Open letter: Data use protections for NZ COVID Tracer

The content below has been reproduced from a 5 January 2021 post on Andrew Chen’s blog.

Watch: Andrew discusses the letter in an interview with 1News

Update, 10 February 2021: Read Minister Hipkins’ response to Andrew’s letter


News articles on January 4/5 2021 reported that the Singaporean government had done a U-turn on the data use protections around their TraceTogether system for digital contact tracing. The government had previously stated that the data would “never be accessed unless the user tests positive” and that it would only be used for contact tracing purposes. However, they confirmed in Parliament that TraceTogether data could “be used for criminal probes” by the Singapore Police Force. The BBC reported that the data had been used once already in a murder investigation.

In some discussions with legal academics, we had previously identified a gap in the New Zealand legislation around NZ COVID Tracer as well, but there were more pressing concerns at the time. Now that the Singaporean precedent has been set, I felt it was appropriate and necessary to highlight the issue with the New Zealand government in the hopes that legislative protections could be put in place to further protect the privacy of individuals and give people confidence that our government agencies could not misuse this data. It is a relatively low risk in New Zealand, but it would be better to have stronger protections than to rely on assurances.


05 January 2020

Dear Hon Chris Hipkins and Director-General of Health Ashley Bloomfield,
cc Privacy Commissioner John Edwards, Deputy Director-General of Health (Data and Digital) Shayne Hunter

I write to bring your attention to data protections around the use of data generated/collected through the NZ COVID Tracer app (subsequently also referred to as “the app”).

By way of brief introduction, I am a Research Fellow with Koi Tū: The Centre for Informed Futures at The University of Auckland. I have been following the development of digital contact tracing around the world, particularly in New Zealand and how our government has implemented our version of this tool. I have had some informal conversations with the Ministry of Health about the design and use of the app, but have no financial relationship. The views in this letter are my own and may not reflect those of my employers.

Trust in government is one of the critical factors that influences the uptake rate of digital contact tracing tools (also identified in Vaithianathan et al, 2020: https://csda.aut.ac.nz/__data/assets/pdf_file/0009/382743/PolicyPrimerFINAL.pdf). The power imbalance between the state and individual persons leads to understandable concerns about privacy and the potential use or misuse of personal information. A Ministry of Health research report into contact tracing technologies from October 2020 showed that a significant proportion of individuals held “concerns about being tracked by Government/privacy issues”.

Digital contact tracing tools collect significant amounts of personal information. These tools can be considered surveillance, but justified by the current health crisis. The New Zealand approach mitigates surveillance concerns by using a decentralised architecture, leaving location information (via QR codes) and interaction information (via Bluetooth Tracing) on the device until it is needed for contact tracing purposes. This approach helps protect the privacy of users, and is the predominantly favoured approach around the world.

However, in NZ there is little protection against this information being used for other purposes once it has been collected by a government agency from the device. There is a concern that Police or intelligence agencies could seek a warrant for a phone and then take NZ COVID Tracer data off that phone (e.g. QR code scans as a record of where the person has been). The recent NZ Police Assurance review of emergent technologies shows that Police have the technical tools and capability to search cellphones for data (https://www.rnz.co.nz/news/national/429896/audit-reveals-new-tech-tools-in-police-s-digital-armoury). While the Singaporean context is obviously very different to ours, recent reports set a worrying precedent around how a government might repurpose data collected for contact tracing towards other applications (https://www.zdnet.com/article/singapore-police-can-access-covid-19-contact-tracing-data-for-criminal-investigations/).

I acknowledge that the Ministry of Health states on their website and in the Privacy Statement for the app that “Any information you register with the app will never be used for enforcement purposes. It also won’t be shared with another government agency unless that agency is directly involved in the COVID-19 response and sharing the information is necessary for public health purposes during the pandemic.” However, this is a one-way statement from the Ministry of Health to the user, and does not limit the powers or interactions of other government agencies. There are interactions with other pieces of legislation such as the Privacy Act 2020, the Search and Surveillance Act 2012, and the Civil Defence National Emergencies (Information Sharing) Code 2013.

To help mitigate the identified risks and provide further confidence to the people of New Zealand that their privacy is protected, I recommend that you clarify, in legislation, that data collected through NZ COVID Tracer can only be used for contact tracing purposes. Defining it in this way would not limit a particular agency from using the information (e.g. NZ Police), but would restrict their use of the data to be only for the specific purpose.

This could be similar to the Privacy Amendment (Public Health Contact Information) Act 2020 in Australia (https://www.legislation.gov.au/Details/C2020A00044), which clarifies who is and who isn’t allowed to use “COVID app data” or “COVIDSafe data”, and for what purposes. These protections have meant that intelligence agencies who incidentally collected data from COVIDSafe on phones had to delete that data and could not use it (https://www.itnews.com.au/news/covidsafe-data-incidentally-collected-by-intelligence-agencies-in-first-six-months-558129). These protections could be introduced as an amendment to the COVID-19 Public Health Response Act 2020, or appropriate delegated/subordinate legislation.

In addition, I am of the opinion that it would be helpful to define an endpoint for when data collection through NZ COVID Tracer will end, or alternatively define a process through which the endpoint will be decided. This would also include defining a condition or a point in time when data that the government has collected will be destroyed (or fully anonymised and retained for research purposes).

As a New Zealand citizen, I have been proud to see our response to COVID-19 and how we have been able to maintain our freedoms relative to many places around the world. I view digital contact tracing as a tool that may help us continue to keep ourselves safe, and therefore encourage individuals and the government to utilise this tool in a responsible way. Clarifying the usage of data collected through this tool, across all of government, could help improve confidence and trust, therefore improving uptake and potential effectiveness of the app. I thank you for your time in reading this letter, and would appreciate a response about the planned actions on this topic. I would be happy to engage in further discussion on this topic (and I am Wellington-based).

Ngā mihi nui,
Dr. Andrew Chen
Research Fellow
Koi Tū: The Centre for Informed Futures
The University of Auckland

This letter has been reviewed by A/Prof Dean Knight from Victoria University of Wellington’s Faculty of Law, who shares similar sentiments.

