TIP 1 – Have a separate Privacy and Information Policy for employees

As a starting point, it may be advisable to have a Privacy Policy even if you are not required by the Privacy Act to do so. This will let customers and others have comfort that their personal information will be respected.

However, your Privacy Policy need not apply to information provided by your employees (employee records), and you should alert them as to how you will treat their personal information.

Your employee policy can cover the requirement of employees to provide you with certain personal information, such as the information you need to keep under the Fair Work Act 2009 and health information, as well as your employee’s rights to access their information.  It can also put your employees on notice that their personal information held in their employee record may be open to be used and disclosed for any purposes directly related to their employment relationship with you, pursuant to the ‘employee record exemption’ in the Privacy Act.  This is an important point to share with your employees because, to the extent it applies, it puts their personal information outside the protection of the Privacy Act.

Remember though, you should not record or copy the Individual Health Care Identifier (IHI) of an employee which appears on COVID-19 vaccination certificates – more on this in our tips to come later this week.

TIP 2 – Check arrangements with third parties – especially if they are overseas

A data breach of one of your associates, which exposes the personal information of your customers, trading partners or employees, could not only affect you reputationally but may be a breach of your responsibilities under the Privacy Act.

Before sharing or storing data, which may contain personal information of your customers or employees, make sure your contracts with third parties contain appropriate safeguards to ensure you are meeting your privacy obligations. This could include things such as imposing an obligation of confidentiality on any third parties with whom you share data, ensuring those third parties have sufficient IT security to protect the data and checking their privacy policy to ensure their principles align with yours in relation to the treatment of personal information.

It is particularly important when dealing with third parties who are overseas. Privacy Principle 8 can make you specifically accountable for their mishandling of personal information you have disclosed. You are also required, in most cases, to take reasonable steps to ensure overseas third party recipients of personal information do not breach the Australian Privacy Principles.

Arrangements with third parties who store your data on their servers (in the ‘cloud’) are of utmost importance. You need to know the location of the servers storing your data and the personal information you have collected. If they are overseas, you will need to disclose this fact in your Privacy Policy.

TIP 3 – Obtain consent to use personal information for direct marketing

If your business is an organisation, or if you have chosen to be treated as an organisation, the 13 Australian Privacy Principles (APPs) contained in the Privacy Act will apply to your organisation. APP 7 provides that an organisation must not use or disclose personal information it holds for the purpose of direct marketing unless an exception applies.

The Office of the Australian Information Commission’s APP guidelines provides that, for the purposes of the Privacy Act, direct marketing means: “the use or disclosure of personal information to communicate directly with an individual to promote goods or services” and can encompass any communication made by or on behalf of an organisation to an individual. Clearly, direct marketing is intended to have far-reaching application.

Since the concept of direct marketing is broad, it is easy for an organisation to unwittingly breach APP 7. This is compounded by the fact that most organisations that provide goods or services will engage in direct marketing every day.

Knowing the exceptions to APP 7 and how to implement them is absolutely essential. One of the simplest ways to ‘work around’ APP 7 is to obtain consent from an individual to use their personal information in direct marketing. Crucially, validly given consent must consist of the following four elements:

  • the individual is adequately informed before giving consent;
  • the individual gives consent voluntarily;
  • the consent is current and specific; and
  • the individual has the capacity to understand and communicate their consent.

An organisation will also be exempt from complying with APP 7 if personal information (other than sensitive information, such as health information) is collected from an individual and:

  • the individual would reasonably expect the organisation to use or disclose their information for direct marketing;
  • the organisation provides a simple means by which the individual may ‘opt out’ of the direct marketing; and
  • the individual has not opted out.

So, the tip is, include consent options in your paper and electronic documentation for customers and make sure there is an unsubscribe function, which is also required by the Spam Act, for electronic messages.

TIP 4 – Assign a dedicated person to manage privacy related issues

Simply adopting a Privacy Policy is not enough to satisfy the requirements imposed by the Privacy Act on eligible organisations. An organisation must actively comply with the terms of its Privacy Policy and its additional obligations under the Privacy Act. For example, an organisation needs to:

  • respond to requests made by those affected by the Privacy Policy;
  • audit the organisation’s operations and practices to ensure compliance with the Privacy Act;
  • educate staff about the proper use of personal information held by the organisation;
  • maintain safe and secure methods of storing personal information;
  • manage responses to data breaches and ensure that the organisation has complied with its reporting obligations; and
  • conduct periodic reviews of its Privacy Policy to ensure that it continues to accurately reflect the organisation’s use of personal information, including the flow of that information to overseas entities.

For most organisations, compliance with the Privacy Act necessitates the appointment of a dedicated person to manage the organisation’s privacy obligations. Failure to allocate appropriate resources to managing compliance can result in costly penalties for breaches of the Act. For grave breaches, those penalties can amount to the greater of $10 million or 10% of a company’s annual domestic turnover.

TIP 5 — Beware of recording Individual Healthcare Identifiers (IHIs) from COVID-19 digital vaccination certificates

Does your workplace have a mandatory COVID-19 vaccination policy for employees? Does your workplace require the COVID-19 digital vaccination certificate as evidence of an employee’s vaccination status? STOP! Information about the vaccination status of an employee is health information which is sensitive information. Sensitive information is subject to a higher level of privacy protection under the Australian Privacy Principles (APPs).

In addition, an employee’s digital vaccination certificate will contain their Individual Healthcare Identifier (IHI). The IHI is health information.

An IHI is a unique 16-digit number used to identify an individual for healthcare purposes. If you have a Medicare card, are enrolled in Medicare or have a Department of Veteran’s Affairs card, you will have an IHI. This means almost everybody in Australia has an IHI. An individual’s IHI is found just under their name on the COVID-19 digital certificate.

An IHI can only be accessed, used, and disclosed for very limited purposes under the Healthcare Identifiers Act 2010 and is considered sensitive information under the APPs. There are strict criminal and civil penalties if it is used or accessed for a purpose that is not permitted.

An employer may retain personal information, including health information, about employees in employee records (see Tip 1 above). The employee record exemption does not apply to prospective employees, contractors, subcontractors and volunteers.

Although the APPs may not apply to employee records and lawfully collected vaccination information, be aware the Healthcare Identifiers Act still applies. An employer who collects and stores their employees’ COVID-19 digital vaccination certificates, including IHIs, must take reasonable steps to protect the IHIs from any mishandling of data. This can be done by ensuring the IT system is secure and robust with end-to-end encryption and only allowing authorised persons to access it.

However, the best practice is not to record IHIs and ask employees to remove their IHI from the digital vaccination certificate before providing a copy. Alternatively, have a designated individual who sights the employee’s digital vaccination certificate and confirms they have done so.

Regardless of how an employer verifies its employees’ vaccination status, an employer should always respect the privacy of the health information of its employees and ensure that it:

  • accurately records the collected information, keeps it up-to-date, and stores it securely;
  • limits the use and disclosure of employee vaccination status information to what is necessary to prevent and manage COVID-19 in the workplace. It is not appropriate to disclose vaccination status among colleagues unless there is a legitimate reason to do so; and
  • regularly reviews whether the organisation still needs to retain the vaccination information as more people receive the vaccine and restrictions are eased.

This communication provides general information which is current as at the time of production. The information contained in this communication does not constitute advice and should not be relied upon as such. Professional advice should be sought prior to any action being taken in reliance on any of the information. Should you wish to discuss any matter raised in this article, or what it means for you, your business or your clients' businesses, please feel free to contact us.

For more information, please contact...

Sandy Donaldson

View Profile →

Amy Bishop

View Profile →

Related Articles

View All News
December 20, 2023 New Reasons to Keep Your Contract Terms Fair
Corporate & Commercial
December 20, 2023 Is a Trade Mark License a Franchise?
Intellectual Property (IP)
December 20, 2023 Deeds vs Agreements
Corporate & Commercial
December 20, 2023 Trade Mark Use/Copyright and Fair Dealing – AGL v Greenpeace
Intellectual Property (IP)
December 20, 2023 When Can You Send Unsolicited Electronic Messages?
Corporate & Commercial
September 11, 2023 Advertising Health Services
Corporate & Commercial Health & Aged Care
October 14, 2022 Lessons From Theranos
Corporate & Commercial
October 12, 2022 Vendor Safety Nets
Corporate & Commercial
October 06, 2022 Bind Games
Corporate & Commercial
July 12, 2022 Personal and Confidential Information: Employer Obligations to Employees
Employment, Workplace Relations & Safety Intellectual Property (IP)
May 02, 2022 Privacy Week - Top Tips
Corporate & Commercial Intellectual Property (IP)
March 30, 2022 Domain Names and Cyber Security
Corporate & Commercial Intellectual Property (IP)
March 29, 2022 Are You a Director Who Still Needs to Get Your Director ID?
Corporate & Commercial
September 20, 2021 Termination of the Naval Group’s Australian Contract: What It Means for Local Subcontractors
Corporate & Commercial Defence
August 17, 2021 Music to Artists' Ears: Palmer to Pay Up Big for "Flagrant" Copyright Infringement
Intellectual Property (IP)
June 30, 2021 When are Directors Liable for Misleading or Deceptive Conduct, Passing off, Trade Mark Infringement or Unconscionable Conduct?
Corporate & Commercial Dispute Resolution & Insolvency Intellectual Property (IP)
June 30, 2021 NFT’s Explained: The Intellectual Property Implications of Licencing Digital Assets Through Blockchain
Intellectual Property (IP)
January 20, 2021 Terms and Conditions for Sale of Goods/Incoterms® 2020 and Vienna Convention
Corporate & Commercial
December 16, 2020 King Reigns All: High Court Decides Holding Companies May Be Held Accountable for Subsidiary Company Actions
Corporate & Commercial Dispute Resolution & Insolvency
December 16, 2020 Building and Construction Contracts: The Importance of Good Contract Administration
Corporate & Commercial Dispute Resolution & Insolvency Property