COVID-19 Contact Tracking with Office365
Before you roll-out a 3rd party app for the job – find out what you already have at your fingertips within Microsoft Office 365 to get the job done!
Plus you’ll have all your data right where you need it – in house!
Whilst COVID-19 restrictions across Victoria have ever so gradually relaxed for gatherings, and the local travel and hospitality sectors, office workers have watched on from their work-from-home stations, patiently waiting for their chance to regroup and starting bringing their teams back to the office.
This week marks a major step forward in getting Victorian office workers back into the office with businesses now allowed to welcome up to 25% of their workforce back onsite with COVID-Safe Plans in place.
With this comes new responsibilities for – not only protecting the health and safety of your onsite workers, but being able to track and report on attendance and contacts as required.
Last Step and COVID Normal Contract Tracking Requirements for Businesses and Workplaces
Under the Department of Health and Human Services Last Step requirements, businesses and workplaces have specific record keeping requirements for their workplaces. And indeed as we seek to transition from the Last Step and towards COVID-Normal, health and safety best practices would probably suggest this is a requirement for all workplaces as groups of staff start working together back onsite.
The DHHS requirements state that:
To support contact tracing, some businesses, workplaces and premises must request that each person who attends the premise for more than 15 minutes (including staff) provide:
· First name
· Phone number
Businesses must keep a record of those details, and the date and time at which the person attended the facility. Where the patrons spend most of their time in a single space (i.e. a dining room, or a cinema), a record of the space used should also be kept. There is no need to keep multiple records if patrons move through multiple spaces. Records can be kept electronically or in hard copy and should be kept for 28 days.
By now, most of us have entered a shop or café and had to scan a QR code to leave your details, or *nervous shudder* been directed to use a communal pen and paper-based set-up to provide our contact details at the door.
The hospitality sector was quick to rise to this challenge and many managed to roll-out some quick-to-market contact tracing apps in record time. But since then questions have started to be raised around how that data being captured is stored, disposed of or potentially even used by third party app providers. There have been recent media articles raising privacy concerns over QR Code check-in processes and the Office of the Australian Information Commissioner, the Australian gatekeepers of privacy protections, have recently released more concrete Guidelines for digital check-in providers collecting personal information.
Why businesses need to “buyer beware” when it comes to 3rd party apps
Under the Privacy Act and the Australian Privacy Principles, Australian businesses and organisations have very specific regulatory requirements in relation to the handling of personal information of staff, clients and visitors, with an added layer of requirements set out for the collection and sharing of information relating to the health of customers, visitors and staff.
In many cases, the questions asked of staff, clients and visitors to workplaces will require a declaration that they are not awaiting COVID test results, are not displaying COVID-19 symptoms and have not recently been in contact with a confirmed COVID case or in a COVID-19 hotspot.
According to law firm Clayton Utz,
It is important to remember that any information or opinion relating to the health of customers, visitors and staff is sensitive information under the Privacy Act and attracts additional privacy obligations and protections, compared to other personal information.
What’s wrong with using one of those visitor entry apps?
Nothing in theory – provided they suit your data privacy needs and requirements AND those of your staff, clients and visitors. Based on your business, industry and your obligations under the Privacy Act, you need to do some due diligence. Especially if granting entrance to your workplace under your COVID-Safe plan means that you have to ask people to confirm that they are not displaying symptoms or awaiting test results, i.e. provide personal health data.
Due diligence considerations for your business must include confirming
- where the data collected by app services is stored (in many cases it will be offshore, which may be in direct contravention of your industry’s regulatory requirements)
- who or what bodies may have access to the data you collect, and how they state they intend to use it for reporting, marketing or even data analytics purposes
- how the disclosure and transmission of any data stored on your behalf would be controlled in accordance with your obligations under the Australian Privacy Principles
You might find, for example, that that free web-based app that looked so easy upfront stores data offshore and provides it for aggregated analytics purposes elsewhere. That is not something you would want to have to go back and disclose to your staff, clients or visitors after the fact!
A better, more compliant solution…that you probably already have!
As the old saying goes, if you want something done right, do it yourself!
Before you go looking for a 3rd party app or visitor registration solution for your workplace, have you considered that you may already have all the tools you need in cloud-software that you’re already using and that you’ve already done the due diligence for?
Here’s one great example. If your business is using Microsoft Office 365 for cloud-based business communication via email and Microsoft Teams, did you know that your Office 365 licence most likely already includes ALL the elements you need to deploy your own contract tracing set-up AND keep your data wholly and solely in your control only?
Step 1: Create your own data capture form using Microsoft Forms. Microsoft Forms is a simple, customizable form creation tool to create a custom set of questions you need answered by staff, clients or visitors attending your premises.
Step 2: Choose how you want to display the form.
Once your form is created, you have access to 3 great tools right there in Microsoft Forms
- You can create a QR code that will direct anyone who scans the code on their smart phone directly to the form you’ve created. You can download the code as an image file and add it to posters, business cards, etc.
- You can obtain weblinks to display the form directly using a short URL code or similar to accommodate people who may not know how to use the QR code
- And, you can capture an embed code for the form and display it directly as a non-public facing page on your website, for example, if you require people to complete the data entry BEFORE attending onsite for example.
Step 3. Create a SharePoint List where the data capture via the form will live.
Step 4. Use Power Automate (formerly Microsoft Flow) to file the data captured in the form along with the time and data stamps in the SharePoint list.
Authorised people in your organisation granted access to this list can then do a range of things:
- They can filter by date, time, response, site etc to provide a given set of attendance or contact data
- The data can be downloaded for reporting or submission purposes if required
- The list can be configured to auto delete data entries once they are 28 days, for example, to comply with record retention time limits.
- If your organisation is already using Microsoft Teams, notifications of responses can be sent through to particular channels.
Step 5. Rest assured because you’ve rolled out a solution that was already available through your existing Microsoft Office 365 licence AND you have total control over the data you ask for, how it is stored, accessed and managed.
See how it works right here!