18 March 2020

Organisations responding to the Coronavirus (COVID-19) pandemic have been issued new advice from the privacy regulator to help keep workplaces safe while respecting privacy.

The Office of the Australian Information Commissioner (OAIC) has published COVID-19 privacy guidance for organisations covered by the Privacy Act 1988, including Australian Government agencies and private sector employers.

The Privacy Act does not stop the sharing of critical information to manage the spread of the coronavirus. Agencies and employers (including private health service providers) have important obligations to maintain a safe workplace for staff and visitors and handle personal information appropriately.

To manage the pandemic while respecting privacy, the OAIC advises that organisations should aim to limit the collection, use and disclosure of personal information to what is necessary to prevent and manage COVID-19.

They should also take reasonable steps to keep personal information secure.

This includes the personal information of employees and their family members, visitors to organisation premises, customers and the general public.

Where changes to working arrangements are required, organisations also need to consider the potential impact on the handling and security of personal information, assess any risks and put mitigation strategies in place.

Key tips

  • Personal information should be used or disclosed on a ‘need-to-know’ basis
  • Only the minimum amount of personal information reasonably necessary to prevent or manage COVID-19 should be collected, used or disclosed
  • Consider taking steps now to notify staff of how your organisation will handle their information in responding to any potential or actual case of COVID-19 in the workplace
  • Ensure reasonable steps are in place to keep personal information secure, including where employees are working remotely.

For more information please visit oaic.gov.au/covid-19-privacy-guidance