COVID-19: Practical steps for protecting privacy while contact tracing

Last updated 9 September 2021.

The need to protect privacy while enabling contact tracing for COVID-19 cases remains top of mind as more New Zealand businesses move between alert levels and the government mandates record keeping.

From 7 September 2021, record-keeping will become mandatory for many businesses at all alert levels.  This will include displaying the unique identifying code issued by the government (QR code) and also having another means of allowing people to record their visit.

Businesses will need to determine their specific obligations, but this article discusses the practicalities of maintaining contact tracing records (other than the government QR codes), in a way that complies with privacy law.

The basic requirements for contact tracing records

Under the Public Health Response (Alert Level Requirements) Order (No. 10) 2021 (Order), a contact record should contain:

  • the name of the person;
  • the date on which they entered the workplace or attended the gathering; and
  • a contact phone number.

It follows that no other information needs to be, or should be, collected, if the record is solely for contract tracing purposes.

The Order requires that contact records be retained for 60 days, and then disposed of after that time, if they are collected solely for contract tracing purposes.

What businesses need to tell their customers

As at any other time when a business collects personal information, it is important to keep your customers, and others whose information you collect, informed of what you are doing and why.  You must tell them:

  • why the information on the register is being collected;
  • who will hold the information;
  • who it may be given to; and
  • how long it will be kept.

You must also advise those using the register of their right to access and correct the information they provide.

All of this can be achieved by a simple privacy statement, along the following lines:

This information is being collected by [insert name of business or organisation] for COVID contact tracing purposes.  The information will be held securely by us for 60 days and will then be destroyed.  If you do not wish to provide this information, we may be unable to serve you or allow you onto our premises.  You may access your information, and request a correction, by emailing us at [insert email address].

Collection, storage, and use

Care must be taken to ensure that a person’s personal information, once collected, is not visible to others, such as subsequent customers.  It must also be stored securely to ensure there is no unauthorised access.

Methods of collection and storage

The simplest method of collection is a paper-based system, which is then stored in a secure place, such as a safe.  However, manual privacy and deletion practices will need to be developed by the business itself, which could lead to a greater risk of data breaches.  Businesses also need to ensure appropriate hygiene practices are in place to protect customers and staff using the register.  In particular, care should be taken to ensure that each individual’s information is not left in sight for subsequent visitors to see.  Using a ballot box, rather than a large sheet of paper, is one way to achieve this.

Authorised use

Regardless of the manner of collection, care should be taken to ensure that personal information collected for COVID-19 purposes is separated from other data to ensure that it is not inadvertently used for any other purpose (such as marketing).

Under the Privacy Act 2020, a business may use personal information for other purposes provided it believes on reasonable grounds that such use is authorised by the customer.  However, we are increasingly seeing the Privacy Commissioner remind businesses that to have “reasonable grounds” for such belief the business must have obtained clear, active, and informed consent from the person concerned.  It is therefore important to be very transparent about the intended use of the personal information.  Businesses thinking about using the collected information for other purposes would be wise to consider how that is likely to be perceived by customers, and how it will obtain appropriate authorisation from each customer.

Due diligence on third party providers

Businesses using third party apps should also ensure that they have carried out sufficient due diligence on the app provider to be confident that the terms of collection and storage are consistent with the business’s own privacy statement, that those terms will be adhered to, and that the information will be stored securely and be readily available if required.

Practical steps

Below is a summary of key steps to achieve privacy compliance while also meeting contact tracing obligations:

  • Write an effective privacy statement and have this prominently displayed at the point of collection and/or easily accessible when using a website or app.  Refer above for an example.
  • Consider how to protect the personal information, for example if using a hard copy register, have one entry per page, a ballot box, or a privacy sheet that covers previous entries.
  • Ensure that all personal information collected is stored securely, and not used for any unauthorised purposes.
  • Diarise deletion reminders, and make sure deletion is carried out promptly and securely.
  • If considering using a third party app, identify and carry out due diligence on suppliers early – start now to avoid a last minute rush to get suppliers lined up.
  • If using an app or online register, maintain a physical register as a back-up for those unable to access the online version.

Who can help