Many financial institutions and utilities companies, in particular, and some in other sectors provided special treatment, deferments, reductions, waivers or the like for those of us impacted by COVID-19 and who applied for such. While this is to be commended, it does not absolve you of your privacy law obligation or the potential for damages, including to your reputation, if you get it wrong.
While this article focuses on COVID-19 measures, the discussion is also applicable to those organisations (again often financial services and utilities companies) which generally offer special treatment to vulnerable customers and those suffering hardship such as medical emergencies, death of a loved one, loss of employment and to those employers who obtained additional pandemic related health information from their staff (where such is, post-pandemic, likely not "records of employment" exempt from the Privacy Act).
Now that we are finally emerging from the worst of the pandemic (and given that soon most of the population will be vaccinated), any organisation that kindly offered special treatment during COVID‑19 (or generally on an ongoing basis) where customers established their bona fides by detailing their vulnerability/hardship must now assess and address three key privacy matters in respect of the personal information collected to ensure that their kindness does not turn creepy and/or put them in breach of privacy law:
In order to collect, use or disclose sensitive information, Australian Privacy Principle (APP) 3 requires that consent be obtained from the individual whose sensitive information it is. That is, at or prior to the time of collection, the individual's consent to that collection needs to be obtained (with the appropriate APP 5 information having been provided, including, among other things, the purpose of collection, what was being collected and to whom it may be disclosed). Even with the best of intentions, this may well have been overlooked in the rush to help customers suffering hardship due to the pandemic.
That is, you must review the specific information you have collected as regards the vulnerability/hardship, the process relating to the collection (was consent obtained and was the relevant information notified), what you use it for (use must be limited to the notified purpose which was consented to), and whether it has been disclosed to anyone who is extraneous to those purposes, including within the organisation. In short, this information must not be used for marketing or by other parts of the business, and must not be generally accessible within the organisation.
The Notifiable Data Breaches Scheme provisions of the Privacy Act provide that unauthorised access to (or loss of, etc.) the personal information (including sensitive information) of an individual needs to be notified to the OAIC and all affected individuals where such a "data breach" could cause serious harm (i.e. where it is an "eligible data breach"). While this may be obvious in respect of third-party malicious actors, cyber incidents or other malicious activities, in our experience there is a blind spot in respect of "unauthorised access" to this information by those within the organisation (i.e. employees).
If this information is collected for the purposes of an interest rate deferral (for example), then (especially if sensitive as we expect it will be in most circumstances) it should only be accessible by those employees whose function it is to process that interest rate deferment. It should not be accessible to anyone within the organisation whose specific function is not directly related to performing that task and, if anyone else does access it, then consideration should be given to whether that data breach is in fact an "eligible data breach" which requires notification to the affected individuals and the OAIC.
Given the likely sensitivity of this information (health information, detailed circumstances of the vulnerability/hardship being suffered and the like), it appears to us that any unauthorised employee access to such information should be seriously considered as a potential eligible data breach, unless and until you have worked through the circumstances and determined positively that no serious harm has occurred or is likely to occur in relation to any of the affected individuals. Caution: serious harm is not simply financial harm, and you do not get a free pass because you were trying to "do good".
APP 11.2 legally requires that you delete or de-identify personal information (including sensitive information) which is no longer required for the notified (and consented to, in the case of sensitive information) purpose for which it was collected and there is no longer any legal obligation on you to keep it in an identified form.
While the circumstances will vary, our expectation is that sensitive information collected for the purposes of justifying COVID-19 (or other vulnerability/hardship) related special treatment will not be required after the particular special treatment has ended. In fact, there is a growing school of thought that the sensitive information to justify special treatment should not be kept very long (if at all).
That is, once the appropriate person in your organisation has determined that special treatment is appropriate, then that determination alone could be noted on the system without recording the details, which will likely be very sensitive information. In terms of minimising the privacy impact, there could be a process, even if the details are initially recorded, of a supervisor assessing and confirming that special treatment should be extended to the individual and then deleting the relevant sensitive information/details as soon as possible (or of not collecting them at all).
Likewise, where an organisation has collected health information from customers entering its branch or from its employees in the office, then arguably there is no reason to continue to hold such information once it has been used for the original notified purpose (to confirm health and thus access to the office, shop or branch, etc.). Even then, it may be that the relevant information could be held with many of the details (e.g. the temperature reading) deleted, if the ongoing purpose is only to be able to track those persons who were in a branch, a store or the office at a certain time in case of an outbreak.
If you implemented a COVID-19 (or any other) special treatment program and collected sensitive information in order to assess the bona fides of the individual in question, or collected health information from those entering your premises, you must focus on the above three areas urgently to ensure that what is a good thing does not become creepy and/or a breach of your legal privacy obligations, which may ultimately cause you more harm than the good you have done.
This brief note belies some tricky considerations in respect of such programs (including domestic violence and vulnerable persons flagging programs). If this article has caused any concerns for you we are happy to discuss them in relation to your specific circumstances and to assist you to "continue to do good" without breaching the law or betraying people's trust in you when they are at their most vulnerable.
Clyde & Co has the largest dedicated and rapidly expanding cyber incident response and privacy advisory practice in Australia and New Zealand. Our experienced team has dealt with thousands of data breach and technology-related disputes in recent times, as well as privacy reviews, assessments and solutions advice, including a number of the largest and most complex incidents in Asia Pacific to date.
From pre-incident readiness reviews, solutions and advice, breach response, through to defence of regulatory investigations and proceedings, as well as recovery actions against wrongdoers, we assist clients globally across the full cyber lifecycle. Our team is also highly regarded for their expertise and experience in financial services information technology prudential requirements and managing all forms of disputes across sectors including advising on some of the most newsworthy class actions commenced in Australia.
Our 24-hour cyber incident response hotline or email allows you to access our team directly around the clock. For more information, contact us on:
Australia: +61 2 9210 4464
New Zealand: 0800 527 508