On 18 March 2020, the Office of the Australian Information Commissioner (OAIC) published a statement and comprehensive guidance to assist Australian Government agencies and private sector employers in understanding their privacy obligations under the Privacy Act 1988 (Cth) (Privacy Act) during the Coronavirus (COVID-19) pandemic.

The OAIC has provided guidance on the handling of personal information of staff. Information pertaining to an individual’s infection or risk of exposure to COVID-19 is classified as ‘health information’, which is considered ‘sensitive information’ under the Privacy Act and therefore generally afforded a higher level of privacy protection. The guidance also addresses frequently asked questions.

For those organisations regulated by the Privacy Act, the key take-aways are:

The Australian Privacy Principles continue to apply to the collection, use or disclosure of personal information

In order to maintain a safe workplace for staff and visitors while respecting privacy, employers should limit the collection, use and disclosure of personal information to what is reasonably necessary to prevent and manage the spread of COVID-19 in the workplace.

Regulated entities may collect information such as whether an individual:

  • has been exposed to COVID-19; or
  • has recently travelled overseas (and, if so, to which countries).

Government agencies and private sector employers should also consider if any exceptions may apply to the information they collect (for example, for private sector employers, the employee records exemption will apply in a number of instances to permit the handling of employee health information).

Review and update policies and procedures

Agencies and private sector employers should take reasonable steps to sufficiently store and secure personal information; for example, by reviewing and updating business policies and procedures, and ensuring the security of all work mobile phones, laptops and data storage services, particularly where employees are working remotely.


Employers should also notify employees of changes to any policies and procedures and, in particular, how their personal information will be handled in responding to any potential or confirmed case of COVID-19 in the workplace.

Regulated entities should ensure they are complying with their privacy obligations and stay up to date with any further guidance released by the OAIC. For any assistance, or to discuss your privacy obligations during COVID-19, please contact us.
