COVID-19 AND PRIVACY CONSIDERATIONS
There is a clear and urgent need to collect, use, and share information to manage the spread of novel coronavirus (COVID-19). As organisations are likely adapting the way they handle information to deal with the current situation, it is crucial for organisations to understand their privacy obligations. It is important to note that Victoria’s privacy legislation does not prevent information from being used or shared in critical situations such as this.
This guidance is intended to help Victorian public sector organisations and health providers (both public and private sector) that handle health information understand their privacy obligations while dealing with COVID-19. The term ‘organisation’ is used in this guidance to refer to both types of organisations.
WHAT ARE MY ORGANISATION’S PRIVACY OBLIGATIONS?
In these circumstances, organisations may have obligations under both the Privacy and Data Protection Act 2014 (PDP Act) and the Health Records Act 2001 (HR Act). For a list of organisations with privacy obligations under the PDP Act, see section 13 of the PDP Act. For a list of organisations required to adhere to the HR Act, see sections 10 and 11 of the HR Act.
Organisations are required to handle the personal information they hold in accordance with the 10 Information Privacy Principles (IPPs) in the PDP Act, and health information in accordance with the 11 Health Privacy Principles (HPPs) in the HR Act. Personal information is defined in section 3 of the PDP Act and health information is defined in section 3 of the HR Act.
COLLECTION OF PERSONAL AND HEALTH INFORMATION
Organisations may need to collect personal and health information from their employees, or from visitors and others who come into contact with the organisation, in order to manage the spread of COVID-19. Organisations should only collect the minimum amount of information necessary for that purpose.
Collection in specified circumstances
HPP 1 sets out specific circumstances that permit organisations to collect health information from an individual. For example, under HPP 1.1(f), organisations can collect health information if it is necessary for one or more of their activities and the collection is necessary to prevent or lessen a serious threat to public health, public safety or public welfare. In the PDP Act, IPP 1.1 permits organisations to collect personal information where it is necessary for one or more of their functions or activities.
Requirements of collection
Organisations must collect personal and health information directly from the individual where it is reasonable and practicable to do so, as required by IPP 1.4 and HPP 1.3. Organisations must also take reasonable steps to notify individuals about how their information is likely to be handled in managing COVID-19, as required by IPP 1.3 and HPP 1.4. For example, the notice should make clear that the organisation may need to disclose the information to health authorities or health service providers.
In an emergency or time-sensitive situation, it may not be feasible to give notice to individuals at the time of collecting their information. In such circumstances, organisations should provide notice as soon as it is practicable to do so.
USE AND DISCLOSURE OF PERSONAL AND HEALTH INFORMATION FOR PURPOSES RELATED TO COVID-19
IPP 2 and HPP 2 govern the use and disclosure of personal and health information respectively. Under both principles, an organisation may only use or disclose personal or health information for the primary purpose for which it was collected, or for one of the permitted secondary purposes set out in those provisions.
Threat to public health or safety
Under IPP 2.1(d)(ii), organisations can use and disclose personal information for a secondary purpose in the absence of consent where they reasonably believe that the use or disclosure is necessary to lessen or prevent a serious threat to public health, public safety or public welfare. HPP 2.2(h)(ii) contains a similar permission for the secondary use and disclosure of health information.
As the World Health Organization has declared the outbreak of COVID-19 a pandemic, and the Victorian Government has declared a State of Emergency in Victoria, using and disclosing personal and health information under IPP 2.1(d)(ii) and HPP 2.2(h)(ii) to prevent or manage the spread of the virus is likely to be permissible.
Organisations must reassess this position once the spread of the virus has subsided, as the threat may no longer meet the ‘serious’ threshold required to share personal and health information under this exception after the emergency has passed.
Use or disclosure with consent
Another permitted secondary purpose under the IPPs that may be relevant in these circumstances is IPP 2.1(b), which permits organisations to use and disclose personal information where the individual has consented to the use or disclosure of their personal information.
This permitted secondary purpose is mirrored in the HPPs under HPP 2.2(b). If organisations rely on the consent of the individual to use or disclose their information, organisations must ensure that consent is provided voluntarily, and the individual is able to make an informed choice. See OVIC’s Guidelines to the Information Privacy Principles for further information on consent.
Managing the pandemic in a privacy-enhancing way
Organisations relying on any of the exceptions under the IPPs or the HPPs to use or disclose personal or health information must do so in a privacy-enhancing way. This means that organisations should not use or disclose personal or health information unless it is necessary to do so, and if it is necessary, organisations must only use and disclose the minimum amount of information needed.
For example, if organisations need to inform their employees that a staff member has tested positive for COVID-19, they may not need to disclose the name of the staff member that has COVID-19 in order for their employees to take the necessary precautions. Those employees who worked closely with the staff member may be able to ascertain the individual’s identity and should be advised not to disclose information that could identify the staff member who has COVID-19.
Organisations must consider the circumstances of each case when deciding whether to disclose personal or health information. For information on IPP 2, see OVIC’s Guidelines to the Information Privacy Principles. For guidance on the HPPs, visit the website of the Health Complaints Commissioner (HCC).
MANAGING THE SECURITY OF INFORMATION
To manage the spread of COVID-19, many organisations have asked their employees to work from home. Those organisations need to consider how they will comply with their data security obligations under IPP 4.1 and HPP 4.1 to protect the information they hold from misuse and loss and from unauthorised access, modification or disclosure.
For guidance on how to implement appropriate measures to protect personal information, read OVIC’s Guidelines on IPP 4.
OVIC’s website also has a tip sheet for individuals on how to ensure that they protect public sector information when working away from the office.