Check In CBR – but don’t check out of your privacy obligations

Everyone across Canberra has seen the Check In CBR posters at venues they have visited. Whether you’re sceptical about the process or happy to Check In, a lot of questions are raised about how the information collected through Check In CBR is used and stored.

What are the contact tracing obligations for non-essential businesses in the ACT?

During the current public health emergency, certain businesses are required to develop and adhere to a COVID Safety Plan, specify the maximum occupancies and undertake contact tracing. Contact tracing requires businesses to ask each person who attends their premises to record their attendance by using the “Check In CBR” app. Businesses must keep a record of details provided, including names, phone numbers, email addresses and the date and time at which the person attended. Businesses must be able to produce a record of these details if compelled by an authorised person.

“Check In CBR” is a mobile app which was developed to address the concerns of patrons that their personal details were ‘on display’ in venues and restaurants that were using paper-based logs. The “Check In CBR” app can be differentiated from the COVIDSafe app because of its focus on specific venues, though they are intended to be complementary. You can read more about the privacy ramifications of the COVIDSafe app here.

Where a business has obligations under the Privacy Act 1988 (Cth), these obligations extend to the information captured for the purpose of contact tracing.  A business must inform a customer:

  • that their information is being recorded for contact tracing purposes (the why); and
  • that the business has measures in place to manage the information appropriately and to prevent the misuse, interference, loss, unauthorised access, modification or disclosure of information (the how). This can be done by way of a collection notice or a direction to the business’s Privacy Policy.

Mandatory roll out of “Check In CBR”

From 9:00 AM on March 6 2021, the “Check In CBR” app will become mandatory for all restricted business activities in the ACT.

‘Restricted businesses’ includes businesses in hospitality, retail, sports, personal services, entertainment and other non-essential sectors, which will be required to register with “Check In CBR” and transition off any other contact tracing method they were using; for example, paper logs. Businesses will be issued with a unique QR code and a business or venue starter kit. The rationale behind making the app mandatory is that it makes it as easy as possible for businesses to comply with public health directions and facilitate contact tracing in the ACT. For a more comprehensive list of “restricted business activities” visit the ACT Government’s COVID-19 website.

Importantly, businesses must keep their paper or other digital records for 28 days after they transition over to “Check In CBR”. These records must be stored and made readily available to ACT Health, if requested.

What are my obligations when using “Check In CBR”?

Restricted businesses must do everything within their power to ensure their patrons aged 16 years or older check in using the “Check In CBR” app. The “reasonable steps” businesses are expected to take to secure check in include:

  • Actively monitor points of entry
  • Request patrons show staff that they have checked in
  • Display QR codes, signing and messaging clearly
  • Use the business profile to manually check in patrons who are unable to check in themselves (e.g. forgot their smart phone)

Restricted businesses that knowingly let a patron aged 16 years or older into the premises without securing check in will be in breach of the public health direction and subject to a fine.

For businesses owned by an individual the fine is $1,000, and for businesses owned by a corporation the fine is $5,000.

For more information on privacy implications of any App, developing a COVID Safety Plan or assistance with introducing or amending a Privacy Policy for your business, please contact our specialist team of privacy advisors.
