What are the key privacy considerations relevant to the COVID-19 outbreak?
- effectively managing your response to an employee’s report that they have tested positive to COVID-19 without breaching the employee's privacy, while also providing a safe workplace, and
- making sure personal information collected in the ordinary course of business (for example, customer and employee data) remains secure in an increased risk environment while employees work remotely
- What do you need to do to manage privacy risk?
- If an employee or volunteer tells me they have tested positive to COVID-19, how do I treat this information? Do I need to disclose this information to anyone?
- Is an employer’s request for COVID-19 related information from an employee a breach of Australian privacy laws?
- What privacy and cyber-security considerations do I need to think about with my workforce working from home?
- My organisation is speaking to clients through Zoom, Skype, WhatsApp and similar video conferencing software. Is communication through these programs secure, private and confidential?
- What should I do if I suspect that I have been the subject of a phishing attack?
1. What do you need to do to manage privacy risk?
- limit the collection, use, storage and disclosure of personal information to what is strictly necessary (on a 'need-to-know' basis, and only the minimum amount of information required). This applies particularly when communicating with employees about a staff member who has tested positive to COVID-19
- tell employees how the organisation will handle their personal and health information in responding to any potential or actual case of COVID-19 in the workplace, and
- take measures to secure personal information in an increased risk environment. This includes increasing staff awareness of cyber risk, developing robust procedures around sharing personal information and conducting financial transactions, and enforcing increased security controls on systems to prevent data breaches occurring
2. If an employee or volunteer tells me they have tested positive to COVID-19, how do I treat this information? Do I need to disclose this information to anyone?
If an employee tests positive to COVID-19, the employer and employee must follow the latest government-issued guidance, including any exclusion or self-isolation requirements, to limit the spread.
- take steps to get consent from the affected employee before disclosing that they are positive for COVID-19 to others. Generally, you don’t need to get consent if it is unreasonable or impractical for you to do this. Seek advice if this applies to you, as this scenario needs to be carefully managed
- only reveal the name of the affected employee if necessary, and consider whether naming the person can be restricted to a limited number of people on a need-to-know basis, and
- only collect, use, store or disclose the minimum amount of the affected person's personal information that is required to prevent the risk of COVID-19
Examples of how to appropriately manage the disclosure of an employee who has tested positive:
- informs all employees that the staff member has not come into contact with the office or any other employees in the 24 hours before the staff member showed symptoms, thereby lowering the risk of transmission
- reminds all employees to continue to follow best practice Government advice to slow the spread of Coronavirus through social distancing, and
- encourages all employees to work from home where possible
3. Is an employer’s request for COVID-19 related information from an employee a breach of Australian privacy laws?
It depends. The recent Fair Work Commission (Commission) decision of Kieran Knight v One Key Resources (Mining) Pty Ltd T/A One Key Resources FWC 3324 considered this, and is an example of the balance struck between a person’s right to privacy and the rights of employees to a safe working environment.
In this case, Kieran Knight, an employee of One Key Resources refused to complete a survey (sent to all employees) that asked employees whether they had travelled to certain foreign countries which, at that time, based on Federal Government advice, were deemed to be of moderate to high risk of coronavirus infection.
One Key Resources first issued a written warning to Mr Knight. When Mr Knight continued to refuse to answer the survey, One Key Resources terminated his employment on the basis that he ‘had engaged in misconduct for failing to follow a lawful and reasonable direction to complete the survey’.
Mr Knight disagreed that he had engaged in misconduct and took his case to the Commission. Mr Knight claimed that his employer’s direction to provide information by completing the survey was a breach of Australian Privacy Principle 3 (which covers the collection of solicited personal information) and therefore not lawful or reasonable. He argued that, because the employer had requested information for the purpose of assessing the health risk of Mr Knight, it was sensitive information, which required his consent – which he did not provide.
One Key Resources argued that it had asked for personal, and not sensitive, information from Mr Knight, which was reasonable and in compliance with its obligations under the Queensland Workplace Health and Safety Act 2011 (Act) to uphold its primary duty of care to employees and to provide and maintain a safe work environment.
The Commission decision-maker, Commissioner Simpson, found that the information One Key Resources requested through the survey was not sensitive information and that One Key Resources’ direction to Mr Knight to complete the survey was both lawful and reasonable, given the employer’s responsibilities under the Act to protect itself and its employees from risk. Accordingly, Commissioner Simpson found that the employer had a valid reason for dismissing Mr Knight.
Commissioner Simpson further noted that, even if the information had been sensitive, a 'permitted general situation' exemption would likely have applied. One of the 'permitted general situation' exemptions applies where an entity reasonably believes that the collection, use or disclosure of sensitive information is necessary to lessen or prevent a serious threat to the life, health or safety of any person, or to public health or safety.
For more information about the Australian Privacy Principles see our Privacy Guide.
4. What privacy and cyber-security considerations do I need to think about with my workforce working from home?
There are increased risks associated with remote working. These include:
- increased risk of cyber-crime, where criminals will look to exploit changes to business environments to extract funds or personal information from employees
- risk of employees inadvertently disclosing personal information through using unfamiliar document storage and conference platforms, and
- risk of inadvertently disclosing personal information while working in a shared remote location (for example, a communal space in a sharehouse)
- enforce complex password requirements for all email accounts and other systems used to hold sensitive data (such as payroll systems, HR systems or client management systems)
- implement multi-factor authentication to put added security in place to prevent unauthorised systems access, in addition to complex password requirements
- limit access to particular systems and restrict privileges on those accounts to only those who require it to perform their role
- educate employees about the risk of phishing emails especially while working from home. Encourage employees to call the sender if they have the slightest doubt about the authenticity of an email, and
- if appropriate, buy cyber insurance to help address the potential costs of responding to a cyber incident
5. My organisation is speaking to clients through Zoom, Skype, WhatsApp and similar video conferencing software. Is communication through these programs secure, private and confidential?
- Check what security is offered by the application provider – is multi-factor authentication offered? Is end-to-end encryption offered? Does the provider keep any metadata from your conferences (or other data)? If data is collected, how is it used?
- Read the provider's terms and conditions to check your rights and the provider's obligations.
- Make sure you have the latest security and software updates installed for the teleconferencing facility you use.
- Hold teleconferences in private rooms, not shared spaces. Use headphones rather than speaker to prevent others listening in.
- Password protect access to video and teleconferences.
- Only allow invited participants to join the teleconference and make sure you send invitations to the right people.
- Notify participants if the video conference is being recorded.
6. What should I do if I suspect that I have been the subject of a phishing attack?
- Isolate: if you have clicked on a malicious link or opened a malicious attachment, isolate the affected machines from the network to prevent unauthorised access or malware spreading through your organisation's systems. Assess the scope of the impact on your network, including what information may be at risk.
- Missing funds: if funds have been paid, contact your bank as quickly as possible to freeze and trace the funds. There is often a delay between the funds being paid and users becoming aware of the fraudulent activity, and every hour of delay reduces the prospects of recovery.
- Personal Data Protection: if personal information has been provided, consider what steps you can take to prevent misuse of that information. This includes taking steps to protect against identity theft and account takeover, such as changing passwords to online accounts if credentials were provided, and implementing multi-factor authentication where possible on critical applications (such as online banking) to prevent unauthorised access.
- Consider your regulatory obligations: while the focus is on containment and remediation, at the same time, you should assess whether the incident is an 'Eligible Data Breach' under the Privacy Act and whether it needs to be reported to the Office of the Australian Information Commissioner. Statutory investigation and notification timeframes apply, so you need to do this expeditiously. Organisations are also encouraged to report cyber security incidents to the Australian Cyber Security Centre so investigation and analysis can be undertaken, and advice can be provided.
- If you have cyber insurance: contact your insurer for assistance from expert vendors to support your response capabilities.