Our website uses cookies so we can analyse our site usage and give you the best experience. Click "Accept" if you’re happy with this, or click "More" for information about cookies on our site, how to opt out, and how to disable cookies altogether.
We respect your Do Not Track preference.
As our response to COVID-19 changes across Aotearoa New Zealand, organisations should regularly review what personal information they are holding and check if they still need to collect and keep it.
For example, some organisations have information about their employees’ vaccination status, while others took information about their visitors for contact tracing.
Principle 9 of the Privacy Act 2020 states organisations should not keep personal information any longer than required.
Organisations can visit business.govt.nz for the latest guidance on COVID-19 public health order requirements or seek advice internally from their privacy officer.
Remember to also check if there are any other laws requiring certain types of information be kept for specific periods. For example, the Public Records Act 2005 establishes a regulatory framework for information and records management across the public sector.
Principle 5 of the Privacy Act states organisations must ensure there are safeguards in place that are reasonable in the circumstances to prevent loss, misuse or disclosure of personal information. Explore Principle 5 for details about safeguarding information.
One solution could be to create a schedule showing the types of personal information held and when it should be destroyed.
Principle 9 of the Privacy Act states that organisations must take reasonable steps to destroy or de-identify personal information when no longer needed. Identifying how the information was collected and stored can be key to efficiently completing this process.
If the information is stored in a hard copy, such as a paper-based register of contact tracing information, disposal might include secure shredding.
If the information is stored electronically in cloud-based storage, USBs or with a third-party provider, ensure the records are permanently destroyed including in any back-up system or offsite storage.
Employees may require training to ensure that personal information is securely destroyed.
The Privacy Act 2020 has an exception that applies if the collection, use or disclosure of personal information is necessary to prevent or lessen a serious threat to the life, health, or safety of any individual, or to public health or public safety.
The Privacy Commissioner provided detailed guidance about the serious threat to public health exception and the COVID-19 pandemic as part of High Court judicial reviews into the sharing of personal vaccination information.
You can find all the Ministry of Health’s Privacy Statements and Privacy Impact Assessments on their information gathering and use in relation to the pandemic here.
Employers that have a legitimate need to know an employee’s vaccination status can ask the employee for that information; for example, where the employee’s role is subject to a vaccine mandate, or where the information is material to a health and safety plan.
Information collected for the purpose of determining whether a person is vaccinated is protected by section 34B of the COVID-19 Public Health Response Act 2020 and can only be used for the purposes of the COVID-19 response. In particular, the employer can only hold, store, use or disclose the information for the purpose of:
A breach of this restriction can attract significant penalties and is considered to be an interference with the privacy of the individual for the purposes of the Privacy Act.
Visit the Ministry of Business Innovation and Employment’s (MBIE) for general assistance to businesses and workers about vaccines and the workplace, which includes privacy advice.
Visit this section of the Ministry of Health website for guidance for workplaces dealing with cases of COVID-19.
Some businesses will be required, or may choose, to check customers’ My Vaccine Pass in certain traffic light settings. It is their right to do so, with a few exceptions such as supermarkets, pharmacies and some other health services, food banks, and petrol stations.
The COVID-19 Public Health Response (COVID-19 Vaccination Certificate) Order 2021 sets out the information that vaccination certificates must show and requires the person’s name and date of birth to be displayed. This is so organisations or businesses can verify your identity if required.
Because this law requires personal information to be used in a certain way, it overrides the provisions in the Privacy Act. This means we cannot investigate complaints about these requirements.
You can see the Ministry of Health’s Privacy Impact Assessment for the My Vaccine Pass on their website here.
