What you can and can’t say to staff during the COVID-19 pandemic

The Office of the Australian Information Commissioner (OAIC) has issued some valuable privacy advice for business during the COVID-19 pandemic.

This guidance is intended to help businesses regulated by the Privacy Act 1988 (Cth) (Privacy Act) to understand their privacy obligations in the context of the pandemic. Note that if you are a business with a turnover less than $3 million per annum you are not bound by the Privacy Act.

Businesses have important obligations to maintain a safe workplace for staff and visitors and handle personal information appropriately, and should already have practices in place to handle employee health information.

The key piece of information that members should know is that you have an obligation to disclose information on COVID-19 to meet your workplace health and safety requirements.

If a staff member or visitor to the workplace has or may have contracted COVID-19 you may inform staff that a colleague or visitor has or may have contracted COVID-19. But you should only use or disclose personal information that is reasonably necessary in order to prevent or manage COVID-19 in the workplace.

For example, depending on the circumstances, it may not be necessary to reveal the name of an individual in order to prevent or manage COVID-19, or the disclosure of the name of the individual may be restricted to a limited number of people on a ‘need-to-know’ basis.

For further information on your privacy requirements, we encourage you to read the Office of the Australian Information Commissioner (OAIC) factsheet below.