book a virtual meeting Search Search
brisbane

one eagle – waterfront brisbane
level 30, 1 eagle street
brisbane qld 4000
+61 7 3235 0400

dandenong

40-42 scott st,
dandenong vic 3175
+61 3 9794 2600

melbourne

level 7, 600 bourke st,
melbourne vic 3000
+61 3 8615 9900

sydney

grosvenor place
level 11, 225 george st,
sydney nsw 2000
+61 2 8298 9533

hello. we’re glad you’re
getting in touch.

Fill in form below, or simply call us on 1800 888 966

privacy obligations when collecting customer information for COVID-19 ‘contact-tracing’

26 June 2020
jason kaye greta walters
Read Time 2 mins reading time

With restrictions easing (to varying degrees) throughout Australia in recent weeks, many businesses are now required to collect personal information from customers and visitors who attend their physical premises.

This mandated collection is designed to assist health professionals carry out COVID-19 ‘contact tracing’.

While many industries are happy to adopt this new practice to enable businesses to re-establish themselves in a fundamentally different commercial landscape, it is important not to overlook the privacy considerations attached to the collection of personal information.

Businesses who have obligations under the Privacy Act 1988 (Cth) (Privacy Act) (i.e. generally organisations who have an annual turnover of more than $3 million) must continue to meet these obligations when they collect customers’ and visitors’ information. A failure to observe these obligations may expose your business to the serious risk of breaching the Privacy Act.

what types of businesses are affected?

As part of the plan to ease restrictions, some States and Territories have imposed a requirement on certain types businesses (e.g. those in the hospitality industry) to collect the contact information of customers who visit their physical premises.

If your business falls within a category specified by a Government Direction or Order, the collection of such personal information will be permitted by the Privacy Act, as it is considered necessary to the operation of your business.

how can businesses ensure compliance with the Privacy Act?

The Office of the Australian Information Commissioner (OAIC) has recently published guidelines for businesses to follow when collecting contact information from customers and visitors. It recommends that businesses should:

  • Only collect the information required by the Government Direction/Order (i.e. usually contact information);
  • Before collecting the personal information, notify the individuals of the type of information collected and the purpose of collection (and other matters as required by Australian Privacy Principle 5);
  • Store the information securely (i.e. restrict the number of employees who have access to the information);
  • Only provide the information to the relevant health authorities upon request; and
  • Securely and appropriately destroy the information once it is no longer reasonably necessary for contact tracing (i.e. follow any government-imposed deadline for destruction of the information, and if no deadline is given, consider your obligation to destroy it after a ‘reasonable period of time’).

If you are unsure if your business is complying with its obligations under the Privacy Act, please contact our Privacy Team. We can provide advice about whether your current collection practises satisfy your privacy obligations, or assist by developing policies and procedures that will underpin the proper collection and handling of your customers’ personal information.

The information contained in this article is general in nature and cannot be relied on as legal advice nor does it create an engagement. Please contact one of our lawyers listed above for advice about your specific situation.

stay up to date with our news & insights

privacy obligations when collecting customer information for COVID-19 ‘contact-tracing’

26 June 2020
jason kaye greta walters

With restrictions easing (to varying degrees) throughout Australia in recent weeks, many businesses are now required to collect personal information from customers and visitors who attend their physical premises.

This mandated collection is designed to assist health professionals carry out COVID-19 ‘contact tracing’.

While many industries are happy to adopt this new practice to enable businesses to re-establish themselves in a fundamentally different commercial landscape, it is important not to overlook the privacy considerations attached to the collection of personal information.

Businesses who have obligations under the Privacy Act 1988 (Cth) (Privacy Act) (i.e. generally organisations who have an annual turnover of more than $3 million) must continue to meet these obligations when they collect customers’ and visitors’ information. A failure to observe these obligations may expose your business to the serious risk of breaching the Privacy Act.

what types of businesses are affected?

As part of the plan to ease restrictions, some States and Territories have imposed a requirement on certain types businesses (e.g. those in the hospitality industry) to collect the contact information of customers who visit their physical premises.

If your business falls within a category specified by a Government Direction or Order, the collection of such personal information will be permitted by the Privacy Act, as it is considered necessary to the operation of your business.

how can businesses ensure compliance with the Privacy Act?

The Office of the Australian Information Commissioner (OAIC) has recently published guidelines for businesses to follow when collecting contact information from customers and visitors. It recommends that businesses should:

  • Only collect the information required by the Government Direction/Order (i.e. usually contact information);
  • Before collecting the personal information, notify the individuals of the type of information collected and the purpose of collection (and other matters as required by Australian Privacy Principle 5);
  • Store the information securely (i.e. restrict the number of employees who have access to the information);
  • Only provide the information to the relevant health authorities upon request; and
  • Securely and appropriately destroy the information once it is no longer reasonably necessary for contact tracing (i.e. follow any government-imposed deadline for destruction of the information, and if no deadline is given, consider your obligation to destroy it after a ‘reasonable period of time’).

If you are unsure if your business is complying with its obligations under the Privacy Act, please contact our Privacy Team. We can provide advice about whether your current collection practises satisfy your privacy obligations, or assist by developing policies and procedures that will underpin the proper collection and handling of your customers’ personal information.