If you haven't been constantly hitting refresh on news websites to check the latest coronavirus stats and updated rules and restrictions, then... you're definitely not in the hospitality industry, with newly returned businesses and workers concerned about the possible re-implementation of stricter restrictions and another lockdown.

The recent coronavirus outbreak linked to the Crossroads Hotel in Sydney's south-west is a reminder that the return to 'normal' may still be a long way off.

One of the biggest issues to emerge from the police investigation into the outbreak is the Crossroads Hotel's failure to collect all patrons' contact details before entering the venue. As we're talking about a venue that hosted around 600 patrons in one day, tracking down the potentially infected patrons has been quite the debacle (not to mention, a significant health threat to the general community).

Bars, pubs, restaurants and cafes (...and small bars, cellar doors, karaoke bars and strip clubs) are required to have a COVID-19 Safety Plan in place to create and maintain a safe environment for workers and customers. The Safety Plan covers off 4 main areas: wellbeing of staff and customers, physical distancing, hygiene and cleaning and record keeping – all of which are very good things.

As part of the record keeping component of the Safety Plan, venues are required to collect contact details for customers and retain this information for at least 28 days. This is where the Crossroads Hotel came unstuck. It's not enough to display a contact details register or a QR code and hope that customers will take the initiative to register themselves upon entry to a venue. This responsibility belongs to the venue, so having a doorperson/maître d'/security guard/anyone at the entrance is well worthwhile (and, pretty much required).

Keep in mind that patrons' contact details must be stored confidentially and securely and cannot be used for any purpose other than tracing coronavirus infections. That said, if you obtain active consent from a patron to use their contact details for marketing purposes, you can go right ahead.

One last handy tip for business with an annual turnover of more than $3 million – be aware of your obligations under the Privacy Act when collecting customers' contact details. The Office of the Australian Information Commissioner has made it easy to comply with privacy obligations by publishing guidelines, which include:

  1. Only collect the required personal information (name and mobile number or email address).
  2. Display a notice that informs patrons that the collection of that personal information is required by law, the purposes of the collection, who the information will be disclosed to and the consequence of failing to provide the information.
  3. Store information securely and only provide access on a 'need-to-know' basis (i.e. store it separately to the marketing list!).
  4. Only provide the information to the relevant health authorities upon request.
  5. Destroy the information (securely) once it's no longer necessary for contact tracing purposes – check the current government imposed deadline for this.

We do not disclaim anything about this article. We're quite proud of it really.