Disclosure: Privacy Australia is community-supported. We may earn a commission when you buy a VPN through one of our links. Learn more.
Restaurant and Café Privacy Obligations Following COVID-19 Reopenings
While some states in Australia are being forced to return to a stage three lockdown as the number of new COVID-19 cases continues to rise, other areas are finally beginning to ease lockdown restrictions.
As life in Australia returns to normal, restaurants, cafés and pubs are among the first places to reopen. But if you plan on heading to your local eatery this summer, grabbing a bite to eat may not be as simple as it used to be.
In many states, diners are now required to provide venues with their personal information for future COVID-19 contact tracing, including their first name, email address and phone number. Restaurants and cafés in certain states must also request to collect the number of guests who visit their venue for more than 15-minutes. In Victoria, this information can then be stored on an on-site register for up to 28-days. Museums, libraries and other businesses set to reopen also face similar requirements.
Sadly, when it comes to gathering, using and disclosing personal information, many businesses haven’t been following official government guidelines.
Collection of Personal Information: Privacy Policies and Australian Law
When collecting, using and disclosing personal information, businesses in Australia must comply with the Australian Privacy Principles (APP) guidelines under the Privacy Act 1988 (Cth). This covers organisations and Australian Government agencies with an annual turnover of $3 million or more. Smaller businesses with an annual turnover of $3 million or less may also have certain responsibilities, though many are not legally bound by the act. However, businesses that are legally bound by the Privacy Act may be liable to penalties for privacy data breaches.
Every venue under the Privacy Act must take appropriate measures to guarantee that personal information is not misused, modified, lost, accessed or disclosed without authorisation. If venues do not take “reasonable steps to protect the personal information from unauthorised access,” it may be breaching specific privacy principles.
Unfortunately, many restaurants and cafés still aren’t taking this into account as they rush to reopen.
In recent weeks, businesses across Australia have been collecting customer personal information using merely a pen and paper forms. Given that this written information can likely be seen by staff members and other diners, many Australians have raised fears over the potential for data breaches.
“These bars, clubs and (other businesses) are going to be collecting a large amount of personal information,” said Queensland Council for Civil Liberties president Michael Cope. “We think they need to be more specific. They need to go into detail about making sure there is limited access to them and the public doesn’t have access to them.”
Guidance for Businesses Collecting Personal Information for Contact Tracing
At the end of May, the government released a guide for businesses that are covered by the Privacy Act. In some States and Territories, this must be used along with specific Directions or Orders.
Here are some important State and Territory Directions and Orders:
- ACT: Businesses must request the first name and phone number of every guest.
- NSW: Businesses must keep the name and email address or contact phone number for all dine-in guests and employees for a minimum of 28 days.
- QLD: Businesses must keep contact information about all employees and customers, such as their name, mobile number and address for 56 days.
The guidance for businesses also summarises how companies should handle contact information. The following three requirements were designed to assist businesses expected to collect information by Orders or Directions:
- You should only collect the personal information required under the Direction or Order.
- You should notify individuals before you collect the personal information.
- You should securely store this information once you have collected it.
As many establishments are now legally required to collect personal information, they can deny entry if you refuse to give them your details, even if they do not follow official guidance.