Federal, state and territory privacy commissioners have jointly released new guidance for the handling of personal information by government and business as we chart a path out of the pandemic. The guidance reiterates what is already baked into law – that privacy must remain at the fore when designing policies, processes or new technology.
There is a persistent misconception among some government and business leaders that privacy is less important because we are in the middle of a pandemic. As public and private sector leaders alike take on the challenge of designing new solutions that will hopefully speed up our exit from lockdowns, whether mandatory vaccination policies in workplaces, ‘vaccine passport’-style schemes or mobile apps that seek to help us claw back some freedom, it is concerning to see privacy considerations take a back seat or, worse, be ignored completely.
To counter this tendency, Australian Privacy Commissioner Angelene Falk along with seven of her state/territory counterparts jointly signed new guidance last week (National Guidance). It lays out five privacy principles that cannot be ignored even where, with the best of intentions, governments or the private sector seek to protect us, namely:
Our more detailed comments on managing privacy obligations are set out in a prior Market Insight published on 2 September 2021. In that Market Insight we note the often forgotten baseline requirement that, where no law or health order expressly requires or authorises the collection of sensitive information, an ‘APP entity can only collect personal information [including sensitive information] if the information is reasonably necessary for one or more of the entity’s functions or activities’. Where it is sensitive information, you also need the consent of the individual to collect it. We further note the OAIC’s general guidance that ‘APP entities should collect as little information as possible, only where absolutely required, and accessed on a need-to-know basis’.
The National Guidance, taking into account the personal information collection obligations of federal/state/territory privacy legislation, affirms this position:
‘The collection of personal information, including sensitive information such as health information, should always be limited to the minimum information reasonably necessary to achieve a legitimate purpose. This includes considering alternative solutions which achieve the same purpose and do not require personal information to be collected into a record.’
This is a clear and unambiguous statement that COVID-19 is no excuse for collecting extra personal information ‘just in case’. You must keep collection to the minimum information reasonably necessary for your activities. Also, as previously noted, where it is sensitive information you can only collect, use and disclose it if you also obtain it with the consent of the individual.
Government and business entities should clearly define their legitimate functions and activities and ensure that all collection of personal information: (a) is reasonably necessary for defined functions and activities; (b) is transparently notified to individuals; and (c) where it is sensitive information, consent is obtained.
Once collected for those specific notified purpose(s), privacy law leaves very limited scope for the use of personal information for other (i.e. secondary) purposes without obtaining consent for those secondary purposes. COVID-19 does not change this. There is absolutely no room for, for example, contact details collected for contact tracing purposes to later be used for sending unrelated notifications or, even worse, marketing messages. It is not open to law enforcement, for example, to use QR code check-ins for criminal investigations (as has recently occurred). Likewise, employers cannot collect vaccination data for the purpose of rostering workforce schedules and then, later, use that dataset to publish details of who is or is not vaccinated.
It is a common requirement across all federal/state/territory privacy legislation that entities take reasonable steps (or sometimes, ‘use reasonable safeguards’) to protect personal information held. The clear implication, often overlooked, is that what steps are considered reasonable will change depending on the specific circumstances. When it comes to COVID-19-related information such as COVID-19 test results, vaccination status, geolocation data and QR code check-ins, we are dealing with sensitive information with a much higher degree of sensitivity which, in turn, demands much higher levels of security.
This means that you need to ‘do your homework’ to ascertain the risks associated with the personal information you collect, hold, use and disclose – and the ways in which you do so. From there you must also determine the security required to eliminate (or at least substantially reduce) these risks. You need also to be mindful of any security standards that apply to you (or would be expected of you).
Most Australian privacy legislation requires that personal information be deleted or permanently de-identified when it is no longer required for the purposes for which it was collected (the privacy laws of Queensland and South Australia, which apply to state government agencies in those jurisdictions, being exceptions) and no law requires it to be kept in an identified form for a longer period. The National Guidance states the position that personal information ‘should’ be deleted once it is no longer needed for the purpose(s) for which it was collected and emphasises that this is the expectation of the Australian community. A quick way to destroy individuals’ trust in your organisation is to hold on to their personal information after those purposes have expired or been fulfilled.
What about those organisations not subject to the (federal) Australian Privacy Principles or any state/territory privacy legislation (e.g. businesses with an annual turnover of less than $3 million)? The National Guidance has the answer: if information is being shared for ‘public health purposes’ (e.g. in connection with COVID-19) then ‘Australians’ personal information should be protected by an enforceable privacy law to ensure that individuals have redress if their information is mishandled’.
In other words, if privacy law does not apply to your organisation but your organisation is collecting personal information for COVID-19-related purposes, the default position and expectation is that your organisation opt in to and be covered by the Privacy Act 1988 (Cth) (pursuant to section 6EA).
Overlapping foreign, federal, state and territory privacy laws can raise complex questions, only exacerbated by the additional time and resource pressure on leaders during the pandemic and the mandate to ‘keep people safe’. We can assist your business or government agency in navigating this complexity in a number of ways, including:
We recently conducted a webinar – COVID-19 – It’s not a privacy “get out of jail free” pass (but clever privacy compliance now can make you prosilient). If you missed it and would like to be sent a recording, please click here.