Pressure is mounting for the Government to prevent scanning and sign-in data from being misused by government departments or private businesses, Marc Daalder reports

Although Chris Hipkins once said contact tracing data was not sufficiently protected under the law, he now says his assurances should be enough and no further regulation is needed.

The Covid-19 Response Minister was sent an open letter on Thursday morning signed by dozens of experts and academics, including notable Covid-19 advisors like Michael Baker, Siouxsie Wiles and Shaun Hendy. The letter said the data protections in the legal order mandating record-keeping at most venues – either through scanning QR codes with the NZ COVID Tracer app or manually signing in – were insufficient to prevent that information being misused by government departments or businesses.

Two political parties have now also joined the call for greater protections, with ACT Party leader David Seymour and Greens MP Golriz Ghahraman both saying the lack of protections could undermine trust in the Covid-19 response and reduce compliance with the public health measures.

But when questioned about the letter on Thursday, Hipkins said his word should be good enough.

“I can provide an absolute reassurance that we don’t use any of the information obtained through our Covid-19 contact tracing, vaccination and testing programmes for any purpose other than responding to Covid-19,” he told Newsroom.

The open letter anticipated that response and said it didn’t cut the mustard.

“The assurances that have been provided by yourself and other government officials are insufficient to prevent misuse. We have seen reports this year from Singapore and various states in Australia that contact tracing data has been used for law enforcement purposes, despite previous assurances,” the letter, authored by digital contact tracing expert Andrew Chen, stated.

Misuse could come from a range of sources. Police, for example, could access someone’s cell phone or look at a manual sign-in sheet. The Ministry of Social Development, which has strict rules governing the types of relationships beneficiaries can have, could want the data to ensure its policies are being followed. Businesses could also take contact information from sign-in sheets for marketing purposes.

The reply from Hipkins represents a u-turn from his previous position, expressed in a February letter to Chen. At that stage, Hipkins said he thought there was a low risk the data might be misused, but then conceded, "I recognise that existing protections are not complete".

"I have asked the ministry to provide me with advice on legislative changes that could be made, taking into account submissions by you and the Privacy Commissioner," Hipkins wrote.

On Thursday, he said the issue was "not something that we have yet considered" and that he "wouldn't rule out" legislating against misuse. But, he then said, "We've already made it very clear that we would not use that information for anything other than the purpose for which it was collected."

His response on Thursday wasn't quite in line with comments from the Prime Minister, who said a prohibition on using the data for anything other than contact tracing was "already the case, I would have thought".

The order doesn't place any restriction on the use of the data, other than that it be held for 60 days and then deleted. The privacy-centred design of the NZ COVID Tracer app does make it more difficult to misuse, but the open letter said there were still risks. More widespread use of pen-and-paper sign-in methods under the mandatory record-keeping requirements was also expected, and this would create other risks.

Hipkins' response also didn't address the issue of private sector misuse. Last year, manual sign-in sheets resulted in stalking and information being used for marketing purposes.

"We cannot rely on government assurances that there will be no private sector misuse of the data," the open letter said.

"I think people can quite reasonably say, 'I want to help battle Covid, but I'm not going to give some company my data that they can, as far as the law is concerned, use for any purpose they like,'" Seymour agreed.

"We already have enough people concerned that contact tracing is an invasion of privacy. It's essential that the law differentiates the two.

"People talk about China and their social credit system and all of the terrible things that the CCP is getting up to. The great protection that we have against that is the rule of law and really clear protections for people's rights, which in China they don't have. We need to use those tools because they're the difference between us and those guys."

Ghahraman told Newsroom she was concerned the lack of protections would undermine compliance, particularly from beneficiaries or immigrants who might be worried that agencies like the Ministry of Social Development or Immigration New Zealand might misuse their data.

"I don't think it's outside of the realm of possibility that this data will be misused by the government and by private entities, ultimately," she said.

"That fear is very valid."

Marc Daalder is a senior political reporter based in Wellington who covers climate change, health, energy and violent extremism. Twitter/Bluesky: @marcdaalder

Leave a comment