Beyond the numbers with Grant Thornton: Listen now
As we return to new ways of working, many of us will be required to “check-in”, have our temperature checked, and assert to being “healthy”. If there is a risk of an employee being contagious, or has been in close contact with a confirmed case of COVID, then the workplace has a duty of care to inform other employees, clients, customers and visitors of this risk. Many organisations will be geared up to address this through existing privacy measures, but let’s be honest – those privacy policies were never really intended to cover health related information. However, the same rules surrounding your typical data must apply here as well. If you haven’t checked your privacy policies, or you have new people handling sensitive information, this is a timely reminder to all organisations to obtain consent, collect only what is necessary, collect it lawfully and directly, and limit disclosure to only when it’s absolutely necessary.
Clearly, the scope of data privacy needs to expand for organisations. However, in the larger scheme of things, the workplace is a relatively small ecosystem. It’s easier to control and consent when you are interacting with a defined workplace – but we know that people have far more complex social lives, with many more touchpoints in the community. And this presents a far greater challenge – not only for our health, but also when it comes to privacy.
In the absence of every Australian downloading the government track and trace app, and the little quirk of the app only registering a connection after 15 minutes of close contact, we have seen many retailers and businesses implementing their own contact tracing or check-in methods. Many of these appear to rely on QR codes, your mobile device and the user filling out a form on entry to a venue. But what is happening to your personal data once you hit submit? In the rush to roll out check-in and tracing apps, the capture (and sharing?) of personal information appears to have been overlooked. Indeed many of the organisations using these types of apps for the first time won’t have a privacy policy in place.
You may shrug and think this is fine. It’s not a lot of information and what sort of privacy breach could there be when you’re picking up your morning coffee? However, these check-in apps will pull in a fairly rich picture of customer behaviour – think visiting patterns, dwell time on site, possibly orders, almost certainly lots of device information and so on. What these venues are capturing under the guise of COVID contact tracing might surprise you. How they wish to use this information for marketing purposes might do the same. The problem is, if you asked, most places probably can’t answer a few key questions about their use of the data they are collecting, let alone where it is stored and for how long it will be retained.
I’ve seen calls recently for a government supplied check-in app. Whilst in theory I think the approach has merit, based on the COVIDSafe app rollout I think it would be a very hard sell to the public with very low take up rates. That said, is an app provided by a third party without any privacy disclosures or detailed design scrutiny any better? I think not. Perhaps the opportunity here is for the Government to extend the use of the COVIDSafe app to include check-in functionality, at least it would be more transparent than many others.
COVID has meant getting your morning coffee or popping out for a bite just got that little bit more complex. In the past, you told the barista a name (maybe your real one) which they may or may not remember for your next order. However, now you’re being asked to hand over much more information in exchange for that $4 latte. It’s fair to ask for some assurance on how that data will be used and stored in return.
Grant Thornton uses cookies to monitor the performance of this website and improve user experience. If you are happy to accept cookies from this site, please check the box. To find out more about cookies, what they are and how we use them, please see our privacy notice, which also provides information on how to delete cookies from your hard drive.
