Privacy update: COVID-19 and contact tracing

Today, 24 August 2020, the Prime Minister announced that the current Alert Level restrictions would continue for a further week and the following week would see the whole country at Alert Level 2. This status means contact tracing requirements continue in place.

In the weekend (in fact from 11:59pm on Saturday 22 August 2020) these requirements were updated when the COVID-19 Public Health Response (Alert Levels 3 and 2) Order (No 2) 2020 came into effect (Order).

The Order replaces the previous Alert Levels 3 and 2 Order (Previous Order), and makes a number of changes, including in relation to contact tracing. For that reason, this article both updates our previous article and sets out in full all of the requirements around contact tracing.

Key requirements

As with the Previous Order, most businesses and services will need to display the Government QR code in a prominent place at or near the main entrances to the workplace. This covers businesses and services that are open in Auckland under Alert Level 3 and businesses and services open in the rest of the country under Alert Level 2.

The Order also requires businesses and services (in addition to the QR code) to have other record-keeping systems and processes in place to enable the contact tracing of all persons who enter the workplace.

Businesses and services required to comply with these obligations include not for profit services, but exclude not for profit sporting, recreational, social or cultural activities operating in places subject to Alert Level 2.

Such not for profit bodies are still subject to the gatherings record requirements though – see below.

A failure to comply with the contact tracing requirements is an infringement offence under the COVID-19 Public Health Response Act 2020.

New requirements for an Alert Level 3 area

The new Order also contains additional requirements in relation to contact tracing for businesses and services in the Alert Level 3 area (i.e. Auckland).

Businesses and services in the Alert Level 3 area (other than category A and B businesses (i.e. rental car services, veterinary services, supermarkets and pharmacies), education entities and public transport services) must, to the greatest extent practicable, have systems and processes in place to ensure that each person who enters the workplace:

  • scans the QR code for the workplace; or
  • provides details in a contact tracing record that the person in control of the workplace collects.

The contact tracing record must include the name of the person, the date on which and time at which the person entered the workplace, and a telephone number that may be used to easily contact the person. The person in control of the workplace must keep the record collected for a period of 30 days.

Requirements for an Alert Level 2 area

The Order does not specify what the “other record-keeping systems and processes” may be for Alert Level 2 businesses and services. However, guidance can be taken from the updated requirements for Alert Level 3, for example the requirement to scan the QR code in order to enter the workplace or for the business or service to separately collect information on those persons.

If your record-keeping systems and processes involve collecting information, we suggest only collecting name, time of visit, and either an email address or phone number so persons who enter the workplace can be contacted by health authorities if that is required. We recommend keeping an eye on the COVID-19 website for further updates.

As with the Previous Order, for social gatherings in places subject to Alert Level 2, there is also a requirement on the organiser and the person in control of a facility or premises at which there is a social gathering of not more than 100 persons who do not know each other to ensure that one of them or a participant keep contact tracing records to enable contact tracing in relation to the social gathering.

Privacy obligations

Overlaid on all these requirements are the usual privacy obligations. This means all the privacy principles under the Privacy Act 1993 (the IPPs) apply to the collection, storage, use and disclosure of any personal information that a business or service collects in connection with the Order. Importantly, this means you need to:

  • Let people know you are collecting this information and tell them the things required by IPP 3, including that the information is being collected to fulfil the obligations of the business or service under the Order, that its collection is mandatory (if the QR code is not scanned), that the Ministry of Health and the DHBs can be provided with the information, and the consequences of not providing the information (namely they may not come into your workplace). This information can be provided by use of a visible privacy statement (or advised orally when the information is collected).
  • Under IPP5, the records must be protected, by such security safeguards as it is reasonable in the circumstances to take.

It is also important to emphasise that as this information is collected for a specific purpose it cannot be used for any other purpose, and must not be used to send any marketing communications. If you want to sign customers up to marketing communications, that needs to be done separately.

If you use a paper register, to comply with IPP5, you must ensure that the register pages are not visible to the public (unless the individual consents to collection via a visible register). We recommend that any such register is completed by an employee of the organisation to enable the information to be kept confidential and also reduce any risk of contact via a pen or touching of the paper by each individual who is recorded.

If you need any help understanding your privacy obligations under the Order please get in touch.

Click here for other Corporate Law or COVID-19 articles.

Meet the team that makes
things simple.

Graeme Crombie