Complying with Mandatory Sign-in Requirements and the Privacy Act

A recently enacted Public Health Order introduces mandatory requirements for all businesses to have record-keeping systems in place to record all visitors aged 12 and over for contact-tracing purposes. In addition, it requires that specified businesses in Alert Levels 2, 3 and 4 take reasonable steps to ensure that people scan in or make an alternative record when visiting the business. These requirements have been in force for businesses at Level 3 and 4 for some time, and as at 11:59 14 September are now in force for businesses at Level 2.

Businesses that must comply at Level 2 include (among others) cafes, restaurants, sports facilities, hairdressers, pharmacies and other health services.

These requirements to collect visitor information incur obligations under the Privacy Act 2020. Helpfully, the Office of the Privacy Commissioner (OPC) has released some guidance to assist businesses, summarised below.

Businesses using alternative record-keeping (i.e. non-QR code) systems must inform individuals of the purpose for which the information is collected. For this purpose, the OPC has provided a temporary privacy statement businesses can use, or alternatively they can use one of the Unite Against Covid-19 posters that contains a privacy statement at the bottom. The OPC has also provided a specific privacy statement for businesses that use an existing membership or visitor system (e.g. gyms).

The Privacy Act requires that organisations collect only the personal information needed to achieve the lawful purpose. The OPC recommends that businesses only collect name, contact number and date and time of the visit.

The Privacy Act also requires that businesses that hold personal information ensure that it is adequately protected against loss, unauthorised access and misuse. Practically, this includes using electronic security for digital records (e.g. encryption and user-access restrictions) and physical access controls (e.g. storing the information in a locked cabinet).

Importantly, businesses are advised to avoid using paper sign-in sheets where visitor information is visible to others, as this may lead to privacy breaches which may be notifiable to the OPC. Better options include putting slips of paper containing visitor information into covered and locked ‘ballot boxes’, an employee manually recording details on a visitor sheet not visible to other visitors, or an electronic system such as an app.

Information collected for contact-tracing purposes must also not be used for other purposes, such as mailing lists, and precautions must be taken to ensure it is not shared with other parties (except contact tracers).

Businesses are legally required to keep contact-tracing information for 60 days, after which time they must securely destroy or dispose of the personal information.

If you have any questions about complying with the sign-in requirements and privacy law, please get in touch.