Scanning or signing in to become mandatory – some privacy implications

25 Aug 21

On 22 August it was announced that mandatory record-keeping is being introduced at all alert levels.

From one week after any alert level change that allows more businesses to open, it will become mandatory for certain businesses to ensure people entering their premises either scan in on the NZ COVID Tracer App or sign in manually.

The announcement and further comment from the Minister indicate:

  1. The obligation is put on the business, rather than any individual.
  2. It will require either scanning a QR code or making a manual record.
  3. It will apply to places where people gather consistently and in large numbers, such as cafes, restaurants, bars, concerts, and certain entities with a customer service counter.
  4. Retail and supermarkets will be exempt, including because they require mandatory face coverings.
  5. The rule will apply to children aged 12 and over.
  6. Enforcement includes possible fines.

Some business interest groups and commentators have raised concerns about compliance difficulties, including the risk of aggression from members of the public, and how far businesses can enforce the requirement when individuals refuse.

The record-keeping requirement also gives rise to privacy implications. It is possible that privacy concerns have made people hesitant to use the app and to sign in manually.

In 2020 the Privacy Commissioner publicly supported the NZ COVID Tracer App. The Ministry of Health’s updated Privacy Impact Assessment (released on 24 May 2021) also reflects that the app has various privacy protections and was designed with privacy in mind.

Manual record-keeping is much less controlled than the app. Following alert level changes in 2020, manual sign-in sheets appeared at almost every business, and they created privacy issues. Most were publicly displayed, and we all couldn’t help but notice our neighbours’ names as regular visitors to the local café. News media reported that individuals found themselves signed up to unsolicited mailing lists.

Businesses, as agencies under the Privacy Act, must comply with information privacy principles when collecting, storing, using, and disclosing personal information.

Strictly, when collecting manual sign-in information, businesses should be:

  1. making individuals aware of why the information is being collected, who will hold the information (including the Ministry of Health) and the particular law under which the collection is required;
  2. storing the information securely; and
  3. not otherwise using or disclosing the information.

Minister Hipkins suggested one measure that could be introduced for the new mandatory record-keeping is providing businesses with ballot boxes, limiting public disclosure of contact information.

Other sensible measures to comply with privacy principles would be to not display the sign-in sheet publicly, or at least to regularly refresh the sheet, and to securely store the collated records in a locked office.

Individuals also have a right to access their personal information. It is not entirely beyond the realms of possibility that an individual could request access to their manual sign-in information from a business directly. If the business still holds that information, it may have to facilitate access to it. However, if that information has been passed on to the Ministry of Health, such a request could rightly be transferred to the Ministry to respond to instead.

It would be helpful for the Government to clearly set out the record-keeping requirements once made, and how it expects businesses to comply with those requirements including privacy concerns.



Want to know more?

If you have any questions about this article, please contact our specialist Employment team.


For more information contact:

James Cowan