Privacy: Collecting and storing customer information during COVID-19

Privacy: Collecting and storing personal information during COVID-19

Queensland Health requires businesses to keep a register of contact details for all attendees on their premises to assist with contact tracing in the event of an outbreak.

In addition to businesses, as of 16 June 2020 Queensland Health has requested that the organiser of a funeral, i.e. the next of kin of the person who is deceased, maintain a list of all funeral attendees (including funeral staff).

Under the Australian Privacy Principles (APP 3):

‘An APP entity may collect sensitive information if the entity reasonably believes the collection is necessary to lessen or prevent a serious threat to the life, health or safety of any individual, or to public health or safety.’

Refer to the Office of the Australian Information Commissioner.

The Queensland Chief Health Officer also has powers under the Public Health Act 2005 to make any directions necessary to assist in containing, or responding to, the spread of COVID-19 within the community.

Consequently, businesses are required to collect and store information in a way which complies with the Australian Privacy Principles that govern standards, rights and obligations of an individual including the collection, use and disclosure of personal information and an organisation or agency’s governance and accountability. A breach of these principles can lead to regulatory action and penalties.

In many cases businesses will already be collecting this information and will be adequately equipped to adhere to privacy requirements.


Collecting information

Under the Queensland Government’s approach to easing restrictions for COVID-19, with particular reference to the Restrictions on Businesses, Activities and Undertakings Direction (No. 3) (or its successor) item 9, businesses are required to collect and keep contact information for all guests/patrons and staff (this includes contractors) for contact tracing purposes for a period of 56 days (unless otherwise specified). This is not required for takeaway or home delivery. If requested, this information must be provided to public health officers. The information should be securely stored and not used for any other purpose.

Next of kin must also collect and keep contact information of all funeral attendees for contact tracing purposes for a period of 56 days.

The COVIDSafe app is not an alternative to collecting and retaining contact information.

The information must include:

  • full name
  • email address (residential address if unavailable)
  • phone number
  • date of entry
  • time period (time in and time out)

To capture time period, businesses must keep a person’s ‘in-time’ and either record the person’s ‘out-time’, have policies that restrict time periods (e.g. two-hour table limit), or inform the person they are more likely to be contacted by authorities in the event of contact tracing if an ‘out-time’ is not provided.

Depending on the nature of your dealings with patrons, it is understood you may collect and hold other types of personal information ordinarily collected by your business, such as loyalty cards, booking information, etc., that will only be used to provide patrons with those services. The information collected for the purpose of contact tracing cannot be used for those other purposes. Businesses must maintain privacy compliance in this regard.

Organisations following a COVID Safe Industry Plan may be required to collect additional information – examples of these are listed below (but not limited to):

Industry | Additional requirements
Aquatic Sport Sector / Field Team Sports / Indoor Sports Group | Club and team/group
Cinemas | Record if a person is a minor; if so, carer’s name and contact details must be included.
Dance and Physical Performing Arts | Activity / purpose of visit; record if a person is a minor; if so, carer’s name and contact details must be included.
Fitness Facilities | CCTV footage will be available to support contact tracing
Outdoor Team Sports | Club and team/group; role; COVID-19 symptoms check
Queensland Hotels and Clubs | Courtesy transport to record tracing details
Tourism and Accommodation | Details must be kept for a two (2) month period.

Why is this important?

When a person is diagnosed with COVID-19, the local public health unit commences contact tracing. Public health officers will assess the movements of the person with COVID-19 while they were infectious and determine who in the community are considered ‘close contacts’. Close contacts will be directed to quarantine and may also be tested for COVID-19. Information kept about guests and staff will assist in identifying and contacting the relevant close contacts.

Collection methods

The time and cost involved in collecting information from each patron is acknowledged and appreciated. In some instances, it is understood this current impost may significantly slow down business flow or cause potential customers to walk away.

Human error is regularly claimed as the cause of privacy incidents. Haste, carelessness or inappropriate collection methods may result in threats to personal information.

Businesses need to be careful as to how they are collecting information to ensure they do not expose their valuable patrons to possible information theft. For example, leaving an A4 notebook out the front of a restaurant with all seated guests’ details on display for the next person to see, copy or photograph, or handing over an electronic device for patrons to enter their information, is highly discouraged.

An example of a collection proforma is available for patrons to complete. It is not mandatory to use the proforma, but please consider using a disclaimer and ensure the means by which you collect the contact details of individual patrons protects their privacy.

View/download a sample collection proforma for patrons to complete.

Physical and electronic security is an important part of ensuring that personal information is not inappropriately accessed. You need to consider what steps, if any, are necessary to guarantee copies of personal information are secure and the workspace can facilitate good privacy practices.

Electronic collection

Businesses collecting personal data via electronic means (via an app or electronic point of sale) must ensure systems are privacy compliant.

Further, businesses must ensure that devices are not handed to patrons to enter their personal details (hygiene risk), that only authorised staff are provided with passwords (which are changed regularly), and that the application protects patron data against unauthorised access, e.g. hacking.

Collection obligations

The person collecting the information on behalf of the business should inform their patrons as to why they are collecting their personal information and what will happen to it.

Staff should only ask for as much personal information as outlined above (see Collecting information).

Businesses must:

  • use personal information only for the purpose it is being collected for. That is, personal information must not be used for marketing or research purposes, or sold to third party organisations
  • store personal information in a secure and safe place
  • destroy personal information after the 56-day period (or otherwise specified)
  • not give personal information to anyone except Queensland Health (and only if requested)
  • not transfer patrons’ personal information outside of Australia.

The Office of the Information Commissioner provides further guidance for businesses collecting personal information for contact tracing.

Penalties for non-compliance

There is no single method for collecting and storing contact tracing information; this is a decision for the individual business. However, information must be provided immediately (i.e. within 1 hour) when required by a public health officer.

Public health officers will contact the business owner or operator if a person diagnosed with COVID-19 states they attended the business at a time when they were considered infectious.  This may be in person or via telephone.  Public health officers will require the information on each patron or staff for a specific date and time period.  Public health officers will not provide details of the person diagnosed with COVID-19.

If businesses do not comply, they may receive an on-the-spot fine of $1334 for individuals and $6672.50 for corporations under the Public Health Act 2005.

Disclaimers

The use of a disclaimer on your collection template may assist in reducing your or your staff’s exposure to challenges in collecting people’s personal information.

An example of a disclaimer you may choose to use:

Disclaimer:

Your contact information is being collected for the purpose of contact tracing in the event of positive COVID-19 diagnosis involving this business. Information is being collected under the Queensland Chief Health Officer’s Restrictions on Businesses, Activities and Undertakings Direction (No. 3) (or its successor). Should your duration in premises not be indicated on this form you may be contacted by Health compliance officers.

Your personal information will be stored securely and destroyed after 56 days, unless otherwise required by public health officials in the event of a Coronavirus (COVID-19) outbreak. It will NOT be used for marketing or research purposes, given or sold to third parties.

Depending on the nature of your dealings with us, we may collect and hold other types of personal information ordinarily collected by us, such as loyalty cards, booking information, etc., which will only be used to provide you with those services.

View/download a sample collection proforma for patrons to complete.

Condition of entry

Our main priority is to keep people safe; in business, this includes your staff.

To protect your staff from patrons becoming heated when asked to provide their contact details or refusing to because they have the COVIDSafe app for instance, you may like to consider displaying conditions of entry to protect your business. As conditions of entry operate like a contract, the document should be able to apply to anyone who enters your premises.

View/download a sample Conditions of Entry.

Conditions of entry signs should be displayed in an area obvious to anyone who enters the premises. For example, a restaurant owner can put the sign near the door; a café owner with outdoor seating can place the sign on the table. Those positions allow people to read and consider them.

Conditions of entry are only binding if you can prove people had the chance to read and accept the terms before entry.

These conditions do not need to apply to deliveries, over the counter purchasing or takeaway.


Storing and retrieval of information

The standard approach to storing your patrons’ personal information also applies to businesses that collect information during COVID-19.

Personal information security is about more than just ensuring compliance with the requirements of the Privacy Act. If you mishandle your patrons’ personal information it may lead to a loss of trust and considerable harm to your reputation. A significant breach may result in a loss of customers or business partners and revenue.

It is essential as part of your business practices to prevent the misuse, interference, loss or unauthorised accessing, modification or disclosure of personal information.  As such, you need to take all reasonable steps to ensure good handling of this information.

Once you have collected and hold your patrons’ personal information, consider what appropriate security measures are required to protect the personal information – this applies to both hard copy and online systems.

For example:

  • Online storage:
    • To ensure all reasonable steps are taken to eliminate unauthorised access, the information collected via electronic means must be password protected or encrypted.
    • Your ICT security measures ensure that all your systems are secure and that they provide a safe storage environment and you have an adequate back up system.
    • You are aware of the personal information you hold on your ICT system and where it is located.
  • Physical / hard copies storage:
    • Information is locked away in a filing cabinet with key access controlled.
    • Information is stored at the end of each shift, or periodically throughout the day, so it cannot be inappropriately accessed.
    • Information is stored in a way that it can be easily retrieved if required by health officers.
    • On what basis can access to the physical files be granted?
    • If loss or theft occurs, can it be easily traced via staff logs or CCTV?
    • Your record management system identifies files and the location of information.

Make sure staff are aware of, and have access to, the relevant policies and procedures and are trained regarding their responsibilities.

The Australian Office of the Information Commissioner has developed tips for good privacy practice to assist businesses in storing and collecting personal information. Find more information about storing personal information on the Office of the Information Commissioner website.


Expectations

It is critical that contact tracing is conducted in a timely manner to limit the spread of COVID-19. While each business may have different methods for collecting and storing information, there is an expectation that details of relevant staff and guests will be provided immediately to a public health officer when required. Should a business be unable to immediately produce this information when required, it may result in a breach of the Chief Health Officer’s public health direction.


Destruction of information

After the 56-day period (or otherwise specified), when the information no longer needs to be kept, businesses must ensure that they take reasonable steps to destroy the personal information. This obligation applies even where the business does not physically possess the personal information but has the right or power to deal with it.

De-identification of this information is not permitted.

The steps that are reasonable for a business to take to destroy personal information will depend on whether the personal information is held in hard copy or electronic form.

Ensure you have policies, procedures and resources in place to ensure proper destruction procedures and that your staff are informed of the destruction procedures.

Consider:

  • Is destruction of personal information done in-house or outsourced? If outsourced, what steps have you taken to ensure appropriate handling of the personal information?
  • Has personal information contained in hard copy records that are disposed of through garbage or recycling collection been destroyed through a process such as pulping, burning, pulverising, disintegrating or shredding?
  • Is hardware containing personal information in electronic form properly ‘sanitised’ to completely remove the stored personal information?
  • Have steps been taken to verify the irretrievable destruction of personal information stored by a third party on a third party’s hardware, such as cloud storage? Where the third party has been instructed by the organisation to irretrievably destroy the personal information, have steps been taken to verify that this has occurred?
  • Are back-ups of personal information also destroyed? Are backups arranged in such a way that destruction of backups is possible?

Where it is not possible for an entity to irretrievably destroy personal information held in electronic format, reasonable steps to destroy it would include putting the personal information ‘beyond use’. For example, this could include where technical reasons may make it impossible to irretrievably destroy the personal information without also irretrievably destroying other information held with that personal information.

Personal information is ‘beyond use’ if you:

  • are not able, and will not attempt, to use or disclose the personal information
  • cannot give any other entity access to the personal information
  • surround the personal information with appropriate technical, physical and organisational security. This should include, at a minimum, access controls including logs and audit trails
  • commit to take reasonable steps to irretrievably destroy the personal information if, or when, this becomes possible.

It is expected that only in very limited circumstances would it not be possible for an organisation to destroy personal information held in electronic format.


Handling a breach

For businesses

If patrons breach any of the conditions of entry, your main solution will be not to seat them in your venue or you may refuse entry at your discretion.

Allowing them to remain on the premises may result in your business being non-compliant with Public Health Directions, which could result in a hefty fine.

You cannot seek compensation from the customer if they breach the terms of the conditions. That is because of the one-sided nature of the conditions of entry.

Enforcing financial penalties may look like an unfair contract term under the Australian Consumer Law.

For patrons

Government takes privacy seriously.

If you are concerned a business has used your personal information incorrectly and breached your privacy, please discuss with the proprietor (business owner) as a privacy complaint in the first instance.

Should you not be satisfied with their advice please contact the Office of the Australian Information Commissioner.


Frequently asked questions

  • Under the Queensland Chief Health Officer’s Public Health Direction, Restrictions on Businesses, Activities and Undertakings Direction (No. 3) (or its successor), businesses are required to keep a register of contact details for all attendees on their premises to assist with contact tracing in the event of an outbreak.

    In addition to businesses, as of 16 June 2020, Queensland Health has also requested that the organiser of the funeral, i.e. the next of kin of the person who is deceased, maintain a list of all funeral attendees (including funeral staff).

    Contact tracing information must include:

    • full name
    • email address (residential address if not available)
    • phone number
    • date of entry
    • time period (time in and time out)

    To capture time period, businesses must keep a person’s ‘in-time’ and either record the person’s ‘out-time’, have policies that restrict time periods (e.g. two-hour table limit), or inform the person they are more likely to be contacted by authorities in the event of contact tracing if an ‘out-time’ is not provided.

    This information must be stored securely and not used for any other purpose for a period of 56 days (or otherwise specified) and then it is to be destroyed.

    View/download a sample collection proforma for patrons to complete.

    Penalties apply for failure to comply with the Public Health Directions.

    The COVIDSafe app is not an alternative to collecting and retaining contact information.

    Depending on the nature of your dealings with patrons, it is understood businesses may collect and hold other types of personal information ordinarily collected by the business, such as loyalty cards, booking information, etc., that will only be used to provide patrons with those services. The information collected for the purpose of contact tracing cannot be used for those other purposes. Businesses must maintain privacy compliance in this regard.

  • Information must be provided immediately (i.e. within 1 hour) when required by a public health officer.

    Public health officers will contact the business owner or operator if a person diagnosed with COVID-19 states they attended the business at a time when they were considered infectious. This may be in person or via telephone.

    Public health officers will require the information on each patron or staff for a specific date and time period. Public health officers will not provide details of the person diagnosed with COVID-19.

    To confirm if your business has additional record keeping obligations under Queensland Public Health Directions, please visit the Queensland Health website, your relevant COVID Safe Industry Plan or COVID Safe Checklist (if applicable).

  • Businesses like restaurants, cafes, pubs, and clubs who offer dining in services need to collect from their customers first name, last name, email address and phone number as per the Food Services Industry Plan. In addition to this, date and time of patronage is also required.

    This applies to pre-bookings, walk-ins, workers and contractors.

    Contact information must be kept for a period of at least 56 days, then it may be destroyed.

  • There is no single method for collecting and storing contact tracing information. This is a decision for the individual businesses.

    Physical and electronic security is an important part of ensuring that personal information is not inappropriately accessed. Information must be provided immediately (i.e. within 1 hour) when required by a public health officer.

    For guidance on storing of information, please refer to the Storing and retrieval of information section.

    Businesses are only required to keep personal information for 56 days (or otherwise specified) under the Restrictions on Businesses, Activities and Undertakings Direction and must destroy this information after this time.

  • If a patron refuses to provide their information a business has the right to refuse service.

    Under the Restrictions on Businesses, Activities and Undertakings Direction (No. 3) (or its successor) some businesses cannot offer some of their services without collecting information for each customer or person they interact with.

    The COVIDSafe app is not an alternative to collecting and retaining contact information. Patrons may have this installed on their personal device but it may not be used as their reason for not providing contact tracing details.

    Penalties apply for non-compliance with the Direction.

  • Under the Restrictions on Businesses, Activities and Undertakings Direction (No. 3) (or its successor) a business must collect the name, email address, phone number and date and time period of patronage for ALL patrons. A patron having installed the COVIDSafe app does not discharge this requirement.

  • Yes. You can refuse to provide your details. However, to ensure businesses and other patrons are protected you will not be able to be seated in the premises.

    Should you refuse to leave, the business has the right to seek law enforcement services to assist in your removal.

    Under the Chief Health Officer’s direction, you are required to provide your full name, email address (residential address if unavailable), phone number, date of entry and time period (time in and time out).

    To capture time period, businesses must keep your ‘in-time’ and either your ‘out-time’ or they may have policies that restrict the time you are allowed in their venue or location (e.g. two-hour table limit). If you do not provide an ‘out-time’ you are more likely to be contacted by authorities in the event of contact tracing.

  • Privacy

    Government takes your privacy seriously.

    If you are concerned a business has used your personal information incorrectly and breached your privacy, please discuss with the proprietor (business owner) as a privacy complaint in the first instance.

    Should you not be satisfied with their advice please contact the Office of the Australian Information Commissioner.

    Other enquiries or concerns

    Should you have any other enquiries or concerns about whether a business is complying with the Checklist or Industry Plan you can call 134 COVID (13 42 68).

    If you think a business has broken any rules (not privacy related), please contact 134 COVID in the first instance. Alternatively, you can report them directly to PoliceLink on 131 444, or to their relevant industry regulator.

Last updated: 24 July 2020