your rights, their obligations and privacy concerns
- Written by Mahmoud Elkhodr, Lecturer in Information and Communication Technologies, CQUniversity Australia
While lockdown restrictions have eased in many places, the coronavirus threat isn’t over yet. The number of cases globally has surpassed 9 million, and infections have slowly crept back for Victoria.
Read more: In many countries the coronavirus pandemic is accelerating, not slowing
Restaurants, pubs and cafes have been among the first places to which people have flocked for some respite from social isolation. In many cases, diners must provide their personal details to these venues for potential contact tracing later on.
Unfortunately, there’s a lack of clarity regarding what the best options are for businesses, and many aren’t following official guidelines.
Keeping records
In the rush to reopen while also abiding by government requirements, many businesses are resorting to collecting customer information using pen and paper.
This entails sharing the stationery, which goes against the basic principles of social distancing. Your written details can also be seen by other diners and staff, triggering privacy concerns.
You wouldn’t normally leave your name, phone number, email, address or any combination of these on a piece of paper in public – so why now?
Businesses collecting personal information from customers must abide by the Australian Privacy Principles under the Privacy Act 1988. This requires they “take reasonable steps to protect the personal information collected or held”.
The federal government has also released an updated guide to collecting personal information for contact tracing purposes. Establishments must use this guide in conjunction with individual directions or orders from certain states and territories. See some below.
QLD | Must keep contact information about all guests and staff including name, address, mobile phone number and the date/time period of patronage for a period of 56 days. |
ACT | Businesses should ask for the first name and contact phone number of each attendee. |
SA | Only real estate agents, wedding and funeral businesses should collect personal information from customers. But not restaurants. |
NSW | Keep the name and mobile number or email address for all staff and dine-in customers for at least 28 days. |
The guide also outlines how businesses should handle customers’ contact information. The relevant parts are:
you should only collect the personal information required under the direction or order
you should notify individuals before you collect personal information
you should securely store this information once you have collected it.
One point specifically notes:
Do not place the names and phone numbers or other details in a book or on a notepad or computer screen where customers may see it.
Thus, many establishments are clearly not sticking to official guidance. So could you refuse to give your details in such cases?
No. Customers are required by law to provide the necessary details as per their state or territory’s order. Venues can deny entry to people who refuse.
What would a comprehensive solution look like?
For contact tracing to work effectively, it should be implemented systematically, not in a piecemeal way. This means there should be a system that securely collects, compiles, and analyses people’s data in real time, without impinging on their privacy.
It’s perhaps too much to ask hospitality businesses to take the lead on this. Ideally, government agencies should have done it already.
The COVIDSafe app could have provided this service, but with it being optional — and contact tracing by businesses being mandatory — it’s not a viable option. That’s not to mention the issues with the running of the app, including Bluetooth requirements, battery life drainage, and history of problems with iPhones.
Read more: How safe is COVIDSafe? What you should know about the app's issues, and Bluetooth-related risks
Nonetheless, there are some free technologies that can offer better alternatives to the manual collection of customers’ details. These include:
All these tools have a similar set up process, and provide similar services. Let’s take a look at one of the most popular ones, Google Forms.
Using Google Forms
Google Forms is a tool that comes free with a Google account. The “contact information template” is a good starting point for businesses wanting to make a secure log of visitor details.
Once you create a form to collect customers’ information, you just have to share a URL, and customers can fill the form on their own device.
Data gathered via Google Forms is stored securely on the Google Drive account and can only be accessed through the same login that was used to create the form. The transmission of data from the customer’s device to Google Drive (where the data is then stored) is also secure.
Or use a QR code
If you want to make the whole process even easier, and not use a clunky URL, then using a QR code (linked to the URL of your Google form) is a great option. For this, you can use any free external QR code generator. These will generate a QR code which, when scanned by a smartphone, will direct the user to your URL.
This code can also be printed and hung on a wall, or stuck to tables where it’s easy to access without any human-to-human contact. A comprehensive guide to creating and accessing Google Forms can be found here.
That said, although the process of setting up and using such tools is very simple, there may still be people who are too mistrusting of the way their data is used, and may refuse to hand it over.
Authors: Mahmoud Elkhodr, Lecturer in Information and Communication Technologies, CQUniversity Australia