COVID-19 and privacy considerations

15 Dec 21

The response to COVID-19 continues to involve the sharing of vast amounts of personal information.  

In light of the Government’s announcement of the development and use of Vaccine Certificates, sharing and collecting personal information looks set to become part of the new normal of conducting business in New Zealand.

However, there are checks and balances on the use of such information. Organisations should be aware of their obligations under the Privacy Act 2020 (the Act) which sets out the relevant legal framework.

Below we answer a number of privacy related questions specific to COVID-19 in the workplace.

Can employers ask workers whether they are vaccinated?

Yes, provided there is a legitimate reason (i.e. health and safety) for seeking that information. Note that workers are free to refuse to disclose their vaccination status, and, provided they have advised the worker of their intention to do so, the employer can assume that the worker is unvaccinated.

Where being unvaccinated could have implications on a workers ability to work, they should be advised of those potential implications, particularly where the employer intends to assume non-responsive workers are unvaccinated.

Can employers share workers’ COVID-19 information?

Personal information, including vaccination status, can only be used for purpose it was collected. For example, vaccination information collected for health and safety reasons could not be disclosed for commercial reasons (without consent of the individuals concerned). When seeking to collect personal information from workers, all of the potential uses of that information should be listed for the workers to consider.

How should workers’ COVID-19 information be stored?

All personal information must be stored securely. The Act requires personal information to be protected by the use of reasonable security safeguards against loss, unauthorised access, use, and disclosure. Storage systems (whether physical or digital) need to be robust.

Complicating factors

COVID-19 in the workplace sees the overlap of employers obligations under the Act intersect with the Health and Safety at Work Act 2015 (in particular the obligation to ensure the health and safety of persons connected with work), and the Employment Relations Act 2000 (including the duty of good faith and obligation to act fairly and reasonably), among other statutes.

Additionally, specific obligations apply to the organisations and workers encompassed by the COVID-19 Public Health Response (Vaccinations) Order 2021. The Order requires specific roles in MIQ facilities, border workers, health and disability, and education sectors to be performed by a vaccinated worker.

Each of the above statutes have their own fine/penalty framework for non-compliance.

Dealing with COVID-19 privacy issues

Privacy issues pertaining to COVID-19 are complex, novel, and subject to change. We suggest that organisations take a cautious approach to collecting COVID-19 information, and take specific advice when faced with uncertainty in this area.

At a minimum, organisations should ensure that requests for personal information relate to a lawful purpose, that information is held securely, and is used only in accordance with its stated purpose.


Want to know more? 

If you have any questions about these issues, please contact our specialist Employment Team who are available to assist.

PDF version: here.


For more information contact:

AJ Lodge