The Office of the Australian Information Commissioner (OAIC) recently released an advice notice for entities that are collecting personal information for COVID-19 purposes. In its advice, the OAIC recommended that entities review their privacy and personal information practices and adjust as necessary to comply with changing privacy and health regulations.
The OAIC recommended considering three questions:
- Is collecting personal information still necessary?
- Is retaining personal information still necessary?
- When should you destroy personal information?
Entities must have clear and justifiable reasons to continue collecting personal information from individuals. For example, this may be on a legal basis to ensure compliance with public health order requirements. However, if there is no law requiring the collection of personal information, entities must then consider whether collecting the personal information is necessary for their continued operation. This generally falls under a test whereby a reasonable person would agree that collection is necessary. Where there is no longer a reasonably necessary need, it may become necessary to cease data collection.
Similarly, if personal information is no longer required, it must be destroyed or de-identified in accordance with the Australian Privacy Principles. If the entity requires the retention of information for a specified period of time, it must ensure there are processes and systems in place which enable regular review of the need to retain the information.
If retained information is no longer necessary and must be removed, entities must follow proper methods of destruction or de-identification. This will vary depending on the medium of the information, eg. physical, electronic, or cloud.
For a full reading of the OAIC’s release, see here.
At Arnotts Technology Lawyers, we have significant experience advising clients on their obligations under the Australian Privacy Act, GDPR and the privacy law that applies in other jurisdictions (such as New Zealand, California and Canada). Please contact us if you need assistance with your privacy obligations.