Lucinda Smith and Samantha Culshaw

COVID-19 and privacy – What it means for RV operators and RAC providers in managing collection, use or disclosure of personal information

Lucinda Smith and Samantha Culshaw

April 9, 2020

Aged Care Legislation Updates Retirement Villages

Key points

All retirement village operators and residential aged care providers have an important obligation to maintain a safe workplace for their staff, and a safe environment for residents.  The Privacy Act 1988 (Cth) (Privacy Act) will not stop critical information from being shared.  However, only information that is reasonably necessary to prevent or manage COVID-19 should be collected, used or disclosed.

Consent is not required for collection, use and disclosure in the current pandemic situation as the ‘permitted general situation’ exemption would apply.  This allows collection, use and disclosure of information to lessen or prevent a serious threat to the life, health or safety of any individual, or to public health or safety.

Practical steps

Operators and providers should be proactive and take steps now to notify staff, residents and visitors about how their personal information will be handled in responding to any potential or confirmed cases of COVID-19 at the facility.  This can be done by:

  • circulating a notice to staff and residents, outlining the facility’s approach, including that their personal information may be disclosed if that is reasonably necessary to prevent or manage infection;
  • putting up signage at the front of the facility, or in reception, and on its website, about the facility’s approach to collecting, using and disclosing personal information to manage and prevent COVID-19; and
  • requiring visitors and delivery staff to sign in and confirm whether they have been in contact with anyone exposed to COVID-19 or whether they have travelled overseas in the last 14 days, and to which countries.

It would also be useful for operators and providers to put in place a process for dealing with a confirmed case of COVID-19, or exposure to confirmed case of COVID-19 such as:

  • notifying residents, staff and visitors (as relevant) by SMS/email/telephone/whatsapp; and
  • setting up a website or other contact point for individuals to keep updated, and advising that information will be used to notify impacted individuals and assist government health departments/ministries for all necessary purposes, including contact tracing.

In circumstances of suspected cases it would be useful for operators and providers to put in place procedures that isolate the person. Practically, it is important for operators and providers to provide an environment free from stigma and associated negative experiences for residents and staff. With this in mind, any isolation policy for suspected cases should be done in a sensitive way. This might include explaining that the resident is no longer accepting visitors without necessarily specifying the reason.

It is important to ensure that all personal information collected is kept secure.

The OAIC has prepared helpful guidelines for understanding privacy obligations to staff regarding COVID-19 which can be accessed here.

Can an operator/provider collect information from residents, employees and visitors to the facility in relation to COVID-19?

Provided the information collected is reasonably necessary for preventing or managing COVID-19, operators and providers can collect information from residents, employees and visitors to the facility.

For example, it may be appropriate to collect the names of each visitor attending the facility together with a contact number/address/email, but it would not be appropriate to collect information about their religious beliefs or ethnic origin.

Operators and providers should familiarise themselves with the information needed to identify risk and symptoms and put in place appropriate measures to have employees, visitors or residents notify if they have:

  • come into contact with anyone exposed to COVID-19; or
  • travelled overseas in the last 14 days, and to which countries.

Can an operator/provider tell staff or residents, that a staff member, visitor or resident has or may have contracted COVID-19?

Provided the information being disclosed is reasonably necessary to manage or prevent COVID-19 in the facility/workplace, this is allowed.

For example, it may not be necessary to reveal the name of an individual in order to prevent or manage COVID-19, or the disclosure of the individual’s name may be restricted to a limited number of people on a ‘need to know’ basis.  This may be the case in a particularly large facility, or where the person exposed was a visitor to the facility.  However, where a facility is relatively small, and it is a resident that is infected, it may not be practical or reasonable to withhold details of that resident. This requires a case by case assessment.

Do operators/providers have any obligation to notify government health departments?

State and Territory health departments require notification of all confirmed cases of COVID-19. Health authorities are usually already aware of confirmed cases due to obligations placed on health practitioners to notify the authorities.

Generally, in circumstances where there is a suspected case, it is recommended that an operator/provider only notify relevant health departments of a suspected case at the workplace without detailing any specifics.  Providers should indicate that the case is not confirmed and that necessary precautions are being taken by the suspected person and the workplace.  In the course of notifying the relevant authorities, it is recommended that providers seek guidance about what steps to follow next.

The Department of Health has released some useful FAQs regarding information for employers and their obligations around COVID-19 which can be found here.


If you would like to discuss any aspect of this article and/or would like us to provide advice, please contact a member of Thomson Geer’s Health, Aged Care and Retirement Villages team.