Compulsory collection of information “at the door” to contain COVID-19
With the easing of COVID-19 restrictions, Victoria is managing the ongoing risks associated with the disease by requiring that particular organisations collect personal information about customers and visitors to their premises to assist with COVID-19 contact tracing.
The Victorian Government has issued specific Directions and Orders stating that contact information of customers and visitors must be sought as a condition of particular organisations re-opening.
If a Direction or Order applies to you, the collection of this personal information will be necessary for your organisation’s functions or activities.
Government orders to collect personal information
If you are subject of a Direction or Order, then this means the collection of contact information is permitted under the Privacy Act 1988.
The Restricted Activity Directions (No 9) – Public Health and Wellbeing Act 2008 (Vic) – (the Act) provides Directions or Orders for facilities, including:
- Community facilities which host essential public support such as food banks, or homeless persons services, or that host weddings or funerals;
- Places of worship; and
- Accommodation facilities (such as hotels, guesthouses or Airbnbs) which are operating for the purposes of providing emergency accommodation, including in relation to family violence or other vulnerable groups
Records required to be kept
The Acts states that these facilities are subject to a “records requirement” which requires them to request that each person who attends the facility for more than 15 minutes provide their first name and contact phone number.
The facility must keep a record of these details for 28 days together with the information about the date and time at which the person attended the facility and if there are multiple indoor spaces, the indoor space(s) which the person visited.
We note that requirements in relation to signage, cleaning and the number of people permitted per indoor space are specific to each facility and detailed in the Act.
What do you need to do if you are required to collect personal information for contact tracing?
If you are required to collect contact information due to government Orders or Directions, you should abide by the following principles:
- Notify people prior to collecting personal information and include details regarding: what information you are collecting, that the collection is required by law, the purpose of collection, who the information will be disclosed to and consequences of failing to provide the information (i.e. they will not be allowed into the facility).
- Only collect personal information which is required under the direction or order i.e. only collect first names and phone numbers;
- Securely store the information once you have collected it. Only provide access to staff that need to see it.
- Only disclose if the Victorian health authority requests it. You may not use the information for mailing lists or to share within your group.
- Destroy the information as soon as reasonably practicable following 28 days after the visit, unless another statutory requirement permits or requires that the personal information is retained. If you have collected personal information and believe you have another obligation, for example to disclose the information under the Family Violence Information Sharing Scheme, quarantine the information and assess it against the guidelines, or seek advice.
What about services that rely on anonymity?
There are some exceptions to the “records requirement”, including for support groups held in community facilities or places of worship where confidentiality is typically required such as drug and alcohol or domestic violence support groups (such as Alcoholics Anonymous) and private worship at places of worship.
Your obligations to protect people may require you to nevertheless ask for personal information, for example, in an emergency or if a participant in an anonymous group falls ill during a meeting.
Can you collect customer information if you are not required to?
If there isn’t a Direction or Order that applies to your operation, you are not required to ask for customer and visitor names and contact details for contact tracing purposes. However, you can still collect contact information if you would normally do so for the functions and activities of your business.
What about COVID-19 related information?
You can collect information from employees or visitors in relation to COVID-19 which is ‘reasonably necessary for preventing or managing COVID-19’ such as:
- Whether a person or a close contact has been exposed to a confirmed case of COVID-19
- Whether the person has recently travelled overseas and to which countries
If an employee or visitor has or may have contracted COVID-19, you should only disclose personal information which is reasonably necessary in order to prevent or manage COVID-19 in the workplace.
For more information on workplace obligations, please read our article on safeguarding against COVID-19.
Next steps
Organisations still need to be mindful of privacy laws when collecting information for the purposes of contact tracing, or to prevent or manage the spread of COVID-19. It is essential for employers to have clear policies and processes which detail how personal and health information is collected, stored, used or disclosed so that these processes can be adhered to during the process.
How we can help
If you need assistance with ensuring your privacy policy or processes are up to date, please do not hesitate to contact us.
A full list of operations subject of a direction or order is available here.