Sign in registers and the Privacy Act 2020
21 October 2021
Many of you will have seen the guidance from the Office of the Privacy Commissioner in regards to alternative contact tracing registers and the need to ensure that they comply with the Privacy Act 2020.
“Using an open sheet or register left in a public-facing position where personal information is visible to others is a leading cause of COVID-19-related privacy breaches. It’s important that businesses provide other methods of collecting and storing contact tracing records, but in ways which also protect the privacy of those whose details are being collected.” Says Privacy Commissioner John Edwards.
This same concern can be applied to club sign in books/registers. As sign in books/registers ask for personal information you must take care to ensure they are safe and secure and that they comply with the principals of the Privacy Act 2020.
Below we have compiled a few things to think about:
What are some practical alternatives to public-facing sign in books/registers?
- Have individual sign in slips or cards for people to fill in that are then handed to staff.
- Have an employee manually record visitor details – this ensures that staff maintain control over the records and do not leave contact information visible to others.
- Do not keep a sign in register at all and instead have staff confirm whether a person is an authorised customer or authorised visitor at the bar (recommended).
- Use an electronic system, like a tablet sign-in app, or an existing booking system.
Only record as much information as you need
A general rule of the Privacy Act is to collect only as much information as you need and no more.
This can be a little bit tricky when it comes to club sign in registers/books as they are not required by law, rather you are using them as a tool to establish that someone is an authorised customer or an authorised visitor under the Sale and Supply of Alcohol Act 2012.
Logically in order to establish that they are an authorised customer or authorised visitor you would only need to collect the persons name, details of their membership and the time and date of their visit.
Consent and Access
When you collect personal information, you must take reasonable steps to make sure that the person knows why it’s being collected, who will receive it, whether giving it is compulsory or voluntary and what will happen if they don’t give you the information.
It may be that you have a small statement on the back of the sign in slip, display a privacy statement at the bar if you have staff manually signing people in or if you are using an electronic system you may use a statement or pop up built into the system.
People have a right to access the information you keep about them, so be sure to have a process for facilitating that if required.
Security and Storage
Once collected, you will need to keep the information safe. This means storing it safely and securely, for instance if it is a physical record it could be stored where other valuables are kept such as a locked cabinet with other important documents. If it is a digital record it needs to be stored on a secure information system. If you are using a work cellphone to store texts this cellphone will need to be kept safe and secure.
It will also be important to ensure that access to this stored information is provided to a limited number of key people. You should know who has access and why.
We recommend that clubs visit the Office of the Privacy Commissioner for more information https://www.privacy.org.nz/ the website is pack full of guidance, resources and training.