privacy obligations when collecting customer information for COVID-19 ‘contact-tracing’
2 mins reading time
With restrictions easing (to varying degrees) throughout Australia in recent weeks, many businesses are now required to collect personal information from customers and visitors who attend their physical premises.
This mandated collection is designed to assist health professionals carry out COVID-19 ‘contact tracing’.
While many industries are happy to adopt this new practice to enable businesses to re-establish themselves in a fundamentally different commercial landscape, it is important not to overlook the privacy considerations attached to the collection of personal information.
Businesses who have obligations under the Privacy Act 1988 (Cth) (Privacy Act) (i.e. generally organisations who have an annual turnover of more than $3 million) must continue to meet these obligations when they collect customers’ and visitors’ information. A failure to observe these obligations may expose your business to the serious risk of breaching the Privacy Act.
what types of businesses are affected?
As part of the plan to ease restrictions, some States and Territories have imposed a requirement on certain types businesses (e.g. those in the hospitality industry) to collect the contact information of customers who visit their physical premises.
If your business falls within a category specified by a Government Direction or Order, the collection of such personal information will be permitted by the Privacy Act, as it is considered necessary to the operation of your business.
how can businesses ensure compliance with the Privacy Act?
The Office of the Australian Information Commissioner (OAIC) has recently published guidelines for businesses to follow when collecting contact information from customers and visitors. It recommends that businesses should:
- Only collect the information required by the Government Direction/Order (i.e. usually contact information);
- Before collecting the personal information, notify the individuals of the type of information collected and the purpose of collection (and other matters as required by Australian Privacy Principle 5);
- Store the information securely (i.e. restrict the number of employees who have access to the information);
- Only provide the information to the relevant health authorities upon request; and
- Securely and appropriately destroy the information once it is no longer reasonably necessary for contact tracing (i.e. follow any government-imposed deadline for destruction of the information, and if no deadline is given, consider your obligation to destroy it after a ‘reasonable period of time’).
If you are unsure if your business is complying with its obligations under the Privacy Act, please contact our Privacy Team. We can provide advice about whether your current collection practises satisfy your privacy obligations, or assist by developing policies and procedures that will underpin the proper collection and handling of your customers’ personal information.
more
insights
stay up to date with our news & insights
privacy obligations when collecting customer information for COVID-19 ‘contact-tracing’
With restrictions easing (to varying degrees) throughout Australia in recent weeks, many businesses are now required to collect personal information from customers and visitors who attend their physical premises.
This mandated collection is designed to assist health professionals carry out COVID-19 ‘contact tracing’.
While many industries are happy to adopt this new practice to enable businesses to re-establish themselves in a fundamentally different commercial landscape, it is important not to overlook the privacy considerations attached to the collection of personal information.
Businesses who have obligations under the Privacy Act 1988 (Cth) (Privacy Act) (i.e. generally organisations who have an annual turnover of more than $3 million) must continue to meet these obligations when they collect customers’ and visitors’ information. A failure to observe these obligations may expose your business to the serious risk of breaching the Privacy Act.
what types of businesses are affected?
As part of the plan to ease restrictions, some States and Territories have imposed a requirement on certain types businesses (e.g. those in the hospitality industry) to collect the contact information of customers who visit their physical premises.
If your business falls within a category specified by a Government Direction or Order, the collection of such personal information will be permitted by the Privacy Act, as it is considered necessary to the operation of your business.
how can businesses ensure compliance with the Privacy Act?
The Office of the Australian Information Commissioner (OAIC) has recently published guidelines for businesses to follow when collecting contact information from customers and visitors. It recommends that businesses should:
- Only collect the information required by the Government Direction/Order (i.e. usually contact information);
- Before collecting the personal information, notify the individuals of the type of information collected and the purpose of collection (and other matters as required by Australian Privacy Principle 5);
- Store the information securely (i.e. restrict the number of employees who have access to the information);
- Only provide the information to the relevant health authorities upon request; and
- Securely and appropriately destroy the information once it is no longer reasonably necessary for contact tracing (i.e. follow any government-imposed deadline for destruction of the information, and if no deadline is given, consider your obligation to destroy it after a ‘reasonable period of time’).
If you are unsure if your business is complying with its obligations under the Privacy Act, please contact our Privacy Team. We can provide advice about whether your current collection practises satisfy your privacy obligations, or assist by developing policies and procedures that will underpin the proper collection and handling of your customers’ personal information.