With the gradual alleviation of COVID-19 restrictions, some reopening businesses are subject to new rules under which they must collect personal information of customers and visitors to their premises for the purposes of contact tracing. These rules take the form of Directions or Orders implemented by the relevant State or Territory.

For these businesses, an added complexity within the post-COVID business environment is that their collection of this contact tracing information may be subject to the Privacy Act 1988 (Cth) (Privacy Act), including the Australian Privacy Principles (APPs). To assist affected businesses, the Office of the Australian Information Commissioner (OAIC) has recently published guidance which provides some clear tips as to how to collect, store and use contact tracing information.

The first relevant enquiry for any business affected by the contact tracing rules is to determine whether the business is subject to the Privacy Act. Some small businesses with an annual turnover of less than $3 million are exempt from the Privacy Act. See here for the OAIC’s guidance on which small businesses are subject to the Privacy Act.

For businesses that are subject to the Privacy Act and are required to collect contact tracing information, the OAIC has provided five tips, which we have outlined below:

1. Businesses should only collect personal information required under the relevant Direction or Order

Where a business is covered by a Direction or Order, the collection of contact tracing information required by that Direction or Order is permitted under the Privacy Act, as collection of this information is necessary for the business’s functions or activities. See APP 3.2 (for private-sector organisations; APP 3.1 applies to agencies). However, businesses must not collect any other information that is not subject to a Direction or Order, or the collection of which is not otherwise permitted by the Privacy Act.

2. Businesses should notify individuals before the information is collected

Businesses should notify individuals whose information is collected of certain details described in APP 5. This includes what personal information is being collected, that the collection is required by law, why the information is being collected, the consequences of not collecting the information, and who the information will be shared with (see APP 5.2).

3. Information should be securely stored

The OAIC recommends that:

  • contact tracing information is not recorded in a book or on a notepad or computer screen that may be visible to customers;
  • access to the information is restricted only to the business’s personnel who need to see it; and
  • ideally, the information is stored in a separate record, rather than in the same record or system as the rest of the business’s information (for example, booking or scheduling information). At a practical level, this will allow the information to be clearly distinguished from other personal information held by the business, and treated differently where needed (for example, protected using more stringent measures, or deleted earlier once the business no longer requires it).

4. Businesses should only disclose the contact tracing information to health authorities who perform contact tracing activities, and only on request

Any contact tracing information should only be provided to the relevant State or Territory health authority when directly requested. Disclosure or use of the information for any other purpose may constitute a breach of the Privacy Act.

5. Businesses should destroy the information once it is no longer required for contact tracing

The OAIC has recommended that contact tracing information only be retained for a ‘reasonable period of time’, which it advises will usually be no longer than 28 days where there is no other retention period specified in the applicable Order or Direction. Following this period, the business should destroy the information.

Finally, more information about Directions and Orders issued by each State or Territory can be found at the links below:


Authors: Tim Gole, Stephanie Essey, Christopher Ashen