A COVID-Safe Approach to Privacy

27 Sep 2021

On 2 September 2021, the Office of the Australian Information Commissioner (OAIC) released a framework of five universal privacy principles intended to give governments and businesses a nationally consistent, best-practice approach to data management and the protection of personal information during the COVID-19 pandemic.

Background

Under the public health orders of each state and territory, governments and businesses are required to collect and disclose personal information, including sensitive health information, for ‘critical information sharing’: that is, for preventing or managing the risk or occurrence of COVID-19. No national legislation specifies what privacy protections govern the retention and use of this information, and that gap has led to public concern about how the information is handled. These concerns are heightened by the unprecedented rise in cybercrime since the start of the pandemic.

As Australian Information Commissioner Angelene Falk has emphasised, organisations must handle personal information appropriately so as to ‘maintain the community’s trust in the use of their personal information’ and ensure that individuals continue to provide the accurate personal information needed to prevent and manage the spread of COVID-19.

Best-practice Privacy Principles

To address these concerns, the OAIC has recommended that governments and businesses develop laws, or implement technical solutions or policies, in accordance with the following five privacy principles, which embed a privacy-by-design approach to the collection and management of personal information.

  1. Data minimisation: Governments and businesses should collect only the minimum information necessary for contact tracing purposes, and should consider alternatives to collecting the information at all where those alternatives would serve the same purpose.
  2. Purpose limitation: Information collected to prevent or manage the risk or occurrence of COVID-19 should not be used for other purposes, such as direct marketing.
  3. Security: Reasonable steps must be taken to protect personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure (the same standard that Australian Privacy Principle 11 imposes on entities already covered by the Privacy Act).
  4. Retention: Personal information should be destroyed once it is no longer needed for contact tracing purposes.
  5. Regulation by the Privacy Act: Where personal information is collected or stored through a third party, organisations should ensure the third party is covered by the Privacy Act 1988 (Cth). Where the organisation itself is not covered by the Privacy Act, it should ‘opt in’ to coverage under section 6EA.

Ultimately, unlike the stringent, legislated privacy protections enacted for the Government’s COVIDSafe app in May 2020, these principles have not been given legislative force, and their implementation remains discretionary. It remains to be seen whether these broad principles will be sufficient to address the apparent rising public distrust of the surveillance mechanisms on which a return to normal life depends.

The content of this article is intended to provide a general guide to the subject matter. Specific advice should be sought about your specific circumstances.