New Zealand privacy law requires that anyone who handles personal information must do so in a transparent way and protect privacy. If your business deals with customers’ personal data, such as their names or location data, then you must comply with these privacy law requirements. This affects how you collect, store, use and disclose data. However, COVID-19 has brought a lot of change with it, and businesses have had to adapt. Your business may have to manage more personal data processing than it used to. So how does this affect your privacy law obligations? This article will provide some guidance regarding privacy in your business under COVID-19.

Contact Tracing

As a business, you must display a QR code for customers to check in using the COVID Tracer app. At Level 2 and higher, you also need to have an alternative tracking register for those who do not use the app. This is especially true if you run a business where it is difficult to socially distance, such as a restaurant or hairdresser. On this register, you note down a customer’s:

  • name;
  • phone number; and
  • date and time of visit.

You can use this data to identify an individual, so it counts as personal information. Therefore, your obligations under NZ privacy law apply. You need to protect customer privacy and ensure that customers are also aware that you are collecting this personal information. This applies to the following stages of handling the information.


You can only collect the information you need for contact tracing purposes. This is information that the Ministry of Health can use to contact a person should they come in contact with a COVID-19 case. You cannot collect data outside of this purpose, and you must let customers know that you are collecting this information and why. Only record what you need.

Storage & Security

Like any other personal data your business uses, you must make sure that any personal information you take in for COVID reasons is stored securely. For example, you could lock up your contact tracing register where you hold cash at the end of the day. Ensure that customers cannot see each other’s information on the register, as this could be a privacy breach.


You can only use the information you collect for its intended purpose. You cannot add the numbers or names you collect to your email marketing list, as this was not the purpose you collected it for.


Only disclose the information you collect for contact tracing with the relevant health authorities. If you think there is a COVID-19 risk, contact them first, and go from there.

It is a good idea to display a privacy statement next to your QR code or register, letting customers know what information you are collecting and why you are collecting it. You would list disclosure to the Ministry of Health for COVID contact tracing as one of your reasons. 

Working From Home

When working from home, it is crucial to maintain the same vigilance around privacy and cybersecurity as you would if you were working in the office. You still have to maintain the same security and care when accessing customers’ personal information from your device at home, so make sure you are doing so safely. 

Only use a trusted Wi-Fi network and try to use your work devices that already have the necessary security requirements. Using a VPN (virtual private network) would also be a good idea. If you have to use a shared space, do not leave devices unattended.

Access to Information

Your customers have a right to ask to:

  • access their personal information; and
  • correct it.

At all levels, the law still requires that you respond within 20 working days to these requests. However, you may be able to give a notice of extension if there is too much information to search through or there are any consultations that will delay access. If you cannot physically go into work because of lockdown restrictions, let the customer know this and reassure them that you can get the information once lockdown lifts. Make sure to ask the customer whether the request is:

  • urgent;
  • a priority; or
  • able to be delayed.

This will affect what kind of extensions you can give. As long as you respond within 20 days, if you have a legitimate reason, you should be able to delay giving a customer access to the personal information you hold. In some cases, you may be able to refuse outright – for example, if granting that customer access could infringe on another person’s privacy.

Key Takeaways

As we shift between levels during the pandemic, your business will likely deal with more personal information than it has in the past due to contact tracing and shifting operations online. However, this does not lessen your usual privacy obligations. You still have to make sure that customers’ personal information is secure and that you are protecting their privacy. Any disclosures you make related to COVID-19 regarding your customers should only be to the relevant health authorities.

Frequently Asked Questions

What is personal information?

Personal information is data that you can use to identify living individuals. This personal data includes full names, location data, or financial details.

What is contact tracing?

Contact tracing refers to the process that identifies all individuals that a COVID-19 patient could have come into contact with. Using the COVID Tracer app can help with this.

What are my business’s obligations around contact tracing?

At your business, you need to have a QR code sign for app check-in. At Level 2 and higher, have an alternative register that records customers’ contact details as well. Make sure you are only processing the personal data that you actually need.

How can I protect customer privacy during COVID-19?

Apply the same procedures you have for protecting customer privacy to the new personal information you take in for COVID-19 reasons. It is important to make sure you balance your customers’ fundamental rights to privacy against your disclosure requirements as an agency.
