11 Oct 2021
Author: Andrea Twaddle

As management of Covid-19 in the community develops, including the use of the Covid-Tracer App, vaccinations, vaccine certificates and rapid-testing in the workplace, there are important privacy considerations that need to be addressed. We set out common questions following about Covid-19 and information requests. 

Can I be made to sign into businesses? 

Yes. The Covid-19 Public Health Response Act created a power to place all or parts of New Zealand into Alert Levels and prescribe associated rules. 

The mandatory requirement for businesses to display QR codes to improve contract tracing are enabled by this Act, as is the requirement to ‘scan in’ when entering businesses. 

What about my privacy when I scan or sign into a business? 

Proportionate measures to prevent the spread of Covid-19 will be justified.  The Government remains bound by the Privacy Act when it collects information through the Covid Tracer App. This requires that data is collected, stored, accessed, and shared consistently with obligations under the Privacy Act. For example, not sharing information with other agencies. 

Where Scanning QR codes is not used, and businesses use a register, there is a need for businesses to also meet privacy obligations. Under the current Order (which provides the legal backing for current Alert Level restrictions), if a business or service keeps a contact record for the sole purpose of enabling contract tracing, they must dispose of it after 60 days. The information should not be used for any other purpose. 

There have been calls for increased privacy protections for contact tracing data, but greater legal protections have not yet been actioned. (For example, introducing penalties for the misuse of contact trading information, preventing businesses from asserting multiple purposes for the collection of information such as for contact tracing and marketing purposes). 

What is personal information? 

Personal information is data that identifies a living individual. This includes your name, location data, financial and medial information. 

I’m a business, how can I protect the information I collect on my Covid-19 visitor register? 

Customers should not be able to see anyone else’s information when they enter their details.  An open sheet or register left in a public facing position where personal information is visible to others gives rise to risk of a privacy breach.  An option is to use a ballot box where customers fill out the required information on a paper form and this is put into the box (i.e. full name, phone number or contact email, date and time of visit). Alternatively, staff could enter customer details on a device where details are not seen by customer.   

Information should be stored safely, and when no longer needed, disposed of securely.   

If you are in business, we encourage staff to be trained to understand privacy obligations owed by your business, including only collecting the minimum information necessary, the need to store it safely and that it must be held for 60 days before being safely destroyed. 

I’m a business, if someone asks for their personal information, what do I do? 

Customers have a right to ask to access their personal information, and if necessary, to have it corrected. At all Alert levels, an information request must be responded to within 20 working days. However, notice of an extension may be given in certain circumstances (for example, where due to lockdown restrictions you are not able to physically access work to obtain the information).   

Can I ask if people in a business that I want to visit are vaccinated? 

You are entitled to ask if people in a workplace (including schools) are vaccinated. However, individuals must give their consent for this personal information to be shared. They are entitled to refuse to disclose their vaccination status. 

Is my employer allowed to ask if I am vaccinated? 

Yes, an employer may ask workers whether they are vaccinated, and a worker may consent or decline to provide that information. Businesses should be advising workers what the question is being used for (which will ordinarily be for the purposes of a health and safety assessment of the workplace), and any presumption if the information is not provided. For example, if a worker refuses to advise their vaccination status, that they will be presumed not to be vaccinated. 

If a business asks for personal information, such as vaccination status, it should be able to provide you with information about where the information will be securely stored, who may access the information, and what purpose might it be used for. 

Some workforces are covered by mandatory vaccination. This is to be extended to high risk workers in the education and health sectors under a revised Covid-19 Public Health Response Vaccination Order.[1] In those circumstances, it is reasonable for an employer to be requesting vaccination status from employees in order to prepare for and meet their obligations under that Order.

What are vaccine certificates and vaccine passports and how are they used? 

Vaccine passports are certificates establishing proof of vaccination and are linked to a holder’s identity. The concept of a vaccine passport was introduced to enable the sharing of information electronically, with a vaccine passport electronically linked to an actual passport and thereby enabling international travel.   

Vaccine certificates operate in the same way, without the potential link to a passport. In New Zealand, the Government has indicated that a digital vaccination certificate will contain a QR code.  Those who are unable to be vaccinated or who choose not to for medical, religious or other reasons could apply for an exemption, which would be accessible digitally.   

Another alternative is a health passport or pass, which could confirm the individual’s vaccine status, that they have tested negative for the virus or have recovered from it.   

Each of these options provide a consistent means of collecting information about aspects of a person’s Covid status, and thereby enabling those receiving the information to make more accurate risk assessments and manage those risks accordingly.   

While vaccine certificates, passports and health passes may play a significant role in economic recovery, in allowing the easing of Covid-induced restrictions, there are real concerns in the development of vaccine certificates and passports from a privacy perspective (how broadly information may be shared) and inequities (e.g. those who are unable to receive a vaccine will be potentially discriminated against). There are also questions about the need for developing an entirely new IT system/app where individuals can access and display information such as vaccine status via current health apps such as MyIndici. 


Managing Covid-19 requires balancing many competing rights and interests, including rights to privacy.  For further details for employment and privacy related matters, you are welcome to contact our team of specialist lawyers on 07 282 0174. The DTI Lawyers commercial and property law specialists can also be contacted on that number. 


[1] In health, those high risk workers who will be required to be vaccinated under the Order include general practitioners, pharmacists, community health nurses, midwives, paramedics and all health workers where vulnerable patients are treated. This also covers people who work at aged residential care, home and community support services, Kaupapa Maaori health providers and Non-Government Organisaitons who provide health services. In education, this includes all school staff including home-based educators, teacher-aides, administration and maintenance staff and contractors who come into contact with children and students.

About the Author
Andrea Twaddle
Andrea is an experienced specialist employment lawyer and Director at DTI Lawyers. She advises on contentious and non-contentious employment law issues, including privacy, and health and safety matters. Andrea is AWI-CH qualified, and undertakes complex workplace investigations. She is a member of the national Law Society Employment Law Reform Committee, a former Council Member at the WBOP District Branch of the Law Society, and Coordinator of the WBOP Employment Law Committee. Andrea is a sought-after commentator and speaker on employment law issues at client and industry seminars. She provides specialist, strategic advice to other lawyers, professional advisors and leadership teams. You can contact Andrea at andrea@dtilawyers.co.nz