Publication date: 29 May 2020

This guidance is for businesses that have obligations under the Privacy Act 1988.

As COVID-19 restrictions are eased around Australia, some States and Territories are managing the ongoing risks of the virus by requiring businesses to collect personal information about customers and visitors to their premises. The purpose of the collection is to assist with COVID-19 contact tracing.

Some States and Territories have issued a Direction or Order, setting out that contact information of customers and visitors must be sought as a condition of particular businesses reopening.

If a Direction or Order applies to your business, the collection of this personal information will be necessary for your organisation’s functions or activities. This means the collection of contact information is permitted under the Privacy Act.

If there isn’t a Direction or Order that applies to your business, you are not required to ask for customer and visitor names and contact details for contact tracing purposes. However, you can still collect contact information if you would normally do so for your functions and activities, like booking appointments.

Links to State and Territory Directions and Orders are found below:

Existing privacy obligations continue to apply in relation to how your business handles the contact information.

The following guidance is designed to assist businesses that are required to collect contact information by Orders or Directions:

1 You should only collect the personal information required under the Direction or Order.
You are not permitted to collect any additional personal information for contact tracing purposes.

2 You should notify individuals before you collect the personal information.
You must clearly inform an individual of the matters set out in APP 5, including what information you are collecting, that the collection is required by law, the purposes of collection, who the information will be disclosed to and the consequences of failing to provide the information. You can do this by displaying a prominent notice on your premises and website, and reiterating the information when you talk to your customer or client.

3 You should securely store this information once you have collected it.
Do not place the names and phone numbers or other details in a book or on a notepad or computer screen where customers may see it. You should restrict access to the information to only those staff in your business who need to see it and ensure that the information is secured and protected at all times. It may be best to record the personal information you collect for contact tracing purposes in a separate record (rather than recording all details in your booking system, for example). This will ensure that you can keep the information secure and destroy it once it is no longer needed. You should also be mindful of your NDB scheme obligations.

4 You should only provide this information to relevant health authorities who undertake contact tracing activities, when requested to do so.
Contact tracing is undertaken exclusively by State and Territory health authorities, and you should only disclose the information to health authorities when they request it for contact tracing purposes.

5 You should destroy this information once it is no longer reasonably necessary for the purpose of contact tracing.
You should destroy the information once you are no longer required to keep it. If there is no set period for which you must retain the information under the Order or Direction, you should destroy it after a reasonable period of time.