What you need to know:

  • The Government has introduced new mandatory requirements on businesses to take reasonable steps to collect and maintain records of individuals’ visits to their premises for the purposes of enabling Covid-19 contact tracing.

  • The new requirements will apply to businesses operating at Alert Levels 3 and 4 from Wednesday 8 September 2021, and for other businesses (such as cafes and hairdressers) operating at Alert Level 2 from Wednesday 15 September.

  • The new requirements potentially entail affected businesses collecting and storing large amounts of personal information, raising questions as to what steps they need to take to ensure they process and store that information in compliance with the Privacy Act 2020.

  • The Office of the Privacy Commissioner (OPC) has helpfully released guidance designed to assist businesses in this regard.


To increase the capability and utility of New Zealand’s contact tracing systems, the Government has recently enacted the COVID-19 Public Health Response (Alert Level Requirements) Order (No 11) 2021.

The Order introduces mandatory requirements for businesses to have record-keeping systems and processes in place to enable a contact record to be kept of all visitors over the age of 12 (including employees and customers).

In addition, at Alert Levels 2, 3 and 4, businesses that are within the scope of the Order will be required to take reasonable steps to ensure that people scan in, or make an alternative record, when they visit the business for the purposes of enabling effective Covid-19 contact tracing. These requirements are already in force for businesses operating at Alert Levels 3 and 4, with the requirements for businesses operating at Alert Level 2 coming into force at 11:59 pm 14 September.

Businesses that will be required to comply at Alert Level 2 include (among others) cafes, restaurants, sports facilities, hairdressers, pharmacies and other health services.  

Affected businesses will quite rightly be concerned about compliance with their Privacy Act 2020 (Privacy Act) obligations given the large influx of personal information they may receive as a result of having to implement these requirements, and the subsequent implications, and potential liability, of being responsible for all of that personal information.

The Office of the Privacy Commissioner (OPC) has recently released guidance to assist businesses in ensuring that they can remain compliant with the Privacy Act. This FYI summarises the OPC guidance and provides other practical tips for businesses to consider.

Transparency requirements

Businesses using alternative record keeping systems (ie non-QR code systems) must inform individuals of the purposes for which the information is collected.  

The OPC has provided a template privacy statement that businesses can use if they have set up a separate system for the sole purpose of complying with these requirements. Alternatively, businesses may use one of the Unite Against COVID-19 posters containing a privacy statement at the bottom to let people know why their information is required.

The OPC acknowledge that some businesses, such as gyms, may use an existing membership or visitor system to collect contact records, and has provided a template privacy statement that businesses may use in that scenario.

Collection of personal information

The Privacy Act requires organisations to collect only personal information that is necessary to achieve the lawful purpose. The OPC recommends that businesses only collect the following information for contact tracing purposes:

  • name;
  • contact number; and
  • date and time of the visit.

Security of personal information

Under  the Privacy Act businesses that hold personal information must ensure that the information is adequately protected against loss, unauthorised access and other misuse.

This means businesses should ensure that their record keeping systems and processes are secure and operate effectively to protect the personal information collected - this includes electronic security for digital records (such as encryption and user-access restrictions) and physical access controls (such as storing the collected information within a locked cabinet).  

Importantly, businesses are advised to avoid using paper sign-in sheets where visitors’ personal information is visible to other visitors, as this may lead to privacy breaches which may, in turn, be notifiable to the OPC.

Rather than public sign-in sheets, businesses should consider utilising more privacy-enabling methods such as a ‘ballot box’ (in which customers can place a paper note containing their personal information in a covered and locked box), an employee manually recording details on a record sheet not visible to other visitors, or an electronic system such as an app.

Businesses should be conscious that any system should facilitate fast access to the data in an authorised manner in the event that the information is required to be used for contact tracing purposes.

Use and disclosure of information

Information which businesses collect solely for contact tracing purposes must not be used for other purposes, such as for a mailing list. Additionally, precautions must be taken to ensure that the information is not shared with other parties, other than contact tracers where necessary. 

Retention of information

Business are legally required to keep the contact tracer information for 60 days, after which time they must securely destroy or dispose of personal information which has been collected.

Special thanks to Toby Major for his assistance in writing this article.


Related Articles