New Zealand: Mandatory contact tracing and privacy - Is my personal information protected?

On 22 August 2021, the Ministry of Health announced that scanning or manually signing in to cafes, restaurants, events and the like "will now become compulsory after the Government announced that mandatory record-keeping is being introduced at all alert levels".¹

Mandatory record-keeping is set to become effective seven days after a change in alert level settings allow more businesses to open.² Everyone aged 12 and over must scan or manually sign-in to cafes, restaurants, bars casinos, concerts, aged care facilities, health care facilities barbers, exercise facilities, nightclubs, libraries, courts, local and central government agencies and social service providers who have a customer service counter.

There is no doubt that the threat posed by COVID-19 to New Zealanders requires ongoing vigilance and, sometimes, seemingly extreme measures such as contact tracing. Unsurprisingly, the announcement has raised concerns as to how mandatory contact tracing affects personal information and privacy. In order to allay concerns, people must first understand the why behind the mandate.

Why contact trace?

The purpose of contact tracing is to identify those who are at risk of transmitting COVID-19 and to rapidly and effectively locate positive cases. It is a measure adopted globally and has proven to be effective in combatting the virus.

In New Zealand, the Ministry of Health introduced the NZ COVID Tracer app (the App). The App creates a digital diary of places visited by the user when the QR code at entrances to public buildings is scanned. Each scan records the location name, address of the business, time and date.

Businesses must display a QR code for customers to scan. At Alert Level 2 and higher, businesses must also provide an alternative tracking register for those who do not use the App. The tracking register records the customer's name, phone number, date and time of visit.

Like most technology, the App poses threats to an individual's privacy and cybersecurity of personal information, which could result in a privacy breach if insufficiently protected. This begs the question, does the App comply with New Zealand's privacy laws?

Privacy laws

New Zealand's privacy laws are encompassed by the Privacy Act 2020.

The Act sets parameters for the collection, use and disclosure of information by agencies, including in the context of a threat to public health or safety. The 'public health or safety exception' contained in Principle 11 permits the collection, use and disclosure of personal information where it is necessary to prevent or lessen a serious threat to public health or public safety.

The public health or safety exemption is rarely used, and its application is shrouded with uncertainty. Although, it is not untenable to suggest that a global pandemic such as COVID-19, is the very threat contemplated when the exception was drafted. If it does not apply in this context, it is difficult to envisage when it might.

Even so, the controls applied by the Ministry of Health to protect personal information are robust.

Protection controls

The App does not send any information to the Ministry of Health about which QR codes are scanned, who scanned them, or where they were scanned, but simply registers that a QR code was scanned.

The App is designed to protect personal information in a number of ways. In particular:³

• The information recorded by the App is stored on the user's phone where only the user can see it. This includes QR codes scanned, manual diary entries, Bluetooth 'keys', and NHI numbers.
• Digital diary entries are automatically deleted from a user's phone after 60 days, and Bluetooth keys after 14 days.
• A user will only be asked to share data if he or she tests positive for COVID-19. If identified as a confirmed or probable case, it is the user's choice whether to share his or her digital diary with the Ministry or upload Bluetooth keys.
• If a user chooses to share a digital diary, it will not be used for enforcement purposes nor shared with another government agency unless that agency is directly involved in the COVID-19 response and sharing the information is necessary for public health purposes.
• A user may uninstall the App (noting that information will still need to be recorded on the alternative tracking register) and request the deletion of any registration information provided by sending an email to help@covidtracer.min.health.nz.

For clarity, information recorded on the alternative tracking register is personal information. Therefore, businesses must protect customer privacy and also ensure that customers are aware that their personal information is being collected, and for what purpose.

Finally, New Zealand's approach is not novel. Australia has similarly developed a Bluetooth-based COVID SAFE app for further tracing, as has Singapore and the US. While it is understandable that mandatory contact tracing will be faced with some apprehension, sufficient controls are in place to protect personal information and privacy.

Footnotes

¹ https://www.stuff.co.nz/national/politics/126148560/covid-19-scanning-or-signing-in-to-become-mandatory-at-cafes-busy-venues-and-events-at-all-alert-levels
² But the extent of the new policy is still unclear – officials are understood to still be working on exactly what sort of businesses will have to comply.
³ For more information, see: https://www.health.govt.nz/our-work/diseases-and-conditions/covid-19-novel-coronavirus/covid-19-resources-and-tools/nz-covid-tracer-app/privacy-and-security-nz-covid-tracer

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.