Experts have called for a data protection requirement to sit alongside the Government’s forthcoming mandatory scanning and sign-in policy, Marc Daalder reports
While digital contact tracing tools can speed up the response to an outbreak, they also create a new reservoir of travel and location data that could be misused.
In Singapore and Australia, police have had access to digital contact tracing data for law enforcement purposes. In one case in Queensland, for example, police investigating the theft of a police pistol and taser got a warrant for the QR scanning data from people who had been in the area.
While the decentralised design of New Zealand’s Covid-19 tracing app, which stores all location and proximity data only on the user’s device, makes it harder for the data to be misused, it’s still possible. And the new requirement to either scan in at most locations or manually sign in with pen and paper highlights the need for additional protections of that data, experts say.
“In Singapore and in some Australian states, trust and confidence in digital contact tracing were significantly impacted when it was revealed that police had accessed the data for law enforcement purposes,” Andrew Chen, an expert on digital contact tracing and research fellow at Koi Tū – the Centre for Informed Futures, said.
“While New Zealand Police have stated that they ‘have not, and will not’ use NZ Covid Tracer data for law enforcement purposes, legislation to create stronger penalties for misuse would further assure New Zealanders that participation is safe. Such legislation would also protect against employers or businesses misusing that data as well.”
“We’ve made that recommendation last year, so that’s very much our position,” Privacy Commissioner John Edwards agreed.
However, the Covid-19 Response Minister Chris Hipkins indicated a legislative change was not on the cards.
“In terms of the legislative change around whether we would prevent that information being used for other purposes, having considered a legislative change at this point, we have been clear that we would not envisage it being used for any other purpose than contact tracing. That is the purpose for which it is collected. We would not envisage it being used for any other purpose,” he said.
Is that assurance enough?
“I think it isn’t,” Edwards said.
Rick Shera, a partner at law firm Lowndes Jordan and an expert on digital privacy law, said that the revamped Privacy Act might cover a lot of the potential misuse of contact tracing data. However, he still thought an additional data protection requirement would be helpful, particularly to ward off misuse by law enforcement or other government agencies.
“I think it’s useful. I don’t think, necessarily, that the Government will abuse the collection of the information,” he said.
“It’s a fairly long bow, I think, to suggest that this would be high-risk. Nonetheless, because there is enough angst about privacy in terms of collection of information by government organisations, I think anything we can do to make that more robust and to be able to provide people with reassurance that it won’t be used for any ulterior purpose is appropriate.”
Chen pointed out that in Singapore and in some Australian states, government guarantees that the data would only be used for tracing had later been breached. In Queensland, after the stolen pistol investigation, the police service had to create a new policy directing officers not to seek a warrant for contact tracing data outside of “extraordinary circumstances”. In Western Australia, when police refused to rule out the use of data for investigations, the state legislature had to pass a law preventing them from doing so.
Police misuse would come in the form of a warrant to access someone’s phone.
“We’re not worried about someone remotely hacking your phone, because that’s unlikely,” Chen said.
Shera suggested the case law on what sort of information police might have access to on a phone is not quite settled. It would probably also depend on the specifics of the warrant, he said.
This could also go past police misuse, Chen said.
“Broader than that also is tax implications, like IRD. You wouldn’t want a tradie who was doing cash jobs on the side to not use the app. Similarly, MSD are quite punitive of people who they think are in a relationship. You don’t want people to not use the app because they’re worried about the Government,” he said.
A data protection could also ensure businesses don’t misuse the data provided via manually signing in, such as for marketing purposes. Employers who might demand to know an employee’s whereabouts could also be prevented from seeking to access contact tracing data on someone’s phone. This sort of situation is covered by a federal Australian data protection law introduced for the country’s national Covid-19 app.
In the end, it all comes down to the point Shera made. The Government is mandating scanning and signing in because the voluntary approach has failed to increase app usage. A simple data protection measure could only further reassure the skeptical that their information will be kept safe and invite them to participate in contact tracing, Chen said.
