The shift in Alert Levels in parts of the country means that the signaled mandatory record keeping requirements are now in effect. That means that certain businesses are required to take all reasonably practicable steps to ensure each visitor aged 12 and over either scans in using the NZ COVID-19 Tracer app or provides an alternative contact record. Those records need to be kept for 60 days.
Only certain businesses are legally required to comply with the mandatory contact record regime (essentially, those permitted to operate during Alert Levels 3 and 4).
But you should expect that similar requirements will be rolled out for a broader range of businesses as we move down Alert Levels. Now is the time for all businesses to ensure that their contact records systems are working and compliant.
You are responsible for ensuring that your alternative contact record system works in a way that enables you to meet your obligations under the Privacy Act 2020. The Privacy Commissioner has published useful guidance about what this means for your business in practice.
By way of quick rundown:
- A paper sign-in register system that enables visitors to see the details of other people is not permissible under the Privacy Act 2020. If you have previously relied on that system, you will need to roll out a replacement.
- A ballot-box, text in system (to a special purpose mobile phone number), and manual collection by an employee are each likely to be permissible from a privacy perspective. The key point is ensuring your system is secure and does not inadvertently disclose the details of your visitors to other visitors.
- You need to make visitors aware of the fact and purposes for which your business is collecting contact information. For most businesses, providing a simple statement alongside your record keeping system will do the trick. The Privacy Commissioner has suggested the following language: This information is being collected to assist in the management of the COVID-19 pandemic. It will be given to public health officials in the event that it is required for contact tracing. We will not use it for any other purpose and will destroy it after 60 days. It will be kept securely here at [name of the establishment].
- Crucially, the system you use should be set up in a way that allows you to quickly retrieve relevant contact information. Storing the information by date (and ideally time) is essential. If you are using a ballot box system, this means clearing the box at the end of each day and providing a space for visitors to record their time on the ballot slip. Ballots should be securely stored, perhaps in an envelope for each day.
- Don’t collect more information than you need to – where possible, limit your collecting to a visitor’s name, contact number, and date and time they visited.
Don’t use information you collect for contact tracing for other purposes – do not use a visitor’s information to send them marketing materials (unless you have separately obtained their permission).
- Keep your records secure – don’t let employees view your records if they do not need to. If you are using a cellphone to receive contact information, don’t use the phone for other purposes and keep it in a secure location at all times.
- When the mandatory 60 day retention period is up, destroy the records securely.