
Restaurant and Café Privacy Obligations Following COVID-19 Reopenings

By Will Ellis
Last Updated on October 20, 2021

While some states in Australia are being forced to return to a stage three lockdown as the number of new COVID-19 cases continues to rise, other areas are finally beginning to ease lockdown restrictions.

As life in Australia returns to normal, restaurants, cafés and pubs are among the first places to reopen. But if you plan on heading to your local eatery this summer, grabbing a bite to eat may not be as simple as it used to be.

In many states, diners are now required to provide venues with their personal information for future COVID-19 contact tracing, including their first name, email address and phone number. Restaurants and cafés in certain states must also collect the number of guests who visit their venue for more than 15 minutes. In Victoria, this information can then be stored on an on-site register for up to 28 days. Museums, libraries and other businesses set to reopen face similar requirements.

Sadly, when it comes to gathering, using and disclosing personal information, many businesses haven’t been following official government guidelines.

Collection of Personal Information: Privacy Policies and Australian Law


When collecting, using and disclosing personal information, businesses in Australia must comply with the Australian Privacy Principles (APP) guidelines under the Privacy Act 1988 (Cth). This covers organisations and Australian Government agencies with an annual turnover of $3 million or more. Smaller businesses with an annual turnover of $3 million or less may also have certain responsibilities, though many are not legally bound by the Act. However, businesses that are legally bound by the Privacy Act may be liable to penalties for privacy data breaches.

Every venue under the Privacy Act must take appropriate measures to guarantee that personal information is not misused, modified, lost, accessed or disclosed without authorisation. If a venue does not take “reasonable steps to protect the personal information from unauthorised access,” it may be breaching specific privacy principles.

Unfortunately, many restaurants and cafés still aren’t taking this into account as they rush to reopen.

In recent weeks, businesses across Australia have been collecting customers' personal information using merely pen-and-paper forms. Given that this written information can likely be seen by staff members and other diners, many Australians have raised fears over the potential for data breaches.

“These bars, clubs and (other businesses) are going to be collecting a large amount of personal information,” said Queensland Council for Civil Liberties president Michael Cope. “We think they need to be more specific. They need to go into detail about making sure there is limited access to them and the public doesn’t have access to them.”

Guidance for Businesses Collecting Personal Information for Contact Tracing


At the end of May, the government released a guide for businesses that are covered by the Privacy Act. In some States and Territories, this must be used along with specific Directions or Orders.

Here are some important State and Territory Directions and Orders:

  • ACT: Businesses must request the first name and phone number of every guest.
  • NSW: Businesses must keep the name and email address or contact phone number for all dine-in guests and employees for a minimum of 28 days.
  • QLD: Businesses must keep contact information about all employees and customers, such as their name, mobile number and address for 56 days.

The guidance for businesses also summarises how companies should handle contact information. The following three requirements were designed to assist businesses expected to collect information by Orders or Directions:

  1. You should only collect the personal information required under the Direction or Order.
  2. You should notify individuals before you collect the personal information.
  3. You should securely store this information once you have collected it.

As many establishments are now legally required to collect personal information, they can deny entry if you refuse to give them your details, even if they do not follow official guidance.
