COVID-19: Information for Agencies

Proactive release of COVID-19 related information and specialised COVID-19 transfers of access applications

As we move from response to the pandemic to recovery and reform agencies will acquire and manage new information relevant to COVID-19 that informs decision making and service delivery. Agencies will also receive access applications seeking information related to the pandemic.

The GIPA Act mandates the release of open access information which includes:

• Identification of information held by agencies that is or is not made publicly available
• Policy documents that affect or are likely to affect rights, privileges/benefits, obligations/penalties to which members of the public might be subject to, or benefit from
• Documents containing particulars of administrative schemes and the documents describing the operation of these schemes
• A register of contracts entered into by the agency
• For government departments, a register of major assets

The GIPA Act also encourages proactive release of other information and provides immunity from civil and criminal action when information is released in good faith.

Each agency should monitor, manage and where mandated, or where the public interest favours release of information related to the pandemic, ensure that this information is publicly available. Data and other resources including public procurement, budgets and funds can be collated and proactively released under the GIPA Act.

It is also important to consider how this information can be accessed by the public and reused. Publication in open formats and licence-free for reuse will ensure that the intent of open government is realised to provide both access to information and enhance citizen participation and engagement. Access to information and public engagement will build public trust as we move forward.

Agencies are also encouraged to identify and collate information relevant to the pandemic including access applications that seek information related to COVID-19. This information will be important in enabling government to promote recovery and reform.

Access applications should be reviewed to ensure that they are appropriately transferred to agencies that hold the information sought. In some instances, a knowledge of the newly created taskforces and administrative/governance arrangements will be required to properly direct the transfer of applications. Accordingly, escalation to identified specialists within agencies may be required to ensure that the transfers are effective.

Agencies are encouraged to proactively consider these issues and implement arrangements to promote access to information.

The IPC is taking action to provide guidance and support to agencies in managing these new and significant issues. The IPC is also monitoring applications relevant to COVID-19 to provide reports and guidance to assist agencies and citizens; where relevant reports may also be made to the NSW Parliament.

COVID-19 and GIPA

The current unprecedented events in managing and responding to the COVID-19 outbreak in New South Wales (NSW) has required all agencies to review and consider their business continuity arrangements. In NSW this event may result in an increase in agency staff working from home, on sick or recreation leave, or in being redirected to alternative duties to provide essential services. This may impact on the ability of agencies to meet the timeframes prescribed under the Government Information (Public Access) Act 2009 (GIPA Act) for making access application decisions or in responding to a complaint under the Government Information (Information Commissioner) Act 2009 (GIIC Act). Each agency’s arrangements will vary and need to be informed by the particular operating circumstances of that agency.

The IPC has received some inquiries from agencies about responding to access applications in this evolving environment. These enquiries have included questions about the prevention of applications from becoming deemed refusals if an agency’s office shuts down as part of COVID-19 prevention or containment, particularly if right to information officers do not have the ability to work remotely.

It is important to recognise that access to government information and the preservation of the right to access government information is important in this time of rapid change. Therefore it is important that agencies take steps to respond to this dynamic environment. Agencies are encouraged to:

1. Update their GIPA page to provide information on contact details and arrangements in place for responding to access applications. There is no mechanism in the GIPA Act to suspend or preclude applications from continuing to be made. It is therefore important that agencies update and include information about the arrangements that are in place and how timeframes may be impacted. This may include any advice redirecting staff to contact applicants via email.
    
2. Assess existing applications and identify where extensions of time may be required. The GIPA Act provides mechanisms for agencies to seek agreement for an extension of time under section 57(4) of the GIPA Act. The IPC already has available a fact sheet on extensions of time under the GIPA Act available here.
    
3. For correspondence that requires an action on the part of the applicant. Agencies are encouraged to seek an extension of time if it is required. For example by including a request in a notice of charges estimate notices. This way, if your offices close and the applicant actions the correspondence during that time, the extension will begin if the processing period expires, preventing a deemed decision or a decision to refuse to deal.
    
4. For other correspondence, such as acknowledgement letters or update emails, you can send correspondence specifically to request an extension.
    
5. Where an agency is due to make a decision on an access application within the coming weeks and is not able to issue the decision within the statutory timeframe due to delays caused by officers working out of the office, it can ask the applicant, under section 57(4) of the GIPA Act for extra time to make its decision.  

When asking for an extension, you can explain why it is being requested. Each agency will need to decide how best to phrase the request in their specific circumstances but given the current events and the possibility of office closures, requesting extensions is a reasonable way for agencies to manage any potential disruption to application processing.

Lodgement of applications by legal representatives

During the COVID-19 pandemic, solicitors requesting information from government agencies on behalf of their clients may struggle to obtain a written client authority. This may be due to solicitors working remotely and clients lacking the means to provide their authority electronically.

It is important for agencies to confirm that any request for information is made with the appropriate authority. However, recognising that the COVID-19 pandemic has disrupted ordinary practices, agencies are encouraged to show flexibility in accepting applications and in dealing with legal representatives.

Where a solicitor is unable to obtain a written authority, they should provide a written statement confirming that they have been instructed by the client and that they have the client’s express verbal authority to make a formal access application or request for information on their behalf. If a delay in making an application would prejudice a client’s rights, this should also be explained by the solicitor.

This information from legal representatives should accompany any application for information to an agency and/or to the Information and Privacy Commission.

Agencies are encouraged to liaise with solicitors where further information is required rather than automatically refusing a request or access application made on a client’s behalf due to the absence of a written authority.  It is also recognised that solicitors are under a duty to act ethically and in accordance with the principles of professional conduct under the Legal Profession Uniform Law 2015.

Agency Decision making

If a decision on an access application will not be made within the statutory timeframe due to delays, this will result in a deemed decision being made under section 63 of the GIPA Act. The applicant will therefore be entitled to apply to IPC for external review of the deemed decision. An applicant will also be entitled to a refund of the application fee under section 63 (1) of the GIPA Act.

While an applicant does not have to agree to a request for an extension of time, explaining the agency’s reasons will assist the applicant to understand the unusual circumstances which have caused the request. If an applicant does not agree, where possible an agency should endeavour to continue to work on the application.

Each agency will need to consider its individual circumstances and arrangements. In deciding the appropriate amount of additional time required for deciding the access application, the agency may take into account factors including:

• length of time the agency was unable to operate due to the outbreak
• whether agency staff numbers were affected by decisions to allow officers to work out of the office, staff leave or diversion of resources to essential services
• whether staff dealing with the access application are able to access the information from other parts of the agency that may be impacted by resource limitations.

Current IPC external reviews

If agencies are unable to meet a timeframe set by the IPC to provide submissions or information in relation to an external review, they should contact their review officer prior to the due date to request an extension of time:

• Telephone 1800 472 679
• Email: ipcinfo@ipc.nsw.gov.au

At this time, the IPC is continuing to progress applications for external review made to the IPC and will work with agencies and applicants to do so. There may be delays experienced resulting from arrangements put in place to respond to COVID-19 which may impact on our usual service standards. There may be circumstances which will require the IPC to contact applicants and discuss the progress of their applications, including if necessary, to seek an extension under section 92A(2) of the GIPA Act.

Current complaints to the IPC under the GIIC Act

If agencies are unable to meet a timeframe set by the IPC to provide submissions or information in relation to a complaint, they should contact their case officer prior to the due date to request an extension of time:

• Telephone 1800 472 679
• Email: ipcinfo@ipc.nsw.gov.au

The IPC has established a dedicated page on its website to provide updates to clients and agencies

IPC Services

At this time, the IPC is continuing to progress complaints and applications for external review made to the IPC and will work with agencies, complainants and applicants to do so. Our services will continue however our service standards may be impacted as we put in place arrangements to respond to COVID-19. We may also need to engage with citizens to seek an extension under section 92A(2) of the GIPA Act to complete external reviews. This will be managed on a case by case basis and we will communicate as expeditiously and fairly as possible. The IPC will continue to update information relevant to the provision of IPC services to assist citizens and agencies.

The above general information has been prepared to provide guidance to those agencies who may be concerned about meeting GIPA Act timeframes.

The IPC has established this dedicated page on its website to provide updates to clients and agencies as circumstances unfold. You are encouraged to continue to review our website for updates.

For further guidance, please contact the IPC Enquiries Service by email to ipcinfo@ipc.nsw.gov.au

COVID-19: The duty to document does not cease in a crisis, it becomes more essential
The Australian and New Zealand Information Access Commissioners join with their international counterparts in their clear call for documentation, preservation and access to information as governments, businesses and citizens deal with the COVID-19 pandemic. 

Statement - Transparency and access to information in the context of  a global pandemic
The Australian Information Access Commissioners join with their international counterparts in their clear call for transparency and the right to access information as governments, businesses and citizens deal with the COVID -19 pandemic.  

COVID-19 statement by the Information Commissioner
The NSW Information Commissioner and Open Data Advocate has released a statement on Information Access, Data Sharing and the COVID-19 Pandemic.

COVID-19 and NSW Privacy Legislation

As the COVID-19 pandemic progresses, it is important that agencies continue to meet their privacy obligations to their staff and the public while managing the impact of the pandemic.

In general, agency obligations under the Privacy and Personal Information Protection Act 1998 (PPIP Act) and Health Records and Information Privacy Act 2002 (HRIP Act) continue to apply in respect of dealing with issues relating to COVID-19.

Special arrangements that apply during the pandemic

Commencing in March 2020, the Minister for Health and Medical Research has made a number of Public Health Orders under s 7 of the Public Health Act 2010. Included in the provisions of these orders are measures to facilitate the exchange of information between NSW government agencies. These authorise government sector agencies to exchange personal or health information with other government sector agencies if necessary for the purposes of protecting the health or welfare of members of the public during the COVID-19 pandemic.

The government response to the pandemic is evolving rapidly and updates to the Public Health (COVID-19 Restrictions on Gathering and Movement) Order 2020 are likely to be issued on a regular basis. Agencies will need to stay up to date with any requirements as they change. Orders are published in the NSW Government Gazette which can be accessed online at: https://www.legislation.nsw.gov.au/#/gazettes/2020

Agencies will need to take account of these special arrangements when responding to requests for privacy internal reviews.

The following recommendations will assist agencies to ensure they continue to comply with NSW privacy law while managing the health and welfare of the community during the pandemic.

Only collect what is necessary

In order to prevent or manage the risk of COVID-19 in the workplace, agencies need to consider how they will collect, use and disclose personal and health information. This includes the handling of personal information of employees and employees’ family members, visitors to agency premises, as well as individuals to whom the agency provides services and members of the general public.

Agencies should take steps to ensure they limit the collection, use and disclosure of personal information to what is necessary to prevent and manage COVID-19, and take reasonable steps to keep it secure.

Only personal information that is reasonably necessary in order to prevent or manage COVID-19 in the workplace should be collected, used or disclosed.

Personal information that is reasonably necessary to collect includes information that NSW Health has indicated is necessary in order to identify risk and implement appropriate controls to prevent or manage the risk and/or reality of COVID-19, for example:

• whether the individual or a close contact has been exposed to a known case of COVID-19

• whether the individual has recently travelled overseas and to which countries.

Provide appropriate notification

Agencies should consider taking steps now to notify staff of how they will handle their information in responding to any potential or actual case of COVID-19 in the workplace. Where practicable, agencies should seek consent before collecting an individual’s personal or health information for inclusion in a record.

Seek consent where possible

Where practicable, seek consent from the individual to collect, use or disclose their personal or health information.

Where obtaining consent is not practicable, there may be exemptions that apply under the PIPP or HRIP Acts or under the agency’s governing legislation. For example, s17(c) and 18(c) provide exemptions where use or disclosure is necessary to prevent or lessen and serious and imminent threat to life or health of the individual to whom the use or disclosure relates. These exemptions require that the threat to life or health justifying use or disclosure is both ‘serious and imminent’.

Disclosing information to staff

Staff may be informed that a colleague or visitor has or may have contracted COVID-19, but only personal information that is reasonably necessary to prevent or manage COVID-19 in the workplace should be used or disclosed. Depending on the circumstances, it may not be necessary to reveal the name of an individual in order to prevent or manage COVID-19, or the disclosure of the name of the individual may be able to be safely restricted to a limited number of people on a ‘need to know basis’. Whether disclosure is necessary should be informed by up to date information from NSW Health.

Privacy by Design and Privacy Impact Assessments

While it is recognised that agencies will need to respond rapidly to manage pandemic related issues, privacy-by-design and Privacy Impact Assessments (PIAs) are important tools that can assist agencies to ensure personal information is handled in a way that is necessary, reasonable and proportionate. Where time pressures prevent a full PIA from being conducted, there is still value for agencies in conducting a short-form assessment.

This is particularly important in cases where information is being collected via an App, to ensure that issues relating to storage and retention of the information are considered. It is also important where there is a need to share information publicly and de-identification of the information is planned, to mitigate against the risk of re-identification of personal information.  

Remote working & information security

Agencies should ensure reasonable steps are in place to keep personal information secure where employees are working remotely. 

Australian Privacy Regulators

Australian privacy regulators have convened a National COVID-19 Privacy Team between the Office of the Australian Commissioner (OAIC) and states and territories with privacy laws to respond to proposals with national implications.

• COVID-19 response from Australian privacy regulators.

They have also produced universal privacy principles to support a nationally consistent approach to solutions and initiatives designed to address the ongoing risks related to the COVID-19 pandemic. 

• National COVID-19 Privacy Principles

COVIDSafe app enquiries

The Information and Privacy Commission has received enquiries from NSW government sector agencies concerning the Australian Government’s COVIDSafe app and whether agencies can require their staff to download and use the app on work issued devices such as mobile phones or tablets.

The IPC recommends that agencies review the advice published by Safework Australia on the COVIDSafe app. The key points to note are:

• the use of the COVIDSafe App is completely voluntary
• a person (including an employer) must not require a worker or other person to download or use the COVIDSafe app. This includes requiring workers to download the COVIDSafe app onto work issued and private mobile phones.

For further information please see: https://covid19.swa.gov.au/covid-19-information-workplaces/other-resour… 

COVIDSafe legislation passed by Parliament

The Privacy Amendment (Public Health Contact Information) Bill was passed by Parliament on 14 May 2020, enforcing new privacy safeguards for COVIDSafe app data into the Privacy Act 1988. The Privacy Act is overseen by the Office of the Australian Information Commissioner (OAIC), read the full statement here: https://www.oaic.gov.au/updates/news-and-media/oaic-expands-oversight-role-as-privacy-safeguards-for-covidsafe-app-made-law/

Office of the Australian Information Commissioner public consultation

Please see the Office of the Australian Information Commissioner (OAIC) consultation page regarding draft guidelines to support a nationally consistent approach to requirements for businesses and venues to collect contact information.

https://www.oaic.gov.au/engage-with-us/consultations/requirements-to-co… 

Collection of COVID-19 Vaccination Information 

A NSW public sector agency that collects, uses, stores, or discloses employee health information related to the COVID-19 vaccine must comply with the Health Privacy Principles (HPPs) under the Health Records and Information Privacy Act 2002 (HRIP Act). The IPC has published a fact sheet on the collection of COVID-19 vaccination information with more information.