COVID-19: OAIC publishes privacy guidance for businesses collecting personal information for contact tracing | Practical Law

This update considers guidance published by the Office of the Australian Information Commissioner (OAIC) for businesses collecting personal information about customers and visitors to their premises for 2019 novel coronavirus disease (COVID-19) contact tracing.

by Practical Law Commercial
Published on 11 Jun 2020
Australia, Federal

The Office of the Australian Information Commissioner (OAIC) has published guidance for businesses collecting personal information about customers and visitors to their premises for the purposes of 2019 novel coronavirus disease (COVID-19) contact tracing.
In summary, the OAIC notes that where businesses are required to collect "contact information" under the terms of "Orders or Directions", the businesses should:
  • Limit the collection of personal information to that which is required under the relevant Order or Direction. For a quick reference guide to the key legislative instruments related to public health and medical matters that have been implemented in response to the COVID-19 pandemic in each Australian jurisdiction, including references to the relevant legislation, regulations, Orders and Directions, see Checklist, COVID-19: Key legislative instruments related to public health and medical matters in Australian states and territories.
  • Notify individuals before collecting personal information, to satisfy requirements under Australian Privacy Principle (APP) 5. See also Practice note, Australian Privacy Principles: APP 5: Notification of the collection of personal information. The OAIC advises that businesses can help to achieve this by displaying a prominent notice on their premises and website, and reinforcing the information when speaking with customers or clients.
  • Store the information securely once it has been collected, while also taking care to observe obligations under the notifiable data breaches scheme. For more information on the Notifiable Data Breaches Scheme, see Practice note, Notifiable Data Breaches scheme.
  • Disclose the information to relevant health authorities involved in contact tracing activities upon the request of those authorities.
  • Destroy the information if it is no longer reasonably necessary for the purposes of contact tracing. A Direction or Order may specify a period for which the information must be retained. If no period is specified, the OAIC advises that information should be destroyed after a reasonable period, which would generally be within 28 days.
The OAIC also advises that:
  • Where businesses are not required to ask for customer names and contact details for contact tracing purposes under a Direction or Order, those businesses may still collect contact information where doing so would be a normal part of the businesses' functions and activities (for example, booking appointments).
  • Businesses continue to have obligations under the Australian Privacy Principles to handle personal information appropriately. See Practice note, Australian Privacy Principles.
For further information on the Privacy Amendment (Public Health Contact Information) Act 2020 (Cth) and its impacts on the collection, use and disclosure of data collected through the Commonwealth's COVIDSafe app, see Legal update, Privacy Amendment (Public Health Contact Information) Act 2020: Privacy protections for data collected through the Commonwealth COVIDSafe app.
For information on privacy in the context of COVID-19, see Toolkit, Practical Law Australia's guide to COVID-19 resources: Privacy.
For information on privacy law in Australia generally, see Practice note: overview, Australian data protection and privacy laws.