As part of the response to the COVID-19 pandemic, employers have had to collect and disseminate information about their employees. This has given rise to concerns regarding data privacy. On 30 March 2020 the privacy commissioner for personal data issued guidelines for employers on the collection, processing and use of personal data during the COVID-19 pandemic. The guidelines provide the following:

  • Employers must protect the health of their employees and visitors. During the pandemic, it is generally justifiable for employers to collect temperature measurements or limited medical symptoms of COVID-19 information for such purposes.
  • Employers should follow the general rule that the collection of data should be necessary, appropriate and proportionate. The relevant data should be processed in an anonymised or de-identified way and the least privacy intrusive measures are preferred.
  • Employers can ask for travel data from employees who have returned from overseas, especially from high-risk areas. The collection of such data should be purpose specific and minimal data should be collected.
  • Personal data collected to combat COVID-19 should not be used or disclosed for other unrelated purposes unless express consent is obtained. In order to protect public health, employers may disclose the identity, health and location of individuals to the government and the health authorities. Employers may also notify other employees, visitors and office property managers if any of their employees contract COVID-19, without disclosing the infected individual's personally identifiable information.
  • Employers should permanently destroy personal data collected for the purpose of combating COVID-19 when the purpose of collection has been fulfilled.
  • Employers should take all practicable steps to protect the personal data collected against unauthorised or accidental access, processing, erasure, loss or use.
  • Employers and employees should exercise extra caution in relation to the transfer and use of documents when carrying out work-from-home arrangements. The new guidelines set out a number of recommendations in relation to the security of personal data.