Reading time: 6 minutes

New Zealand privacy law requires that anyone who handles personal information must do so in a transparent way and protect privacy. If your business deals with customers’ personal data, such as their names or location data, then you must comply with these privacy law requirements. This affects how you collect, store, use and disclose data. However, COVID-19 has brought a lot of change with it, and businesses have had to adapt. Your business may have to manage more personal data processing than it used to. So how does this affect your privacy law obligations? This article will provide some guidance regarding privacy in your business under COVID-19.

Contact Tracing

As a business, you must display a QR for customers to check-in using the COVID Tracer app. At Level 2 and higher, you also need to have an alternative tracking register for those who do not use the app. This is especially true if you run a business where it is difficult to socially distance, such as a restaurant or hairdressers. On this register, you note down a customer’s:

  • name;
  • phone number; and
  • date and time of visit.

You can use this data to identify an individual, so it counts as personal information. Therefore, your obligations under NZ privacy law apply. You need to protect customer privacy and ensure that customers are also aware that you are collecting this personal information. This applies to the following stages of handling the information.

Collection

You can only collect the information you need for contact tracing purposes. This is information that the Ministry of Health can use to contact a person should they come in contact with a COVID-19 case. You cannot collect data outside of this purpose, and you must let customers know that you are collecting this information and why. Only record what you need.

Storage & Security

Like any other personal data your business uses, you must make sure that any personal information you take in for COVID reasons is stored securely. For example, you could lock up your contact tracing register where you hold cash at the end of the day. Ensure that customers cannot see each others’ information on the register, as this could be a privacy breach.

Usage 

You can only use the information you collect for its intended purpose. You cannot add the numbers or names you collect to your email marketing list, as this was not the purpose you collected it for.

Disclosure

Only disclose the information you collect for contact tracing with the relevant health authorities. If you think there is a COVID-19 risk, contact them first, and go from there.

It is a good idea to display a privacy statement next to your QR code or register, letting customers know what information you are collecting and why you are collecting it. You would list disclosure to the Ministry of Health for COVID contact tracing as one of your reasons. 

Working From Home

When working from home, it is crucial to maintain the same vigilance around privacy and cybersecurity as you would if you were working in the office. You still have to maintain the same security and care when accessing customers’ personal information from your device at home, so make sure you are doing so safely. 

Only use a trusted wifi system and try to use your work devices that already have the necessary security requirements. Using a VPN (virtual private network) would also be a good idea. If you have to use a shared space, do not leave devices unattended.

Access to Information

Your customers have a right to ask to:

  • access their personal information; and
  • correct it.

At all levels, the law still requires that you respond within 20 working days to these requests. However, you may be able to give a notice of extension if there is too much information to search through or there are any consultations that will delay access. If you cannot physically go into work because of lockdown restrictions, let the customer know this and reassure them that you can get the information once lockdown lifts. Make sure to ask the customer whether the request is:

  • urgent;
  • a priority; or
  • able to be delayed.

This will affect what kind of extensions you can give. As long as you respond within 20 days, if you have a legitimate reason, you should be able to delay giving a customer access to the personal information you hold. In some cases, you may be able to refuse outright – for example, if granting that customer access could infringe on another person’s privacy.

Key Takeaways

As we shift between levels during the pandemic, your business will likely deal with more personal information than it has in the past due to contact tracing and shifting operations online. However, this does not lessen your usual privacy obligations. You still have to make sure that customers’ personal information is secure and that you are protecting their privacy. Any disclosures you make related to COVID-19 regarding your customers should only be to the relevant health authorities. If you would like more information or help with meeting your COVID-19 privacy obligations, contact LegalVision’s privacy lawyers on 0800 005 570 or fill out the form on this page.

Frequently Asked Questions

What is personal information?

Personal information is data that you can use to identify living individuals. This personal data includes full names, location data, or financial details.

What is contact tracing?

Contact tracing refers to the process that identifies all individuals that a COVID-19 patient could have come into contact with. Using the COVID Tracer app can help with this.

What are my business’s obligations around contact tracing?

At your business, you need to have a QR code sign for app check-in. At Level 2 and higher, have an alternative register that records customers’ contact details as well. Make sure you are only processing the personal data that you actually need.

How can I protect customer privacy during COVID-19?

Employ the same procedures you have for protecting customer privacy to the new personal information you take in for COVID-19 reasons. It is important to make sure you balance your customers’ fundamental rights to privacy against your disclosure requirements as an agency.

About LegalVision: LegalVision is a tech-driven, full-service commercial law firm that uses technology to deliver a faster, better quality and more cost-effective client experience.

The majority of our clients are LVConnect members. By becoming a member, you can stay ahead of legal issues while staying on top of costs. From just $119 per week, get all your contracts sorted, trade marks registered and questions answered by experienced business lawyers.

Learn more about LVConnect

Need Legal Help? Get a Free Fixed-Fee Quote

If you would like to receive a free fixed-fee quote or get in touch with our team, fill out the form below.

  • 2019 Top 25 Startups - LinkedIn 2019 Top 25 Startups - LinkedIn
  • 2020 Excellence in Technology & Innovation – Finalist – Australasian Law Awards 2020 Excellence in Technology & Innovation Finalist – Australasian Law Awards
  • 2020 Employer of Choice – Winner – Australasian Lawyer 2020 Employer of Choice Winner – Australasian Lawyer
  • 2020 Fastest Growing Law Firm - Financial Times APAC 500 2020 Fastest Growing Law Firm - Financial Times APAC 500
  • 2020 Law Firm of the Year Finalist - Australasian Law Awards 2020 Law Firm of the Year Finalist - Australasian Law Awards
  • Most Innovative Law Firm - 2019 Australasian Lawyer 2019 Most Innovative Firm - Australasian Lawyer