Managing requests for personal information about staff or students from a health authority during the COVID-19 crisis

By Sonia Sharma and Claire Grundy

02 April 2020

In the midst of the rapidly evolving COVID-19 situation, the Commonwealth and State Governments are ‘working around the clock’ to try and contain the spread of the virus in Australia. In recent days we have seen schools shut for the day, entire corporate offices working from home, events cancelled, corporate travel bans (and an infamous toilet paper ‘shortage’).

Our Employment Safety & People team recently provided a practical guide to dealing with COVID-19 in the workplace.

In this article our education, data and privacy experts have partnered with our leading healthcare team to explain how to navigate requests for personal information from health authorities concerning your staff, students, and other business stakeholders, including customers and suppliers.

Public health laws

As you might expect, Australian Governments have wide ranging powers to manage a public health crisis under both Commonwealth and State public health and biosecurity laws. These laws require certain communicable diseases to be notified to public health authorities and give broad powers to government to enable them to gather information about individuals and to facilitate (or in fact require) testing or segregation of individuals.

For example, in New South Wales, COVID-19 is a scheduled medical condition, a ‘contact order condition’ and a notifiable disease under the Public Health Act 2010. The Act also includes broad information gathering powers.

Similarly in Victoria, COVID-19 has been added to Schedules 3 and 4 of the Public Health and Wellbeing Regulations 2019 as a notifiable condition under the Public Health and Wellbeing Act 2008, which also includes broad information gathering powers.

These laws allow health authorities to undertake the important work of confirming cases of COVID-19, tracing the movements of individuals who have been infected with COVID-19 and managing situations where individuals may have been in contact with infected individuals.

Privacy laws

The Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs) govern the handling of ‘personal information’ by Australian Government agencies and by private sector organisations with an annual turnover of more than $3 million. This includes many private schools, Registered Training Organisations and private higher education providers.

Similar state privacy laws apply in NSW and Victoria and govern state-based agencies, including state schools, TAFEs and public universities. Depending upon the way in which they have been established and funded, public universities may be subject to both state-based and Commonwealth privacy laws.

For the purposes of this article, the differences between Commonwealth and state privacy legislation are unlikely to be material, so we have focused on the Australian Privacy Act and APPs.

Under APP 6, generally speaking, an entity can only use or disclose personal information for the reason it was collected (known as the ‘primary purpose’) or for a ‘secondary purpose’ if an exception applies. The key exceptions under APP 6 relevant here include:

  • where the individual has consented to a secondary use or disclosure (APP 6.1(a))
  • where the individual would reasonably expect the entity to use or disclose their personal information for the secondary purpose, and that purpose is related to the primary purpose of collection, or, in the case of sensitive information, directly related to the primary purpose (APP 6.2(a))
  • where the secondary use or disclosure is required or authorised by or under an Australian law or a court/tribunal order (APP 6.2(b))
  • where a ‘permitted general situation’ exists in relation to the secondary use or disclosure (APP 6.2(c)). One ‘permitted general situation’ is where it is unreasonable or impracticable to obtain the consent of the individual and the entity ‘reasonably believes’ that the collection, use or disclosure is necessary to lessen or prevent a serious threat to the life, health or safety of any individual, or to public health or safety. On this point, the APP Guidelines issued by the Office of the Australian Information Commissioner state:
    • a reasonable belief means that there must be a reasonable basis for the belief (it is the responsibility of the entity to justify its ‘reasonable belief’)
    • disclosure would not be considered 'necessary' where it is merely helpful, desirable or convenient
    • a serious threat to public health or safety relates to broader safety concerns including 'the potential spread of a communicable disease'.

A number of other exceptions in APP 6 also allow the disclosure of personal information for a secondary purpose. There may also be other generally relevant exemptions from the Act itself (for example, the ‘employee records’ exemption may apply to private sector employers in certain situations).

So can I disclose personal information to public health authorities?

The short answer is most likely to be yes.

If your organisation is contacted by a public health authority such as NSW Health or the Victorian Department of Health and Human Services requesting personal information about one of your staff, students, customers, suppliers or attendees to your office or premises, for the purpose of COVID-19 contact tracing or management, then taking a practical, prompt and cooperative approach is appropriate.

In almost all circumstances organisations should be able to rely on either (or both) the ‘required or authorised by law’ exception in APP 6.2(b) and the ‘permitted general situation’ exception in APP 6.2(c). Considering the scale, acuity and urgency of the COVID-19 outbreak, even where public health authorities are not exercising their formal information gathering powers, a disclosure that is reasonably necessary to prevent the potential spread of a communicable disease falls within the contemplation of the ‘public health and safety’ permitted general situation. Where an authority does invoke a formal power (for example, under the NSW or Victorian public health legislation referred to above), the disclosure is ‘required or authorised by law’ and the reasonable belief test in APP 6.2(c) need not be separately satisfied.

So does that mean that privacy does not matter when it comes to COVID-19? What about other requests I might get from people or entities which are not a public health authority?

Privacy obligations should not simply be disregarded because of the COVID-19 crisis. Where you receive a request for personal information from a person who is not acting for a public health authority, you will need to promptly assess the facts to determine whether an exception under APP 6 applies before any personal information is disclosed. The burden of justifying a ‘reasonable belief’ sits with your organisation, so a request that is merely helpful or convenient to the requester will not, on its own, meet the ‘necessary’ threshold.

On the facts alone, the following scenarios are examples where it may be difficult to justify any exception under APP 6 for disclosing personal information:

  • Company X decides to direct all of its staff to work from home due to concerns about an employee being indirectly exposed to COVID-19. A business associate who was recently in the office sees this development in the news and calls Company X’s reception demanding to know who the person was.
  • A parent whose child attends school has seen another child in the playground constantly coughing. The parent calls the school to demand to know what class the child is in, who their parents are and whether the family has been overseas lately.
  • Your organisation recently hosted a large International Women’s Day event at your offices. You receive a call from an individual who had a great time at the event connecting with the other attendees but has now developed a sniffle. She was hoping to get the contact details of six women she spoke to at the event to let them know about her condition ‘just in case’.

So what should I do?

As part of your COVID-19 response planning, provide your front-line staff, such as reception, customer service personnel and Human Resources staff, with a clear plan for dealing with any personal information requests. This might include:

  • giving basic training to front-line staff about how to recognise and manage such requests
  • appointing an appropriately qualified and trained person to manage all personal information requests for your organisation (i.e. an appropriate escalation process)
  • promptly assessing each disclosure request on a case-by-case basis
  • taking a cooperative and prompt approach when dealing with public health authorities who are doing their jobs, while asking the public health officers to identify themselves and to confirm their authority to require the information to be provided (where practical, confirm a caller’s identity through the authority’s published contact channels rather than a number supplied in the call itself)
  • treating all other requests to disclose personal information with caution and on a case-by-case basis
  • having a plan in place for managing third-party requests, including who is responsible for assessing the request and, if appropriate, providing the information in a timely way
  • keeping a record of every request and every disclosure made, including the circumstances, the information disclosed, the entity to which it was disclosed and any follow-up actions by the public health authority or your organisation.

Looking for guidance regarding COVID-19?

Maddocks has produced guides to a range of legal issues raised by the coronavirus.
