COVID-19 contact tracing – will a contact tracing app replace the need for a register?
Last updated 28 May 2020
With the country now in Alert Level 2 and Alert Level 1 on the horizon, many businesses will be gearing up to welcome their customers physically back onto their premises in some way. At the same time, the Government has foreshadowed a continued focus on contact tracing for the foreseeable future. With this in mind, we anticipate that many businesses looking to re-open their doors to onsite customers will need to consider how to keep track of all those who enter their premises, from employees and contractors to suppliers and customers. Each group presents different challenges for contact tracing but the need to protect personal privacy is common to all of them.
Many businesses will also be aware of the Government’s plans to roll out a contact tracing app and may be wondering whether their business will still need to keep a record of visitors. In short, we think they will.
In this article our focus is on customer and visitor contact tracing. We explain why we think that customer or visitor registers will be needed and outline the basic requirements under New Zealand’s current privacy law that will impact how businesses maintain those registers. We also provide a checklist of practical pointers.
Why a contact tracing app is unlikely to replace visitor registers
A contact tracing app is likely to bring many advantages including reach, efficiency, and accuracy. It has value for recording proximity between individuals in public spaces such as beaches or streets.
But we do not think an app will be a complete solution because:
- its uptake will be limited to those individuals who are willing and able to download the app onto a device; and
- the accuracy and completeness of the data will depend on the user carrying the device at all times and using the app consistently and correctly. For example, will the app still collect data if it is running in the background and has not been launched, and will it operate if the device’s screen is locked?
We anticipate that an app will simply be another valuable tool in the contact tracing toolbox, and that businesses will still be required to record their on-site customers and other visitors.
The basic requirements for registers
Prior to New Zealand’s COVID-19 Alert Level 4, the Ministry of Health (MOH) Guidelines for Hospitality Establishments on Physical Distancing and Gathering Size Limits (MOH Guidelines) required all hospitality establishments permitted to open to keep a register of guests. Specifically, the MOH Guidelines required:
- the register to include date, time, full name, address, phone number and email addresses;
- bars and restaurants to have guests complete the register before being served, and group bookings to sign on entry; and
- guest details to be retained for 8 weeks, to be used for contact tracing at the request of the MOH or local district health boards.
It seems likely that the same principles will apply to all businesses as the country moves to lower alert levels and more businesses are permitted to open their on-site premises to the public. Application may be made compulsory in some way, or it may form a part of a business’s health and safety measures for keeping staff and customers safe in the event a positive case of COVID-19 is tracked to the business. In either case, thinking about privacy issues at the outset is an important step to ensure privacy law compliance.
What businesses need to tell their customers
As at any other time when a business collects personal information, the business must tell the customer why the information is being collected, who it may be given to, how long it will be kept, and who will hold the information. It must also advise the customer of their right to access and correct the information.
All of this can be achieved by a simple privacy statement, along the following lines:
The information [below] is being collected to [comply with COVID-19 guidelines set down by the Ministry of Health/ or to help us keep our staff and customers safe and accurately respond to contact tracing information requests by the Ministry of Health]. The information will be held securely by [entity name] for 8 weeks (or such longer period as may be required by the Ministry of Health), during which time it may be supplied to the Ministry of Health and/or District Health Board on request. If you do not wish to provide this information, we may be unable to serve you or allow you onto our premises. You may access your information, and request a correction, by emailing us at [insert email address].
What information should be collected
Businesses should confine the scope of the information collected to that which is required for COVID-19 purposes, effectively a customer’s name and contact details.
Collection, storage and use
Care must be taken to ensure that a customer’s personal information, once collected, is not visible to subsequent customers. It must also be stored securely to ensure there is no unauthorised access.
Methods of collection and storage
The most obvious and simple method of collection is a paper register, which is then stored in a secure place, such as a safe. However, manual privacy and deletion practices will need to be developed by the business itself, which could lead to a greater risk of data breaches. Businesses will also need to ensure appropriate hygiene practices are in place to protect customers and staff using the register.
Many businesses will be able to use their own website or third-party apps to collect and store the information, and we anticipate an increase in new products available for this purpose. One major advantage is the ability to capture information in a contactless manner. However, we anticipate that most businesses will also need to offer a hard copy option for customers who are unable or unwilling to access the relevant website or app.
Regardless of the manner of collection, care should be taken to ensure that personal information collected for COVID-19 purposes is separated from other data to ensure that it is not inadvertently used for any other purpose (such as marketing).
Under the Privacy Act 1993, a business may use personal information for other purposes provided it believes on reasonable grounds that such use is authorised by the customer. However, we are increasingly seeing the Privacy Commissioner remind businesses that to have “reasonable grounds” for such belief the business must have obtained clear, active and informed consent from the person concerned. It is therefore important to be very transparent about the intended use of the personal information. Businesses thinking about using the collected information for other purposes would be wise to consider how that is likely to be perceived by customers and how they will obtain appropriate authorisation from each customer.
Due diligence on third party providers
Businesses using third party apps should also ensure that they have done sufficient due diligence on the app provider to be confident that the terms of collection and storage are consistent with the business’s own privacy statement, that those terms will be adhered to, and that the information will be stored securely and be readily available if required.
There are a number of unknown factors in this new way of operating, such as how any mandatory requirements to keep a register will be enforced. We will be keeping a watching brief on these issues.
In the meantime, here is a summary of key steps to privacy compliance.
- Write an effective privacy statement and have this prominently displayed at the point of collection and/or easily accessible when using a website or app.
- Consider how to protect the personal information, for example, if using a hard copy register, have one entry per page or a privacy sheet that covers previous entries.
- Ensure that all personal information collected is stored securely and not used for any unauthorised purposes.
- Diary deletion reminders, and make sure deletion is carried out promptly and securely.
- If considering using a third party app, identify and carry out due diligence on suppliers early rather than leaving it late and rushing to get suppliers lined up.
- If using an app or online register, also maintain a physical register as a back-up for those unable to access the online version.