In brief - This article outlines the legal obligations of providers to uphold client and employee privacy and workplace safety during the COVID-19 Pandemic, and suggests strategies to strike the right balance, including a privacy impact assessment.

A cornerstone of managing the trajectory of the COVID-19 Pandemic is accurate monitoring and tracing of people affected by the virus. This necessitates the sharing of personal or sensitive information among different stakeholders.

Close epidemiological surveillance provides the opportunity to swiftly direct resources towards containing the spread of the virus and therefore protect the community's most vulnerable people.

Providers of community based care services (Providers), including aged care and disability support services, must consider balancing a client's right to privacy against the necessity to protect the health and safety of employees, volunteers, visitors, other clients and their families. Privacy obligations also extend to all people in the workplace.

Primary Duty of Care

An employer's paramount consideration is always the health and safety of employees and people in the workplace.

The Work Health and Safety Act 2011 (Qld) (WHS Act) provides that persons with management or control of a workplace have a legal duty to make sure, so far as is reasonably practicable, that there are no health and safety risks to anyone working in or visiting the workplace.

To uphold this obligation under the WHS Act, it becomes necessary to inform staff of any potential risks posed to their health and safety from a client, while being cautious as to how the disclosure is made so as to also comply with privacy obligations.

Privacy Laws

Employees and volunteers of providers are governed by the Privacy Act 1988 (Cth) (Privacy Act), National Disability Insurance Scheme Act 2013 (Cth), Australian Privacy Principles (APP), Information Privacy Act 2009 (Qld) and registered privacy codes which describe how private and personal information is to be gathered and when it can be shared.  
 
The Privacy Act 1988 (Cth) (Privacy Act)
 
The Privacy Act, which encompasses the APP, regulates the handling of "personal information" which includes "information or an opinion about an identified individual, or an individual who is reasonably identifiable." The Privacy Act imposes stronger protections for "sensitive information", which includes "health information" about an individual (ie information, or an opinion, about the health - including an illness, disability or injury - of an individual).
These provisions mean that information about, for example, whether an individual is or may be infected with COVID-19 will be sensitive information. Related information about the individual's symptoms, treatment or general health status will usually also be sensitive information.

Providers can use or disclose health information about a patient:

  • for the primary purpose for which you collected it; and

  • for a secondary purpose in certain circumstances (that is, if the individual has consented to the use or disclosure of the information, or an exception applies).

Relevantly, there are exceptions to the operation of the Privacy Principles in respect of disclosures which may be required under the Public Health Act or where a disclosure is required to lessen or prevent a threat to life.
 
The National Disability Insurance Scheme (NDIS)

The NDIS Code of Conduct (Code) also provides that registered NDIS providers and their employees must respect the privacy of people with a disability.  

Element two of the Code states that NDIS providers and workers subject to the Code must comply with Commonwealth and State privacy laws, therefore reinforcing their statutory privacy obligations.

There are circumstances where NDIS providers should disclose personal information about clients without consent (eg child protection, abuse etc).

In Practice

The Office of the Australian Information Commissioner (OAIC) is recommending that in order to manage the pandemic, while respecting privacy, agencies and private sector employers should aim to limit the collection, use and disclosure of personal information to what is necessary to prevent and manage COVID-19, and take reasonable steps to keep personal information secure. 
 
Obligations to Clients

Clients who are exposed to, or are confirmed or suspected cases of COVID-19, pose a health risk not only to people who care for them but also to other clients and the broader community (which might include other workers, the families of workers and those they come into contact with).

To manage this risk, providers should inform staff if a client that they will work with is being tested or has been exposed.

Notifying staff of 'at risk' clients also forms part of a Provider's obligation to properly 'monitor' conditions in the workplace that may pose a risk. Providers should be recording and tracing clients and staff with possible COVID-19 exposure to mitigate the risk of transmission and protect vulnerable clients.

The information that the Australian Government Department of Health says is needed to identify risk and implement appropriate controls to prevent or manage COVID-19 includes, for example:

  • whether the individual or a close contact has been exposed to a known case of COVID-19; or

  • whether the individual has recently travelled overseas and to which countries.

Depending on the circumstances, it may not be necessary to reveal the name of an individual in order to prevent or manage COVID-19, or the disclosure of the name of the individual may be restricted to a limited number of people on a 'need to know' basis.

The NDIS Code implies that best practice in the first instance is to obtain consent if possible from a client before personal information is disclosed. This includes advising clients on how their personal or sensitive information will be handled and disclosed.

At the same time clients should be asked to let the provider know if they have been exposed, tested or if someone in their household has been exposed or tested so appropriate control measures can be taken.
 
Obligations to Staff

A provider's legal obligation to protect client privacy extends to all people in the workplace. This means that providers must similarly monitor staff who contract or are suspected to have contracted COVID-19 and may pose a risk to the health and safety of clients.
Providers must remain informed of and be guided by the latest Australian and State Health Department advice on how exposures should be managed.

The Communicable Diseases Network Australia, in consultation with the Aged Care Sector, and noted by the Australian Health Protection Principal Committee, advises that staff in aged care facilities who develop symptoms of a respiratory illness should immediately be excluded from the workplace and seek their own medical advice on whether COVID-19 testing and self-isolation is required. This advice would reasonably apply to community care workers.
 
When is disclosure permitted

If a staff member is tested for COVID-19 it is reasonably necessary for the provider to ask the worker for their test outcome. Staff should be asked to let the provider know if they have been exposed. If a diagnosis of COVID-19 is confirmed, the staff member must be excluded from the workplace until they complete the mandatory self-isolation requirements as guided by medical professionals.

The Privacy Act does not prohibit disclosure of sensitive information in circumstances where it is reasonably necessary to prevent the spread of COVID-19. This includes disclosing information about confirmed and suspected cases in the workplace.
In the event of a positive case, Providers must also seek advice from their local Public Health Unit on appropriate follow on actions, as COVID-19 is a notifiable disease in all States and Territories.

However, any personal or sensitive information obtained from a staff member must be securely stored and only disclosed on a need to know basis. If disclosure is required, providers should ensure:

  • proposed disclosures are discussed with the affected staff member first;

  • disclosure is limited to people considered to be high risk (ie those in close contact with the worker);

  • information is disclosed confidentially and with as few personal identifiers as possible;

  • organisation-wide notifications are avoided unless necessary;

  • persons categorised as a 'close contact' of a confirmed or probable case are followed up, advised to seek medical advice and instructed to self-quarantine for 14 days after the last exposure; and

  • communication policies around COVID-19 disclosure are clearly articulated to staff with frequent updates.

Mitigating Risk - Privacy Impact Assessments (PIA)

As many employers have transitioned the workforce from the office into the home environment in response to COVID-19, there may be changes to the way personal information is being handled.

Even under remote working arrangements, entities and providers are required to robustly manage and prevent the risk of data breaches to sensitive or confidential information they hold. In accordance with APP 11 - Security of personal information, all entities regulated by the Privacy Act are obligated to take reasonable measures to:

"protect personal information it holds from misuse, interference and loss, as well as unauthorised access, modification or disclosure"  

The OAIC recommends using a PIA, which is an assessment tool that assists entities in identifying potential risks to personal information and implementing strategies to prevent unauthorised access and use. A PIA encourages a 'privacy by design' approach which ensures that privacy compliance is inbuilt into systems and projects (which includes policies and services).
 
A PIA provides a useful framework to view a work project or service in its entirety to understand the broader privacy implications and risks posed by the activity and to continuously evaluate the efficacy of data breach prevention strategies. The OAIC sets out ten steps for completing a PIA:

  1. Threshold assessment - is a PIA required for the project?

  2. Plan the PIA - consider the who, when, how and how much of performing the PIA

  3. Describe the project - nature, scope and extent of project

  4. Identify and consult with stakeholders - who will be impacted by the project?

  5. Map information flows - what private information is collected, used and disclosed?

  6. Privacy impact analysis and compliance check - critical analysis of the project's impact on privacy

  7. Privacy management - addressing risks and strategies to mitigate

  8. Recommendations - what strategies should be implemented?

  9. Report - documenting the PIA process

  10. Respond and review - implementing and continuous evaluation.

A flexible approach to conducting a PIA is encouraged but it should consider:

  • Governance, culture and training of the workforce;

  • Information and Communication Technology security to mitigate risks of internal and external attacks;

  • Access security - passwords, appropriate access to files and surveillance of use;

  • Data breaches - response plans to breaches including reporting; and

  • Physical security - home security, storage of devices and hard copy information, confidentiality when videoconferencing.

Any entity or provider who holds, uses or discloses personal information must take reasonable measures to mitigate risks to privacy.

For more guidance on how to conduct a PIA, see the OAIC's website.

This is commentary published by Colin Biggers & Paisley for general information purposes only. This should not be relied on as specific advice. You should seek your own legal and other advice for any question, or for any specific situation or proposal, before making any final decision. The content also is subject to change. A person listed may not be admitted as a lawyer in all States and Territories. © Colin Biggers & Paisley, Australia 2020.