Spotlight on Privacy: Ensuring Privacy Obligations are met during COVID-19 Alert Levels
24 Aug 2020With Auckland currently at Alert Level 3 and the rest of New Zealand at Alert Level 2, businesses and services must be able to contact trace any person who enters the workplace and support physical distancing in the workplace.
At 11.59am on 19 August 2020 it became mandatory for businesses and services to display a copy of the official NZ COVID Tracer QR code near the main entrances of the workplace, or in a prominent place.[1] However, businesses and services are also required to have other systems in place to support contact tracing of persons entering the workplace who are not using the NZ Covid Tracer app.
Privacy considerations
When using systems other than the QR code to contact trace, businesses and services will need to consider the protection of an individual’s personal information and the Privacy Act’s Information Privacy Principles (IPP).[2] A privacy breach can occur where there has been a breach of any IPP and that breach caused harm to the individual. The IPP’s can be applied to contact tracing systems in the following ways:
IPP 1 – Purpose of collection of personal information
The purpose of collecting the information should be made clear to the individual. In this case the purpose may be to assist in contact tracing possible contacts of Covid-19 cases in accordance with the Covid-19 Public Health Response (Alert Levels 3 and 2) Order 2020. A short privacy statement may be sufficient to make individuals aware of the purpose of collection.
Any information collected should be directly linked to the purpose of collection. Accordingly, collection of information should be limited to only that needed to contact trace the individual. A business or service may only need limited information to achieve this, such as the individual’s name, time of visit, and a phone number or email address.
IPP 5 – Storage and security of personal information
It is important for a business or service holding personal information to reasonably protect that information from access, misuse, modification, and disclosure. This is specifically applicable to businesses and services which collect personal information via a paper register recording several individuals’ details on each page and can be accessed by anyone attending the workplace. This type of system may breach an individual’s privacy and may be a risk for businesses and services.
A possible alternative would be to have a staff member collect and hold the information. Doing this may prevent access to the information by other persons. This may also prevent contamination of surfaces (e.g. sharing pens/stationery).
Contact tracing information should be stored securely after work hours to minimise any potential loss, or misuse of the information.
IPP 9 – Agency not to keep personal information for longer than necessary
The information collected from individuals should only be held by the business or service for as long as is necessary to contact trace individuals entering the workplace. Therefore, information should only be kept while there is a need to have the information. Once there is no longer a need for that information it should be securely disposed of.
IPP 10 – Limits on use of personal information
As the purpose for collection sets out how the business or service will use the individual’s information, the information collected should not be used in any other way except where it is authorised by the individual.
IPP 11 – Limits on disclosure of personal information
It needs to be clear to individuals that the information may be disclosed to the relevant agency to assist in contact tracing people who may have come into contact with Covid-19.
By reviewing contact tracing systems with the IPP’s as a focus, potential privacy breaches may be minimised.
Our specialist team at DTI Lawyers can assist you in relation to privacy law, including review of policy and compliance as well as privacy training. To discuss specific matters please contact our experts on 07 282 0174.
Content from: www.dtilawyers.co.nz/news-item/spotlight-on-privacy-ensuring-privacy-obligations-are-met-during-covid-19-alert-levels