If you have ventured into a restaurant lately, you will have noticed that you are required to leave your personal information at the venue. Although most of us will have no problem leaving this information, it is important that you are informed of the obligations of cafes and restaurants with respect to your privacy and that businesses are equally informed of their obligations.
Restaurants and cafes in NSW have been ordered to collect contact information from those visiting their premises to assist in COVID-19 contact tracing. The COVID Safe Checklist for businesses requires that information provided by patrons, workers and contractors is kept for at least 28 days. There is a requirement that such information be kept confidential and securely held.
The obligation on businesses to use and protect the information provided by individuals is encompassed by the Privacy Act (NSW) (“the Act”). The Act also allows those in possession of critical information to provide that information to health authorities to help manage the spread of coronavirus.
Recently, concerns have arisen where businesses have reopened in haste and have resorted to paper documentation to collect information from their patrons. A paper method, without an accompanying spreadsheet or electronic database, is concerning as it may lead to a finding that the information was not securely held. Businesses must be seen to have taken reasonable steps to keep personal information secure.
In an attempt to assist businesses in protecting personal information, the Office of the Australian Information Commissioner has developed guidelines for businesses.
The guidelines include:
- Collecting only the information required by official directions and orders. Businesses may not request more information than is required. At present, in NSW, businesses are only required to obtain the name and contact details, such as a phone number, email address or address, of individuals;
- Notifying individuals prior to collecting information. This includes what information you are collecting, what is required by law, who the information can be provided to and the purposes of collection;
- Securely storing this information. The guidelines suggest that businesses should not store this information where other customers may see it;
- Information must only be provided to the relevant authorities at their request;
- Information should be destroyed when it is no longer reasonably necessary for the purpose of contact tracing.
Please note that the above list does not substitute for the information provided in the guidelines. The guidelines can be accessed here.
Failing to comply with these orders is a criminal offence under the Public Health Act 2010. For an individual, a breach of this order carries a maximum penalty of $11,000, imprisonment for 6 months, or both. A $5,500 penalty will also apply for each day the offence continues.
For corporations, breaching this order carries a maximum penalty of $55,000, and a further $27,500 penalty may apply for each day the offence continues.
Police may also issue $1,000 on-the-spot fines.
This blog is merely general and non-specific information on the subject matter and is not and should not be considered or relied on as legal advice. Coutts is not responsible for any cost, expense, loss or liability whatsoever to this blog, including all or any reliance on this blog or use or application of this blog by you.