Friday 2 July 2021

Data Use Protections for Digital Contact Tracing Data - Round 2

This letter follows-up from my original letter in January 2021 and the response from the Minister in February 2021. After the use of digital contact tracing data for police purposes in Singapore in January, recent reports in June have highlighted police use of QR code scan data in specific States in Australia. As this is now much closer to home, and with urgent legislation being introduced in Western Australia, I felt that it was necessary to urgently write to the Minister again to highlight this issue. For anyone reading this, I emphasise again that the risk of Police using digital contact tracing data is relatively low in New Zealand, especially after assurances have been given by Police that they have not and will not use this data, but I still believe that it would be better to have stronger protections than to rely on assurances.

2 July 2021

Dear Hon Chris Hipkins,

I write with some urgency to note that recent news articles in Australia have highlighted State police use of their digital contact tracing data. For example, see in Western Australia, and for a broader look across all States. The context in which this is happening is much closer to New Zealand than the previous reports from Singapore earlier in the year.

The situation is different in New Zealand for two key reasons. Firstly, QR code scans are held in a centralised database in each Australian State whereas NZ COVID Tracer holds the data decentralised on each device. This prevents the scenario of Police or another agency requesting data from the Ministry of Health directly without the user's knowledge or consent, but the data can still be retrieved from the device itself. Secondly, QR code scanning is mandatory in many venues (based on risk) in Australia, whereas it is voluntary in New Zealand.

I note media reports that the latter may change soon, and advice is currently being formed by DPMC with assistance from a number of agencies including Ministry of Health and the Office of the Privacy Commissioner. I am writing this letter because I believe it is critical that legislative protections be put in place before signing-in is made mandatory in any setting in Aotearoa New Zealand. The public must have confidence that digital contact tracing data, and specifically NZ COVID Tracer data, will only be used for contact tracing purposes, and cannot be used by any agency, employer, or person for any other purpose.

After writing to you in January, I appreciated the response from your office, and subsequently followed-up with the Ministry of Health and had a meeting to discuss policy around legislative protections for this data. The conclusion at the time was that it was not a sufficiently high priority for the policy and legal teams, and I accept that the response to COVID-19 is multifaceted and the government has to prioritise its interventions. But in the current context of the government considering making QR code scanning (or signing-in generally) mandatory in high-risk venues, I believe it is necessary to bring this issue to your attention again.

I have already raised the recent media reports in Australia with the Ministry of Health, and my understanding is that their policy team is now considering the issue, but I am not certain if this is connected to considerations around making signing-in mandatory in high-risk venues. I am also of the opinion that this needs to be considered with some urgency, to close off this potential issue before negative outcomes happen.

In addition to legislative protections, I believe that it is also important to raise the issues of enforcement, digital exclusion, and Apple/Google's rules for their Exposure Notification Framework in relation to making QR code scanning / signing-in mandatory for high-risk venues. I will not delve into these issues in this letter but encourage the policymakers forming the advice for you to consider these.

While usage of NZ COVID Tracer to scan QR codes has been woefully low in recent months, I believe that legislative protections for digital contact tracing data must be implemented as part of any set of interventions to increase adoption and usage of this tool. I thank you for your time in reading this letter, and would appreciate a response about the plans for this issue. I would be happy to engage in further discussion on this topic.

Ngā mihi nui,
Dr. Andrew Chen
Research Fellow
Koi Tū: The Centre for Informed Futures
The University of Auckland

No comments:

Post a Comment