The COVID-19 pandemic has brought into focus in Australia a number of privacy misconceptions or 'fake privacy advices' (to borrow from The Donald) which are, as regards privacy compliance, just as dangerous as the COVID-19 'fake news' being spread by social media. These alarming times are made more alarming by the increasing number of COVID-19 related privacy articles and posts that are just plain wrong.

The 'fake privacy advices' that have appeared recently in Australia include statements like "COVID-19 is a privacy 'get out of jail free' card", "it is okay to 'out' employees and others who test positive", "collecting personal information via third parties insulates you from any APP collection failings" and that collecting personal information via third parties "in practice significantly reduces your collection obligations". 

COVID-19 is not a privacy "get out of jail free" card in Australia. On the contrary, in these times more care must be taken to ensure privacy rights are not breached in the well-intentioned rush to protect the health of your staff and the community and 'do the right thing' as regards the pandemic.

The problem stated

The fake privacy advices circulating often relate to privacy obligations which are rarely considered: at best they have been forgotten about and, at worst, they are simply ignored by organisations. Below we examine the so-called 'basis' for three of the most popular recent fake privacy advices and the related 'forgotten' privacy law/provisions which underpin them:

  • companies are exempt from obtaining consent to collect and use health information where such is to lessen a serious threat to the health of any person (APPs 3.3 and 3.4 and s16A);
  • if you are collecting and using health information of your employees the employee records exception exempts you from complying with the APPs (ss6 and 7B(3)); and
  • collecting personal information via a third party avoids or significantly lessens your collection and other privacy obligations (APPs 3.5 and 3.6).

Unfortunately, if you follow these your organisation will be in breach of the privacy law/APPs and will (i) suffer a notifiable data breach which must be reported to the privacy regulator and all affected individuals and/or (ii) be liable for damages on a successful complaint by an individual (or class) to the privacy regulator for breach of the privacy law and/or (iii) be liable to civil penalties of up to $2.1 million per affected individual. Further, if any of the people 'outed' as infected are bullied or discriminated against then it's much more than privacy infringements your organisation will need to worry about.

Exception from obtaining consent for collection & use of health information

There is a limited exception from obtaining consent to collect and use/disclose health information (e.g. if one has COVID-19) where: 

  • it is unreasonable or impracticable to obtain consent; and
  • such is required to lessen/prevent a serious threat to the life or health of any individual or in relation to public health.

However, while recent fake privacy advices focus on the second limb alone, both these elements are equally important for this exception to apply.

Even if both limbs of this exception apply, this exception is strictly interpreted and must be exercised with great care, only when there is no alternative. For example, how can it be impracticable or impossible to get employees' consent, especially in current circumstances when most are online and the employer is in constant contact with them? This would be a difficult argument to make before the Privacy Commissioner or the Federal Court.

Also, even if both limbs are satisfied and the collection and use of this health information is permitted, it's not the case (as some have recently stated) that in a pandemic, once this exception applies, no privacy obligations apply at all and all breaches of privacy obligations are forgiven. Wrong! All other privacy obligations continue to apply to that health information (except the need for consent for the relevant collection and use/disclosure).

Employee records exemption

Many of these recent posts also declare that if the health information is about your employees you are 'immune' (I suspect, pun intended!) from all privacy obligations. Wrong again!  The decision in the case of Lee v Superior Wood has clarified that the collection of sensitive (including health) information from/about employees requires their consent.

If you do not already have this consent via, for example, your terms of employment (and great work if you covered collecting an employee's specific health information in this pandemic) then you will need to obtain it. However, as Lee v Superior Wood found, employees may legitimately refuse to consent to such.

Collecting Personal Information via Third Parties

The two APPs that the fake privacy advices ignore when they extol the virtues of having a third party provide you with the personal information of your staff, contractors, customers etc. are APP 3.5 and APP 3.6:

  • you must only collect personal information by lawful and fair means (APP 3.5); and
  • you must only collect personal information from the individual it relates to unless it is unreasonable or impracticable to do so (APP 3.6).

Together these APPs set a high bar for your collection of personal information about an individual from a third party (i.e. rather than directly from the individual). These recent posts on third party collection are especially dangerous in the current pandemic, where companies are collecting information from a number of sources (including new social distancing AI products and the Government's outsourced COVID-19 contact tracing app) about whether or not their employees, contractors, customers and/or Australian residents are possibly infected with COVID-19 or are complying with social distancing requirements.

APP 3.6 – Only collect personal information from the individual unless it is unreasonable or impracticable to do so

Is it actually 'unreasonable or impracticable' to collect the personal information in question directly from that individual in the circumstances? If you have the means to communicate with the relevant individual, why is it then unreasonable or impracticable to collect the personal information from that individual directly? 

Simply saying it is unreasonable or impracticable to collect the information directly does not make it so. Even if it is more efficient, easier or less costly to collect the personal information about an individual from a third party, this is not good enough to meet the requirement of it being 'unreasonable or impracticable' under privacy law. You must be able to show that it is truly unreasonable (e.g. cost prohibitive, not just more costly) or impracticable (e.g. you have never communicated with the individual and do not have, and have no way of getting, their contact details to do so) before this exception applies.

APP 3.6 requires that you examine all collections of personal information from third parties and ask: could we collect this information directly from the individuals in question? If yes, then you are only exempted from the obligation to do so if it is clearly and justifiably 'unreasonable or impracticable' (not just more difficult or more costly) for you to do so.

We recommend that you document your thought processes, the supporting evidence and the conclusion for every instance where you continue to collect personal information from a third party. Of course, where you cannot establish that it is unreasonable or impracticable for you to collect the personal information directly from the individual, you must only collect that personal information directly from the individual.

APP 3.5 – Only collect personal information by lawful and fair means

If you collect personal information from a third party who has not collected such in accordance with the APPs (e.g. it has failed to obtain consent for collection or disclosure of sensitive information and/or has not appropriately notified the individual under APP 5), does their breach "taint" your collection/use of that personal information under APP 3.5?

Absolutely, yes it does. You cannot meet your obligation under APP 3.5 to only collect personal information by lawful and fair means if you obtain it from a third party who has not complied with the APPs in collecting and/or disclosing to you that personal information.

Even if you have obtained the information from that third party in good faith, without notice of their unlawful or unfair collection (or unlawful disclosure of such to you), you will have breached APP 3.5 simply by receiving that information from them. That is, you can never lawfully or fairly collect personal information (i.e. comply with APP 3.5) from a third party that has not lawfully and fairly collected that personal information in the first place or has not lawfully disclosed it to you. Ignorance is no excuse. It is not good enough to say that you assumed, given that they were providing the information to you in Australia, that they would have complied with the APPs.

Conclusion and what you need to do now

Despite any fake privacy advice and/or whether or not any exceptions actually apply to your company, there is usually a way to be more privacy affirming. For example, rather than saying in an all staff email 'Alec Christie has been diagnosed with COVID-19 and anyone who came into contact with him should self-isolate' (Example), this could be done in a significantly more privacy compliant manner. That is, the email could instead read 'all staff who were working on the 11th floor yesterday should call HR'. HR could then ask staff who call who they interacted with and, if Alec's name came up, request those staff to self-isolate without confirming who the infected person is.

No health or employee record exception will save you from: (i) the need to consider if conduct similar to the Example is a mandatory notifiable data breach (hint: it likely is); and (ii) liability for the many privacy breaches occurring in the Example, and nor should it. Nor will collecting via a third party absolve you of your privacy obligations. On the contrary you must consider, for all third party collections, APPs 3.5 and 3.6 and whether you can legally collect that personal, sensitive and/or health information via that third party.

You need to do a "due diligence" of sorts on all current and future activities and arrangements in relation to this pandemic to determine whether:

  • it really is 'unreasonable or impracticable' (to the standard required by privacy law) for you to collect the personal information directly;
  • if you are collecting personal information from a third party, that third party has the right to disclose such to you and if it has collected that personal information by lawful and fair means in compliance with the APPs;
  • it is 'unreasonable or impracticable' (to the standard required by the privacy law) for you to obtain consent for the collection of the health information; and
  • there isn't a more privacy affirming way of collecting and using health information (i.e. rather than the all staff email in the Example).

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.