| 4 min read

Privacy considerations for businesses establishing contact tracing

By  Kordia,
 27 May 2020

Customer entering pin number into machine at counter in cafe

For many businesses, New Zealand’s response to COVID-19 has meant quickly adapting to new ways of doing businesses – from contactless deliveries to using new eCommerce platforms to sell to customers. With so many other challenges competing for our attention right now, data privacy probably isn't front-of-mind.

At Alert Level 2 most businesses must maintain a contact tracing register with the full name, home address and contact details of workers, customers and guests, along with the time and date of their visit. This means businesses are now guardians of highly sensitive information, a responsibility that shouldn't be taken lightly. We only have to look at some recent local examples to see how misused information can cause damage to your business.

Earlier this month media reports surfaced of a worker at an Auckland fast food restaurant who took a customer's contact information from the store’s contact tracing register and used it to send her personal messages without her permission.  

“Contact tracing registers collect people’s information for a specific purpose,” says Aura Senior Security Consultant Petra Smith.

“Using that information for another purpose is a violation of trust, which as we saw in this case, impacted the business’ reputation as well as jeopardised the employee's job. This example shows why it’s really important to have good processes in place to protect sensitive data from misuse.”

Smith acknowledges it can be hard for businesses setting up new ways of working to know how they should protect sensitive information from misuse or accidental exposure.

“The measures we’ve seen in response to COVID-19 are unprecedented and the rules for businesses can change quickly. Just in the last couple of weeks official advice has changed on which businesses are required to keep a contact tracing register, what information needs to be captured, and how long records need to be kept for. For businesses trying to adjust to life at Level 2 it can be overwhelming to keep on top of what needs to be done.”

For businesses in this position, Smith recommends using the Privacy Act’s privacy principles as a guide on how to handle sensitive data.

“The principles can be applied to any situation where you’re handling personal data, so they’re a great guide if you need to make decisions quickly,” says Smith.


Only collect information you need

The more information you collect, the more responsibility you shoulder to keep it safe. At Level 2 businesses are required to collect personal information for those who enter the premise at any time for contact tracing purposes.  Storing this information could be a first for many local businesses who haven’t needed to before. If you plan to use a third-party mobile application, you’re responsible for the information it collects and stores on your behalf, so read the fine print to make sure it doesn’t collect any data beyond what is needed.


Explain why you must collect details

Let people know why you need their information, how you’ll use it, and when you might share it with someone else. Being transparent and open about the reasons for collecting data will help you manage your customers’ expectations and retain their trust. Informing customers that you’re required to collect this information to provide them with a service, and explaining that it will only be used as the law requires, is reassuring to people who might be reluctant to hand over their contact details. Having a written privacy policy can help you communicate this information to anyone who wants it.


Only allow data to be used for the purpose you collected it

It’s understandable that businesses are looking for ways to make up for any lost revenue during lockdown, but as tempting as it might be, contact tracing records aren’t an opportunity to add more customers to your newsletter or loyalty programme. Using people’s information for another purpose than the one you collected it for doesn’t just go against the Privacy Act, it can be upsetting and offensive to customers and end up damaging the relationship you’re trying to build. If you do want to reconnect with your customers, it’s best to keep the sign-up process completely separate from contact tracing registration so there’s no confusion.


Store data securely and restrict access to people who need to see it

If you’re keeping records digitally, you’re responsible for finding out what the vendor does to protect the data it collects on your behalf. Good security practices are also important, so limit the people who can access your business’ records and protect the accounts you use to log in with strong passwords and two-factor authentication. There are some contact tracing apps that keep user contact details and check-ins on their phone and don’t share it with the business at all. Paper records make it hard to stop people seeing details of others who have signed in, so businesses should think about how they can minimise exposure by having detachable sheets and removing them as soon as they’re full. You’ll need some secure storage space like a lockable cabinet to keep your records for the retention period. 


Only keep personal data as long as you need it

Businesses’ contact tracing records need to be kept for two months and then destroyed. Holding onto sensitive data longer than you need it just means you’re taking on extra cost and risk. Smith advises it’s easiest to manage your data privacy and security risks if you’ve got defined processes.

“Consistency is key. Most privacy breaches are a result of people taking shortcuts and bending the rules, rather than someone setting out to break them. Have clear processes for how you’ll collect, store and destroy data, and make sure everyone knows about them.”