COVID-19: Practical steps for protecting privacy while contact tracing

Last updated 28 May 2020

The need to protect privacy while enabling contact tracing for COVID-19 cases is top of mind as more New Zealand businesses prepare to reopen their doors under Alert Level 2.

While the basic requirements for contract tracing registers seem simple enough to follow, there are some practical steps businesses should take to ensure compliance with current privacy law.

The basic requirements for contact tracing registers

At Alert Level 2 businesses can have customers on their premises if they can meet public health requirements. This will include having a register in place to enable any contact tracing that becomes needed.  The register will need to record everyone who you and your staff interact with on your premises, while also keeping physical distancing rules.

To allow for contact tracing, the system or register should capture the date, time, full name and a preferred method of contact (whether phone number or email address).  Businesses should have similar registers for suppliers and to keep track of staff rostered at different times.

The register should be retained for 8 weeks, to be used for contact tracing at the request of the Ministry of Health or local district health boards.

Collecting personal information for any purpose creates privacy issues and businesses should ensure their registers comply with privacy law.

What businesses need to tell their customers

As at any other time when a business collects personal information, it is important to keep your customers and others whose information you collect informed of what you are doing and why.  You must tell your customers and others who come on to your premises:

  • why the information on the register is being collected;
  • who will hold the information;
  • who it may be given to; and
  • how long it will be kept.

You must also advise those using the register of their right to access and correct the information they provide.

All of this can be achieved by a simple privacy statement, along the following lines:

The information [below] is being collected to [comply with COVID-19 guidelines set down by the Ministry of Health/ or to help us keep our staff and customers safe and accurately respond to contact tracing information requests by the Ministry of Health]. The information will be held securely by [entity name] for 8 weeks (or such longer period as may be required by the Ministry of Health), during which time it may be supplied to the Ministry of Health and/or District Health Board on request. If you do not wish to provide this information, we may be unable to serve you or allow you onto our premises. You may access your information, and request a correction, by emailing us at [insert email address].

Collection, storage and use

Care must be taken to ensure that a customer or other person’s personal information, once collected, is not visible to others such as subsequent customers. It must also be stored securely to ensure there is no unauthorised access.  This means that traditional paper registers that allow for multiple entries on the one page are not a best practice option.

Methods of collection and storage

The most simple method of collection is a paper based system, which is then stored in a secure place, such as a safe. However, manual privacy and deletion practices will need to be developed by the business itself which could lead to a greater risk of data breaches. Businesses also need to ensure appropriate hygiene practices are in place to protect customers and staff using the register.

Many businesses will be able to use their own website or third-party apps to collect and store the information, and we anticipate an increase in new products available for this purpose including one or more under development by the Government. One major advantage of app based solutions is the ability to capture information in a contactless manner. However, we anticipate that most businesses will also need to offer a paper-based option for customers who are unable or unwilling to access the relevant website or app.

Authorised use

Regardless of the manner of collection, care should be taken to ensure that personal information collected for COVID-19 purposes is separated from other data to ensure that it is not inadvertently used for any other purpose (such as marketing).

Under the Privacy Act 1993, a business may use personal information for other purposes provided it believes on reasonable grounds that such use is authorised by the customer. However, we are increasingly seeing the Privacy Commissioner remind businesses that to have “reasonable grounds” for such belief the business must have obtained clear, active and informed consent from the person concerned. It is therefore important to be very transparent about the intended use of the personal information. Businesses thinking about using the collected information for other purposes would be wise to consider how that is likely to be perceived by customers and how it will obtain appropriate authorisation from each customer.

Due diligence on third party providers

Businesses using third party apps should also ensure that they have carried out sufficient due diligence on the app provider to be confident that the terms of collection and storage are consistent with the business’s own privacy statement, that those terms will be adhered to, and that the information will be stored securely and be readily available if required.

Practical steps

Below is a summary of key steps to achieve privacy compliance while also meeting contact tracing obligations.

  • Write an effective privacy statement and have this prominently displayed at the point of collection and/or easily accessible when using a website or app. Refer above for an example.
  • Consider how to protect the personal information, for example if using a hard copy register, have one entry per page or a privacy sheet that covers previous entries.
  • Ensure that all personal information collected is stored securely and not used for any unauthorised purposes.
  • Diarise deletion reminders, and make sure deletion is carried out promptly and securely.
  • If considering using a third party app, identify and carry out due diligence on suppliers early – start now to avoid a last minute rush to get suppliers lined up.
  • If using an app or online register, maintain a physical register as a back-up for those unable to access the online version.

Who can help