Guidance for digital check-in providers collecting personal information for contract tracing

As a result of the COVID-19 pandemic, state and territory health authorities have required some businesses to collect personal information from their patrons as a condition of re-opening. Developers have moved quickly to help Australian businesses comply with these requirements and fill an urgent business need.

The OAIC has prepared the following draft guidance to assist app and QR code developers to provide technological solutions that are compliant with the Privacy Act. This draft guidance complements the OAIC Guidelines for businesses collecting the personal information of individuals for contact tracing.

Draft guidance

This guidance has been developed to assist entities that are developing – or have developed – digital check-in services that collect personal information for contact tracing purposes.

In accordance with current COVID-19 restrictions, businesses have obligations to record customer contact details which may be shared with public health authorities to conduct contact tracing.  Some businesses are utilising digital check-in methods (such as a QR code or a webpage) to collect customer contact details and ensure compliance with the relevant public heath Orders and Directions[1].

This guidance is designed to assist digital check-in providers to ensure they meet their obligations under the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). It sets out key principles to consider in the design and implementation of these services.

1. You should build privacy into the design of the service

Privacy protections must be built into the design of these services at an early stage to ensure that personal information is appropriately handled and secured at all times.  A Privacy Impact Assessment (PIA) should be undertaken to assess what impact the service will have on the privacy of individuals and how these impacts will be managed, minimised or eliminated.[2] A PIA should also address compliance with obligations in relevant public health Orders and Directions, as well as with the Privacy Act and the APPs.

2. Services should only collect personal information in accordance with the Direction or Order that applies in the relevant jurisdiction

Digital check-in services are not permitted to collect more personal information than is required by the relevant public health Orders or Directions.  For example, if there is a requirement in a public health Order to only collect customer names and phone numbers, the service should not collect emails or addresses (or any additional details) from customers. This may require services to be tailored in a way that reflects the specific requirements of each jurisdiction’s Directions and Orders, where they are divergent.

3. Services should notify individuals before collecting personal information

Services must notify an individual about the matters set out in APP 5, including what personal information is being collected, where the collection is required by law, the purposes of collection, who the information will be disclosed to (such as the venue operator or relevant health authority for contact tracing purposes) and the consequences of failing to provide the information. Services should have a clear and up to date privacy policy which clearly sets out its personal information handling practices.

4. Services should securely store this information once it has been collected

Services must have robust security measures in place to protect personal information. APP 11[3] requires that reasonable steps must be taken to protect personal information from misuse, interference and loss as well as unauthorised access, modification or disclosure. Services should consider measures such as physical and technological controls to limit access to customer information including encryption of data in transit and at rest, and do a risk assessment of where to store the data[4]. Services should also have in place systems to meet their obligations under the Notifiable Data Breaches scheme, including a data breach response plan.

5. Personal information collected through the service should only be used and disclosed for contact tracing purposes

Some public health Orders and Directions specifically prohibit secondary use and disclosure of customer contact details. It is not appropriate to use this information for any other purposes such as direct marketing, particularly as customers are legally required to provide this information for contact tracing purposes in order to access venues like cafes and restaurants. The information cannot be sold to third parties. Services should have secure processes in place to facilitate the disclosure of personal information, including clear protocols for disclosure either directly to health authorities or to the business who is obligated to provide this information to health authorities for contact tracing purposes.

6. Services should destroy personal information once it is no longer reasonably necessary for contact tracing purposes

Services should destroy customer contact information once it is no longer required. This is a requirement under APP 11.2 and services should consult the public health Orders and Directions to ensure that information is deleted in accordance with the specific requirements of each jurisdiction. Once the period of time specified in the Order or Direction has passed, it is no longer reasonably necessary to retain the information.  If there is no set period for which the information must be retained, it should be destroyed after 30 days.