Leading Kiwi Covid-19 health experts, lawyers and academics continue to be concerned about what they say is a lack of adequate legislation to protect people’s contact tracing data against misuse.
From Wednesday, to assist with contact tracing in the event of an outbreak, people over the age of 12 are required to keep records of where they’ve been at most events and business locations at all alert levels. This can be done through methods like scanning QR codes or signing paper registers.
The Government has repeatedly assured people about the privacy of their digital contact tracing data since last year. Meanwhile, agencies like the police have stated they wouldn’t use data from the NZ Covid Tracer App to aid investigations.
However, an open letter addressed to Covid-19 Response Minister Chris Hipkins asks for that assurance to be written into law. It’s signed by more than 100 people across academia and civil society organisations.
The letter is penned by Dr Andrew Chen, a digital contact tracing expert and researcher at Koi Tū: The Centre for Informed Futures, an apolitical think tank based at Auckland University.
“Assurance, by itself, doesn't lead to any penalty for somebody breaking that assurance,” Chen told 1News.
Chen had been asking for increased privacy protections for contact tracing data since January. Hipkins had written to Chen in February recognising “existing protections are not complete", and that he was asking for advice about “legislative changes”.
However, that hasn't yet resulted in any progress.
Chen said legal protections could prevent incidents seen overseas. For example, Singapore police are able to access data from the country’s Covid app, while Queensland and Western Australia banned that sort of practice after police accessed data on at least six occasions for unrelated criminal investigations.
Chen argues in the letter that existing legislation like the Privacy Act, despite its principle that information collected should generally only be used for the purpose for which it is collected, isn’t adequate for contact tracing records.
“The struggle with what it says in the Privacy Act is there are a number of exceptions, law enforcement being one of them, and the penalties that are offered in the Privacy Act are relatively low, in the $10,000 mark.
“In [Western] Australia, the penalties for misusing contact tracing information are in the hundreds of thousands of dollars and years of imprisonment,” he said.
Additionally, the Government’s assurances wouldn’t extend to the private sector or individuals, Chen said.
The current Order that provides the legal backing for current Alert Level restrictions states that "if the business or service keeps a contact record for the sole purpose of enabling contact tracing", they must dispose of it after 60 days.
Chen argues that particular wording leaves a gap for data collected for multiple purposes, for example, a business’ sign-in form that tells customers their information could also be used for its marketing.
There were also instances last year of people’s contact details being stolen from these written records, including one Bay of Plenty woman who was harassed by a stranger after she’d provided her number to a Hamilton casino for contact-tracing purposes.
“With more data being generated, the risk of something bad happening increases,” Chen said of the new record-keeping rules.
Despite his concerns about the risk to privacy, Chen is quick to point out people should still continue to make records of their whereabouts in case contact tracers would need it.
“Throughout the pandemic, privacy and public health have been described as two ends of the seesaw, [and the idea that] if you want to protect privacy, therefore, you have to lower public health outcomes,” he said.
“In this case, I think this is a protection that can advance both goals together.”
Christchurch barrister Kathryn Dalziel, who specialises in privacy law, is among the open letter’s signatories.
She said further protections to people’s privacy would give people the confidence to comply with the new mandatory record-keeping rules.
Dalziel said if the Government had already given its assurance, and police had already said it wouldn’t use contact tracing data, “why don’t we all just say it out loud?”
“There’s a little magic place called Parliament that can make it really clear that that is how everyone's going to behave.”
As for what that legislation could look like, Dalziel said: “They can have a look at how Australia’s drafted it.
“It’s really quite straightforward, which is that records are collected for the sole purpose of enabling contact tracing, to be held to a day and then disposed of, and that it will not be used for any other purpose.”
When asked about the concerns raised in the open letter on Thursday last week, Hipkins said he could provide “an absolute reassurance” that information collected for the purposes of tackling Covid-19, such as contact tracing and vaccinations, would only be used for the response against the virus.
“If there is further legislative protection that would give people comfort, of course, that’s something that I wouldn’t rule out.”
He said the Government hadn’t yet considered specific legislation against the misuse of data collected for contact tracing purposes.
“We’ve already made it very clear that we would not use that information for anything other than the purpose for which it is collected.”
Similar questions were put to the Government on Tuesday, and again two days later.
On both occasions, Prime Minister Jacinda Ardern indicated the Government was still figuring out what Covid-19 contact tracing-related privacy legislation could look like and if it was needed.
“No, you don’t need to take our word for it … I know Minister Hipkins was seeking more advice on this matter and I haven’t seen it back yet,” Ardern said on Thursday.
The Director-General of Health Dr Ashley Bloomfield said people should be reassured that data collected by the Covid Tracer app, whether that be QR code scans or manual entries, would stay on their phones.
“It’s only released, with their permission, once they receive a message that suggests they may have been at a location of interest,” he said.
Concerns raised in the open letter about data collected by venues through analogue methods like pen and paper haven’t been addressed, however.
Chen wanted officials to address the separate issues that come with whether a contact tracing method was either analogue and digital, and who it was that collected the data.
“I’m generally less worried about data [collected through the Covid Tracer app] because it stays on the device. But, there is an edge case around police or another Government agency legally getting access to the device and then using the data there," Chen said.
"I think we’re also worried about people coercively getting access to that data.”
Privacy Commissioner John Edwards said in a statement that his office had also “raised very similar issues” to Hipkins that the open letter had.
Edwards said his office would “continue to provide advice as required”.
“We will be interested to see any response to the open letter.”