Due to the COVID-19 pandemic, Australian states and territories are introducing legislation that requires businesses to collect personal information about their customers. Each state and territory has its own legislation regarding what information businesses must collect. This article sets out guidelines about collecting information from customers in each state and territory. The information below is correct at the time of writing. However, it is essential to keep up to date with your state's or territory's current guidelines.
Australian Capital Territory
All non-essential businesses must collect the:
- first name and contact number of any customer or visitor; and
- date and time of visit.
You can also do this using the CBR app, which is a secure way for customers to sign into Canberra venues.
New South Wales
Certain businesses, such as restaurants, pubs, and beauty studios, must collect personal information from anyone entering the premises. In this case, personal information means the person's:
- email address or phone number; and
- time of entry.
You must store the information you collect for 28 days.
There are no guidelines in the Northern Territory at the time of writing.
Restricted businesses must collect and keep the contact information of guests and staff for 56 days. This information must include the person's:
- phone number;
- email address; and
- date and time of the visit.
Restricted businesses include restaurants, cinemas and hairdressers, among many others.
Certain businesses and events must make and retain records of their customers. For example, this includes fitness classes, weddings and property auctions. Details must include the person's:
- date and time of visit;
- name; and
- phone number or email address.
There are no guidelines in Tasmania at the time of writing.
Restricted businesses must collect and keep the contact information of guests and staff who visit the business for more than 15 minutes. This information must include the person's:
- phone number; and
- date and time of visit.
You must store this information for 28 days.
If your business chooses to collect information, it must be reasonable to help reduce the spread of COVID-19. For example, you may choose to collect the person's name and contact information.
Why Do I Need to Collect Customer Information?
When a person is diagnosed with COVID-19, the state public health unit will commence contact tracing. By collecting customers' personal information, along with the time and date of the visit, you can inform your customers if they have potentially been in close contact with an infected person. Being informed early means a person can self-isolate and get tested earlier. Accordingly, this will help to reduce the spread of COVID-19.
Compliance With the Privacy Act
When collecting information from customers, you must ensure you do not breach the Australian Privacy Act. To meet your privacy obligations, your business must:
- only collect information necessary for contact tracing, such as name, contact details and time and date of visit;
- inform the customer that you will be collecting information and the reason why;
- securely store the information (the information should only be seen by staff in the business who need to see it and should not be visible to the public);
- only share the information with the necessary health bodies when they require it for contact tracing purposes; and
- dispose of information once you no longer need it (if your state or territory requires you to keep the information for a specified time, you should dispose of it after this time has passed; if no timeframe has been given, you should destroy it after a reasonable time).
What Happens if I Do Not Collect Personal Data?
Breaching COVID-19 legislation, including record-keeping obligations, may result in significant fines for your business. Fines and punishments for a breach will vary depending on which state or territory you are located in.
What Happens if a Customer Refuses to Provide Information?
If legislation in your state or territory states that you must collect information, you must refuse entry to any visitor who refuses to provide this information. If a customer is found on your premises without having provided their details, your business will be responsible for paying the fine.