Privacy: Collecting and storing customer information during COVID-19

Collecting contact information during COVID-19

Some businesses are required to collect contact information for visitors and staff on their premises to assist with contact tracing in the event of an outbreak. This requirement is set out in the Public Health and Social Measures linked to vaccination status Direction.

Read more about collecting contact information for COVID-19.

Considerations for collecting information

The Queensland Chief Health Officer has powers under the Public Health Act 2005 to make any directions necessary to assist in containing, or responding to, the spread of COVID-19 within the community.

Consequently, businesses are required to collect information in a way that complies with the Public Health and Social Measures linked to vaccination status Direction. A breach of these principles can lead to regulatory action and penalties.

Penalties for non-compliance

If an individual or business does not comply with the Public Health Direction they may receive a fine of up to a maximum of 100 penalty units or 6 months’ imprisonment under section 362D of the Public Health Act 2005 unless the person has a reasonable excuse.


Electronic collection of contact information

A business operator must electronically collect contact information about all guests, patrons and staff at the time of entry unless otherwise specified, by either:

  • the Check In Qld app; or
  • registering guests, patrons and staff through the Business Profile mode of the Check In Qld app.

If a person is unable to use the Check In Qld app because of age, disability or language barriers, or because they do not possess the technology or own a mobile phone, the business must register the guest through the Business Profile mode.

A business operator is not required to request a person’s contact information if:

  • the person appears to be younger than 16 years and is not accompanied by a parent or guardian who can provide information on their behalf
  • the person is primary or secondary school-aged and is taking part in a group activity organised by a school, sporting team or community group
  • the person has an exemption that is compliant with the Public Health and Social Measures linked to vaccination status Direction
  • it is not reasonable to collect contact information due to a risk to a person’s safety.


Collection of contact information using another method

If the business is unable to electronically collect contact information from visitors or staff because it is not possible to use the Check In Qld app due to unexpected circumstances, because there is a risk to safety, or because the business is located in a place that does not have a mobile internet data connection, the business must collect and keep contact information using another method. For example, the business can collect contact information using a paper-based form or a spreadsheet.

If the contact information is collected using another method, the business must:

  • collect the name, phone number, email address, and the date and time of attendance of the patrons or staff, and
  • securely store the contact information and not use it for any other purpose, and
  • delete the information after not less than 30 days and not more than 56 days, and
  • if requested, provide the contact information to a public health officer within a stated time.

Businesses must take reasonable steps to ensure that the contact information collected is accurate.

Any changes to collecting contact information requirements will be detailed in the Public Health and Social Measures linked to vaccination status Direction.

Privacy: Collecting and storing personal information

Businesses that are unable to collect contact information using the Check In Qld app must consider what appropriate security measures are required to protect the personal information – this applies to both hard copy and online systems.

The Office of the Australian Information Commissioner (OAIC) guidance makes clear that the Privacy Act 1988 will not stop critical information sharing in the context of the pandemic but notes that organisations have obligations to handle staff and visitor personal information appropriately and in accordance with the Privacy Act. That is, businesses must take active measures to protect personal information they hold from misuse, interference and loss, as well as unauthorised modification or disclosure.

Collection obligations

Staff should only ask for as much personal information as required under the Direction.

Businesses must:

  • use personal information only for the purpose it is being collected for. That is, personal information must not be used for marketing or research purposes, or sold to third party organisations
  • store personal information in a secure and safe place
  • delete personal information after no less than 30 days and no more than 56 days (or as otherwise specified)
  • not give personal information to anyone except Queensland Health (and only if requested)
  • not transfer patrons’ personal information outside of Australia.

OAIC provides further guidance for businesses collecting personal information for contact tracing.

Depending on the nature of your dealings with patrons, it is understood you may collect and hold other types of personal information ordinarily collected by your business, such as loyalty cards or booking information, that will only be used to provide patrons with those services. The information collected for the purpose of contact tracing cannot be used to provide those services. Businesses must maintain privacy compliance in this regard.

Disclaimers

For businesses that are unable to collect contact information using the Check In Qld app, the use of a disclaimer on a collection template may assist in reducing staff exposure to challenges in collecting people’s personal information.

An example of a disclaimer you may choose to use:

Disclaimer:

Your contact information is being collected for the purpose of contact tracing in the event of a positive COVID-19 diagnosis involving this business. Information is being collected under the Queensland Chief Health Officer’s Restrictions on Businesses, Activities and Undertakings Direction. Should your duration in premises not be indicated on this form you may be contacted by Health compliance officers.

Your personal information will be stored securely and destroyed after no less than 30 days and no more than 56 days, unless otherwise required by public health officials in the event of a Coronavirus (COVID-19) outbreak. It will NOT be used for marketing or research purposes, given or sold to third parties.

Depending on the nature of your dealings with us, we may collect and hold other types of personal information ordinarily collected by us, such as loyalty cards, booking information, etc., which will only be used to provide you with those services.

View/download a sample collection proforma for patrons to complete.


Storing and retrieval of information

In situations where your business is unable to use the Check In Qld app, the standard approach to storing your patrons’ personal information also applies to businesses that collect information during COVID-19.

Personal information security is about more than just ensuring compliance with the requirements of the Privacy Act. If you mishandle your patrons’ personal information, it may lead to a loss of trust and considerable harm to your reputation. A significant breach may result in a loss of customers or business partners and revenue.

It is essential as part of your business practices to prevent the misuse, interference, loss or unauthorised accessing, modification or disclosure of personal information. As such, you need to take all reasonable steps to ensure good handling of this information.

Once you have collected and hold your patrons’ personal information, consider what appropriate security measures are required to protect the personal information – this applies to both hard copy and online systems.

For example:

  • Online storage:
    • To ensure all reasonable steps are taken to eliminate unauthorised access, the information collected via electronic means must be password protected or encrypted.
    • Confirm with the providers of QR code systems or apps what steps they take to eliminate unauthorised access and where the data may be stored (onshore / offshore).
    • Your ICT security measures ensure that all your systems are secure and that they provide a safe storage environment and you have an adequate back up system.
    • You are aware of the personal information you hold on your ICT system and where it is located.
  • Physical / hard copies storage:
    • Information is locked away in a filing cabinet with key access controlled.
    • Information is stored at the end of each shift, or periodically throughout the day, so it cannot be inappropriately accessed.
    • Information is stored in a way that it can be easily retrieved if required by health officers.
    • On what basis can access to the physical files be granted?
    • If loss or theft occurs, can it be easily traced via staff logs or CCTV?
    • Your record management system identifies files and the location of information.

Make sure staff are aware of, and have access to, the relevant policies and procedures and are trained regarding their responsibilities.

The OAIC has developed tips for good privacy practice to assist businesses in storing and collecting personal information. Find more information about storing personal information on the Office of the Information Commissioner website.


Destruction of information

If collecting contact information via a method other than the Check In Qld app, businesses must take reasonable steps to destroy the personal information after no less than 30 days and no more than 56 days, or as otherwise specified. This obligation applies even where the business does not physically possess the personal information but has the right or power to deal with it.

De-identification of this information is not permitted.

The steps that are reasonable for a business to take to destroy personal information will depend on whether the personal information is held in hard copy or electronic form.

Ensure you have policies, procedures and resources in place for the proper destruction of personal information and that your staff are informed of the destruction procedures.

Consider:

  • Is destruction of personal information done in-house or outsourced? If outsourced, what steps have you taken to ensure appropriate handling of the personal information?
  • Has personal information contained in hard copy records that are disposed of through garbage or recycling collection been destroyed through a process such as pulping, burning, pulverising, disintegrating or shredding?
  • Is hardware containing personal information in electronic form properly ‘sanitised’ to completely remove the stored personal information?
  • Have steps been taken to verify the irretrievable destruction of personal information stored by a third party on a third party’s hardware, such as cloud storage? Where the third party has been instructed by the organisation to irretrievably destroy the personal information, have steps been taken to verify that this has occurred?
  • Are back-ups of personal information also destroyed? Are backups arranged in such a way that destruction of backups is possible?

Where it is not possible for an entity to irretrievably destroy personal information held in electronic format, reasonable steps to destroy it would include putting the personal information ‘beyond use’. For example, this could include where technical reasons may make it impossible to irretrievably destroy the personal information without also irretrievably destroying other information held with that personal information.

Personal information is ‘beyond use’ if you:

  • are not able, and will not attempt, to use or disclose the personal information
  • cannot give any other entity access to the personal information
  • surround the personal information with appropriate technical, physical and organisational security. This should include, at a minimum, access controls including logs and audit trails
  • commit to take reasonable steps to irretrievably destroy the personal information if, or when, this becomes possible.

It is expected that only in very limited circumstances would it not be possible for an organisation to destroy personal information held in electronic format.


Handling a breach

For businesses

If patrons breach any of the conditions of entry, your main solution will be not to seat them in your venue or you may refuse entry at your discretion.

Allowing them to remain on the premises may result in your business being non-compliant with Public Health Directions, which could result in a hefty fine.

You cannot seek compensation from the customer if they breach the terms and conditions. That is because of the one-sided nature of the conditions of entry.

Enforcing financial penalties may look like an unfair contract term under the Australian Consumer Law.

For patrons

Government takes privacy seriously.

If you are concerned a business has used your personal information incorrectly and breached your privacy, please discuss with the proprietor (business owner) as a privacy complaint in the first instance.

Should you not be satisfied with their advice please contact the Office of the Australian Information Commissioner.


Further information

Information for businesses and users of the Check In Qld app:

Information to help you understand what the Public Health and Social Measures linked to vaccination status Direction means, including Questions and Answers:

Last updated:
25 January 2022