Contact

Test, track and trace: privacy issues for Australian businesses

Published
18 May 2020
Read time
8 min read
Category
Law, Privacy, Privacy Practice

Test, track and trace is becoming the universal strategy to support a move out of the COVID lock down. What are the privacy implications for Australian businesses?

To effectively test, track and trace, businesses will be expected to collect and share health information, from employees, customers and other individuals they interact with.  There’s undeniable community health reasons supporting the collection of this sort of information but what happens to individual rights to privacy in these unprecedented times? How should Australian businesses balance the need to protect themselves, their people and the broader community with individuals’ rights to privacy and the organisational duty to act ethically?

Collecting health information

The first point is to have some sort of COVID policy that requires individuals to notify if they should be quarantined (due to contact with other, their own symptoms or recent travel) or if they have been tested positive.  Most organisations should have this in place.

However, customers, contractors and suppliers may now be asking for more detailed assurances about the measures you are taking to manage the spread of the Corona virus.

Some of the test, track and trace measures you may be considering include:

  • Temperature checking prior to allowing staff or customers on site;
  • Requiring flu vaccinations or production of evidence of flu vaccines;
  • Completion of declarations regarding health status, interactions with others and recent travel. Given this information is collected in relation to a health condition it is likely to be regarded as health information;
  • Automatic or mandated download of the COVIDSafe app or other tracking app on all work issued devices to aid with tracking.

All these measures are likely to involve the collection of ‘health information.’ ‘Health information’ is classed as ‘sensitive information’ in the Privacy Act 1988 (Cth), and in general companies should get consent to collect and use this type of information.

Typically, this means you should get a signed form that includes both a description of the information being collected, the ways in which that information might be used (including who it might be shared with), how long the information is to be retained and details of the person providing the consent. There should also be some indication of proactive consent to collection on that basis (opt-out is generally not regarded as sufficient to support evidence of consent). Remember to be careful if securing the consent of minors and any other person who may not have capacity. (Consent is considered in more detail below).

Minimise data collected

A key strategy to strike the right balance between  test, track and trace, public health and individual rights to is collect the minimum amount of information necessary. The Australian Department of Health has provided advice on the information needed to identify risk and implement appropriate controls to prevent or manage COVID-19, for example:

  • whether the individual or a close contact has been exposed to a known case of COVID-19
  • whether the individual has recently traveled overseas and to which countries.

More information available here.

Employee Consent

Securing the consent of employees is a troublesome area.  The imbalance of power between employer and employee makes it difficult to support that employee consent is truly voluntary (which is one of the necessary requirements).  This can also be the case where you provide a service or product which is difficult to source elsewhere.

For Australian private enterprise organisations, there is an ‘employee records’ exemption from the Privacy Act 1988 (Cth) provisions. Many businesses otherwise covered by the Privacy Act have relied upon this exemption to avoid the ‘burden’ of compliance where the collection or use employee data is concerned. However,  the Lee vs. Superior Wood 2019 FWCFB 2946 case last year showed that this exemption has limitations. The Fair Work Full Bench found that the employee records exemption only applied to records already actually held by the employer, meaning the Privacy Act applied to practices engaged in by the employer up to the point of collecting personal information.  In that case, it meant that the employee’s consent was required to the collection of biometric information (which is health information).

One option to support the voluntary nature of consent, is to provide an alternative for individuals who object to measures like automated temperature taking.  This might involve, for example, manual collection, or some other measure managed by the individual in a de-centralised manner.

However, if getting consent is not feasible you may still be able collect or share information pursuant to privacy laws if necessary, for the protection of public health, including that of other employees.

There are exceptions which allow the collection if it is required or authorised under by or under an Australian law (APP 3.4(a)) or a ‘permitted general situation’ exists (APP 3.4(b)). This includes where the collection is undertaken to lessen or prevent a serious threat to the life, health or safety of any individual, or to public health or safety. There is also an exception to the limitation on collection, use and disclosure for generally permitted health situations.   To date, the Australian Privacy Commissioner has not issued any advice as to whether the collection or sharing of information to manage the spread of the Corona Virus would be considered a generally permitted health situation.

Sharing information

It is also important to have appropriate protocols in place to manage the sharing of health and other information. This may include communications with staff, contractors and customers as well as State health agencies.

Principles in relation to sharing health information during this time include:

  • Only share the minimum amount of personal information reasonably necessary to prevent or manage COVID-19. Don’t disclose the names of affected workers, contractors or customers if you don’t need to;
  • Ensure that you verify the identity and purpose of use with any third party who seeks to access the information you have collected. Only share with genuine health authorities and understand what information they need, and why;
  • Notify individuals of how their personal information will be handled in responding to any potential or confirmed case of COVID-19 in the workplace, or requests for sharing by authorities (in your Collection Notice, Privacy Policy or employee notification);
  • Maintain proper records of all information that has been shared and with whom (in case you receive queries from affected individuals);
  • Ensure that you have appropriate security controls in place to protect the collected data, including secure access to health information.

Notification of the intended use of the data may be in the consent form or in a new Collection Notice.  You may also need to update your Privacy Policy to cover the new collection and sharing of COVID-related information.

What should you do?

In times of crisis we should all be seeking to avoid making a bad situation worse. Privacy failures have the capacity to be existential issues right now. But those businesses that survive the current challenges and demonstrate that while implementing an effective track test and trace strategy they put their customers and staff first, and manage their data in a sensitive and ethical way, should ultimately emerge stronger than the competition.

Some issues to consider:

  • Do you have a COVID policy that covers how you enforce COVID safe practices and respond to any suspected or actual COVID infections?
  • Have you confirmed that you are able to use tracking or other new measures to collect COVID related information?
  • If you are collecting new health information, are you securing ‘voluntary’ consent or relying on another exception e.g. generally permitted health situation?
  • Do you need to provide a new collection notice?
  • Do you have a process to verify what information can be shared and with whom?
  • Do you track and maintain records of any access to the collected information?
  • Have you considered minimising the data you collect and retain and the extent to which data might be able to be de-identified?
  • Is there a communications policy or protocol that covers the sharing of information related to COVID issues to ensure it minimises the disclosure of personal information while protecting community health?
  • Have you considered how long you should be keeping any additional information you are collecting and the best way of getting rid of that information?
  • Do you have appropriate security protocols in place, including how to respond if there is a data breach?

Our team is available to assist with any part of your response to COVID and ensuring that you manage the right balance between protecting your stakeholders and the broader community and the privacy rights of individuals.

Contact us now.

References:

Australian Privacy Commissioner COVID Advice and FAQs

Australian Department of Health Guidance

Ready to turn insight into action?
Connect with Privacy 108.

"*" indicates required fields

This field is for validation purposes and should be left unchanged.
Privacy 108 collects your name and contact details to respond to your enquiry and communicate with you about it. If you do not provide this information, we may be unable to respond. We do not disclose this information to third parties. For more information about how we handle your personal information, including how to access or correct it or make a complaint, please see our Privacy Policy or contact us at hello@privacy108.com.au.
Jodie Siganto
Privacy, security and training
Jodie is one of Australia’s leading privacy and security experts and the Founder of Privacy 108 Consulting.
Jodie Siganto
Privacy, security and training
Jodie is one of Australia’s leading privacy and security experts and the Founder of Privacy 108 Consulting.
Talk to us?
Looking to take your business to the next level? Speak with our experts today!
Contact us
Related articles
  • 1300 41 20 50
  • Level 3, 240 Queen St, Brisbane QLD 4000
  • Ground Floor Reception, 3 Spring St, Sydney NSW 2000
  • PO Box 3295, Yeronga QLD 4104
  • Follow us on LinkedIn
Services
Privacy Risk Management Privacy Impact Assessments AI Governance Privacy Legal Services Research and Policy
Company
About Privacy 108 Our Team Careers Insights Contact Us Privacy Policy Terms & Conditions
Subscribe to our newsletter
Subscribe
Privacy 108 Consulting Pty Ltd ABN 52 600 425 885 is an incorporated legal practice registered with the Queensland Law Society. Liability limited by a scheme approved under Professional Standards Legislation.
We respectfully acknowledge the Traditional Owners of the land we work on and pay our respects to their Elders past, present and future in maintaining the culture, country and their spiritual connection to the land.
© 2026 by Privacy 108 Consulting Pty Ltd. ABN 52 600 425 885
Website by DeeperLook
Subscribe to our Newsletter

"*" indicates required fields

This field is for validation purposes and should be left unchanged.

Privacy 108 collects your name and email to send you our newsletter. If you do not provide this information, we will be unable to send it to you. We may use third-party service providers (such as email marketing platforms) to distribute our communications. Some providers may store information overseas, including in the United States. For more information about how we handle your personal information, including how to access or correct it or make a complaint, please see our Privacy Policy or contact us at hello@privacy108.com.au. You can unsubscribe at any time using the link in our emails or by contacting hello@privacy108.com.au.