Contact Tracing Records and Privacy

As churches start to open their doors for public gathering, how does the collection of personal information for the purpose of contact tracing comply with the Privacy Act? And how should a church manage this?

Is our church allowed to collect contact tracing information?

In response to the outbreak of the human disease COVID-19, a major emergency was declared in South Australia. When the Prime Minister makes recommendations to the states about restriction guidelines relating to COVID-19, each state must then consider how those recommendations will be applied. They are not enforceable in South Australia until the State Coordinator, Commissioner Grant Stevens, enacts a Direction. The South Australian Directions apply to everyone living in, and entering, South Australia.

The current Direction (the Emergency Management (Public Activities No 2) (COVID-19) Direction 2020) came into effect at 12:01am on Friday 19 June 2020, and revokes the previous Direction.

Under the current Direction, any organisation holding a public gathering “must keep records of each attendee to each ceremony, service or gathering, including the contact details of each attendee, to assist with contact tracing if required.

So, YES, a church can (and must) collect contact tracing information before allowing anyone into the building.

How can we manage this in line with the Privacy Act?

If your church collects contact information in line with government Directions, you should abide by the following principles:

  1. Notify people prior to collecting personal information and include details regarding: what information you are collecting, that the collection is required by law, the purpose of collection, who the information will be disclosed to and consequences of failing to provide the information (i.e. they will not be allowed into the facility).
  2. Only collect personal information which is required under the direction or order  i.e. only collect names and phone numbers.
  3. Securely store the information once you have collected it. Do this as soon as possible after the collecting of the information for that activity. Only provide access to staff that need to see it.
  4. Only disclose if the South Australian health authority requests it.  You may not use the information for mailing lists or to share within your group.
  5. Destroy the information as soon as reasonably practicable following 28 days after the visit, unless another statutory requirement permits or requires that the personal information is retained.

What activities do I need to collect this information for?

Any church activity where a member of the public can attend needs to have appropriate contact tracing records kept. This includes, but is not limited to:

  • Church services (Sunday and mid-week)
  • Youth groups
  • Kids church (a parent should be the nominated contact next to the child’s name)

If there are other meetings or member gatherings on the church property, there should also be a record of who is in attendance (as these would generally be members, the full contact details should be available via the church office if necessary). This could include:

  • Leadership meetings
  • Small groups meeting at the church
  • Committee meetings

Next Steps

Churches still need to be mindful of privacy laws when collecting information for the purposes of contact tracing, or to prevent or manage the spread of COVID-19. It is essential for churches to have clear policies and processes which detail how personal and health information is collected, stored, used or disclosed so that these processes can be adhered to during the process.

If you have any further questions around the collection of information and the church’s requirements under the Privacy Act, please seek official legal guidance.

Thanks to Moores Legal for the original article from which I gathered a lot of this information.

Photo by Markus Winkler on Unsplash