefit obtained through the breach and misuse of personal information, or 10% of the entity's annual domestic turnover.

An organisation that breaches the privacy laws can also suffer serious reputational damage.