COVID-19 and data protection: What you need to know (updated)
New Zealand businesses are facing unprecedented challenges during the COVID-19 pandemic.
As we adapt to Alert Level 4, it is important to remind ourselves that, while privacy laws do not hinder measures taken in the fight against COVID-19, even in these exceptional times, businesses must ensure the protection of information about identifiable individuals (personal information).
We offer the following general guidelines, and we are here to assist you to ensure that your business continues to comply with privacy laws as your work practices might change during the period of self-isolation and remote working.
Working from home: What security measures should businesses have in place?
Our privacy laws do not inhibit working remotely or implementing different work practices. But, in many cases, staff may be using their own devices and communication equipment.
Right now, Duncan Cotterill is utilising Skype, Zoom, Teams, WhatsApp and other tools to keep communication flowing within and between teams – and with our clients.
Privacy laws do not prevent this but do impose security requirements.
Specifically, businesses need to ensure that the personal information they hold is protected by such security safeguards as it is reasonable in the circumstances to take, against:
- unauthorised access, use, modification, or disclosure; and
- other misuse.
Consider implementing the same kinds of security measures for remote working that you’d use in normal circumstances. If you are not able to, then your ability to comply with privacy law will turn on what security safeguards would be reasonable in the circumstances to take.
(Consider also that cyber-attacks may increase during these exceptional times, as hackers prey on vulnerability.)
Can I collect COVID-19 health information from employees or visitors to my organisation?
While it is reasonable to ask people to tell you if they are experiencing COVID-19 symptoms or are at risk (for example, because they visited a particular country), these exceptional times do not necessarily mean you need to gather lots of information about employees or visitors to your organisation.
Our privacy laws require that:
- Organisations do not collect personal information by unlawful means, or by means that (in the circumstances of the case) are unfair or intrude to an unreasonable extent on the personal affairs of the individual concerned.
- Organisations collecting personal information should collect that information directly from the individual concerned. There are only limited exceptions to this rule.
Consider the extent to which the information is relevant to protecting the health and safety of your employees, and whether such collection may intrude too far into the individual’s personal affairs.
Note that the Government has implemented registers for relevant businesses which are required for contact tracing. The requirements can change at short notice, so monitor the official COVID-19 website (www.covid19.govt.nz) and the website of the office of the Privacy Commissioner for details.
Can you tell your staff that a colleague may have contracted COVID-19?
In short, yes. Employers should keep staff informed about cases within the organisation – because you have an obligation to ensure the health and safety of your employees, as well as a duty of care.
Our privacy laws do not prevent sharing such information. Ideally, the individual who may be the source of the exposure would not be identified, but this may be unavoidable in the context of a small business, for example.
An employer may disclose personal information about a member of its staff if the employer believes, on reasonable grounds, that the disclosure is necessary to prevent or lessen a serious threat to “the life or health of the individual concerned or another individual” or to “public health or public safety”.
Consider whether the communication needs to name the individual concerned. Remember that the starting point from a privacy perspective is that an employee has a right to expect that their health information is kept confidential from other employees. So, the employer needs to apply discretion in deciding whether or not to disclose the nature of any injury, illness or condition.
Can I share health information with authorities?
As COVID-19 is now a notifiable disease under the Health Act 1956, there are obligations to notify the Medical Officer of Health under that legislation.
The occupier or person in charge of premises where a person suffers from any sickness of which symptoms create a reasonable suspicion that it is a notifiable infectious disease (such as COVID-19) is under a duty to consult a medical practitioner, or to notify the local authority of the existence of a disease expected to be a notifiable infectious disease.
Our privacy laws do not inhibit this.
Even if you have not had a request from a Medical Officer, our privacy laws may permit you to tell a Medical Officer. Our privacy laws recognise that personal information may be used or disclosed where you believe that the use or disclosure is necessary in order to prevent or lessen a serious threat to public health or safety.
Get in touch
Duncan Cotterill’s privacy experts are here to help, if you have any queries or need advice to ensure continued privacy compliance through these unprecedented challenges of the COVID-19 pandemic. Please feel free to get in touch with Michael Moyes, Jonathan Forsey or another member of our data protection and privacy team if you require further assistance.
Disclaimer: The content of this article is general in nature and not intended as a substitute for specific professional advice on any matter and should not be relied upon for that purpose. While we make every effort to ensure the accuracy of the information contained in this article, this is a rapidly changing environment and the information will be subject to change.