For your eyes only – privacy, confidentiality and COVID-19
The world is taking a step inside, employees are putting pens to paper in their home offices and individuals are acquainting themselves with “Zoom parties”. As we manage these new challenges, business will go on and critical issues of confidentiality and privacy must not be forgotten. At the heart of maintaining confidentiality and ensuring a high level of compliance with privacy obligations is cyber security and fostering an organisational culture where there is awareness and respect of privacy and security.
Critical information sharing will not be stopped by the Privacy Act 1988 (Cth) (Privacy Act). In present circumstances where businesses might be collecting additional personal information (including sensitive information), their practices must be open and transparent. In order to comply with the Australian Privacy Principles (APPs), businesses must:
Two legislative exemptions may partially relieve an organisation of its compliance obligations concerning personal information in the current circumstances: the “employee records exemption” and the concept of a “permitted general situation”.
A private sector employer’s handling of employee records is exempt from complying with the Privacy Act. The exemption applies if an act done, or a practice engaged in, by an organisation is directly related to:
When relying on this exemption to deal with personal information without complying with the APPs, employers should note that the personal information must be that of an employee (not a contractor or third party) and must be directly related to one of the above matters. Two recent decisions have made the limits of the employee records exemption clear:
Under the Privacy Act, partial exemptions exist where a “permitted general situation” has arisen. There are a variety of circumstances which will equate to a “permitted general situation”, which relevantly include ‘lessening or preventing a serious threat to the life, health or safety of any individual, or to public health or safety’. Where such circumstances arise, this lessens or varies the obligations on an organisation to comply with certain obligations under the APPs such as seeking an individual’s consent to collection, use or disclosure of personal information where it is impractical or unreasonable to do so. This is by no means a “hall-pass” for an organisation to freely collect, use and disclose such information, but it may provide a necessary degree of flexibility in the current climate of the coronavirus crisis.
Taken together, the foundation for maintaining the integrity of valuable client information and keeping your employees’ personal information private is strong cyber security practice, supported by an organisational culture in which privacy and security are understood and respected. Here are some of the ways you can achieve this.
An organisation is required to take reasonable steps to implement practices, procedures and systems relating to the organisation’s functions or activities that will ensure it continues to comply with the requirements under the APPs and Privacy Act. The Office of the Australian Information Commissioner (OAIC) recently recommended organisations undertake a privacy impact assessment and implement measures to protect personal information. Some of the OAIC’s recommendations are:
Many private sector organisations will receive highly confidential information from their clients, customers or from potential business partners on a regular basis, which may relate to business viability and profitability, business ventures, business continuity plans and proposed actions with respect to redundancies or downsizing.
The nature of confidential information is that it must be kept confidential. A complication that working from home introduces is that an individual may find themselves working in the proximity of others who are not approved to be privy to such confidential information. The measures listed above concerning personal information are an excellent starting point, and the following behavioural shifts will also assist in maintaining confidentiality:
In commercial relationships, failure to take these precautions may result in a prohibited disclosure of confidential information in breach of any contractual obligations to maintain strict confidentiality of the other party’s confidential information. This may, in turn, give rise to a right of suspension or termination of the contract, depending on the terms, and a claim for compensation arising from such breach.
It will be beneficial for organisations to set out their expectations of employees in a policy, and if already in place, remind their employees of the requirements with respect to confidentiality under that policy.
As we write this article, we have seen some temporary leniencies implemented concerning critical matters such as the duty of directors to avoid trading whilst insolvent. However, there has not yet been a move to afford the same leniencies for data breach response timeframes in Australia.
Accordingly, organisations covered by the Privacy Act must assess a suspected breach and, where personal information has been lost, or accessed or disclosed without authorisation, in a way likely to result in serious harm, notify the affected individuals. That notification must tell the individuals what steps they can take to reduce the risk of serious harm, and the same information must be given to the Australian Information Commissioner (through the OAIC). The assessment of a suspected breach must be completed within 30 days of the organisation becoming aware of it, and notification must follow as soon as practicable once the organisation concludes that an eligible data breach has occurred.
The best way to respond efficiently and effectively, whilst reducing the risk of litigation arising out of a data breach, is to regularly brief your senior managers and expert advisors on such matters and ensure that your organisation has a data breach response plan in place.