Privacy Refresher – Collecting sensitive information

Since 2018 we have been observing a significant increase in the number of organisations failing to meet their legal obligations for their collections of sensitive (including health) information. This has been exacerbated by the current pandemic: the rush to collect COVID-19 check-ins, track test results/fitness for work, create vaccine action passports, implement mandatory vaccination programs and now even to build apps with facial recognition for home quarantine. There is also a perception that the noble cause of diversity and inclusion gives HR departments a privacy ‘free kick’.

Introduction

As defined in the Privacy Act 1988 ‘sensitive information’ includes political opinions, membership of a political association or trade union, religious or philosophical beliefs, criminal record, sexual orientation or practices, racial or ethnic origin and health, genetic and biometric information. The increased collection of health information during the pandemic and now, in relation to home quarantine apps, biometric information has brought into focus for all sensitive information collections both the significant lack of understanding of the legal requirements on collecting and the increased obligations that apply to keeping that information.

In this brief “Privacy Refresher” we highlight the key elements of the APPs/Australian privacy law generally as regards the collecting and securing of sensitive information.

Collecting sensitive information

If there is no law, regulation or, in current circumstances, public health order (PHO) that expressly requires or authorises you to collect (and hold) the specific sensitive information you wish to collect then, in order to collect it, you must:

1. determine if the sensitive information you wish to collect is reasonably necessary for your day-to-day business activities; and, if so,
2. obtain the ‘informed’ consent of the individuals (including your employees) from whom you are collecting that sensitive information.

Often wrongly considered unimportant based on privacy “folklore”, for sensitive information the key collection requirements are:

• consent must be freely given. That is, your employees cannot be forced to consent;
• consent must be informed. That is, at or before the time of collection of the sensitive information, you must provide the individual from whom you are collecting a clear statement of what sensitive information you are collecting, what you will use it for (i.e. the purpose for collecting), to which type of entities you may disclose it, specifically noting if any of them are outside of Australia, and referring them to your privacy policy for the other APP 5 requirements;
• consent is required from your employees. That is, the ‘employee records exemption’ does not apply to the collection of sensitive information from your employees who have not previously consented to the collection of such;
• in order to substantiate that consent was actually provided we recommend that you consider, at a minimum, documenting the process by which consent was obtained (e.g. if consent had not been provided the next step such as submitting their details would not have occurred); and
• finally, consent may be withdrawn at any time and you should provide a mechanism by which such can be (a) done by the individual and (b) actioned by your organisation.

Minimisation

You must also always consider the privacy law’s overriding minimisation requirement and seek to explore alternatives to mass sensitive information collection. Any processes you implement need to have considered minimisation and seek to minimise the personal information, including sensitive information, that you collect and hold.

As regards how the ‘necessary for your day‑to‑day business activities’ test and the minimisation principle work together in practice, we note a recent real-life example – the collection of employees’ vaccination status.

While collecting employees’ vaccination status is reasonably necessary where your organisation needs to roster only vaccinated staff at certain sites/customers, whether pursuant to a PHO or contractual provisions, collecting it from those who work from home (or generally voluntarily by any company without a mandatory vaccination policy in place) is not reasonably necessary – if it was, you would have a mandatory program in place.  Also, while you need to know who of your employees to roster at relevant sites, in this example you don’t need to keep the medical evidence they presented to prove it (i.e. once sighted and an indication of vax status is added to their record). This evidence should be deleted (or, if possible, never collect).

A word about laws, regulations and PHOs

A word of caution – many organisations jump to the conclusion (especially in these current times) that a PHO, for example, requiring you to ensure only vaccinated workers are allowed on site or to verify the vaccination status of certain persons is authorisation for your collection of copies of immunisation records or other health information. This is not the case. Unless the words of the PHO or law/regulation specifically state you are to or may collect and hold the relevant specified health/sensitive information, you are not authorised to (a) collect this information without considering if its reasonably necessary for your activities and/or (b) collect it without consent.

The recent Victorian PHO is an example of this.  It gives clear direction as to sighting, verifying and even recording the result/conclusion of that verification in your systems (i.e. if someone is vaccinated or not) but it does not authorise the collection and keeping of a copy of the evidence sighted.

You’ve collected the sensitive information – now what?

Sensitive information, once collected, requires a higher level of security than personal information you hold – significantly higher.  We suggest that sensitive information collected not be held in the BAU database (unless it already manages sensitive information) but somewhere where the increased security obligations can be met (e.g. encryption at rest and in transit, limited need-to-know access and the like). 

All sensitive information also requires a more rigorous application of APP 11.2 (deletion/de-identification).  That is, you must have a ‘Data Destructive & Retention Policy’ in place which specifically deals with sensitive information, the periods for its retention and the processes for its deletion/de‑identification once the legal period requiring you to keep it has expired (and verification of both its deletion and the quality of the destruction/de-identification).

Another word of caution – if you de-identify rather than delete, you must continually re-assess if any further information you obtain or which is reasonably available and/or technological developments result in that information then being reasonably able to be re-identified. If that happens (even though you would never re-identify), it is no longer de-identified information and you are back to square one, except for the fact you will then be in breach of APP 11.2 as its sensitive information you should no longer have.

Conclusion

Many organisations are currently not legally collecting sensitive information.  The Attorney General’s current privacy review is considering the option of moving Australian privacy law to a substantially more consent-based model for collection of all personal information (i.e. not just sensitive information).  Therefore, whether this happens or not, it’s fair to say that there will naturally be more focus on enforcing the existing sensitive information collection obligations arising from this.

We can help!

Please do not hesitate to contact us if this “Privacy Refresher” has raised any concerns or you wish to discuss this or other privacy or security matters further. We would be pleased to support you with the privacy issues surrounding your return to office plan, vaccination policy and/or remote-working arrangements, integrating our market-leading privacy, health and safety and employment expertise.