As seen in the February edition of Queensland Hotels Association's QHA Review magazine.
Shortly after pubs and hotels reopened in mid-2020 and COVID contact tracing requirements were introduced, it was widely acknowledged that paper-based contact tracing registers were problematic insofar as maintaining the customers' privacy. The main concern was that it would be easy for someone to photograph paper-based registers containing the contact details of other patrons.
Enter the QR Code – the 'matrix barcode' that, prior to 2020, was widely known as an obsolete marketing gimmick of the past. But the QR Code has certainly made a comeback in recent months. The little black square can be seen at almost every hospitality venue across Queensland. Scanning the code and entering our contact details upon entry has become part of the 'new normal'. And while it is truly incredible how quickly hospitality operators shifted from paper-based contract tracing to electronic sign-in registers, the speedy transition has left some venues at risk of privacy breaches.
It has led some businesses to believe that merely switching to electronic sign-in registers is enough to secure the privacy of their customers (I note that as of 23 December 2020, all hospitality venues are required to keep all patron contact details electronically and to move away from paper-based records). However, hotel operators with an annual turnover of $3 million or more must also comply with the Australian Privacy Principles (APPs) set out in the Privacy Act 1988 (Cth) (Privacy Act).
What records do you need, and what can you use them for?
Queensland's Public Health Directions require pubs and hotels to keep contact tracing records consisting of patrons' full names, phone numbers, email or residential addresses, and date and time of patronage. These records must be kept for at least 30 days and should be deleted after no more than 56 days.
Ideally, venues should avoid recording anything more than these minimum details. For example, I have seen some check-in systems include a declaration from patrons that "I am not experiencing any symptoms of COVID-19". Under the Privacy Act, such declarations as to a person's health require more sensitive treatment than other contact details, and should only be collected to the extent it is reasonably necessary for preventing or controlling the risk of COVID-19 at your venue.
If asking patrons to make a health declaration such as the above, it is important to understand why you are doing so, and how and why you intend to use this information in future. I suspect many venues ask patrons for such declarations because they think it necessary to comply with the COVID Industry Plan. However, the Industry Plan merely requires you to warn patrons not to enter the venue if they are experiencing symptoms, which can be achieved by warnings posted on your sign-in page or throughout your venue; there is no need for patrons to declare their good health.
If you intend to produce patron health declarations in the event that you are called on by the authorities to turn over your contact tracing records, then you should specifically inform patrons of this and request their consent. Without clear consent, you risk being in breach of the Privacy Act if you later disclose the information to another person, including the health authorities.
Another trend I have noticed is that some businesses now ask customers for consent to use their contact details for marketing purposes. This may not pose a problem under the Privacy Act, but may still amount to a breach of the Public Health Directions which require firstly that contact tracing records must not be used for any purpose other than contact tracing by a public health officer, and secondly that you must delete the records after no more than 56 days. Breach of the Public Health Directions constitutes an offence under the Public Health Act, punishable by up to 6 months imprisonment or fines of up to $13,345.00.
Finally, if outsourcing your contact tracing record capture systems to a third-party app or QR Code service, then you should ensure your service provider has the capability to securely store the records, and that they will delete the records within the 30-56 day window. Most importantly though, the third party must not be allowed to use the contact details for their own data analytics purposes, which would constitute a breach of the Public Health Directions.
When used correctly, the QR Code is a particularly useful tool to assist you in complying with the COVID Industry Plan. However as with all technological advances, it is important to carefully consider all factors to ensure you are upholding your customers' right to privacy. If you have any questions about how your venue is complying with the contract tracing requirements, please contact me on 07 3224 0230.
Article written by Curt Schatz (Managing Partner) and Glen Rolley (Associate)
"The content of this publication is for reference purposes only. It is current at the date of publication. This content does not constitute legal advice and should not be relied upon as such. Legal advice about your specific circumstances should always be obtained before taking any action based on this publication."