Covid-19 Minister Chris Hipkins has sought advice from officials on potential changes to the law that could address lingering privacy concerns with the NZ Covid Tracer app. Photo / Bevan Conley
Covid-19 Countermeasure Chris Hipkins has sought advice from officials on potential changes to the law that could address lingering privacy concerns with the NZ Covid Tracer app.
It comes after a prominent data expert and Privacy Commissioner John Edwards suggested changes to the law would ensure agencies can’t use tracking data for spying or criminal investigations.
The New Zealand app remains an important tool for helping tracers quickly trace the close contacts of people infected with Covid-19 – but at the same time, gathering large amounts of personal information from users.
The government has moved to ease surveillance concerns by creating “decentralized” applications, leaving location data – such as those loaded via QR codes – and interaction information, entered via Bluetooth tracking, on people’s phones until needed for contact tracing.
While this approach, widely used by other countries, helps protect user privacy, there is still little legislative protection against data used for other purposes by Governments.
Dr Andrew Chen, a researcher at Koi Tū: The Center for Informed Futures based at the University of Auckland, said one concern is that police or intelligence agencies could request a warrant for a phone call and then retrieve tracing data from it.
The Singapore government recently sparked protests when it passed a law allowing police to access data from the TraceTogether app for serious crimes such as murder, rape and drug trafficking.
In New Zealand, Chen noted that a recent police review of emerging technology suggests police have the tools and the ability to search data on cell phones.
This month, he wrote to Hipkins and Director General of Health Dr Ashley Bloomfield, suggesting New Zealand could take similar steps to Australia, which introduces amendments that define who and who is not allowed to use tracer app data, and for what purposes.
That effectively means that intelligence agencies that accidentally collect tracking data from cell phones have to erase the data and can’t use it.
But Chen told the Herald that there were still concerns surrounding the two scenarios.
“One of them is that law enforcement officers get access, as happened in Singapore, which is a major concern,” he said.
“The other thing is, just because the NZ Covid Tracer app is well designed, it doesn’t mean that other digital contact tracing tools are designed as well.”
For example, he said, there were about 30 different providers for QR code digital contact tracing in the past.
“We know, last year, there were companies that collected personal information from contact tracing and then used it for marketing purposes.
“So it’s actually nice to have some rules that specifically state data collected for the purpose of the Covid-19 pandemic should only be used to respond to it.”
Chen previously suggested that the Government could amend the Public Health Response Act, but now believes the reforms would fit better elsewhere in the current law.
In a written response to Chen last week, Hipkins noted that Bluetooth location and contact data were recorded centrally only when given to the tracker – and even then, people can still decide if they want to release it.
“With the relatively small number of cases in New Zealand, there are very few people whose data is stored centrally,” said Hipkins.
“This data is well secured in the ministry system and the ministry has done only to use it for contact tracing purposes.”
Furthermore, he said, the application has protection that limits the time period for data storage.
Manually scanned and recorded locations are stored on the user’s phone for 60 days and then deleted automatically, while the Bluetooth interaction key is stored on the user’s phone for 14 days and then deleted.
Although data from apps uploaded to the ministry’s system is kept longer because some of it becomes part of a person’s health records, the ministry has committed to deleting it “in a specific category” at the end of the pandemic – including all contact details.
Hipkins claims that the risk of being used for surveillance is low, and has been told that the threshold for agencies forcing access to it is “quite high.”
The police also told Chen that they did not – and would not – seek or access any data from the app to aid in the investigation.
However, Hipkins acknowledged that the existing safeguards were “incomplete” – and pointed to similar suggestions for reforms being made by privacy commissioners.
“While digital contact tracing options are now more limited than ever before, I notice nothing is preventing people from using other existing options, or preventing new ones from emerging,” Hipkins said in the letter.
“I understand that the ministry has published standards and certification regimes for applications that use Government QR codes that include privacy expectations.
“However, alternative approaches are not prohibited, and for that reason the Government supports ensuring there is protection for all digital applications and tools used for contact tracing.”
He has asked the ministry for advice on possible legislative changes – a move that encourages Chen.
“It’s great to look at. At the same time, I think it’s important to convince people that the risk here is low – and that we should all use this app as much as possible.”