You can’t ask that: Privacy, ECEC workplaces and COVID-19 – a rights explainer
It goes without saying that in early childhood education and care (ECEC) settings, both employers and employees generally want to do the right thing by one another.
That said, in a rapidly changing policy environment, such as the one in which the sector finds itself thanks to the COVID-19 pandemic, it can be complex to stay current with rights, obligations, and responsibilities on both sides.
To support in deepening this understanding The Sector has developed the following guide, based on information produced by the Australian Council of Trade Unions (ACTU). As with much of the information circulating around COVID-19, this advice is general in nature, and employers and employees are encouraged to confirm the currency of the information with the source provider prior to implementing it.
Sensitive health information
Health information, the ACTU said, can be “particularly sensitive” and must be handled appropriately by employers.
That said, privacy laws do not prohibit the collection, use and disclosure of health information to the extent that it is necessary to prevent and manage COVID-19 risks at work.
Therefore, the Union noted, it is crucial for all ECEC employers to have clear workplace policies and processes which ensure that personal and health information is only collected when necessary, stored securely, and used or disclosed only for lawful and proper purposes, including to ensure the health and safety of workers and others.
These policies should also consider any privacy issues which might arise from changed working arrangements. For example, in the event that an employee is asked to self isolate while waiting for the results of COVID-19 testing, the policy should give clear guidance about how this information is delivered, and to whom, in a way which protects the right of the employee to privacy.
Employers collect, disclose, use and store personal and health information about employees frequently for many different purposes.
While privacy obligations vary depending on jurisdiction, and whether the employee is public or private, generally employers are obliged not to use or disclose personal or health information other than for the purpose it was collected, unless the consent of the worker is provided.
Even when employees do not provide consent for this information to be shared, there are exemptions allowing use or disclosure in certain limited circumstances – for example, to prevent imminent harm to someone.
According to the Privacy Act, personal information is “information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether true or not, and whether written or not.”
Health information is a subset of personal information, and is defined as “information or an opinion about an individual’s health (including an illness, disability or injury) at any point in time; or an individual’s expressed wishes about the future provision of health services, or a health service provided, or to be provided, to an individual.”
Use versus disclosure
Using information and disclosing information are two different things.
When an employer uses information, they are handling it, but remaining effectively in control of it. In an ECEC context, an employer “uses” health information when they inform payroll of someone using personal leave to recover from an injury.
When information is disclosed, it is made available to others outside the boundaries of the employer. Essentially, when information is disclosed, it goes out into the world, and the employer no longer has effective control. In an ECEC context, an employer may disclose information about an employees mental health to a regulatory authority as part of a complaints investigation process.
Employers have a general obligation to ensure that, so far as is reasonably practicable, they provide a safe and healthy working environment which cares for those who work within it.
In the context of COVID-19, employers must take all reasonable steps to limit the work-related spread of COVID-19. For an employer to be able to do this effectively, they may need to collect information from workers and visitors about their potential exposure to COVID-19 in order to identify, assess and control risks of infection.
Workplace health and safety (WHS) laws include a specific obligation to provide ‘any information necessary’ to protect all persons (including workers and others, such as visitors) from risks to their health and safety arising from work.
The laws also outline the obligation of employers to “consult, confer and provide access” to information to health and safety representatives (HSRs) relating to the health and safety of the workers in the HSR’s work group.
Employers are only allowed to provide HSRs with access to personal or medical information with the express consent of the employee, unless the information is given in such a way that it is not possible to identify the worker, and it could not reasonably be expected to lead to the identification of the worker.
In an ECEC context, an employer can collect information that is reasonably necessary to meet their obligations under WHS laws to identify risk and implement appropriate controls to prevent or manage COVID-19 in line with Department of Health guidelines.
This could include collecting information from educators and visitors, including parents, about having close contact with confirmed or potential cases of COVID-19, or asking about travel history.
Need to know basis
In order to comply with privacy laws, personal and health information should only be used or disclosed by employers on a ‘need-to-know’ basis.
The minimum amount of personal and health information about any given employee should be collected, and steps should be taken to protect this information.
Those working in an ECEC setting should be told about what information is being collected and why, and also how it will be stored and used. Employers, the ACTU said, should have clear processes and designated staff members with responsibility for handling these matters, and secure information storage methods.
In the event that a staff member contracts COVID-19, employers must ensure that the employee is supported not to return to work while infectious, as well as notifying the regulatory authorities relevant for their area.
It may be necessary to share the identity of the worker with others at the workplace in order to identify those who have had close contact with a confirmed case. In this instance, HSRs should be notified of the existence of a confirmed case and consulted on appropriate control measures.
In order to comply with privacy obligations, a confirmed case’s identity should be shared with others strictly on a ‘need to know’ basis, even if consent has been provided by the worker. This is particularly important because discrimination, harassment and abuse has been targeted at those who have contracted coronavirus. This may undermine the health and safety of the worker in question as well as HSR and employer efforts to effectively manage the situation.
To read this information in full, as produced by the ACTU, please see here.