A COVID-Safe Approach to Privacy

On 2 September 2021, the Office of the Australian Information Commissioner (OAIC) released a framework of 5 universal privacy principles which provide a nationally consistent, best practice approach to data management and personal information protection for governments and businesses during the COVID-19 pandemic.


Under the public health orders of each state and territory, governments and businesses are required to collect and disclose personal information and sensitive health information for the purpose of ‘critical information sharing’, that being for the purpose of preventing or managing the risk and/or reality of COVID-19. The absence of national legislation regarding what privacy protections regulate the retention and use of this information has led to public concern regarding the privacy of this information. These concerns are exacerbated by the unprecedented rise in cybercrime since the start of the pandemic.

As OAIC’s Angelene Falk has emphasised, organisations must handle personal information appropriately so as to ‘maintain the community’s trust in the use of their personal information’ and ensure they continue to provide accurate personal information necessary to prevent and manage the spread of COVID-19.

Best-practice Privacy Principles

To address these concerns, the OAIC has recommended governments and businesses develop laws or implement technical solutions or policies in accordance with the following five privacy principles that ensure a privacy-by-design approach to the collection and management of personal information.

  1. Data minimisation Governments and businesses should collect the minimum information necessary to achieve contract tracing purposes and alternative solutions to information collection for this same purpose should be considered.
  2. Purpose Limitation Information collected for the purpose of preventing or managing the risk and/or reality of COVID-19 should not be used for other purposes, such as direct marketing.
  3. Security Reasonable steps must be taken to protect’ personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure.
  4. Retention Personal information should be destroyed once it is no longer needed for contact tracing purposes.
  5. Regulation by the Privacy Act Where personal information is collected or stored through a third party, organisations should ensure the third party is covered by the Privacy Act 1988 (Cth), alternatively where the organisation is not covered by the Privacy Act it should ‘opt in’ to its coverage as per section 6EA.

Ultimately, unlike the stringent privacy protections that accompanied the release of the Government’s COVIDSafe app in May 2020, these principles have not been given legislative force and their implementation remains discretionary. It remains to be seen whether these broad principles will be sufficient to address the apparent rising public distrust of the mechanisms of surveillance which hold the key to our return to normal life.

The content of this article is intended to provide a general guide to the subject matter. Specific advice should be sought about your specific circumstances.

Related News

Walton Construction Class Action – Media Release

MEDIA RELEASE 16 May 2024 Subcontractors Alliance confirms that Williams & Kersten Pty Ltd, the Lead Applicant in a Federal Court class action against National

Read More

The duty of utmost good faith

In life, they say that honesty is the best policy. But did you know that it is actually also one of the most important provisions in

Read More

Recoveries against third party insurers direct

Did you know? When an at-fault third party cannot be found or is dead, or a third party company is deregistered, a cause of action

Read More

Get in touch

Contact our team today

Stay informed

Keep up-to-date with our regular news and insights

This field is for validation purposes and should be left unchanged.
William Roberts Lawyers


Level 22
66 Goulburn Street


Level 21
535 Bourke Street


Level 8
300 Ann Street


Level 19
Singapore Land Tower
50 Raffles Place