• Andy Bunyan
    10
    Hi all, to what extent have people been either on a voyage of learning discovery, or driven to near-despair by a clear lack of knowledge by organisations as to the requirements of the Privacy Act and in particular with regard to the want for health information?

    Some requests I've seen would be laughable were they not coming from clients who can be very valuable indeed. Whilst I've been aware of what's needed for several years, what has happened more widely in recent weeks is nothing short of a revelation. How have some of you seen this?
  • Garth Forsberg
    34
    Some DHBs have been telling me that they need an assurance that only vaccinated contractors go to their site but are also reserving the right to request full name, date of birth, date and type of vaccination and other personal information for any staff that might be going to their site in the future.
    I've said yes to the assurance, but no to the other request.
    The wording similarity between each DHB makes me think they either all have the same lawyer or they are cutting and pasting from the Act but getting it out of context.
    Other non-health clients have made similar demands.
  • MattD2
    337
    Some DHBs have been telling me that they need an assurance that only vaccinated contractors go to their site but are also reserving the right to request full name, date of birth, date and type of vaccination and other personal information for any staff that might be going to their site in the future.Garth Forsberg
    That is likely because they are required by the Vaccination order to collect that information if the worker is covered under the order; 11A - COVID-19 Public Health Response (Vaccinations) Order 2021
    My understanding of the Privacy Act (and correct me if I am wrong @Andy Bunyan) is that it doesn't prevent anyone from requesting private information, but it provides a framework for (amongst other things) how private information is collected (including informing the purpose of collecting the information), keeping the information private and not using it for any other purpose than for the reason it was collected.

    The grey area in the DHB situation is who is considered the "relevant PCBU" - your company or the DHB. But I would argue that the safest way to not fall faul of the privacy act while complying with the order is to consider your company as the "relevant PCBU" and to ensure that the assurance they are requesting includes that the company will keep accurate and up to date records of any worker as per 11A of the order.
  • Stephen Small
    50

    We have had the same requests, however my workers are not coved by the COVID-19 Public Health Response (Vaccinations) Order 2021, as they do not fall into this category:
    7.2 Workers who carry out work where health services are provided to members of the public by 1 or more health practitioners and whose role involves being within 2 metres or less of a health practitioner or a member of the public for a period of 15 minutes or more

    My concern is the scattergun effect of health providers who are sending out blanket statements without looking at the coverage.
  • MattD2
    337
    We have had the same requests, however my workers are not coved by the COVID-19 Public Health Response (Vaccinations) Order 2021, as they do not fall into this category:
    7.2...
    Stephen Small
    If they are working for the DHB would they not generally fall under "7.3 Workers who are employed or engaged by certified providers and carry out work at the premises at which health care services are provided"?

    My concern is the scattergun effect of health providers who are sending out blanket statements without looking at the coverage.Stephen Small
    I agree with you on this - and as I mentioned it would seem reasonable for you to respond that as the Relevant PCBU of the Affected Person you have obtained and have record of the information required under clause 11A of the Vaccination Order, can confirm that the Affected Persons assigned to the work comply with clause 7 of the Order, and will updated the DHB if anything changes.
  • Andy Bunyan
    10
    Favourites include workers being required to complete a form on a one-off basis which includes a declaration that they have not been at a place of interest even though the list can be updated several times a day.

    Latest cab off the rank is "you've been at a place of interest? Then self-isolate for X days" and they are saying it irrespective of what MoH may be saying about the very same potential exposure situation.

    As to your query @MattD2, whilst we may choose to release our info to our own paymasters, one might say we at least have a bit of an eye on one's own organisation so as to be comfortable. If however that info is being sought by customers of one's employer and is released then one might say the genie is out of the bottle and control of certain personal info lost forever.

    For anyone curious I'd thoroughly recommend the good e-learning training offered by of all people The Privacy Commissioner. Privacy and Health 101's and ABCs too for those who are keen. Nevermind the ten commandments or the seven deadly sins, one can get to grips with the Thirteen Principles of Privacy ;-)
  • MattD2
    337
    As to your query MattD2, whilst we may choose to release our info to our own paymasters, one might say we at least have a bit of an eye on one's own organisation so as to be comfortable. If however that info is being sought by customers of one's employer and is released then one might say the genie is out of the bottle and control of certain personal info lost forever.Andy Bunyan
    One of the main parts of the Privacy Act is to have a clear purpose for the collection of private information, ensuring the people you are collecting the information from understand that purpose and how the information is to be used and then only using the information for that purpose.
    As in the example you gave unless you have informed your employees that you will be sharing the information with clients then you shouldn't... and clients really shouldn't be sharing private information with others - a clear breach if the act.
  • Stephen Small
    50


    Hi Matt,
    No we are not contracted to, engaged by, or working for the PCBU as we are a monopoly utility provider.(But I agree that it may be different if we were!)
  • MattD2
    337
    Yeah, sorry Stephen - I did have that thought after I posted that maybe you were meaning you weren't covered by the Vaccination Order at all.
    I would take a similar approach still though - inform them that you have collected the required information to ensure that you can and will only send vaccinated employees to their job, but as the information was not gathered for the purpose to provide it to your clients that you legally cannot do so.
  • MattD2
    337
    Here is a question - does the "My Covid Pass" breach the Privacy Act?

    Information Privacy Principle 1 states that "Personal information must not be collected by an agency unless; the information is collected for a lawful purpose connected with a function or an activity of the agency; and the collection of the information is necessary for that purpose."

    The purpose of the My Vaccine Pass is "... an official record of your COVID-19 vaccination status for use within Aotearoa New Zealand. It will allow you to access certain events and venues operating under the COVID-19 Protection Framework

    The Pass includes personal information of a person's full name and their date of birth, however are these actually required for the purpose of the Pass?

    It could be argued that the person's full name is needed to be provided to a business if business is expected to validate that a person is not using another persons Pass by cross checking a Pass against another photo ID. However MBIE's advice is that a business is not required to check any other ID - a person wanting to enter a premise where Vaccine Certificates are being used is required to only present their My Vaccine Pass to do so (https://www.business.govt.nz/news/requiring-my-vaccine-passes-for-entry/).
    More specifically; why is a date of birth necessary for the Pass's purpose - especially when you consider that a date of birth is a piece critical information commonly used for the verification of a person (think of the most common question you are asked over the phone when a company wants to check it is really you - "what's your full name and date of birth, please?"
    So should the MoH really be offering up this personal information? Especially when verification of the validity of a Pass holder could more effectively be enforced if the Verification App could be used to validate only a (random) portion of this information - e.g. if the business wants to verify a scanned Pass the App provides a question such as "What month were you born in?" or "what is your last name?" (although it would also require a rethink of the Pass to not provide the personal information in the QR code as cleartext).

    Information Privacy Principle 11 also relates to the above question, in that whether "...the disclosure of the information is one of the purposes in connection with which the information was obtained or is directly related to the purposes in connection with which the information was obtained"? i.e. is the Pass giving the bouncer the purpose why the information was collected? I would argue it was not...
  • KeithH
    171
    @MattD2 short answer - No.
    The Privacy Commissioner has already determined the "My Vaccine Pass" in it's current form does not breach the Privacy Act with details here.

    To quote a couple of paragraphs from that page -
    "Our Office (Office of the Privacy Commissioner) has emphasised the importance of ensuring that this sytem is designed with privacy as a core consideration. That has included advocating for the Pass not to distinguish between those who are vaccinated and those who have an exemption on medical grounds (it is not necessary for the business to know).

    Our Office also advocated for legislative protection of personal information collected so that it cannot be reused or repurposed by the business collecting it."

    Further -
    "Does the Privacy Commissioner investigate complaints about the details on My Vaccine Pass?

    The COVID-19 Public Health Response (COVID-19 Vaccination Certificate) Order 2021 sets out the information that vaccination certificates must show and requires the person’s name and date of birth to be displayed.

    Where another law requires personal information to be used in a certain way, that will generally override the provisions in the Privacy Act.

    We cannot investigate complaints about these requirements.

    If you want to discuss the information displayed on vaccination certificates further, you will need to contact the Ministry of Health."

    Source here


    So in answer to your question
    does the "My Covid Pass" breach the Privacy Act?MattD2
    the Privacy Commissioner says No.
  • MattD2
    337
    Privacy Commissioner says No.KeithH
    Or specifically they have said:
    Our Office also advocated for legislative protection of personal information collected so that it cannot be reused or repurposed by the business collecting it.KeithH
    or in other words "we'll deal with any issues after the horse has bolted"
    And
    Where another law requires personal information to be used in a certain way, that will generally override the provisions in the Privacy Act.KeithH
    essentially saying the Government can decide whatever they want to do, remembering the bill to amend the act were rushed through in 2 days and the actual orders which are actually specifying how this information is collected and managed do not actually go through parliament but are just the on the whim of the Minister of Health or the Director-General of Health.

    And the first comment from the Privacy Commission is related to distinguishing between vaccinated and exempt people - which they have said the Pass should not do because there is no need for it to do so - so it is the same question for the other Personal Information, for the purpose of confirming a person's vaccination or exempt status does the Pass need to include that information. With the way it is being proposed to be used it would seem like it doesn't.

    Also interesting that the Vaccination Certificate order seems to be drafted and released to other Government agencies but not to the wider public. Most people are waiting anxiously for the new orders relating to the various Covid Protection Framework requirements to be able to plan exactly what they need to do from Friday onwards... hopefully we see them soon.
  • MattD2
    337
    Also interesting that the Vaccination Certificate order seems to be drafted and released to other Government agencies but not to the wider public. Most people are waiting anxiously for the new orders relating to the various Covid Protection Framework requirements to be able to plan exactly what they need to do from Friday onwards... hopefully we see them soon.MattD2
    So I was wrong about that - aparently this was release on Sunday (28th Nov)... unfortunately the list of active orders under the Covid Act on the Covid-19.govt.nz website has not been updated to reflect this.
bold
italic
underline
strike
code
quote
ulist
image
url
mention
reveal
youtube
tweet
Add a Comment

Welcome to the Safeguard forum!

If you are interested in workplace health & safety in New Zealand, then this is the discussion forum for you.