22/02/2021·4 mins to read
NZ COVID Tracer App - Is your data safe?
In this article, we explore how the government can prevent actual or perceived “function creep”[1] with the NZ COVID Tracer app. In particular, given the recent proposals that use of the app be compulsory, whether there should be legislative protection to prevent location information that is collected from being used for other purposes. Increased protections for collected information may allay privacy concerns and, even if the use of the app is not made mandatory, increase the uptake and effectiveness of the NZ COVID Tracer app.
What you need to know:
- There is currently no legislation that prohibits the government from using data collected on the NZ COVID Tracer app for other purposes, such as criminal investigation.
- In May 2020, the Australian government introduced legislative protection for data collected with its COVIDSafe contact tracing app. An amendment to the Australian Privacy Act 1988 creates offences for using data collected by the COVIDSafe App for any purpose other than contact tracing.
- The Singapore government recently amended the privacy policy of its COVID TraceTogether app to permit use of collected information for criminal investigations, backtracking on its previous promises that collected information would be used solely for Covid-19 contact tracing.
Background: NZ COVID Tracer app
With the recent Valentine’s Day cluster forcing Aucklanders to once again re-enter lockdown, New Zealanders have had a timely reminder of the importance of using the NZ COVID Tracer app to scan into places they visit. The use of the app helps to facilitate effective contact tracing, which aids in minimising the spread of outbreaks.
The Ministry of Health has continuously updated the NZ COVID Tracer app with more features and safeguards, such as Bluetooth tracing and removing the requirement for people to register their details when downloading the app onto their phones.
There has also been recent media indicating that the government is considering making the use of the NZ COVID Tracer app compulsory, a move that is apparently supported by business.
Overseas contact tracing app scrutiny
Covid-19 contact tracing apps have been the subject of considerable public scrutiny around the world, in respect of their effectiveness, transparency surrounding operation, and the security of data collected. Such scrutiny only increases as governments look to use technology to assist in controlling and limiting the spread of Covid-19.
The Australian government has taken a positive step to assure users that their information can only be used for the purposes of contact tracing, alleviating concerns of function creep. The Australian government passed the Privacy Amendment (Public Health Contact Information) Act 2020 which prohibits the collection, use or disclosure of COVIDSafe app data for any purpose other than contact tracing.[2] This prohibits the collection of COVIDSafe app data even for criminal investigations, for example, as part of a warrant. Even intelligence agencies that incidentally collect data from COVIDSafe on phones must delete that data and cannot not use it.
On the other hand, in Singapore, the government has backtracked on previous statements that information collected through its TraceTogether app will only be used for Covid-19 contact tracing. Foreign Minister Vivian Balakrishnan in June 2020 stated, “TraceTogether app, TraceTogether running on a device, and the data generated, is purely for contact-tracing. Period.” However, in January 2021, Minister of State for Home Affairs Desmond Tan said that data can also be used “for the purpose of criminal investigation”. TraceTogether app’s privacy statement has since been updated to reflect this additional use. Naturally, this has undermined some of the public trust in the TraceTogether app.
NZ COVID Tracer app privacy concerns
In New Zealand, the government has indicated through the NZ COVID Tracer Privacy and Security Statement that the information collected will only be used for contact tracing by New Zealand’s public health system for the purposes of the Covid-19 pandemic response. However, there has been no firm action from the government to prevent function creep, and the Privacy and Security Statement is effectively a one-sided statement given by the Ministry of Health to users, and does not extend to other government agencies. Notably, Singapore’s TraceTogether privacy statement had similar wording as well - until it was amended. Additionally, although information collected is decentralised, theoretically, police or intelligence agencies could seek a warrant for a phone and then take NZ COVID Tracer data off that phone.
Even prior to the recent lockdown, it has been reported that Covid‑19 Response Minister Chris Hipkins had asked officials for advice on potential law changes that could address lingering privacy worries with the NZ COVID Tracer app. It will be interesting to follow any legal developments which arise from this, for example, whether the Australian approach of expressly prohibiting the collection, use or disclosure of COVIDSafe app data for any purpose other than contact tracing will be adopted.
Such potential law changes may increase public confidence and therefore uptake, and mitigate the need for other more intrusive measures to increase uptake. For example, Prime Minister Jacinda Ardern has recently said that the government is exploring mandating QR code scanning, to prevent complacency, something ACT leader David Seymour has been pushing for. Whether or not mandatory QR code scanning is even feasible is yet to be seen, for example, businesses would not be incentivised to prohibit customers who do not scan from entering, given it would not be in their commercial interests.
The introduction of any such legislation will no doubt help increase uptake of the NZ COVID Tracer app, further increasing its effectiveness as a tool to fight to spread of Covid-19. As stated by the Privacy Commissioner, public confidence is paramount to having effective tools for contact tracing. New Zealanders want to help defeat this virus, but they also want to trust that their personal information will not be misused or lost.
Get in touch
Please get in touch with our contacts if you have any questions about this article or data privacy in general.
[1] Function creep is defined as the gradual widening of the use of a technology or system beyond the purpose for which it was originally intended, especially when this leads to potential invasion of privacy.
[2] Section 94D: https://www.legislation.gov.au/Details/C2020A00044