Up Again New Zealand: Privacy and Data

Intellectual Property and Technology

1. Can an employer carry out temperature monitoring and other health checks on employees and visitors prior to them entering work premises?

Employers should check employment agreements to assess whether they provide any broad consent that would allow temperature screening. If employees agree to regular temperature checks, there should not be an issue. An employer can always ask as long as it is clear that the employee can refuse without fear of reprisal.

At Level 1, temperature checking would be permissible with individual consent, and there is a right to turn away private business. From a privacy perspective, if, for example, a business was using thermal imaging cameras, it should include clear signage advising individuals of that fact and directing them to where they could find more information about the purposes of collection, who information could be disclosed to, etc. The same restrictions around use and disclosure of information as those set out above also apply in respect of information collected from visitors to the premises.

From a data privacy perspective, employers are permitted to check employees’ and visitors' temperatures and carry out other health checks provided that:

  • the manner of collection is not unfair or overly intrusive; and
  • employers comply with New Zealand's usual disclosure/privacy statement requirements – for example, ensuring employees and visitors are aware their temperature is being collected, of the purposes of collection, of the intended recipients of the information, and of the consequences if the employee or visitor does not allow collection of the information.

If, for example, a business was using thermal-imaging cameras, it should include clear signage advising individuals of that fact and directing them to where they could find more information about the purposes of collection, and who information could be disclosed to. 

In terms of what can be done with that information, it should be used or disclosed only for the purposes for which it was collected (which highlights the importance of making this clear to employees and visitors before collection). The information could also be used and disclosed to prevent or lessen a serious threat to public health and safety or the life or health of the relevant individual or another person (for example, disclosure to health authorities for contact-tracing purposes may fit within this exception, though it would be better to inform employees and visitors upfront that this type of disclosure may be made). 

The information collected from a health check of an employee or visitor would likely be “health information” for the purposes of the Health Information Privacy Code 1994 (HIP Code). The HIP Code only applies to “health agencies” (for example, medical practices and rest homes), so is not of general application to all businesses.  All employers accredited under the Accident Compensation Act 2001 are health agencies and, in respect of health information, will need to comply with the HIP Code. 

The HIP Code imposes obligations broadly similar to those under the Privacy Act 1993 (Privacy Act), which sets out the privacy obligations in respect of general personal information, but can impose stricter or additional obligations on collection, storage, use and disclosure of health information.

Under the HIP Code, the right to disclose health information on the grounds that such disclosure is necessary to prevent or lessen a serious threat to public health or safety, or the life or health of the relevant individual or another person only applies where it is not desirable or not practicable to obtain authorisation from the individual concerned.

2. Can an employer ask employees and visitors to complete a questionnaire on whether they are experiencing typical COVID-19 symptoms, have been in contact with an infected individual, or recently travelled to high risk countries?

The answer immediately above also applies. Employers may ask employees or visitors to complete a questionnaire on whether they are experiencing typical COVID-19 symptoms, have been in contact with an infected individual, or recently travelled to high-risk countries, provided that employers comply with the usual disclosure/privacy statement requirements – for example, ensuring employees and visitors are aware this information is being collected, the purposes of collection, the intended recipients of the information and the consequences if the employee or visitor does not allow collection of the information.

The same restrictions around use and disclosure of information as those set out in the answer immediately above also apply in respect of information collected from a questionnaire.

Information collected about the COVID-19 symptoms of an employee or visitor is health information for the purposes of the HIP Code.  The same restrictions around use and disclosure of health information as those set out in question 1 also apply in respect of COVID-19 diagnoses and antigen test results.

3. Can an employer require their employees to notify them if they or a member of their household has contracted COVID-19, or that they have the antigen?

The response to temperature monitoring/checks above also applies.  Employers may ask their employees to notify them if they or a member of their household has contracted COVID-19, or that they have the antigen, provided that employers comply with the usual disclosure/privacy statement requirements.

New Zealand's Privacy Act also requires that personal information be collected directly from the individual concerned. However, information can be collected from another source where collection from the individual is not reasonably practicable in the circumstances. Collecting information about employees' family members from the employee (not the family member directly) would likely be permitted on the basis that it is not practicable for an employer to directly contact employees' family members.

The same restrictions around use and disclosure of information as those set out in the section on temperature monitoring/checks above also apply in respect of information collected about COVID-19 diagnoses and antigen test results.

A diagnosis that a person has contracted COVID-19 or that they have the antigen is health information for the purposes of the HIP Code, so the same HIP Code restrictions around use and disclosure of health information as those set out in the section above on temperature monitoring/checks also apply (but only if the employer is subject to the HIP Code).

4. Can an employer tell their employees that a colleague may have potentially contracted COVID-19?

An employer may tell their employees that a colleague may have potentially contracted COVID-19, provided that such disclosure to other employees is one of the purposes for which that information was collected (which usually means it was a purpose notified to the individual at the time the information was collected), or if disclosure is necessary to prevent or lessen a serious threat to public health and safety or the life or health of the relevant individual or another person.

Under the HIP Code, the right to disclose health information on the grounds that such disclosure is necessary to prevent or lessen a serious threat to public health or safety, or the life or health of the relevant individual or another person only applies where it is not desirable or not practicable to obtain authorisation from the individual concerned. Accordingly, employers subject to the HIP Code should take extra care when making this kind of disclosure.

Best practice would be to notify individuals at the time the information is being collected that the information may be disclosed to the employee's colleagues.

Additionally, under the Privacy Act and the HIP Code there is an obligation to take all reasonable steps to ensure that, having regard to the purpose for which the information is proposed to be used, information is accurate, up to date, complete, relevant and not misleading before use of that information.  Employers should obtain as much information as reasonably practicable about the likelihood of the relevant employee having contracted COVID-19 before telling other employees that a colleague has potentially contracted COVID-19. For example, it could be misleading to notify employees that a colleague may have potentially contracted COVID-19 where the relevant individual had been in contact with a confirmed COVID-19 case but had subsequently tested negative for COVID-19. This also applies to the potential uses of information referred to in other questions, but is particularly relevant if information is to be disclosed to other individuals because of the increased risk of embarrassment or other harm. 

5. Can an employer share information with a health authority about COVID-19 cases they become aware of?

An employer may share information with a health authority about COVID-19 cases it is aware of, provided that such disclosure is one of the purposes for which that information was collected or is necessary to prevent or lessen a serious threat to public health and safety or the life or health of the relevant individual or another person. 

Under the HIP Code, the right to disclose health information on the grounds that such disclosure is necessary to prevent or lessen a serious threat to public health or safety, or the life or health of the relevant individual or another person only applies where it is not desirable or not practicable to obtain authorisation from the individual concerned.

Best practice would be to notify individuals at the time the information is being collected that one of the purposes of collection is to notify the relevant health authorities of any COVID-19 cases it becomes aware of.

Employers should take all reasonable steps to ensure that any information shared with a health authority is accurate, up to date, complete, relevant and not misleading.

6. Can an employer send employees’ health data to one of their affiliates outside the EEA or otherwise in another jurisdiction?

Yes, provided that such disclosure is in accordance with the purposes for which that health data was collected.

Amendments to New Zealand's Privacy Act, due to come into effect in 2020, will introduce a regime restricting the offshore transfer of personal information. Transfer of personal information outside New Zealand will generally only be permissible if:

  1. the individual concerned authorises the disclosure after being expressly informed that the overseas recipient may not be required to protect the information in a way that, overall, provides comparable safeguards to the Privacy Act;
  2. the overseas recipient is carrying on business in New Zealand and the discloser believes on reasonable grounds that the recipient is subject to the Privacy Act in respect of the information;
  3. the discloser believes on reasonable grounds that the overseas recipient is subject to privacy laws that, overall, provide comparable safeguards to those in the Privacy Act;
  4. the discloser believes on reasonable grounds that the overseas recipient is subject to privacy laws of a country or a binding scheme specified in regulations made under the Privacy Act; or
  5. the discloser believes on reasonable grounds that the overseas recipient is required to protect the information in a way that, overall, provides comparable safeguards to those in the Privacy Act (for example by way of confidentiality provisions in an agreement between the discloser and the recipient).

To prepare for the amendments, we generally recommend that our clients ensure any overseas recipients of personal information to which the Privacy Act applies (including in the case of international intra-group transfers) sign an agreement requiring the recipient to protect the information in a way comparable to the protections in the Privacy Act.

Although no other countries or schemes have been “whitelisted” for the purposes of the fourth exception above, we expect transfer to jurisdictions with stringent privacy laws (such as GDPR) will be permitted, either because those countries will be specified in regulations or because the third exception will be satisfied.

7. Can an employer monitor how employees move around the workplace to help keep social distancing rules?

Whether such monitoring is allowed will depend on the manner in which the monitoring is carried out. An employer can monitor the movements of employees, provided that:

  • the manner of collection is not unfair or overly intrusive; and
  • employers comply with the usual disclosure/privacy statement requirements – for example, ensuring employees and visitors are aware their movements are being monitored, the purposes of collection of such information, the intended recipients of the information and the consequences if the employee does not allow collection of the information.

For example, monitoring employees using surveillance cameras in bathrooms or changing rooms would likely be considered overly intrusive. 

8. Does an employer need to comply with any other GDPR principles or local privacy laws, when collecting data for the purpose of tackling COVID-19?

Employers in New Zealand must comply with the Privacy Act 1993. 

In addition to the obligations described above, employers should be aware that individuals have a right to access any personal information that an agency holds about them and to request correction of that information.

An employer must ensure that any personal information it holds is protected by such security safeguards as are reasonable in the circumstances to take against loss, unauthorised access, use, modification, disclosure or other misuse. 

Employers must not keep personal information for longer than is required for the purposes for which the information may lawfully be used. Depending on the type of data, COVID-19 information may only be required for a relatively short time (for example, to assess whether an employee returning from overseas has contracted the virus while travelling). Employers should have in place processes for deleting this information when it is no longer required.

9. What are the risks if I am in breach of the GDPR or local privacy laws?

Under the Privacy Act, where an Information Privacy Principle (the principles which outline the obligations and restrictions on collection, storage, use and disclosure of personal information) has been breached and that breach has caused harm to the individual subject of the breach, a complaint can be made to the Office of the Privacy Commissioner. The Privacy Commissioner has the power to investigate a complaint (or to investigate an interference with privacy on the Commissioner's own initiative) and to act as a conciliator between the complainant and the agency whose action is the subject of the complaint.

The Commissioner can use best endeavours to secure a settlement of the complaint and an assurance that the action will not be repeated. Where a settlement and/or assurance is not reached following an investigation, the matter could be referred to the Human Rights Review Tribunal (HRRT). The HRRT can make binding decisions including awards for damages. The HRRT has the discretion as to whether and what amount of compensation should be awarded (up to a maximum of NZD350,000). The most the HRRT has awarded for a privacy matter to date is just over NZD168,000, for an extremely egregious interference with privacy. 

As general guidance, the HRRT has said that, unless there is good reason for awarding nothing or a low amount, damages for cases at the less serious end of the spectrum range from NZD5,000 to NZD10,000; more serious cases can range from NZD10,000 to around NZD50,000; and the most serious cases will range from NZD50,000 upwards.

10. Are employers permitted to ask employees to undergo virus testing? 

If an employee is showing symptoms that suggest they are not fit to be at work, the employer could request that they obtain a medical certificate from a GP confirming that they are fit to work. This would need to be at the employer's cost and will not necessarily involve the GP carrying out a COVID test.

From a privacy perspective, virus testing as instructed by a GP would be permitted provided that:

  • the manner of collection was not unfair or overly intrusive (even if the COVID-19 test is relatively invasive, there are no real alternatives so, in the circumstances, the test is unlikely to be considered unreasonably intrusive); and
  • employers comply with the usual disclosure/privacy statement requirements – e.g. ensuring employees are aware of the purposes of collection, the intended recipients of the information and the consequences if the employee does not allow collection of the information.

The same restrictions around use and disclosure of information as those set out in relation to employee temperature testing also apply.