Privacy considerations for Covid-19 contact tracing registers and tools - August 2020

Friday, August 14, 2020

With the re-emergence of “community transmission” of Covid-19 in August 2020, and the associated change to Level 3 in Auckland and Level 2 in the rest of New Zealand, businesses are now required to do more to help facilitate effective contact tracing. While compliance is mandatory, we suggest businesses are mindful to ensure they do not inadvertently expose customers or clients to privacy issues.

Contact tracing and privacy concerns

One of the key methods for successfully curtailing the spread of Covid-19 is contact tracing – identifying anyone who may have been exposed to the virus through contact with an infected person. While the act of contact tracing itself is a largely manual process, businesses and public facilities in New Zealand are familiar with the various types of tools to support this process by making it easier and faster to contact people who may have been exposed to the virus.

Because gathering data for contact tracing is a crucial part of supporting efforts to protect public health, anyone maintaining a contract tracing register should consider and address the privacy risks for individuals who provide their data. As long as people are confident their data will be kept safe and used only to facilitate contact tracing, there is likely to be a high degree of willingness to share their information. However, any data breaches or unauthorised use of personal information are likely to erode public trust in these systems.

Who needs to keep contact tracing registers

For regions operating under Level 3 restrictions, all businesses are required to maintain contact tracing registers for people on the premises. This includes employees and visitors (such as maintenance workers). Customers cannot come onto your premises — unless you are a supermarket, dairy, petrol station, pharmacy or permitted health service.

For regions operating under Level 2 restrictions, all non-retail businesses are required to maintain contact tracing registers for all people on the premises – this includes employees, visitors and customers. Retail businesses, malls and takeaway food outlets do not need to keep contact tracing registers for customers, but they are required to keep records of other visitors (such as maintenance workers) and employees.

The NZ COVID Tracer app and QR Codes

By 19 August 2020, all businesses must display the government QR code poster for use with the NZ COVID Tracer app.

The NZ COVID Tracer app was launched by the Ministry of Health as a “digital diary” enabling people to keep track of their movements and share these with the National Close Contact Service. This app was developed in consultation with the Office of the Privacy Commissioner (OPC) and has been described as a privacy-friendly solution for contact tracing. However, this app does not replace the obligations on businesses to keep their own contact tracing registers.

How other apps and other systems fit in

Alongside the NZ COVID Tracer app, many businesses and public-facing organisations have implemented other various systems to record visitor details to enable later contact tracing. These include smartphone apps and websites that have been set up for the purpose of contact tracing. While using these apps can provide an easy way to collect details for contact tracing, without careful execution these apps could have some potential pitfalls.

In May, the OPC published a stocktake of tracing apps, and the Privacy Commissioner has stated that complaints to the OPC could lead to liability for the business and the technology platform provider. The Commissioner has also suggested the government should regularly review contact tracing apps to check how the data is collected and stored. It is therefore important to ensure that you are aware of your responsibilities and the potential risks relating to contact tracing apps and registers.

Types of potential contact tracing data breaches

Under New Zealand’s privacy laws, once personal information has been collected from an individual, the agency that holds it is responsible for managing that information properly – this means keeping the information secure, giving the individual access to their information upon request, and being careful about using and disclosing it.

The Privacy Act also places limits on the use of personal information collected for a particular purpose. Personal information collected for the purposes of contact tracing must not be used for any other reason, subject to limited exceptions in the Privacy Act. One example of “what not to do” made headlines after an employee of a fast-food outlet used a customer’s contact tracing details to approach her on various social media platforms and send text messages – certainly not the purpose for which the customer provided her details.

Another possible misuse of personal information could arise if contact details given for the purposes of contact tracing are used for other purposes such as direct marketing and promotional activity. While some existing customer loyalty apps have been repurposed to capture customer details for contact tracing, if the contact tracing information is not ring-fenced away from the customer loyalty data this repurposing could give rise to privacy issues.

Contact tracing apps and websites also carry the risk of larger-scale data breaches, as has occurred overseas. In the Netherlands, a contact tracing app suffered a data breach affecting approximately 200 individuals. Therefore we suggest that any system put in place for recording individual details for contact tracing has robust protections to prevent data breaches.

Noting the risks around apps and websites, you may think that going analogue could be a way to avoid these issues. However, a paper-based contact tracing register raises its own potential problems, particularly for staff and organisations that do not normally handle customers’ personal information. An unattended visitor log left at the entrance of the premises would allow previous entries to be viewed or even copied by later visitors or passers-by, and there have been reports of lost pages found on footpaths, all of which potentially places the individuals and their personal information at risk. It is important to consider ways that customers can provide their details without the risk of these being disclosed to others – for example, entering details on individual slips of paper that are put in a box or otherwise concealed from view, or keeping the contact tracing register at a counter that is continually staffed.

How to collect and store contact tracing data safely

The following steps can help you avoid unnecessary risk of privacy breaches associated with contact tracing registers:

  • Consider where and how the data is being stored. Is the database stored on a New Zealand server or using an overseas storage provider? How robust are the protections on the database to prevent data breaches? Will the provider inform you if there is a breach?
  • Ensure all staff are aware that details provided for contact tracing are not to be used for any other purpose – this includes not just personal approaches but also work-related contact such as marketing. Monitor access to and use of this information to check whether there’s been misuse.
  • Contact tracing data should be retained for no longer than two months – this is a sufficient period to cover the incubation period of the virus. Check that you have systems in place to ensure contact tracing data is safely destroyed after the designated time period.  
  • Paper-based visitor registers should be monitored to ensure that written entries cannot be copied or viewed by any unauthorised third parties, and past entries should be removed or concealed from public view.

Get in touch

Duncan Cotterill’s privacy experts are here to help, if you have any queries or need advice on best practice for managing your customers’ private information. Please feel free to get in touch with our data protection and privacy team if you require further assistance.


Disclaimer: the content of this article is general in nature and not intended as a substitute for specific professional advice on any matter and should not be relied upon for that purpose.

Share this publication