By Alec Christie, Partner
These are alarming times, made more alarming by the increasing number of COVID-19 related privacy articles that are just plain wrong. The ‘advice’ in these articles and posts, which includes the crazy statement that it is okay to “out” employees and others who test positive, will cause a notifiable data breach and make you liable for damages on a successful complaint to the Privacy Commissioner. Further, if any person named as infected is bullied or discriminated against, then it’s more than privacy you need to worry about.
COVID-19 is not a privacy “get out of jail free” card. On the contrary, in these times more care must be taken to ensure privacy rights are not breached in the well-intentioned rush to protect the health of your staff and the community.
It is correct that there is a (limited) exception from obtaining consent to collect and use/disclose health information where:
- it is unreasonable or impracticable to obtain consent; and
- such is required to lessen/prevent a serious threat to the life or health of any individual or in relation to public health.
Both these elements are equally important. It’s not the case, as some have implied, that given there is a pandemic any and all breaches of privacy obligations are forgiven. Even if both limbs of this exception apply, it is strictly interpreted and must be exercised with great care and only when there is no alternative. For example, how can it be ‘impracticable’ or impossible to get employees’ consent, especially in current circumstances when most are online and the employer is in constant contact with them? This would be a difficult argument to make before the Privacy Commissioner or the Federal Court.
A number of these misleading posts and articles also declare that if the health information is about your employees you are immune from the privacy obligations. Wrong again! As noted in a post some time ago, the decision in the case of Lee v Superior Wood has clarified that the collection and use/disclosure of sensitive (including health) information of employees requires their consent. If you do not have this consent via your terms of employment (and great work if you covered collecting the employee’s health information in a pandemic and disclosing it to all other employees etc.), then you will need to obtain it.
Even if this exception applies, it’s not carte blanche to not think about individuals’ (including employees’) privacy. There is usually a way to at least be more privacy compliant. Rather than saying in an all-staff email ‘Alec Christie has been diagnosed with COVID-19 and anyone who came into contact with him should self-isolate’ (Example 1), this could be done in a significantly more privacy compliant manner. That is, the email could instead read ‘all staff who were working on the 11th floor yesterday should call HR’. HR could then ask staff who call who they interacted with and, if Alec’s name came up, request that those staff self-isolate without confirming who the infected person is.
No health exception will save you from: (i) the need to consider if Example 1 is a mandatory notifiable data breach (hint: it likely is); and (ii) liability for the privacy breaches occurring in Example 1, and nor should it.
Stay healthy (and privacy compliant)!
Update: This article is followed by a Part Two addressing further ‘fake privacy advice’ surrounding the collection of personal information.