Police disclosing Covid-19 patient info through vetting process was 'inappropriate' - report

Police use and disclosure of Covid-19 patient information was "inappropriate", says Privacy Commissioner John Edwards. 

File image of Covid-19 testing. Source:

The latest inquiry into the Ministry of Health's disclosure of Covid-19 patient information to emergency services was released today.

Edwards also said Government agencies should review the way they handle and share highly sensitive Covid-19 patient health information.

"Police should never have disclosed patients’ Covid-19 statuses to prospective employers as part of their vetting process."

Police had access to alerts related to Covid-19 to help carry out pandemic management and general policing duties.

"However, police’s use of that information also extended to disclosing it to agencies as part of its vetting function," he said. 

On police disclosing patients’ Covid-19 statuses to patients’ potential employers as part of their vetting function, Edwards said this was "inappropriate". 

"Police should have reviewed its need for patient information as the number of Covid-19 cases in New Zealand reduced.

"To police’s credit, as soon as we raised concerns about this practice, they immediately stopped."

Edwards said it happened for "only a small number of cases and for a short-lived period".

The disclosure of Covid-19 patient information to emergency services earlier this year saw the leak of confidential Covid-19 patient details.

Names, addresses, ages and hotel names of people who tested positive for Covid-19 were leaked to some media outlets in early July by Hamish Walker, a National MP who had been sent the details by Michelle Boag, former National Party president and then-acting chief executive of Auckland Rescue Helicopter Trust. 

The inquiry by Michael Heron found their motivations were political and "not justified or reasonable" and his report was referred to the Privacy Commissioner. 

"The Ministry of Health has acted appropriately and responsibly with Covid-19 patient information," Edwards concluded in the report issued today.

"Emergency services, including police, received it for legitimate reasons.

"However, police use and disclosure of Covid-19 patient information as part of its vetting function, although only for a short time, was inappropriate."

Edwards said the Ministry of Health had "clear and measured rationale" for passing on Covid-19 patient information in April - but should have gone back to look at that decision when New Zealand moved down alert levels in May. 

That was also found in the July inquiry, which said the policies around privacy should have been reviewed when there was no longer community transmission in New Zealand.