This Data Collection Policy sets out the way personal information collected via COVIDTracing is handled in accordance with the Privacy Act,1993. The Privacy Act 1993 regulates us through the Information Privacy Principles as to how we collect, use, hold, disclose, access, correct, manage and dispose of your personal information.
Type of personal information collected, and intended purpose & usage
Personal information is collected for the express purpose of contact tracing for health officials and the requirements for businesses to operate under Government’s guidelines for contact tracing.
Neither the business owner, nor the end customer needs to download or install any new software or app.
For the purposes of clarity, each reference made to “customer” is to be interpreted as the individual that is visiting a business location where the business owner has opted to use CovidTracing for contact tracing compliance.
Registered businesses display a QR code at the entrance to their premises or at any other location deemed suitable by the business owner.
Customers scan the QR code with the camera on their phone and are then redirected to the Registration page.
When customers register by scanning the QR code at a business location Covid Tracing will ask them to consent to the collection of the following information:
- Full name
- Email address
- Mobile phone number
- Age group (optional)
- Gender (optional)
At the same time the IP address and mobile browser information through which the registration took place is also saved
Upon entering the details mentioned above, a 4 digit, one-time verification code is displayed on the customers’ mobile screen.
The customer then shows the 4 digit code to the business owner, designated staff or associates at checkout to get verified.
Data concerning each visit at each location is held in our system for 60 days, after which it is automatically deleted forever.
No backups of data older than 60 days is kept by CovidTracing
How will personal information be stored?
When customers register at a business, data is transmitted over SSL and saved securely on web servers are hosted in New Zealand. All reasonable steps are taken to ensure the ongoing security, fidelity and accuracy of information stored. However, a customer is responsible for entering accurate information to begin with.
What customer information is shared with the Business
The business owner, or any users within a business can only ever see the customers’ name and the last 4 digits of their mobile numbers.
Customer information may also be shared with any relevant Government Health Departments that are registered as an authorised Government Agency with CovidTracing.co.nz.
Current process for Medical teams accessing COVIDTracing (subject to change)
Registered health agencies can request access to your personal information. The procedure is driven by your consent and happens through the following steps:
If you have tested positive for Covid-19, a registered health agency will login to the CovidTracing system using their authorized access.
They will be able to locate you by entering your mobile number which you would have provided at a testing facility where you underwent tests for Covid-19 or any other infectious disease to which principles of contact tracing are applicable.
To view your information, the health agency will request for your consent.
Their request will generate an SMS which is sent to your registered mobile number with instructions on how to grant consent.
Once you have granted consent, the requesting agency will then be able to see your details and begin contact tracing
Contact tracing might also reveal all the other locations you would have previously registered at.
Only the last 60 days of movements are available
What if I don’t get SMS verification asking for consent
In the event of a technical failure, or for any other unavoidable reason, if you are unable to receive the consent link, you can also retrieve the consent link via email. The process is identical to the one outlined above, with the only difference being the medium through which you grant consent. Its either by SMS or by email.
What happens if you don’t give consent to the health agency ?
Consent is driven by you. You have the right to decline consent for contact tracing, unless it becomes enforceable by Law.
In the event you decline consent, COVIDTracing will not share your information with any health agency.
COVIDTracing may share data if we believe it’s required by applicable law, regulation, operating license or agreement, legal process or governmental request, or where the disclosure is otherwise appropriate due to safety or similar concerns. This includes sharing personal data with law enforcement officials, public health officials, other government authorities, or other third parties.
Storage and Security Disclaimer
We are committed to protecting the security of individuals personal information and we take all reasonable precautions to protect it from unauthorised access, modification or disclosure. We will hold your personal information on record for 60 days for each visit at a registered business.
Be advised that while security precautions are being taken, web servers that store information are not impenetrable. It is possible that third parties may be able to gain unauthorized access to the information you submit. By proceeding with the use of Covid Tracing, you accept the risk that there may be an inadvertent disclosure of the information you submit.
Where there has been a data breach and an individual’s personal information is released inadvertently or accessed by unauthorised parties, we will notify the individual by email to the registered email address on record.
Data Retention and Deletion
COVIDTracing may retain certain user data after receiving an account deletion request if necessary. COVIDTracing may also retain certain information if necessary, for purposes of safety, security, and fraud prevention.
We will hold your personal information on record for 60 days by default. This can change in the following two situations-
If Legislation requires us to delete information easier than 60 days.
You request us to delete your personal information by filling out our data deletion form.
Your right to accessing your personal information stored by COVIDTracing
You can request access to your personal information anytime. Under the Privacy act,1993 If you make a request for access, we are required to provide it to you within 20 days. We may choose the medium through which we will provide this information.
Further Policy Concerns
We’ll notify you before we make changes to this Policy. If an individual has any concerns about privacy or the use or collection of personal information by us please contact us at [email protected] and we will respond as quickly as possible (our target response is to not exceed 20 days) and handle all complaints in a way that is fair and consistent.