Privacy law update: contact tracing and recent high court case
There have been two recent notable privacy developments. The first concerns contact tracing obligations arising from COVID-19, where there are now new obligations to maintain records for contact tracing purposes. There is also an app provided by the Ministry of Health for individuals to maintain a diary of whereabouts in case a need arises to trace their contacts. The other development is a recent High Court case that has clarified the definition of “personal information” where another person’s information also appears on a document to be provided in response to an information request. We discuss both of these developments in this update.
We also thought it timely to remind you that the new Privacy Bill is expected to commence on 1 November 2020. While it is still before Parliament, we expect it will be passed soon, and so now is the time to get your privacy policies and practices reviewed to ensure you are compliant with your privacy obligations.
Contact tracing register
On 14 May 2020 the COVID-19 Public Health Response (Alert Level 2) Order 2020 came into effect. It has since been amended, with effect on midday 29 May 2020. This article discusses the obligations under the Order as amended.
Among other matters, the Order requires various organisations and certain persons to keep records to enable contact tracing. There are two types of records envisaged, one in respect of workers and one in respect of other persons (i.e. your customers and visitors).
What records need to be kept can be summarised as follows:
| Who has a record keeping obligation | Who is to be recorded in the record |
| --- | --- |
| All businesses and services | All workers who enter the workplace or carry out work for the business or service |
| Non retail businesses and services, including public and event facilities | People who enter the workplace, use its services, or carry out work for the business or service |
| Certain retail businesses, such as a business or service that cannot operate without physical contact or close proximity (e.g. hairdressers) | People who enter the workplace or use its services |
| Food and drink businesses, where food and drink can be consumed on those premises (e.g. cafes) | Customers or clients, whether or not they are paying |
| The organiser and the person in control of the facility or premises at which there is a social gathering of not more than 100 persons who do not know each other, including where a facility or the premises of a business or service are hired as a venue. | People at the gathering |
Note: Businesses and services include not for profit services, but exclude not for profit sports bodies. The not for profit sports bodies are still subject to the gatherings record requirements. Certain matters are also excluded from the Order, such as people using public transport services.
The record required must contain three things in relation to each individual who is recorded:
- the person’s full name;
- an effective means of communicating with them (e.g. an active phone number or email address);
- the date on which, and the times at which, the person arrived and left the relevant place.
The amendment to the Order made a number of changes that have affected record keeping requirements. For instance, it removed the requirement to collect residential address information and replaced the specific gathering requirements (e.g. for a funeral service or tangihanga) with a general requirement around social gatherings. It increased permitted gatherings from 10 to 100 persons. It also brought the services provided by small passenger service vehicles within the exclusion in relation to public transport services.
The Government’s COVID-19 website provides that the information for each individual must be kept for two months and then destroyed. This means the obligation is essentially to keep a two month rolling record of who was at your premises. The obligation to record this information has already begun. The need to destroy will start on 14 July 2020, when the information collected on the first day of Alert Level 2 will need to be destroyed.
Overlaid on these requirements are the usual privacy obligations. This means all the privacy principles under the Privacy Act 1993 (the IPPs) apply to the collection, storage, use and disclosure of these records. Importantly, this means you need to:
- Let people know you are collecting this information and tell them the things required by IPP 3, including that the information is being collected under the Order, that its collection is mandatory, that the Ministry of Health and the DHBs can be provided with the information, and the consequences of not providing the information (namely they may not come into your workplace). This information can be provided by use of a visible privacy statement (or advised orally when the information is collected).
- Protect the records, as required by IPP 5, by such security safeguards as it is reasonable in the circumstances to take.
It is also important to emphasise that as this information is collected for a specific purpose it cannot be used for any other purpose, and must not be used to send any marketing communications. If you want to sign customers up to marketing communications, that needs to be done separately.
The Government’s COVID-19 website has examples of the form of paper register that could be used. These can be found here. If you use a paper register, to comply with IPP5, you must ensure that the register pages are not visible to the public (unless the individual consents to collection via a visible register). We recommend that any such register is completed by an employee of the organisation to enable the information to be kept confidential and also reduce any risk of contact via a pen or touching of the paper by each individual who is recorded. While the forms on that website allow for a signature, this is not a requirement of the Order, and is not something that needs to be recorded. The address column in that form is also no longer required.
There are also a number of apps available to organisations to enable this information to be captured electronically, including through the use of QR codes. Some apps were created before the Order was issued, so it is important to check any app you use complies with the Order. However, as the need to record address information has been removed, it is likely that most, if not all, apps will now comply with the Order. The Privacy Commissioner has also now reviewed the available apps from a privacy perspective, and you can see their assessment here.
If you need any help understanding your privacy obligations under the Order please get in touch.
COVID Tracer app
Alongside these requirements on organisations, the Ministry of Health also released its COVID Tracer app. This is a voluntary initiative which can be used by individuals to keep track of where they have been (i.e. the individual’s own digital diary).
Organisations can help make it easier for individuals using the COVID Tracer app by registering with Business Connect (which is a part of the Ministry of Business, Innovation and Employment) and printing out posters with a QR code for their organisation. Individuals then just need to scan the QR code to log that they have visited that business in their own digital diary.
However, this app does not replace an organisation’s own record keeping obligations outlined above. Accordingly, it will be important to explain to customers and visitors that the organisation also needs the individual’s details for its own record keeping obligations and that it does not get that information from the individual using the COVID Tracer app. An organisation may also need posters for two QR codes: one for the QR code generated by any app the organisation uses for its own records, and one for the QR code generated from Business Connect for individuals using the COVID Tracer app. An explanation of the need to scan both QR codes would also need to be given to individuals.
High Court Case on the meaning of Personal Information
Just prior to the country entering Alert Level 4, the High Court released its judgment in Taylor v Chief Executive of the Department of Corrections NZHC 383. This case involved an appeal by Mr Taylor against a Human Rights Review Tribunal decision on the definition of “personal information” under the Privacy Act 1993. The key question was what constitutes “personal information”. This term is essential to understanding the obligations of privacy throughout the entire Act.
Mr Taylor had made a broad request for all his personal information from the Department. The Department provided the information; however it withheld the names and contact details of staff on emails provided. The Tribunal found that the information withheld was not personal information about Mr Taylor and so should not be disclosed.
The Privacy Commissioner and the Director of Human Rights Proceedings (who both intervened in the case given the important question being raised) advocated for a broad definition of “personal information”, and for leaving any need to filter content to be addressed in the response to access requests. Mr Taylor adopted the Privacy Commissioner’s submissions on the definition of this term, and argued that his personal information should include the names of the officers redacted so he would know which officers were mentioning him, and how often.
The Court said that the term “‘personal information’ is a legal definition that sets the boundaries within which the privacy principles operate”. It was not prepared to give the term a wide meaning, as that would have ramifications for all of the privacy principles, not just access requests.
This meant the question to be considered was whether the redacted information was Mr Taylor’s personal information. The Court agreed with the Tribunal that Mr Taylor’s personal information is information “about” Mr Taylor. It concluded that the redacted information “while appearing on the same pages as Mr Taylor’s personal information, was not ‘about’ him. It was essentially administrative information.”
The Court also dismissed an argument that the information was mixed information about the corrections staff members in the emails and Mr Taylor. The Court said that the “information that is plainly Mr Taylor’s personal information merely appears on the same page as the redacted information (the personal information of the Corrections officers). The two are not intertwined and the material provided to Mr Taylor is not rendered unintelligible by reason of the redactions.”
This case helps clarify the redactions that can be made when providing documents to an individual who has requested their personal information. For instance, if personal information happens to be in an internal email and the sender and recipient have no relevance to the personal information, then details of the sender and recipient of the email can be redacted.
There are also a number of specific grounds on which information can be redacted from requested documents. If your business deals with privacy information requests and you need help working out what can be redacted from documents containing the requester’s personal information please get in contact with a member of our team.
Business Law Team
Gerard Dale, Claire Evans, Graeme Crombie, Evelyn Jones, Anna Ryan, Joelle Grace, Nicola Hardy, Peter Orpin, Ellen Sewell, Matt Tolan, Carlo Wan, Kristina Sutherland, Jacob Nutt, Danita Ferreira, Whitney Moore, Alex Stone, Stephanie Bode, Ben Cooper, Cameron Hart, Lisa Catto