
How to Comply With Privacy Obligations When Collecting Contact Tracing Information

COVID-19 has created a range of new privacy challenges for businesses. One challenge is the obligation for venues to collect COVID-19 contact tracing information. Despite the unusual circumstances businesses find themselves in, the Australian Privacy Commissioner is committed to ensuring the privacy of personal information is a top priority. Therefore, if your business has obligations under the Australian Privacy Act 1988 (Cth), collecting contact tracing information comes with a suite of privacy requirements. This article will outline the steps you must take to ensure you are informed and complying with these privacy obligations.

Do I Have to Collect Contact Tracing Information?

The collection of contact tracing information is controlled by the states and territories in Australia. You need to check the COVID-19 website for your state or territory to confirm whether it has issued a direction order requiring you to collect contact tracing information.

A direction may be included within an order on:

  • businesses;
  • gatherings;
  • premises; or 
  • movement of people.

It may also only apply to certain businesses. 

For example, at the time of writing, New South Wales has an order for contact tracing, which applies to businesses like pubs, cafes and restaurants, but does not apply to grocery shops.

If there is no order to collect contact details for your state or territory, then this will not form a function or activity of your business. You should, therefore, not collect such details.

However, you may continue to collect personal information to carry out your usual functions and activities.

For example, if you need to collect a name and phone number for a dinner booking, then that is permitted.

What Information Should I Collect for Contact Tracing?

If your state or territory has issued an order for contact tracing, then that order will list the personal information you must capture. This is typically:

  • the person’s name;
  • the person’s telephone number and/or email address; and 
  • when that person was at the venue.

If you are using a third-party digital check-in provider, you will need to check that the provider’s form is not collecting additional details.

What Do I Need to Tell My Customers About Contact Tracing?

Before or at the time that you collect the contact tracing information, the Privacy Act requires that you make the person aware of:

  • who you are;
  • that you are collecting their personal information as required by law (and outline which law);
  • the purposes for which you are collecting their information (i.e. for contact tracing);
  • who you will disclose it to, including whether you are likely to disclose it overseas;
  • the consequences if you do not collect their information (i.e. that they will not be able to enter your venue); and
  • a statement that they can find more information about how to access or correct their personal information and your complaints process in your privacy policy.

You can tell the person about the above points by having a written notice on:

  • your website;
  • your mobile app; or 
  • the form where you collect their details.

Alternatively, or in addition to a written notice, you can tell them this information over the phone or in person. If it is not practical to tell them before or at the time of collecting their details, for example, if it is too much to say on the phone, then you may flag that you are collecting their personal information for contact tracing and will send the full notice to them via email.

How Can I Use the Information I Collect?

You can only use contact tracing information as permitted by the relevant order. Essentially, this means you should keep that information separate from your usual databases and do nothing other than hold it until the retention period expires. Once you are no longer required to keep the contact information, you should securely destroy it. If the order does not specify how long you must store it for, then you should assess when a reasonable period of time has passed and destroy it after that period.

You can only disclose the information to the relevant contact tracing health authorities, and you should not give it to them unless they request it. It is prudent to confirm that it is a health authority contacting you before disclosing the contact details. This is because COVID-19 has encouraged opportunistic scammers to prey on unsuspecting businesses.

While it is tempting to use the collected information for marketing purposes, the person providing their information is legally obligated to provide it and is under the impression it is being collected for COVID-19 contact tracing. That person is unlikely to reasonably expect that you would use their details for marketing. It is also not fair to use this information for marketing, and some states and territories specifically prohibit it.

How Should I Store Contact Tracing Information?

Secure storage of contact tracing information is crucial. This is because there is an obligation under the Privacy Act to take reasonable steps to protect personal information from:

  • misuse;
  • interference;
  • loss;
  • unauthorised access;
  • modification; or 
  • disclosure.

This means that you need to carefully choose where you store the data.

For example, if you use a third party, you should consider whether they are trustworthy. You can do this by:

  • checking their privacy and security policies;
  • looking at their data breach history; and 
  • reviewing the contract you enter into with them.

Ideally, the contract should require that the third party:

  • protects the personal information;
  • complies with relevant privacy laws;
  • only uses the information to provide the specified services;
  • promptly notifies you of any security incidents; and 
  • agrees to cover you for loss or damage as a result of the breach of their obligations. 

Other measures you should take include:

  • storing the contact tracing information separately to your other data such as booking data or marketing lists;
  • avoiding the use of notebooks or hard copy lists where customers can see, copy down or photograph other customer details;
  • applying technological controls to secure the information such as encryption of the information;
  • limiting staff access to contact tracing data on a ‘need to know’ basis; and
  • implementing your own internal documentation for protecting the privacy and security of the information, including a data breach response plan for responding to suspected data breaches.

Key Takeaways

If your business has obligations under the Privacy Act, these obligations will also apply to contact tracing information. It is important that you understand your responsibilities when collecting, using and disclosing personal information and how these responsibilities impact the handling of contact tracing details. The key obligations include a requirement to notify the person of the circumstances of the collection, to limit the use of the information to contact tracing (as described in the relevant order) and to keep the information secure. If you need any assistance with understanding your privacy obligations and ensuring you are compliant, contact LegalVision’s privacy lawyers on 1300 544 755 or fill out the form on this page.

Jacqueline Gibson
