As businesses re-open across the country, many venues are collecting customers' personal information to assist COVID-19 tracing efforts, and should turn their minds to the privacy implications.

Cafés and restaurants in Victoria must now request the first name and phone number of visitors who attend their venue for more than 15 minutes, and must keep a register on-site for at least 28 days after that visit. Beauty and personal services, libraries, auction houses, and museums, among others, face similar requirements. Since Monday, when cinemas, gyms and other venues reopened, the obligation has applied more broadly. It applies to all visitors, including staff, customers, maintenance and delivery workers.

Many businesses already have legal obligations when collecting, using and disclosing personal information (like names and contact details), and these obligations extend to personal information collected to trace COVID-19. Generally, businesses with an annual turnover of over $3 million will be subject to the Privacy Act 1988 (Cth) (Act), and can be subject to penalties if they don't comply. It is also best practice (including for reputational reasons and to meet customer expectations) for smaller businesses to comply with obligations under the Act.

Firstly, venues subject to the Act must take reasonable steps to ensure personal information is not misused, interfered with, lost, modified, disclosed or accessed without authorisation. Personal information that patrons are told has been collected for the purpose of COVID-19 tracing must only be used for that purpose. For example, if it is collected for tracing purposes, it must not be used for marketing to those customers. Venues using existing booking systems should also proceed with caution, to ensure that customers aren't automatically added to marketing lists. Under the relevant Government health direction, the contact tracing information must be securely stored and only used or disclosed as requested by an officer under the Public Health and Wellbeing Act 2008 (Vic).

Similar collection obligations are also being enforced in NSW. The NSW Government has issued guidelines for cafés and restaurants, including food courts, on their obligation to collect and maintain the name and mobile number or email address of dine-in customers. However, there is little guidance on information security for these businesses, which is a concern because many small businesses fall below the $3 million annual turnover threshold for the Act to apply and may not have a robust privacy policy or procedure in place.

Businesses should also display a collection notice informing visitors of the requirement to record their contact details, the purpose of the collection, and that the records will be securely destroyed as soon as reasonably practicable after the 28-day period for which they must be kept.

This publication does not deal with every important topic or change in law and is not intended to be relied upon as a substitute for legal or other advice that may be relevant to the reader's specific circumstances. If you have found this publication of interest and would like to know more or wish to obtain legal advice relevant to your circumstances please contact one of the named individuals listed.