Woolworths gave data about customers who use its Everyday Rewards scheme to NSW Health in order to assist contact tracers.

At the outbreak of the recent Berala cluster linked to a BWS in Sydney’s west, Woolworths analysed information from its Everyday Rewards loyalty scheme to find customers who visited the store at times when they may have been in close contact with a person infected with COVID-19, the Australian Financial Review reported on Thursday.

The retail giant then contacted people who may have been exposed to the virus and shared their information with NSW Health.

“At the request of NSW Health, customers who scanned their Everyday Rewards card or signed-in via a QR Code at these stores on relevant dates had their contact details passed on securely to NSW Health for contact tracing purposes,” a Woolworths spokesperson said in a statement to Information Age.

“This allowed NSW Health to send urgent and direct public health advice to customers for their safety.”

A NSW Health spokesperson said the department "treats all personal information it receives confidentially and in accordance with its privacy obligations".

Woolworth’s privacy policy – one of what author of The Age of Surveillance Capitalism, Shoshana Zuboff, sardonically refers to as ‘surveillance policies’ – outlines how customers can expect the retailer to use private information they provide when scanning their orange Everyday Rewards cards at the checkout.

“When we collect, hold and use your personal information, we do so primarily to sell and promote goods and services to you,” the Woolworths policy says.

After offering examples of how the company may use that data, such as by “learn[ing] of your likely preferences”, the privacy policy also says Woolworths “may collect, hold, use and disclose your personal information for other purposes which are within reasonable expectations or where permitted by law”.

Your privacy is supposedly protected by the Commonwealth Privacy Act 1988, which says organisations that gather and hold data “that was collected for a particular purpose […] must not use or disclose the information for another purpose”.

But there are plenty of exceptions.

Under the Privacy Act, organisations are allowed to use or give out data for a “secondary purpose” – in this instance, a purpose other than to sell or promote Woolworths products – if they have consent to do so; are compelled by a court order; if it would be “reasonably necessary” to give to law enforcement or regulators; or there exists “a permitted health situation” – a term which specifically relates to health information.

Then there is the set of “permitted general situations” in which an organisation can disclose data for reasons other than its stated collection aims.

One of those situations is when an organisation “reasonably believes” such disclosure “is necessary to lessen or prevent a serious threat to the life, health or safety of any individual, or to public health or safety”.

Like a pandemic.

Parliament is currently undergoing a review of the Privacy Act.

This story has been updated to include a statement from NSW Health.