COVID-19 has created a range of new privacy challenges for businesses. One challenge is the obligation for venues to collect COVID-19 contact tracing information. Despite the unusual circumstances businesses find themselves in, the Australian Privacy Commissioner is committed to ensuring the privacy of personal information is a top priority. Therefore, if your business has obligations under the Australian Privacy Act 1988 (Cth), collecting contact tracing information comes with a suite of privacy requirements. This article will outline the steps you must take to ensure you are informed and complying with these privacy obligations.
Do I Have to Collect Contact Tracing Information?
The collection of contact tracing information is controlled by the states and territories in Australia. You need to check the COVID-19 website for your state or territory to confirm whether it has issued a direction order requiring you to collect contact tracing information.
A direction may be included within an order on:
- businesses;
- gatherings;
- premises; or
- movement of people.
It may also only apply to certain businesses.
For example, at the time of writing, New South Wales has an order for contact tracing, which applies to businesses like pubs, cafes and restaurants, but does not apply to grocery shops.
If there is no order to collect contact details for your state or territory, then this will not form a function or activity of your business. You should, therefore, not collect such details.
However, you may continue to collect personal information to carry out your usual functions and activities.
For example, if you need to collect a name and phone number for a dinner booking, then that is permitted.
What Information Should I Collect for Contact Tracing?
If your state or territory has issued an order for contact tracing then in that order you will find a list of the personal information you must capture. This is typically:
- the person's name;
- the person's telephone number and/or email address; and
- when that person was at the venue.
If you are using a third-party digital check-in provider, you will need to check that the provider's form is not collecting additional details.
What Do I Need to Tell My Customers About Contact Tracing?
Before or at the time that you collect the contact tracing information, the Privacy Act requires that you make the person aware of:
- who you are;
- that you are collecting their personal information as required by law (and outline which law);
- the purposes for which you are collecting their information (i.e. for contact tracing);
- who you will disclose it to, including whether you are likely to disclose it overseas;
- the consequences if you do not collect their information (i.e. that they will not be able to enter your venue); and
- a statement that they can find more information about how to access or correct their personal information and your complaints process in your privacy policy.
You can tell the person about the above points by having a written notice on:
- your website;
- your mobile app; or
- the form where you collect their details.
Alternatively, or in addition to a written notice, you can tell them this information over the phone or in person. If it is not practical to tell them before or at the time of collecting their details, for example, if it is too much to say on the phone, then you may flag that you are collecting their personal information for contact tracing and will send the full notice to them via email.
How Can I Use the Information I Collect?
You can only use contact tracing information as permitted by the relevant order. Essentially, this means you should keep that information separate from your usual databases and do nothing other than holding it until the retention period expires. Once you are no longer required to keep the contact information, you should securely destroy it. If the order does not specify how long you must store it for, then you should assess when a reasonable period of time has passed and destroy it after that period.
You can only disclose the information to the relevant contact tracing health authorities, and you should not give it to them unless they request it. It is prudent to confirm that it is a health authority contacting you before disclosing the contact details. This is because COVID-19 has encouraged opportunistic scammers to prey on unsuspecting businesses.
While it is tempting to use the collected information for marketing purposes, the person providing their information is legally obligated to provide it and is under the impression it is being collected for COVID-19 contact tracing. It is unlikely to be reasonably expected by that person that you would use their details for marketing. It is also not fair to use this information for marketing and in some states and territories specifically prohibit it.
How Should I Store Contact Tracing Information?
Secure storage of contact tracing information is crucial. This is because there is an obligation under the Privacy Act to take reasonable steps to protect personal information from:
- misuse;
- interference;
- loss;
- unauthorised access;
- modification; or
- disclosure.
This means that you need to carefully choose where you store the data.
For example, if you use a third party, you should consider whether they are trustworthy. You can do this by:
- checking their privacy and security policies;
- looking at their data breach history; and
- reviewing the contract you enter into with them.
Ideally, the contract should require that the third party:
- protects the personal information;
- complies with relevant privacy laws;
- only uses the information to provide the specified services;
- promptly notifies you of any security incidents; and
- agrees to cover you for loss or damage as a result of the breach of their obligations.
Other measures you should take include:
- storing the contact tracing information separately to your other data such as booking data or marketing lists;
- avoiding the use of notebooks or hard copy lists where customers can see, copy down or photograph other customer details;
- applying technological controls to secure the information such as encryption of the information;
- limiting staff access to contact tracing data on a 'need to know' basis; and
- implementing your own internal documentation for protecting the privacy and security of the information, including a data breach response plan for responding to suspected data breaches.
Key Takeaways
If your business has obligations under the Privacy Act, these obligations will also apply to contact tracing information. It is important that you understand your responsibilities when collecting, using and disclosing personal information and how these responsibilities impact the handling of contact tracing details. The key obligations include a requirement to notify the person of the circumstances of the collection, to limit the use of the information to contact tracing (as described in the relevant order) and to keep the information secure.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.