
How to comply with privacy law during COVID-19

During the unprecedented time of COVID-19 there are many unanswered questions. To help you and your business come out the other side of this worldwide pandemic we’ve recruited Gillian Bristow, Legal Practitioner Director of Bristow Legal, to provide you with useful information.

Businesses have ongoing obligations during the COVID-19 outbreak to ensure safe workplaces and to prevent further spread of the virus. However, you should take care that your transport business does not accidentally breach privacy laws in the process.

Does my business need to comply with the Privacy Act?

The Australian Privacy Principles (APPs), contained in the Privacy Act 1988 (Cth), set out rules that regulate the collection and management of personal information.

Generally speaking, a business is required to comply with the APPs if it has an annual turnover greater than $3 million. More information about compliance with the Privacy Act can be found here.

What is personal information?

Personal information is information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not, and regardless of whether the information is recorded.

‘Personal information’ includes information such as an individual’s name, signature, address, telephone number, date of birth, medical records, bank account details, employment details and commentary or opinion about a person. To decide if information is ‘personal’, you should consider whether the information could be used to identify the individual, either alone or in conjunction with other information.

Is information about COVID-19 ‘personal information’?

Yes. Information such as an individual’s symptoms, any medical services they have used or will use, test results, and any other identifying information about a person relating to their health is a kind of personal information called ‘health information’.

Health information is ‘sensitive information’ under the Act and is subject to even stricter legal obligations than other personal information.

Will my business need to collect COVID-19 related health information?

Probably yes - it is likely you will need to collect, use and disclose health information of your employees, visitors, or customers to maintain a safe workplace during the pandemic. The sorts of information that you may require include information about risk factors, for example, whether a person:

  1. has COVID-19 symptoms;
  2. has had close contact with someone diagnosed with COVID-19; or
  3. is subject to isolation requirements.

However, you should attempt to limit the collection and use of this information to what is necessary to allow you to prevent or manage risks relating to COVID-19.  

You should also take steps to keep the information confidential and secure (see comments below in relation to working from home arrangements).

I know there are lots of requirements around collecting and disclosing sensitive information. Are there any exceptions because of the COVID-19 emergency?

As it is sensitive information, health information should usually only be collected and disclosed with the consent of the individual it relates to, and where the information is reasonably necessary for your business operations.

The Privacy Act has certain exceptions so that you don’t need an individual’s consent to collect, use or disclose health information if:

  1. it is unreasonable or impracticable to obtain the individual’s consent to the collection, use or disclosure; and
  2. your business reasonably believes that the collection and use of the information is necessary to lessen or prevent a serious threat to the life, health or safety of any individual, or to public health or safety.

In general terms, this means that you don’t need a person’s consent to collect, use or disclose health information if it is impractical for you to obtain consent and that information is necessary to ensure that you manage your WHS obligations to prevent the spread of COVID-19.

There is also an exception if the collection/use of the information is required or authorised by law or a court.

Getting consent – where it is practical to do so

In some situations, it will be practical for you to obtain consent to collect and use health information. For example, if your drivers will be inside a home to deliver goods, it will be important for the homeowner to confirm that nobody at the home is suffering from COVID-19 or is in isolation. In these situations, you should use a ‘privacy collection notice’ when collecting the information that includes:

  1. your business’ identity and contact details;
  2. what information you are collecting and why you are collecting the information (e.g. maintaining a safe workplace);
  3. who you will be disclosing the information to (and whether any disclosure will be made to overseas recipients);
  4. what will happen if the information is not provided (such as you will not be able to complete the job); and
  5. whether your business has a privacy policy that outlines how the individual can access or correct their information or make a complaint about your handling of information and how to access that policy.

It’s also important that you only collect information you actually need. For example, in the case of a home visit it is unlikely that you need the names of any individuals at the home who may have had exposure to COVID-19.

What if the information I am collecting is about my employee/s? Does that give me an ‘out’?

In general terms, there is an exception in the Privacy Act for acts or practices of an employer that are related directly to:

  1. a current or former employment relationship between the employer and the individual; and
  2. the employee record held by the organisation and relating to the individual.

This exception has been interpreted quite narrowly and does not apply to personal information about contractors and subcontractors. Because of this, it is important that you follow the practices and procedures set in this guide.

What about disclosing health information – can I tell staff and others that an employee has been diagnosed with COVID-19?

Even if you are entitled to collect health information, it is important that you only use that information for the limited purpose for which it was obtained.

Generally speaking, you should not use or disclose the information for any purpose other than managing the health and safety risk that exists.

Because of this requirement, you should not reveal the name of an individual who has been diagnosed with COVID-19 except on a ‘need to know’ basis. Your decision as to who ‘needs to know’ should be based on the advice you receive from health authorities – in some circumstances you may be required to reveal the identity of the employee to others at your workplace so that appropriate enquiries to determine those at risk can be carried out.

Privacy and working from home arrangements

With so many administration and management staff working from home, it is important that you don’t forget about your privacy obligations to customers and others.  Consider the security and confidentiality aspects of having staff at home. Steps you could take to manage privacy risks include:

  1. making sure data is backed up;
  2. only using work email accounts when exchanging personal information;
  3. using multi-factor authentication for staff logging in remotely;
  4. keeping lists of equipment that has been removed from the workplace for use at home;
  5. reminding your team working from home about your business’s confidentiality obligations and making sure you have a system to allow any hard copy records printed at home to be securely stored or destroyed;
  6. ensuring that computers that have access to personal information are not left ‘logged on’ at home; and
  7. increasing cyber security measures.

Where can I go to find further relevant information?

Decisions and practices relating to collection, use and disclosure of personal information should evolve with changing health situations and legislative requirements. Businesses should continue to check for privacy updates on the Office of the Australian Information Commissioner’s website here.


Gillian has provided advice to the road transport industry for more than 25 years. She regularly presents to industry conferences and seminars, and writes a column for the magazine ‘Power Torque’. Gillian has previously worked with NTI to provide guidance material on chain of responsibility obligations and with the Australian Trucking Association to prepare a checklist for reviewing transport contracts.

Prepared 6 April 2020. Please note that this publication is for information only and is not legal advice. You should consider obtaining advice that is specific to your circumstances and should not rely upon this publication as legal advice.