Monday 13 September 2021

Minister's Response to Open Letter for Contact Tracing Record Protections

Earlier this month, we wrote an open letter to Minister Chris Hipkins calling urgently for legislative protections for contact tracing records, particularly in light of the introduction of mandatory recordkeeping. You can read the response from the Minister in original PDF format here, but I have extracted the text out for accessibility:

Dear Andrew,

Thank you for your email of 2 September 2021. We appreciate the engagement you and the other signatories have exhibited in raising issues that concern you related to actions taken to assist with contact tracing as part of the public health response to the COVID-19 pandemic.

As you know, mandatory record-keeping has been introduced requiring that, from 7 September 2021, the person in control of a workplace of a business or service must have systems and processes in place to ensure, so far as reasonably practicable, each person aged 12 years or older who enters the workplace either scans the QR code for the workplace or otherwise makes their own contact record (Electronic Records); or provides a contact record that the person in control of the workplace collects (Other Records).

In our previous correspondence we have covered that Electronic Records are kept on a person’s own device, and it is only upon the request of a contact tracer that information may be transferred to the Ministry of Health as authorised by the Health Act and used in the management of Covid-19. Other Records may only be used for the same limited purpose and are required to be stored by the business or service provider and after 60 days deleted, unless transferred to a contact tracer.

The Government considers that the wording used in the Alert Level Orders, together with the relevant provisions in the Health Act 1956, provides that information collected in contact tracing records (whether in electronic or hard copy form) are to be used and disclosed solely for the purposes authorised by relevant legislation, including for contact tracing purposes and the “effective management” of COVID-19.

A range of general law powers and remedies are available under New Zealand to prevent the use of information collected in contact tracing records from improper use by businesses and government agencies (even if a warrant had initially been obtained) for purposes broader than is specifically authorised in the Orders and Health Act. For example, the Courts have established processes to ensure that only data and information that is relevant and lawfully obtained may be used in law enforcement investigations. Individuals affected by any misuse of information may have access to the processes provided for by the Privacy Act 2020, the New Zealand Bill of Rights Act 1990, and the Judicial Review Procedure Act 2016.

Continuous improvement of New Zealand’s legal framework is important and necessary. The Government remains interested in what other countries have done, particularly where the use of technology in their systems is more developed than ours. That seems to be particularly important given the global nature of the pandemic, the desirability of operating as consistently as possible with best practice and meeting our international obligations, as we work towards reopening our borders. Other countries’ responses reflect their particular circumstances and culture. Their legal frameworks are not the same as ours and a similar approach may not be necessary or considered appropriate here.

There are significant differences between New Zealand’s and Australia’s constitutional and legal frameworks. It is critical that our legal framework, as it applies to technology, and the rights and interests we have developed, remains fit for purpose in the COVID world. That is important not only for the current contact tracing purposes, but also because we are increasingly likely to want to rely on solutions provided by technology to ensure that contact tracing can be carried out and the information transferred faster and more effectively (both within New Zealand and eventually overseas, as appropriate, when borders open up) without that being any more onerous than required for individuals, businesses and organisations, and government agencies.

The Government has signalled the importance it attaches to removing barriers to people feeling confident to use the COVID Tracer App to store sensitive personal information about themselves and their daily activities so that can be used to speed contact tracing. That is evident in the privacy-by-design approach that has been taken to the architecture of the App, and the way in which relevant data is collected, stored, and deleted.

It might be that there could be additional benefit in providing legislative provisions in a more clear, transparent and easily accessible form. I will raise this with officials for further consideration.

I have asked officials from the Department of the Prime Minister and Cabinet to meet with you and a select number of other authors of this letter to discuss these matter further. I look forward to hearing the result of these discussions.

Yours sincerely,
Chris Hipkins
Minister for COVID-19 Response

Saturday 4 September 2021

NZ is introducing mandatory record keeping to help contact tracers. But is the data protected enough?

This article was originally published on The Conversation on 3 September 2021. Protections for the record-keeping data have been subsequently introduced in legislation:

From 11:59pm on Tuesday September 7, every person in Aotearoa New Zealand over the age of 12 will be required to keep a record of their whereabouts, either by scanning QR codes or signing paper registers many businesses and event organisers will have to provide.

Mandatory record-keeping is part of an effort to strengthen contact tracing, in response to low numbers of people who were scanning or signing in before the current Delta outbreak and lockdown.

The new rules will lead to significantly more data being collected. The government has reassured the public that any data collected for contact tracing would only be used for that specific purpose, but there are concerns other government agencies could ask for such information for law-enforcement purposes.

I have been calling for strong privacy protections, enshrined in law, since January, when Singaporean police accessed contact tracing data for criminal investigations.

In an open letter to COVID-19 response minister Chris Hipkins, signed by more than 100 academics and civil society organisations, we argue the public health response order that implements the new rules does not provide sufficient privacy protection.

Particular concerns about the potential use of contact-tracing data for other purposes include:
  • by police and government agencies with enforcement powers for investigatory or enforcement purposes
  • by private sector agencies for marketing purposes
  • by employers for purposes other than health and safety
  • and by individuals coercively against others.
The role of protections for contact tracing records
Penalties under New Zealand’s privacy laws are relatively low (up to NZ$10,000) in comparison with Australian laws that protect contact-tracing data (up to A$250,000 or five years’ imprisonment).

Better protection of contact-tracing data should be a relatively simple to introduce, and we have Australian law from which to draw inspiration. This would improve people’s confidence that their contact-tracing records will only ever be used for this purpose, and will help increase participation.

Before New Zealand’s current lockdown, participation in record-keeping was likely too low. We don’t know how many people were keeping pen-and-paper diaries, but only 10-15% of New Zealand adults were scanning QR codes or making manual entries in the NZ COVID Tracer on a regular basis.

Detailed record-keeping is important for contact tracers to figure out where and when people may have been exposed to an infectious person and to draw up a list of locations of interest as quickly as possible.

It is hard to remember exactly where you’ve been during the 14 days before a positive COVID-19 test. But it might make the difference between contact tracers being able to identify locations of interest and the virus continuing to spread in the community.
What it means for businesses

The list of businesses to which the new requirement applies is long and listed specifically under schedules 2 and 3 of the public health response order).

The onus to scan in won’t be on customers but on business owners. Supermarkets, dairies, hardware stores, food banks and petrol stations are exempt, but the new rules allow people to keep a record in their own diary, so they don’t have to use QR codes or any pen-and-paper option provided by a business.

We need most adults to participate in record keeping to have a significant impact on the spread of new variants, like Delta.

As New Zealand prepares to move down alert levels, more businesses will be allowed to operate. Businesses for which the mandatory record-keeping rule applies will be given seven days after an alert level change to comply. In a practical sense, this means two main things:
  1. Businesses will need to provide a pen-and-paper system for individuals to record their visit. I recommend a “ballot box” to help protect privacy (rather than a sheet of paper anyone can read). A template is available. These records need to be kept for 60 days (preferably sorted by date), but then have to be disposed of. They shouldn’t be used for any other purpose, or shared with anyone other than a public health official.
  2. Businesses must ensure customers are either scanning the QR code (which is mandatory to display) or otherwise recording their visit. Staff should also be scanning in too, so they can check whether the systems work properly.
A new simplified QR code poster design is available from the Ministry of Health.

Enforcing mandatory record keeping
It is up to businesses to decide their policy for dealing with people who refuse to record their visit. Strictly speaking, the order requires that a record be made, and there are fines of up to $1,000 for non-compliance.

But in reality, it is likely these fines will only be applied against businesses that repeatedly and flagrantly refuse to comply with the requirements.

Businesses trying to do the right thing will need to decide whether or not to serve individuals who refuse to make a record. Businesses can refuse service as they are simply upholding the law, and can call the police if someone is being particularly difficult.

In my opinion, staff should not have to put up with poorly behaved customers or put themselves in danger. The approach should be the same as with other health and safety regulations, such as not serving alcohol to intoxicated patrons.

Even without further legislation to protect the privacy of contact-tracing data, the benefits of everyone maintaining good record-keeping far outweigh the potential costs. Good records could make the difference between containing an outbreak and the whole country having to go into lockdown. It’s a relatively cheap and simple insurance to keep our communities safe.

Thursday 2 September 2021

An Open Letter Calling for Legislative Protections for Contact Tracing Records

This letter follows-up from my original letter in January 2021, the response from the Minister in February 2021, and my follow-up letter from July 2021. It comes after the Minister announced a policy of mandatory recordkeeping on 22 August 2021, which was implemented in the Public Health Response Order found here. It is relevant to note that Police have given assurances that they have not and will not use this data, but this letter covers scenarios broader than just Police, and even then it is better to have strong legislation than to rely on assurances.

Dear Hon Chris Hipkins,
CC Dr Ashley Bloomfield, Shayne Hunter, John Edwards

Firstly, thank you for your leadership through this current Delta outbreak. We all appreciate the work of you and your teams in helping to keep all people in Aotearoa New Zealand as safe as possible. This letter comes from a group of individuals including academics and those representing civil society organisations. The views in this letter are our own and may not reflect those of our employers.

This letter follows previous letters from Dr Andrew Chen on 05 January and 02 July 2021 about legislative protections for data collected for contact tracing purposes. On 22 August, a policy of mandatory recordkeeping was announced, and this was implemented through the COVID-19 Public Health Response (Alert level Requirements) Order (No 10) 2021 (the ‘Order’).

The recordkeeping requirement includes not only the use of the NZ COVID Tracer app to scan QR codes, but also manual recordkeeping in workplaces as well as those who choose to use personal apps and diaries to record their movements. A requirement on individuals to record this data at all alert levels in certain venues will lead to a significant increase in the amount of data being collected by individuals and businesses.

In your response to Dr Andrew Chen on 05 February 2021, you noted that “I recognise that existing protections are not complete” and that “the Government supports ensuring there are protections for all apps and digital tools used for contact tracing.”

Based on discussions with officials from the Ministry of Health and the Department of Prime Minister and Cabinet, we expected the Order to include clear protections against misuse of the data that is collected under the mandatory recordkeeping policy. The only protection offered in the Order is in s11(2), which requires contact records collected for the sole purpose of enabling contact tracing to be held for 60 days and then disposed of.

In our opinion, the protections provided in the Order are insufficient to protect the rights of people in Aotearoa New Zealand. There are a number of concerns that have been raised in previous letters and in the media, including:

- The potential for Police and government agencies with enforcement powers (e.g IRD, MSD, MBIE) to use this data for investigatory or enforcement purposes.
- The potential for private sector agencies to use this data for marketing purposes.
- The potential for employers to use this data for purposes other than Health and Safety.
- The potential for individuals to use this data coercively against other individuals.

The assurances that have been provided by yourself and other government officials are insufficient to prevent misuse. We have seen reports this year from Singapore and various states in Australia that contact tracing data has been used for law enforcement purposes, despite previous assurances. While their centralised data approaches are different to how NZ COVID Tracer works, the risks still exist, particularly with pen and paper records being in more widespread use. We also note that individuals perceive risks with government agencies other than Police. For example, overstayers may be worried about Immigration NZ misusing this data. It is counter to our collective interest to discourage those individuals from participating in recordkeeping.

Importantly, these scenarios not only cover misuse by government agencies, but also misuse by private sector actors. We cannot rely on government assurances that there will be no private sector misuse of the data. Last year, we saw several cases of pen and paper records being misused by individuals to stalk others, and a number of businesses re-using data from pen and paper records for marketing purposes. We also note that the Order only places a restriction on the retention of data collected “for the sole purpose of enabling contact tracing”, which therefore excludes data that is collected for multiple purposes (e.g. a sign-in form that notes information may be used for marketing purposes).

In our opinion, the protections offered by the Order and the Privacy Act 2020 are insufficient for contact tracing records. Not only are there several exceptions offered in the Privacy Act that overlap with concerning use cases for this data, the penalties for misuse are also relatively low (not exceeding $10,000). Western Australia’s Protection of Information (Entry Registration Information Relating to COVID-19 and Other Infectious Diseases) Act 2021, which protects SafeWA data, has a maximum penalty of imprisonment for 3 years or a fine of $250,000. The Federal-level Privacy Amendment (Public Health Contact Information) Act 2020, which protects COVIDSafe data, has a maximum penalty of imprisonment for 5 years or 300 penalty units (equivalent to AUD$66,600). Both of these pieces of Australian legislation (attached) place strong restrictions against the use of contact tracing data for any other purpose, and could be adapted to the Aotearoa New Zealand context.

Contact tracing is a crucial tool in our response to COVID-19, and the collection of information to support contact tracing processes should be encouraged. The potential for misuse of that information may dissuade people from participating, and therefore could negatively impact contact tracing and our ability to respond to the current and future outbreaks. We note that a Ministry of Health research report into contact tracing technologies in October 2020 showed that a significant proportion of individuals hold “concerns about being tracked by Government/privacy issues.” It is in our collective interest to have protections that provide individuals with confidence to participate in recordkeeping. The benefits far outweigh the costs.

The signatories to this letter collectively strongly recommend that the government adopt legislation to clarify that data collected for contact tracing purposes must only be used for contact tracing purposes. This legislation should apply to data collected through any means, whether that is using NZ COVID Tracer app or any other digital or analogue means. This legislation should apply to government agencies, private sector agencies, and individuals. This legislation should set sufficiently strong penalties to disincentivise breaches.

We urge you to consider the adoption of legislative protections for recordkeeping data collected for contact tracing purposes as a matter of urgency, with parts of Aotearoa New Zealand entering Alert Level 3 and mandatory recordkeeping beginning soon.

Yours sincerely,

1. Dr Andrew Chen, Research Fellow | Koi Tū: The Centre for Informed Futures, The University of Auckland
2. Dr Dean Knight, Associate Professor | Faculty of Law, Te Herenga Waka—Victoria University of Wellington
3. Karaitiana Taiuru | Ngāi Tahu, Ngāti Kahungunu, Ngāti Toa, University of Otago
4. Dr Tara McAllister | University of Auckland
5. Dr Siouxsie Wiles, Associate Professor | University of Auckland
6. Dr Eddie Clark, Senior Lecturer | Faculty of Law, Te Herenga Waka—Victoria University of Wellington
7. Mr Graeme Edgeler, Barrister | Blackstone Chambers
8. Professor Michael Baker | University of Otago, Wellington
9. Dr Anne Bardsley | Koi Tū: The Centre for Informed Futures
10. Professor Shaun Hendy | University of Auckland
11. Ms Hiria Te Ata Te Rangi | Ngati porou me Tuwharetoa
12. Thomas Beagle, Chairperson | NZ Council for Civil Liberties
13. Dr Ethan Plaut, Lecturer in Communication | Waipapa Taumata Rau | University of Auckland
14. Karōria Johns | Ngapuhi Nui Tonu, Te Rarawa, Kihi Consultancy & CoDesign
15. Professor Tim Dare | Philosophy, Waipapa Taumata Rau, University of Auckland
16. Morgan Tupaea | Ngāti Koata, Ngāti Kuia, Ngāti Tipa, Te Aitanga a Māhaki
17. Kathryn Dalziel | Barrister
18. Mandy Henk, CEO | Tohatoha Aotearoa Commons
19. Dr Nessa Lynch, Associate Professor | Faculty of Law, Te Herenga Waka - Victoria University of Wellington
20. A/Prof. Ian Welch | School of Engineering and Computer Science, Te Herenga Waka - Victoria University of Wellington
21. Nigel Robertson | University of Waikato
22. Joy Liddicoat | Research Affiliate, University of Otago
23. Kent Newman | Co-Secretary Privacy Foundation New Zealand | PhD Student— Faculty of Law, Te Herenga Waka—Victoria University of Wellington
24. Jade Kake | Ngāpuhi, Te Arawa, Te Whakatōhea
25. Te Rangikaiwhiria Kemara | Te Aitanga O Nga Uri O Tupahau
26. Rhiannon Bertaud-Gandar | Alumna, University of Oxford
27. Paul Campbell, Software Engineer | Moonbase Otago
28. Andrew Ecclestone, Senior Associate | Institute for Governance and Policy Studies, Victoria University of Wellington
29. Professor Andrew Jull | University of Auckland
30. Dr Edward Willis, Lecturer | Faculty of Law, University of Auckland
31. Dr Matheson Russell, Associate Professor | Philosophy, University of Auckland
32. Kaye-Maree Dunn | Te Rarawa, Ngapuhi, Ngati Kahu, Ngati Mahanga, Ngai Te Rangikoianaake, Ngai Tamanuhiri
33. Dr Petra Butler,  Professor | Victoria University of Wellington
34. Ms Anjum Rahman, Co-Lead | Inclusive Aotearoa Collective Tāhono
35. Caleb Moses | Ngāpuhi, Te Mahurehure, Aitutaki
36. Dr Marcin Betkier, Lecturer | Faculty of Law, Victoria University of Wellington 
37. Mr. Carlos Cordero, Principal Consultant | Convergnce Ltd.
38. Chris Cormack, Kaihuawaere Matihiko  | Catalyst IT
39. Kate Pearce and Cordy Black, Co-Leaders | Aotearoa Tech Union
40. Professor Michael Plank | University of Canterbury
41. Dr Tatjana Buklijas, Senior Lecturer | Koi Tu: Centre for Informed Futures & Global Studies, University of Auckland
42. Professor Andrew Geddis | Faculty of Law, University of Otago
43. Dr Sarah Hendrica Bickerton, Lecturer | School of Social Sciences | Te Puna Mārama, University of Auckland | Waipapa Taumata Rau
44. Marcelo Rodriguez Ferrere, Senior Lecturer | Faculty of Law, University of Otago
45. Professor Thomas Lumley | Department of Statistics, University of Auckland
46. Professor Dave Parry, Professor of Computer Science | Auckland University of Technology
47. Dr Erika Pearson, Senior Lecturer | School of Communication, Journalism and Marketing, Massey University
48. Dr Anca Yallop | Faculty of Business, Economics and Law, Auckland University of Technology
49. Kim Connolly-Stone, Policy Director | InternetNZ
50. James Ting-Edwards, Senior Policy Advisor | InternetNZ
51. Arran Hunt, Partner | Stace Hammond
52. Tom Barraclough, Director and Researcher | Brainbox Institute / Faculty of Law, University of Otago
53. Nicola Brown, Senior Policy Advisor | InternetNZ
54. Rick Shera | @lawgeeknz
55. Melanie Johnson | Acting Chair LIANZA Standing Committee on Copyright
56. Kate O'Connor | Chair, Northern B Health and Disability Ethics Committee
57. Barbara Robson | Member, Privacy Foundation NZ and Convenor of PFNZ Health Care and Policy Working Group
58. Patricia Cunniffe MNZM MA | Privacy Foundation New Zealand
59. Daimhin Warner, Principal and Director | Simply Privacy Ltd
60. Emma Pond, Principal and Director | Simply Privacy Ltd
61. Gehan Gunasekara, Associate Professor, University of Auckland | Chair, Privacy Foundation New Zealand
62. James Cooper, PhD student | School of Computer Science, University of Auckland | Member, Privacy Foundation New Zealand
63. Gareth Abdinor, Partner | Malley & Co Solicitors
64. Monique Greene | Privacy Consulting Limited
65. Simon Lovatt | University of Waikato
66. Dr Will Koning, Chief Data Officer | Kantar
67. Dr Amanda Kvalsvig, Senior Research Fellow | University of Otago Wellington
68. Dr Felicia Low, Research Fellow | Koi Tū: The Centre for Informed Futures, University of Auckland
69. Mr. Andrew McTear Smith, Senior Consultant | The Innovation Trust
70. Associate Professor Anna Brown | Toi Āria: Design for Public Good, Massey University
71. Ms Kate Hannah, Research Fellow | University of Auckland, Te Pūnaha Matatini

In the interest of time, we are sending the letter with these signatories, but more may join over the coming days. This letter will be publicly published, and any responses will also be publicly published to allow all signatories to see the responses.

72. Dr Stephen Hill, Senior Lecturer | School of Psychology, Massey University
73. Kai Koenig, Software Engineer
74. Hayden Wilson, Chair & Partner | Dentons Kensington Swan
75. Dr Benjamin Dickson, Research Fellow | Waipapa Taumata Rau The University of Auckland
76. Prof Virginia Braun | School of Psychology, The University of Auckland
77. Laurie Fleming, Software Developer | Dæmons Ltd
78. Mark Hanna | Member, NZ Council for Civil Liberties
79. Mr Werner Schmidt Alumni | University of Auckland
80. Mr Nicholas Malcolm, Security Consultant | @nickmalcolm
81. Matt Brown
82. Dr Emily Harvey, Researcher | Market Economics
83. Sanjana Hattotuwa, PhD Candidate | National Centre for Peace and Conflict Studies, University of Otago
84. Mr Jason Danner, Managing Director | Aerorock
85. Mr Aidan Cullen, Student | University of Auckland
86. Bede Bignell
87. Tristam Sparks, Senior Lecturer | Massey University
88. Jordan Carter, Chief Executive | InternetNZ
89. Max Tweedie, Executive Director | Auckland Pride
90. Mr Grant Nicholson, Partner | Anthony Harper
91. Juha Saarinen, Technology Writer | Independent
92. Elliot Weir, Features Editor | Critic Te Arohi
93. Mrs Sue Boyde, Retired business analyst | Extinction Rebellion Te Whanganui a Tara
94. Dr Jonathan Marshall, Senior Lecturer | Massey University
95. Dr John Hopkins, Professor of Law | Te Whare Wānanga o Waitaha | University of Canterbury
96. Dr Robin Quigg, Pūkenga | University of Otago
97. Ms Isla Stewart, Computer Science | Victoria University of Wellington
98. Robyn West
99. David Hood
100. Dave Carpenter, Software Engineer | Microsoft
101. Dr Kathleen Mistry, Medical Education Fellow | University of Auckland
102. Brent Carey, Domain Name Commissioner | Domain Name Commission
103. Troy Cornwall | Software Developer
104. Lindsay Mouat, Chief Executive | Association of New Zealand Advertisers
105. Daniel Wilson, Teaching Fellow | Waipapa Taumata Rau / University of Auckland
106. Dr Heather Battles, Lecturer  | The University of Auckland
107. Dr Chris Duran, CTO | Biomatters
108. Ryan Blair, Hotel Maintenance Manager | Rotorua
109. Ivan Towlson, Principal Engineer | Microsoft New Zealand
110. Dr David Friggens, Technical Lead | Infometrics Ltd
111. Andrew Ruthven, Chief Information Security Officer | Catalyst Cloud Ltd
112. Ryan England, Scientist | ESR
113. Dave Lane, Open Source Technologist | OER Foundation
114. Adriana Milne, Team Coordinator | Catalyst IT 
115. Kris Wehipeihana, Kaiwhakamanawa | Catalyst IT
116. Mr. Neil Birrell, PhD Candidate | University of Auckland
117. Ben Bradshaw, Tech Lead | Catalyst IT
118. Kay Jones, Member | NZ Council for Civil Liberties
119. Frith Tweedie, Associate Partner  | EY Law
120. Amber Craig | he uri o Wairarapa rāua Muaūpoko
121. Ernest Schuch, IP Attorney | Advance IP
122. Andrew Sporle, Deputy-Director | Healthier Lives National Science Challenge
123. Richard Simpson, Preparedness Consultant | Simpson Consulting
124. Filip Vujičić, Operations Engineer | Catalyst IT
125. Dr Shaun Rosier | Victoria University of Wellington
126. Manfred Lange, Principal Consultant | HYPR Innovation
127. Mike Riversdale

As the Minister has now responded, we have closed the open letter to further signatories.