As businesses re-open across the country, many venues are collecting customers’ personal information to assist COVID-19 tracing efforts, and should turn their minds to the privacy implications.
Cafés and restaurants in Victoria now must request to collect the first name and phone number of visitors who attend their venue for over 15 minutes and store a register on-site for at least 28 days after that visit. Beauty and personal services, libraries, auction houses, and museums, among others, face similar requirements. Since Monday, when cinemas, gyms and other venues have reopened, the obligation has applied more broadly. The obligation applies to all visitors, including staff, customers, maintenance and delivery workers.
Many businesses already have legal obligations when collecting, using and disclosing personal information (like names and contact details), and these obligations extend to personal information collected to trace COVID-19. Generally, businesses with an annual turnover of over $3 million will be subject to the Privacy Act 1988 (Cth) (Act), and can be subject to penalties if they don’t comply. It is also best practice (including for reputational reasons and to meet customer expectations) for smaller businesses to comply with obligations under the Act.
Firstly, venues subject to the Act must take reasonable steps to ensure personal information is not misused, interfered with, lost, modified, disclosed or accessed without authorisation. Personal information that patrons are told has been collected for the purpose of COVID-19 tracing must only be used for that purpose. For example, if it is collected for tracing purposes, it must not be used for marketing to those customers. Venues using existing booking systems should also proceed with caution, to ensure that customers aren’t automatically added to marketing lists. Under the relevant Government health direction, the contact tracing information must be securely stored and only used or disclosed as requested by an officer under the Public Health and Wellbeing Act 2008 (Vic).
Businesses should also display a collection notice informing visitors of the requirement to record their contact details, the purpose of the collection, and that records will be securely destroyed as soon as reasonably practical after the 28 days that it is required to be stored.
Author: Louise Almeida
The information in this publication is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, we do not guarantee that the information in this newsletter is accurate at the date it is received or that it will continue to be accurate in the future.