COVID-19 and privacy law – What can employers ask and tell?
18 March 2020
With COVID-19 having now reached our shores and thousands of New Zealanders at home in self-isolation, employers around the country are working hard to manage the current situation and prepare for what is to come. So far, there has been plenty of discussion about health and safety and employment duties, but not many people are talking about privacy. This bulletin addresses the key privacy issues: what can, should and must you communicate to your employees, your stakeholders and the authorities if there is an exposure affecting your workplace?
Key privacy principles
The COVID-19 outbreak raises all sorts of privacy questions, and the right approach to take will depend on the particular circumstances. With that said, employers will generally get things right if they remember the following key principles.
The starting point is that employers have a duty to keep their employees’ personal information confidential, and can only share that information if an exception in the Privacy Act allows. In the COVID-19 context there are however a number of exceptions that may apply to allow sharing of personal information.
- First and foremost, information can be shared if the employee concerned authorises it. As a first step therefore, employers should generally work with their employees, to determine the extent of the information they are willing to share and with whom
- The Privacy Act is ‘purpose driven’. Personal information can be shared if it is for the same, or directly related to, the purpose for which it was collected in the first place. This exception will often apply to information about an employee's COVID-19 exposure and risk; a key reason employers are seeking this information is to enable them to take steps to keep their workforce and others safe and manage the impact on the workplace
- There is an express exception in the Privacy Act that allows sharing of information if it is necessary to prevent or lessen a serious threat to public health or to the life or health of another individual.
Employers can also take some comfort from the fact that health practitioners and laboratories have mandatory duties to notify the health authorities when a new COVID-19 case is confirmed. That responsibility lies with the health professionals, so employers can focus on what needs to happen to keep people safe in their workplace.
When thinking about what to share however, employers still need to take care. In particular:
- Even when an exception applies, employers must still consider the extent of the information to share. You may share information only to the extent necessary to achieve your purpose. For disclosure to be necessary, it need not be essential – there is an element of pragmatism - but it means more than ‘expedient’. The particular disclosure should genuinely be required for the given situation. You are unlikely, for example, to need to identify which relative of an employee has been infected; saying a 'close contact' will be enough. In simple terms, consider whether you can say less to achieve the particular purpose - don't use a sledgehammer to crack a nut
- The Privacy Act also requires employers to make sure any information used or shared is accurate. Take care with the language used: an employee required to self-isolate is different, for example, to an employee doing so out of extra caution
- The Privacy Act rules only apply to 'identifiable' information, but even where information is anonymised, individuals are often still identifiable by joining the dots.
One of my employees has just arrived home from Italy and has to work from home in self-isolation – what do I tell the rest of my staff?
One of the first questions is whether your employee is comfortable with you sharing this information within the workplace. Many employees will be understanding of the need for their colleagues to be told the details of their situation, in which case privacy concerns will fall away.
Another question you need to ask is who needs to know this information and why. Practically of course, the employee's immediate colleagues will need to know that their colleague is working from home, and the 'directly related purpose' exception will apply to allow that. Any information beyond this is probably unnecessary to share. Certainly, the 'serious threat' justification will not apply if the employee hasn't been into work.
There is also no obligation for employers to notify the authorities, and probably no justification for doing so other than in exceptional circumstances.
One of my employees has gone home with flu-like symptoms – what do I tell the rest of my staff?
The immediate answer to this question is easy. You don't need to tell the rest of your staff much, except letting them know that their colleague is away – as you would normally.
That said, the answer to this question changes depending on your assessment of the employee's risk profile. If the employee has recently travelled for example, then you will need to work closely with the employee, and perhaps also take health professional advice, to understand what further steps are necessary to minimise risk to others.
If further communications are needed based on this advice, the 'connected purpose’ or 'serious threat' exceptions may apply, but you should consider whether it is possible to address the risks without identifying the person affected. It all depends on the context, and again, having a discussion with the employee about what they are willing for you to share will be the best starting point - alongside the questions, ‘what information do I need to share and why?’.
In some situations you may feel a need to act quickly and want to disclose information to limit the risk of further exposure, for example to co-workers who worked closely and recently with the employee. If you have taken precautions in your workplace generally and the employee is isolated, a few minutes to talk to the employee, re-check the advice from the Ministry of Health and seek specific advice from the health authorities and others as needed will be time well spent.
I want to make a risk management plan and I am worried that some of my staff might have particular vulnerabilities to COVID-19 – what can I ask about their health?
This question is important as it addresses the obligations an employer has when collecting information. In this case, the Human Rights Act is also relevant because it prohibits employers from treating employees less favourably because of a disability (which includes an illness or health condition), and asking questions unnecessarily about an employee's health status could be considered discriminatory.
In the COVID-19 situation, the health and safety obligations that an employer has to eliminate and minimise risks in the workplace will however provide robust justification for asking questions about an employee's health vulnerabilities, provided those questions are linked to COVID-19 and focussed on the managing the risks at hand. Before asking employees such questions, employers should do their research and in particular consider the Ministry of Health's guidance. Employers also need to bear in mind principle 3 of the Privacy Act, and let employees know (among other things) why they are collecting the information, what they are going to do with it and how they can access it in future.
It’s the worst-case scenario – one of my employees has confirmed COVID-19. What do I tell the rest of my staff and do I have to tell anyone else?
Again, the answer to this question will depend on your risk analysis and the information you are given by your employee and the health authorities. When a person is diagnosed, the health authorities will work directly with that person to identify contacts who are at risk and notify them as necessary. You as an employer can rely upon that professional process and advice, as well as on the more general advice that the Ministry of Health and healthline is giving. If it becomes necessary, health authorities also have powers under the Health Act to require individuals and employers to provide key information to help with contact tracing. These powers will override the duties of confidentiality in the Privacy Act.
There are no statutory duties that require you as an employer to notify anyone else about the confirmed diagnosis of an employee (and WorkSafe has recently confirmed that they do not need to be notified). You do however need to think about your broader health and safety duties, both to your staff and also to any others, such as clients or onsite visitors. As well as keeping up to date with the Ministry advice, consider taking advice from healthline or another health professional about where the risks might lie and act accordingly.
Coming soon: As you will be aware the Government has announced new measures to assist employers with managing the impact of COVID-19, including a wage subsidy and leave payment for workers in mandatory self-isolation. We will soon be providing a further update on these measures, so watch this space, and let us know if you have any questions in the meantime.