Friday, 5 February 2021

Minister's Response on Digital Contact Tracing Legislative Protections

In early January, I wrote a letter to Minister Chris Hipkins along with Director-General of Health Ashley Bloomfield and Deputy Director-General (Data and Digital) Shayne Hunter about the need for legislative protections on data from digital contact tracing tools like the NZ COVID Tracer app, in light of developments in Singapore. This data being collected for public health purposes to respond to the pandemic should only be used for that purpose, and while assurances from senior officials are helpful, legislative protections would help improve confidence that this data is safe from government misuse. It's worth noting the subsequent official statement of "[NZ] Police has not, and will not, seek or access any data from the NZ COVID Tracer App to aid investigations."

You can read the response from the Minister in original PDF format here, but I have extracted the text out for accessibility:

Dear Dr Chen,

Thank you for your letter and for your contributions to the Ministry of Health’s development of the NZ COVID Tracer app thus far. 

As you note, New Zealand is operating a de-centralised approach for both location recording and recording of Bluetooth interactions. For most people who use the NZ COVID Tracer app, scanned locations and Bluetooth interactions are recorded and stored securely on their phone and are never submitted to the Ministry. New Zealand’s approach differs to that taken by Singapore and Australia where Bluetooth close contacts are identifiable centrally when uploaded by a COVID-19 case. This decision not to centralise data and to use a Bluetooth framework that preserves anonymity is a privacy-enhancing strength of New Zealand’s approach to digital contact tracing. 

Location and Bluetooth contact data is recorded centrally only when someone has been using the app and is asked to submit that data by a contact tracer when they test positive for COVID-19. In these cases, the user can make their own decision about whether to release their recorded locations or Bluetooth keys to a contact tracer. With New Zealand’s relatively small number of cases, there are relatively few people whose data is held centrally. This data is well secured in the Ministry’s systems and the Ministry has undertaken only to use it for contact tracing purposes. 

In addition, the NZ COVID Tracer app has existing protections that limit the time period that data is retained for. Scanned and manually recorded locations are kept on a user’s phone for 60 days and are then automatically deleted. Bluetooth interaction keys are kept on a user’s phone for 14 days and then automatically deleted. These relatively short retention periods limit the risk that data could be accessed and used for purposes other than for contact tracing. 

Data from the NZ COVID Tracer app that has been uploaded to Ministry systems is retained for longer as some of it becomes part of a person’s health record. The Ministry has committed to deleting data in certain categories at the end of the pandemic including all contact details that have been submitted via the NZ COVID Tracer app. 

I believe that the risk of law enforcement or intelligence services access to contact tracing data is low. Data on phones is protected by relatively rapid cycles of automated deletion and user have the ability to manually delete entries. Location data held by the Ministry is limited to a very small number of people. I am advised that the threshold for law enforcement or intelligence agencies compelling access to information (such as via a warrant under the Search and Surveillance Act 2012) is quite high, which offers further protection. 

However, I recognise that existing protections are not complete. In his submission to the Finance and Expenditure Select Committee on the COVID-19 Public Health Response Act 2020, the Privacy Commissioner recognises this and recommends that the Health Act or the COVID-19 Public Health Response Act be amended. The Commissioner provides some options for how this could be done. 

While digital contact tracing options are more limited now than they were, I note there is nothing to prevent people using other existing options, nor to prevent new ones emerging. I understand that the Ministry has published standards and a certification regime for apps that use the government QR code that includes privacy expectations. However, alternative approaches are not prohibited, and for that reason the Government supports ensuring there are protections for all apps and digital tools used for contact tracing. 

I have asked the Ministry to provide me with advice on legislative changes that could be made, taking into account submissions by you and the Privacy Commissioner. 

Thank you for your continued support of the Government’s COVID-19 endeavours, in particular your support of the NZ COVID Tracer app, and for your ongoing and constructive feedback. 

Yours sincerely,
Chris Hipkins
Minister for COVID-19 Response

No comments:

Post a comment