By Vaughan Granier 

Contact tracing is a key component in maintaining readiness to address any new case or outbreak of COVID-19 as New Zealand moves steadily towards Alert Level 1 and towards a significant freeing up of the economy. Along with testing and isolation, contact tracing is one of the three core components we require to prevent any isolated cases turning into an outbreak, and therefore to keep us at our reduced Alert level.

The ending of the State of National Emergency restored some restrictions on the sharing of private information, which was able to occur more freely under the Emergency Code to assist in the response to the “serious threat to public health or safety”. What that included can be found in more detail here. New provisions (section 11) are included in the COVID-19 Public Health Response Act 2020 to ensure that contact tracing can occur “without impediment”, and these are valid only for one month each time.

As a business owner, there are some important things you need to know about contact tracing for COVID-19. Here we outline what you need to know so that your business remains compliant.

So, what is contact tracing exactly?

According to the New Zealand Government, contact tracing ensures that we can track and trace an individual’s movements and contacts during the period BEFORE they tested positive or were aware of being ill, thus enabling the Government to quickly warn those people and isolate potentially infectious cases to reduce or prevent transmission.

Contact tracing involves the passing on of private personal information, and this carries with it significant concerns for the safeguarding of personal information. This information includes:

  • Full name;
  • Email address and/or phone numbers;
  • Home address; and
  • Location information (date and time of visit).

Non-retail businesses should record all details of all visitors, but retail companies are not required to store details of all customers.

The ideal, of course, is where all information is retained by the individual until they are requested or required to release it to the contact tracing agency, rather than being collected and retained by venues and businesses that the individual visits. When the information is retained by the individual, privacy is not breached in any way. Where information is collected and retained by people, venues and businesses visited by an individual, then the Principles of Privacy Protection kick in.

The Privacy Act, and guidelines issued by the Privacy Commissioner, control or set out the requirements for businesses which record personal information to safeguard that information and use it properly. There are 12 Privacy Principles, but only some of these apply specifically to contact tracing for COVID-19 purposes. The relevant ones are:

Principle 1 – personal information must only be collected when the purpose is lawful, and collecting it is necessary (this is commonly accepted to be lawful under COVID-19).

Principle 2 – it must usually be collected from the person the information is about.

Principle 3 – people should know:

  • why is the information being collected?
  • who will get the information?
  • is collecting the information compulsory or voluntary?
  • what will happen if the information isn’t provided?

Principle 4 – it must not be collected unlawfully, unfairly or in a way that is obtrusive (it is acceptable to say that if a person will not provide their information or record their presence, then they may not be admitted to the premises).

Principle 9 – personal information must not be held for longer than is necessary for the purposes for which the information may be lawfully used.

Principle 10 – anyone collecting information may ONLY use it for COVID-19 tracing purposes.

Principle 11 – agencies can only disclose personal information where disclosure is for the purpose for which the agency got the information.

Don’t break the rules

In the context of these restrictions, as a business that might collect such information, the requirements are very strict to protect the privacy of information against any unlawful access or from being used for the wrong purpose. You may have seen in the media cases of officials such as police members or medical staff accessing an individual’s personal information on work databases, for non-work purposes, and consistently the consequences are severe.

It might be very tempting to access the contact details of visitors to a site for marketing or sales follow-up reasons, but in the context of Principles 10 and 11, using that information for ANY purpose other than COVID-19 contact tracing would be illegal. Where a business appoints a person to manage and oversee that information, it would be illegal to allow someone else, such as the sales and marketing manager, to access these details. In another example, say an unknown customer dents the CEO’s car in the car park and leaves without providing details. It would almost certainly be unlawful, even if it was very convenient, for the business to access the contact tracing database for that day to try and find who caused the damage (it might be okay for the police to do that, however).

Principle 2 might get a bit fuzzy when one family member provides details about another family member (e.g. husband and wife), but it would not be okay to provide details on behalf of another adult.

Principle 4 can easily be breached when asking people to state their details out loud – e.g. “Please state your full name, phone number and address” in the presence of strangers. This should be avoided by ensuring the individual has full privacy in the provision of details.

Principle 9 can easily be breached as well: when one day COVID-19 appears to be over, all information collected for contact tracing purposes should then be destroyed. This is also likely to be a bit fuzzy and confusing as we do not know when this pandemic will be over. The Government has repeatedly said this virus “has a long tail”, and we have seen new cases appear four weeks after the likely infection date. We recommend retaining information under very strict security until an official date is notified, and if no notification is made, then set a date in the future to ask the Privacy Commissioner for advice.

An ideal contact tracing process would be:

  1. Equip the site to use the COVID-19 Contact Tracing App.
  2. Request individuals to log on before accessing the venue.


  1. Have written templates available to be filled out, or an electronic access system such as an iPad.
  2. Written templates should be a page per person, or in some other way secure against the next individual seeing the previous person’s data.
  3. No verbal information to be passed over unless circumstances ensure complete privacy.
  4. Notify the individual:
    • That it’s voluntary to provide the information.
    • Why it’s being collected.
    • Where it’s being stored and how it’s secured.
    • Who has access to it (they can contact this person with queries).
    • When it will be destroyed.
  5. Have a dedicated person receiving that information confidentially and storing it securely (not left on a clipboard on the reception desk, for example).
  6. Ensure that individuals know who to contact if they need to advise of infection or suspected infection.
  7. Ensure they know to whom and how to report suspected misuse of their private information.

We hope this provides some clarity around contact tracing and the collection of private information. Please feel free to contact HR Assured with any further questions.

Vaughan Granier is the National Workplace Relations Manager for HR Assured NZ. He has over 24 years’ experience in international human resources, health and safety, and workplace relations management. With over 10 years working in New Zealand and Australian companies, he provides in-depth support to leadership teams across all areas of HR, Health and Safety, and employee management.