LEGAL COVID CONTACT TRACING: RISKS AND REQUIREMENTS As most of Australia begins to emerge from lockdowns and retail stores reopen, contract tracing is a requirement that many businesses will have to manage. IBy Gladwin Legal partner Rosalyn Gladwin. n the ongoing fight against the spread of Covid-19, many businesses, including cafes, restaurants and beauty services, will be required to collect personal information from customers who attend their store. This could involve collecting and keeping a record of the first name and phone number of each person who attends the store for more than 15 minutes. The specific details of what is required will depend on the applicable directions or orders given by each state or territory government. The purpose of contact tracing is to provide a link from an infected person to other people they may have been in contact with. How to collect this information The first option that comes to mind and one that many businesses have already implemented is to record this personal information manually on a piece of paper by the register. The concern here is customer privacy (not to mention sharing of pens). These written details can be seen by staff and other patrons of the store, which can trigger a breach of your obligations under the Privacy Act 1988. Privacy requirements If you’re a retailer with an annual turnover of that exceeds $3 million, you must comply with the Privacy Act, the Australian Privacy Principles and the Notifiable Data Breach Scheme – this excludes those under the small-business exemption. These requirements impose obligations on businesses to “take reasonable steps to protect the personal information collected or held”. Retailers must ensure reasonable steps are taken to destroy or de-identify personal information when it’s no longer needed, and ensure procedures are in place to store customer information securely. While a direction or order to collect personal information may apply to a business that falls within the small- business exemption, these businesses will not be legally bound under the Privacy Act. It’s nonetheless important to manage customer data appropriately, as a failure to adequately protect consumers’ privacy can tarnish your reputation, hinder the ability to build a trusting relationship with consumers, and attract hefty costs. How to ensure compliance The Office of the Australian Information Commissioner published a guideline for businesses that have obligations under the Privacy Act. They suggested: • Collect only personal information required under the direction or order (ie, name, phone number). • Before collecting this information, notify the individuals of the type of information collected and the purpose of collection. • Ensure you have a method of securely storing this information. • Only provide the information to health authorities on request. • Appropriately destroy the information once it is no longer needed according to the timeframe provided by the direction or order. Alternatives to pen and paper records To protect customer privacy and streamline the process, you may want to consider using a QR code linked to, for example, a Google document. This will allow you to place the printed QR code in an easily accessible location (such as on tables, at the register, on the wall) minimising face-to-face contact and protecting your customers’ privacy. The QR code, when scanned by a customer, will direct the user to the Google document to fill in the relevant information. Use of data We don’t recommend use of this data to pad out your mailing list. Consumers expect that the sole purpose of this data collection will be for contact tracing. However, you’re not prevented from including an ‘opt in’ button should you wish for customers to have the ability to sign up. Obligation to disclose The obligation to disclose is held exclusively by state and territory health authorities. You should disclose the information to health authorities only when they request it for contact tracing purposes. For example, a public health officer will contact your business if an individual diagnosed with Covid-19 states they attended the business at a time when they were considered infectious. Alternatively, if a customer contacts you stating that they have tested positive and had attended your business, under s55 of the Victorian Public Health and Wellbeing Act 2008, you’re entitled to disclose their details to an authorised “Retailers must ensure  reasonable steps are taken  to destroy or de-identify  personal information when  it’s no longer needed.”  health officer.                                                                        About Rosalyn Gladwin Rosalyn is the principal of Gladwin Legal, being an expert in all facets of retail law, including commercial and corporate law and retail leasing. About Gladwin Legal Gladwin Legal is the law firm for retailers. As experts in retail law, the firm understands the legal matters that challenge retailers daily. Its areas of expertise include retail and commercial leasing, supply and distribution agreements, intellectual property, ecommerce and IT agreements, sale of business and competitions and trade promotions. Get in touch at gladwinlegal.com.au.     66 RETAIL WORLD SEP, 2020