If your business has been monitoring changes to restrictions, you’ve probably come across the new requirement of record keeping. Businesses now need to collect information from customers or anyone visiting their premises for COVID-19 contact tracing.
So you might be wondering: how can I protect my customers’ personal information? What are my legal obligations? We’ve broken it all down for you.
Privacy obligations will generally only apply to businesses that are subject to the Privacy Act. This means any business with an annual turnover of more than $3 million is required to comply with their privacy obligations, such as disclosing how you will use information and who will have access to it.
However, lots of small businesses will now be dealing with personal information. The Office of the Australian Information Commissioner has set out guidelines for how businesses can protect these records, and it’s a good idea to consider these tips regardless of whether your business has formal privacy obligations.
What Information Do I Need To Collect From My Customers?
The information you’ll need to collect will differ depending on your State or Territory:
Keep in mind that you should only collect information required by your State or Territory. For example, if you’re located in NSW, you cannot request your customers’ home addresses, and you cannot use them for marketing purposes.
You are only collecting information for contact tracing, so you cannot use it for anything else (and you’ll need to disclose this to your customers, too).
Who Do I Notify And How?
You need to notify your customers that you will be collecting their personal information before you do it. You can place a notice:
- At the store’s entrance
- At each table
- Verbally before taking their order
- Digitally (e.g. on your website)
When you notify your customers, make sure you tell them:
- What information you’ll be collecting (e.g. their phone number)
- Why you’re collecting it (contact tracing)
- How it will be stored and handled (e.g. through a secure online system)
- Who will have access to that information (e.g. staff and health authorities)
How Can I Collect Customers’ Information?
There are a few ways in which you can collect customers’ information, but you need to make sure that no one else can see it. Here are some options:
- Place a piece of paper at each table for recording information before customers order food. You can collect this paper after they’ve finished and replace it with a new one for the next customer/s.
- Your employees can request the information verbally when taking customers’ orders, and write it down on the receipt.
- Customers can send a text message with their personal details to a specific number.
The way you collect information is really up to you, as long as it’s not visible to other customers and it is handled safely.
How Do I Store This Information?
When storing the information, make sure that only people within your organisation have access to it. This also means you need to train both existing and new staff about how to handle this information safely.
For example, if you’re using an electronic system to store customer information, you need to train your staff to use the system responsibly and safely.
Some methods of storing information may give a third party access to that data. In this case, it’s important to have an agreement with that third party which sets out how they should handle the information and requires them to notify you of what they do with it.
Notifiable Data Breach (NDB)
If you choose to store your information online, there may be a risk of a data breach. To avoid losing this personal information, it’s important to have:
- Cyber security systems in place
- A data breach response plan
This way, you can assure your customers that you’re committed to keeping their information secure.
Who Can I Share This Information With?
You can only share this information with the relevant health authorities (e.g. NSW Health) at their request. This information is being collected for contact tracing, so it can only be disclosed for that purpose.
What Happens When I Don’t Need The Information Anymore?
Usually, the records will need to be disposed of after a certain period of time. When it’s established that you won’t need the information anymore, you need to destroy all copies of it (this is something you need to disclose to customers as well!).
This requirement also depends on your State/Territory:
There are a few ways you can destroy the information:
- Shred documents before disposing
- Delete electronic copies of information
- If a third party had access to it, tell them to destroy the information
Put simply, you need to make sure there’s no way the information can be restored.
What Else Do I Need To Know?
This new regulation operates alongside existing ones. This means you’ll still need to practise social distancing and promote hand hygiene at your workplace.
Some workplaces are also required to develop a COVID-19 Safety Plan. You can read more about the new regulations for NSW businesses here.
Dealing with personal information carries a lot of risk, so whether or not your business is required to comply with the Privacy Act, it’s important to protect your customers’ information.
If your business needs privacy advice or any help meeting your obligations under these new COVID-19 regulations, Sprintlaw has a team of experienced lawyers ready to assist. You can contact us for a free consultation on 1800 730 617 or at firstname.lastname@example.org.