Guidelines for state and territory governments – Creating nationally consistent requirements to collect personal information for contact tracing purposes

3 September 2021
Tags: COVID-19

The Office of the Australian Information Commissioner and state and territory privacy regulators have produced the following guidelines to support health authorities to implement a nationally consistent approach to requirements for businesses and venues to collect contact information.

The non-binding guidelines are intended to be used by state and territory governments when drafting and updating requirements and designing methods to require collection of contact information from individuals by a business or venue. This includes collection via digital check-in services such as apps and QR codes.

As domestic border restrictions change, harmonisation of requirements to collect personal information ensure personal information is handled consistently. This supports businesses and venues to develop solutions to meet the requirements, and individuals to confidently provide accurate personal information for contact tracing purposes. Protecting personal information is central to maintaining public trust and promoting compliance with health orders and contact tracing processes. 

Currently state and territory orders have some common requirements, but others differ. These guidelines suggest ways to harmonise these requirements.

These guidelines apply to the collection of personal information for contact tracing purposes by all entities, including businesses and venues, digital check-in providers and state and territory government agencies (including through state and territory apps and QR codes).

These guidelines are informed by advice from health experts and may change as advice from health experts change.

It is also consistent with the recommendations in the National Contact Tracing Review in regards to contact tracing with attendance apps.

Data minimisation

State and territory orders that require contact details to be collected for contact tracing purposes should be limited to the minimum information necessary for that purpose.

This means that a business or venue should only be required to collect:

  • a first name or pseudonym (where practicable)
  • a contact phone number or email address or, where this information is not available, other means of contacting the individual, and
  • the time and date of attendance at the business or venue

unless the collection of more personal information is required to meet the public health objectives.

Businesses should not collect any other information as part of the collection of personal information for contact tracing purposes.

Security

Contact information should be required to be protected from disclosure to other customers and securely stored by the business or venue, or their chosen provider (where the business or venue is using a third-party digital check-in service).

Reasonable steps should be required to be taken to protect the information from misuse, interference and loss, and from unauthorised access, modification or disclosure. This includes using reasonable physical and/or ICT controls to limit access to the information, including encryption at rest and in transit, wherever feasible. Further guidance on ‘reasonable steps’ can be found in OAIC’s APP 11 Guidelines and Guide to securing personal information.

In line with community expectations, the information should be stored in Australia.

Contact information collected by a business or venue should be required to be securely transmitted to the relevant health department for contact tracing purposes. Where a third-party digital check-in service is used, it is preferable for the contact information to be securely transmitted directly from the provider to the health department, rather than via the business or venue.

Purpose limitation

Information that is collected by a business or venue solely for contact tracing purposes should be required to:

  • only be used and disclosed to health authorities for contact tracing purposes
  • not be used or disclosed for any other purpose, such as direct marketing or for commercial distribution

unless secondary uses and disclosures are required by law (for example, in compliance with a court order).

Where a business or venue collects information for more than one lawful purpose that must be clearly explained prior to collection. Each state and territory public health order must specify the extent to which other uses or disclosures may occur, for example, for law enforcement purposes. Health orders that expressly prohibit access to contact tracing data for law enforcement purposes protect personal information and increase community trust and confidence in using QR Codes.

Retention/deletion

Information in hard copy or electronic form that is required to be collected by a business or venue for contact tracing purposes should be required to be securely destroyed after a maximum of 28 days (including backup contact tracing data). This requirement should apply to all entities, including those collecting personal information on behalf of businesses, such as digital check-in providers and state and territory based apps and QR codes. Further guidance on the reasonable steps that can be taken to destroy personal information can be found in OAIC’s APP 11 Guidelines and Guide to securing personal information.

Regulation by the Privacy Act or a state or territory privacy law

Personal information collected by a business or venue for contact tracing purposes should be protected by an enforceable privacy law to ensure that individuals have redress if their information is mishandled:

  • A business or venue operating a digital check-in service should choose a third-party provider that is covered by Commonwealth, state or territory privacy law or one that has opted in to coverage of the Privacy Act 1988.
  • Digital check-in providers which are not already covered by Commonwealth, state or territory privacy law should opt in to coverage under the Privacy Act (s6EA).

If a business or venue has developed its own digital check-in service, and it is not already covered by the Privacy Act, it should opt in to coverage (s6EA).

States which are implementing government-developed digital check-in services, and which do not have enforceable privacy laws, may choose to opt into coverage of the Privacy Act (s6F) by requesting to be prescribed by the Regulations. This would extend rights and protections to residents of other states and territories where their information is being shared with a state which does not have standalone privacy laws in place.

If a business or venue opts in to coverage of the Privacy Act, that business or venue may revoke such a choice under subsection 33(3) of the Acts Interpretation Act 1901. Similarly, if a State authority has been prescribed under section 6F, that State authority may be un-prescribed under subsection 33(3) of the Acts Interpretation Act. Information on how to opt in to the coverage of the Privacy Act can be found on the OAIC website