COVID-19 has created a range of new privacy challenges for businesses. One challenge is the obligation for venues to collect COVID-19 contact tracing information. Despite the unusual circumstances businesses find themselves in, the Australian Privacy Commissioner is committed to ensuring the privacy of personal information is a top priority. Therefore, if your business has obligations under the Australian Privacy Act 1988 (Cth), collecting contact tracing information comes with a suite of privacy requirements. This article will outline the steps you must take to ensure you are informed and complying with these privacy obligations.

Do I Have to Collect Contact Tracing Information?

The collection of contact tracing information is controlled by the states and territories in Australia. You need to check the COVID-19 website for your state or territory to confirm whether it has issued a direction order requiring you to collect contact tracing information.

A direction may be included within an order on:

  • businesses;
  • gatherings;
  • premises; or 
  • movement of people.

It may also only apply to certain businesses. 

For example, at the time of writing, New South Wales has an order for contact tracing, which applies to businesses like pubs, cafes and restaurants, but does not apply to grocery shops.

If there is no order to collect contact details for your state or territory, then this will not form a function or activity of your business. You should, therefore, not collect such details.

However, you may continue to collect personal information to carry out your usual functions and activities.

For example, if you need to collect a name and phone number for a dinner booking, then that is permitted.

What Information Should I Collect for Contact Tracing?

If your state or territory has issued an order for contact tracing, that order will list the personal information you must capture. This is typically:

  • the person’s name;
  • the person’s telephone number and/or email address; and 
  • when that person was at the venue.

If you are using a third-party digital check-in provider, you will need to check that the provider’s form is not collecting additional details.

What Do I Need to Tell My Customers About Contact Tracing?

Before or at the time that you collect the contact tracing information, the Privacy Act requires that you make the person aware of:

  • who you are;
  • that you are collecting their personal information as required by law (and outline which law);
  • the purposes for which you are collecting their information (i.e. for contact tracing);
  • who you will disclose it to, including whether you are likely to disclose it overseas;
  • the consequences if you do not collect their information (i.e. that they will not be able to enter your venue); and
  • a statement that they can find more information about how to access or correct their personal information and your complaints process in your privacy policy.

You can tell the person about the above points by having a written notice on:

  • your website;
  • your mobile app; or 
  • the form where you collect their details.

Alternatively, or in addition to a written notice, you can tell them this information over the phone or in person. If it is not practical to tell them before or at the time of collecting their details, for example, if it is too much to say on the phone, then you may flag that you are collecting their personal information for contact tracing and will send the full notice to them via email.

How Can I Use the Information I Collect?

You can only use contact tracing information as permitted by the relevant order. Essentially, this means you should keep that information separate from your usual databases and do nothing with it other than hold it until the retention period expires. Once you are no longer required to keep the contact information, you should securely destroy it. If the order does not specify how long you must store it for, then you should assess when a reasonable period of time has passed and destroy it after that period.

You can only disclose the information to the relevant contact tracing health authorities, and you should not give it to them unless they request it. It is prudent to confirm that it is a health authority contacting you before disclosing the contact details. This is because COVID-19 has encouraged opportunistic scammers to prey on unsuspecting businesses.

While it is tempting to use the collected information for marketing purposes, the person providing their information is legally obligated to provide it and is under the impression it is being collected for COVID-19 contact tracing. It is unlikely that the person would reasonably expect you to use their details for marketing. It is also not fair to use this information for marketing, and some states and territories specifically prohibit it.

How Should I Store Contact Tracing Information?

Secure storage of contact tracing information is crucial. This is because there is an obligation under the Privacy Act to take reasonable steps to protect personal information from:

  • misuse;
  • interference;
  • loss;
  • unauthorised access;
  • modification; or 
  • disclosure.

This means that you need to carefully choose where you store the data.

For example, if you use a third party, you should consider whether they are trustworthy. You can do this by:

  • checking their privacy and security policies;
  • looking at their data breach history; and 
  • reviewing the contract you enter into with them.

Ideally, the contract should require that the third party:

  • protects the personal information;
  • complies with relevant privacy laws;
  • only uses the information to provide the specified services;
  • promptly notifies you of any security incidents; and 
  • agrees to cover you for loss or damage resulting from a breach of their obligations.

Other measures you should take include:

  • storing the contact tracing information separately to your other data such as booking data or marketing lists;
  • avoiding the use of notebooks or hard copy lists where customers can see, copy down or photograph other customer details;
  • applying technological controls to secure the information such as encryption of the information;
  • limiting staff access to contact tracing data on a ‘need to know’ basis; and
  • implementing your own internal documentation for protecting the privacy and security of the information, including a data breach response plan for responding to suspected data breaches.
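As an added example (not the article's or LegalVision's code) of the handling controls described in this section and in the collection and use sections above: a small Python register that accepts only the fields an order typically requires, keeps the records apart from other data, destroys them once an assumed 28-day retention period has passed, and releases them only to a verified health-authority request for the visit window asked about. The field names, the retention period and the sample check-ins are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Assumed: the only fields the direction order requires (check your own order).
REQUIRED_FIELDS = {"name", "contact", "visited_at"}
RETENTION_DAYS = 28  # assumption; use the period stated in your order


@dataclass
class ContactTracingRegister:
    # Kept apart from booking and marketing data; nothing else reads this list.
    records: list = field(default_factory=list)

    def check_in(self, form: dict) -> dict:
        """Accept exactly the required fields; an over-collecting third-party form is rejected."""
        extra, missing = set(form) - REQUIRED_FIELDS, REQUIRED_FIELDS - set(form)
        if extra or missing:
            raise ValueError(f"form mismatch: extra={sorted(extra)} missing={sorted(missing)}")
        self.records.append(dict(form))
        return self.records[-1]

    def purge_expired(self, now: datetime) -> int:
        """Destroy records whose visit is older than the retention period."""
        cutoff = now - timedelta(days=RETENTION_DAYS)
        kept = [r for r in self.records if r["visited_at"] >= cutoff]
        removed = len(self.records) - len(kept)
        self.records = kept
        return removed

    def disclose(self, requester_verified: bool, start: datetime, end: datetime) -> list:
        """Release records only to a verified health-authority request, for the window asked about."""
        if not requester_verified:
            raise PermissionError("requester not verified as a health authority")
        return [dict(r) for r in self.records if start <= r["visited_at"] <= end]


def run_demo() -> tuple:
    """Constructed sample: one stale visit, one recent visit, one over-collecting form."""
    now = datetime(2020, 9, 1, tzinfo=timezone.utc)
    reg = ContactTracingRegister()
    reg.check_in({"name": "A. Example", "contact": "0400 000 000", "visited_at": now - timedelta(days=40)})
    reg.check_in({"name": "B. Example", "contact": "b@example.com", "visited_at": now - timedelta(days=3)})
    try:  # a form that also asks for a date of birth collects more than the order requires
        reg.check_in({"name": "C", "contact": "c@example.com", "visited_at": now, "date_of_birth": "1990"})
        rejected = False
    except ValueError:
        rejected = True
    purged = reg.purge_expired(now)
    released = reg.disclose(True, now - timedelta(days=7), now)
    return rejected, purged, len(reg.records), len(released)
```

Calling `run_demo()` shows the over-collecting form refused, the 40-day-old record destroyed, one record retained, and that one record released for the seven-day window requested.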

Key Takeaways

If your business has obligations under the Privacy Act, these obligations will also apply to contact tracing information. It is important that you understand your responsibilities when collecting, using and disclosing personal information and how these responsibilities impact the handling of contact tracing details. The key obligations include a requirement to notify the person of the circumstances of the collection, to limit the use of the information to contact tracing (as described in the relevant order) and to keep the information secure. If you need any assistance with understanding your privacy obligations and ensuring you are compliant, contact LegalVision’s privacy lawyers on 1300 544 755 or fill out the form on this page.

Jacqueline Gibson