Test, track and trace: privacy issues for Australian businesses

Test, track and trace is becoming the universal strategy to support a move out of the COVID lock down. What are the privacy implications for Australian businesses?

To effectively test, track and trace, businesses will be expected to collect and share health information, from employees, customers and other individuals they interact with.  There’s undeniable community health reasons supporting the collection of this sort of information but what happens to individual rights to privacy in these unprecedented times? How should Australian businesses balance the need to protect themselves, their people and the broader community with individuals’ rights to privacy and the organisational duty to act ethically?

Collecting health information

The first point is to have some sort of COVID policy that requires individuals to notify if they should be quarantined (due to contact with other, their own symptoms or recent travel) or if they have been tested positive.  Most organisations should have this in place.

However, customers, contractors and suppliers may now be asking for more detailed assurances about the measures you are taking to manage the spread of the Corona virus.

Some of the test, track and trace measures you may be considering include:

  • Temperature checking prior to allowing staff or customers on site;
  • Requiring flu vaccinations or production of evidence of flu vaccines;
  • Completion of declarations regarding health status, interactions with others and recent travel. Given this information is collected in relation to a health condition it is likely to be regarded as health information;
  • Automatic or mandated download of the COVIDSafe app or other tracking app on all work issued devices to aid with tracking.

All these measures are likely to involve the collection of ‘health information.’ ‘Health information’ is classed as ‘sensitive information’ in the Privacy Act 1988 (Cth), and in general companies should get consent to collect and use this type of information.

Typically, this means you should get a signed form that includes both a description of the information being collected, the ways in which that information might be used (including who it might be shared with), how long the information is to be retained and details of the person providing the consent. There should also be some indication of proactive consent to collection on that basis (opt-out is generally not regarded as sufficient to support evidence of consent). Remember to be careful if securing the consent of minors and any other person who may not have capacity. (Consent is considered in more detail below).

Minimise data collected

A key strategy to strike the right balance between  test, track and trace, public health and individual rights to is collect the minimum amount of information necessary. The Australian Department of Health has provided advice on the information needed to identify risk and implement appropriate controls to prevent or manage COVID-19, for example:

  • whether the individual or a close contact has been exposed to a known case of COVID-19
  • whether the individual has recently traveled overseas and to which countries.

More information available here.

Employee Consent

Securing the consent of employees is a troublesome area.  The imbalance of power between employer and employee makes it difficult to support that employee consent is truly voluntary (which is one of the necessary requirements).  This can also be the case where you provide a service or product which is difficult to source elsewhere.

For Australian private enterprise organisations, there is an ‘employee records’ exemption from the Privacy Act 1988 (Cth) provisions. Many businesses otherwise covered by the Privacy Act have relied upon this exemption to avoid the ‘burden’ of compliance where the collection or use employee data is concerned. However,  the Lee vs. Superior Wood 2019 FWCFB 2946 case last year showed that this exemption has limitations. The Fair Work Full Bench found that the employee records exemption only applied to records already actually held by the employer, meaning the Privacy Act applied to practices engaged in by the employer up to the point of collecting personal information.  In that case, it meant that the employee’s consent was required to the collection of biometric information (which is health information).

One option to support the voluntary nature of consent, is to provide an alternative for individuals who object to measures like automated temperature taking.  This might involve, for example, manual collection, or some other measure managed by the individual in a de-centralised manner.

However, if getting consent is not feasible you may still be able collect or share information pursuant to privacy laws if necessary, for the protection of public health, including that of other employees.

There are exceptions which allow the collection if it is required or authorised under by or under an Australian law (APP 3.4(a)) or a ‘permitted general situation’ exists (APP 3.4(b)). This includes where the collection is undertaken to lessen or prevent a serious threat to the life, health or safety of any individual, or to public health or safety. There is also an exception to the limitation on collection, use and disclosure for generally permitted health situations.   To date, the Australian Privacy Commissioner has not issued any advice as to whether the collection or sharing of information to manage the spread of the Corona Virus would be considered a generally permitted health situation.

Sharing information

It is also important to have appropriate protocols in place to manage the sharing of health and other information. This may include communications with staff, contractors and customers as well as State health agencies.

Principles in relation to sharing health information during this time include:

  • Only share the minimum amount of personal information reasonably necessary to prevent or manage COVID-19. Don’t disclose the names of affected workers, contractors or customers if you don’t need to;
  • Ensure that you verify the identity and purpose of use with any third party who seeks to access the information you have collected. Only share with genuine health authorities and understand what information they need, and why;
  • Notify individuals of how their personal information will be handled in responding to any potential or confirmed case of COVID-19 in the workplace, or requests for sharing by authorities (in your Collection Notice, Privacy Policy or employee notification);
  • Maintain proper records of all information that has been shared and with whom (in case you receive queries from affected individuals);
  • Ensure that you have appropriate security controls in place to protect the collected data, including secure access to health information.

Notification of the intended use of the data may be in the consent form or in a new Collection Notice.  You may also need to update your Privacy Policy to cover the new collection and sharing of COVID-related information.

What should you do?

In times of crisis we should all be seeking to avoid making a bad situation worse. Privacy failures have the capacity to be existential issues right now. But those businesses that survive the current challenges and demonstrate that while implementing an effective track test and trace strategy they put their customers and staff first, and manage their data in a sensitive and ethical way, should ultimately emerge stronger than the competition.

Some issues to consider:

  • Do you have a COVID policy that covers how you enforce COVID safe practices and respond to any suspected or actual COVID infections?
  • Have you confirmed that you are able to use tracking or other new measures to collect COVID related information?
  • If you are collecting new health information, are you securing ‘voluntary’ consent or relying on another exception e.g. generally permitted health situation?
  • Do you need to provide a new collection notice?
  • Do you have a process to verify what information can be shared and with whom?
  • Do you track and maintain records of any access to the collected information?
  • Have you considered minimising the data you collect and retain and the extent to which data might be able to be de-identified?
  • Is there a communications policy or protocol that covers the sharing of information related to COVID issues to ensure it minimises the disclosure of personal information while protecting community health?
  • Have you considered how long you should be keeping any additional information you are collecting and the best way of getting rid of that information?
  • Do you have appropriate security protocols in place, including how to respond if there is a data breach?

Our team is available to assist with any part of your response to COVID and ensuring that you manage the right balance between protecting your stakeholders and the broader community and the privacy rights of individuals.

Contact us now.

References:

Australian Privacy Commissioner COVID Advice and FAQs

Australian Department of Health Guidance