At 11:59am Wednesday 12 August 2020 the COVID-19 Public Health Response (Alert Levels 3 and 2) Order 2020 came into effect (Order).
Among other matters, the Order sets out requirements for contact tracing. There a couple of key changes from the previous Level 2 Order. The first change is that most businesses will need to display the Government QR code in a prominent place at or near the main entrances to the workplace. This covers businesses that are open in Auckland under Alert Level 3 and businesses open in the rest of the country under Alert Level 2. This new requirement comes into effect from 11:59am on 19 August 2020.
The previous Level 2 Order prescribed certain record keeping requirements, including the type of information to be collected by businesses. The new Order does not prescribe what information is to be collected. Instead, it requires businesses (in addition to the QR code) to have other systems and processes in place to support contact tracing of persons who enter the workplace (i.e. customers and visitors) or carry out work for that business (i.e. employees and contractors).
The Order does not specify what these other systems and processes may be. They could potentially be a requirement to scan the QR code in order to enter the workplace or for the business to separately collect information on those persons. If your systems and processes involve collecting information, we suggest only collecting name, time of visit, and either an email address or phone number so persons who enter the workplace can be contacted by health authorities if that is required. We recommend keeping an eye on the COVID-19 website for further updates.
As with the previous Level 2 Order, for social gatherings in places subject to Alert Level 2, there is also a requirement on the organiser and the person in control of a facility or premises at which there is a social gathering of not more than 100 persons who do not know each other to keep records of the people at the gathering to enable contact tracing.
We note that businesses required to comply with the above obligations include not for profit services, but exclude not for profit sports bodies operating in places subject to Alert Level 2. Such not for profit sports bodies are still subject to the gatherings record requirements.
Overlaid on these requirements are the usual privacy obligations. This means all the privacy principles under the Privacy Act 1993 (the IPPs) apply to the collection, storage, use and disclosure of any personal information that a business collects in connection with the Order. Importantly, this means you need to:
- Let people know you are collecting this information and tell them the things required by IPP 3, including that the information is being collected to fulfil the business’ obligations under the Order, that the Ministry of Health and the DHBs can be provided with the information, and the consequences of not providing the information (namely they may not come into your workplace). This information can be provided by use of a visible privacy statement (or advised orally when the information is collected).
- Under IPP5, the records must be protected, by such security safeguards as it is reasonable in the circumstances to take.
It is also important to emphasise that as this information is collected for a specific purpose it cannot be used for any other purpose, and must not be used to send any marketing communications. If you want to sign customers up to marketing communications, that needs to be done separately.
If you use a paper register, to comply with IPP5, you must ensure that the register pages are not visible to the public (unless the individual consents to collection via a visible register). We recommend that any such register is completed by an employee of the organisation to enable the information to be kept confidential and also reduce any risk of contact via a pen or touching of the paper by each individual who is recorded.
If you need any help understanding your privacy obligations under the Order please get in touch.