Source: Privacy Commissioner
Since New Zealand moved to Covid-19 Alert Level 2 on May 13, many of us have resumed activities that were forbidden during Levels 3 and 4.
Anyone who has recently eaten out, had their hair cut or visited a gym, will have noticed that a condition of entry at such establishments is the requirement to record personal details with the business. This may occur by writing your name and phone number on a list by the door, downloading an app or using your smartphone to scan a QR code.
Under the recently passed Covid-19 Public Health Response Act 2020, all food and drink premises (excluding takeaways but including soup kitchens), businesses that have memberships (such as gyms), public facilities (such as libraries), event facilities (such as cinemas) and courts and tribunals must keep a register of customers who use their services.
Retail businesses, malls, or takeaway food outlets are not required to keep such registers.
These registers support Ministry of Health contact tracing efforts and are a critical precondition of greater social contact.
Last week, the Ministry of Health launched its contact tracing app. While it is the official Government app, there have been many private sector contributions. Developers have moved swiftly to help get New Zealand moving again, and to fill an urgent business need.
Our assessment
We carried out a stocktake of the contact tracing solutions available on the market. The idea is to help businesses understand the privacy implications of these various solutions so they can choose the right one for them, while making sure the offerings do not expose individuals’ personal information to risk.
Through the process of assessing these solutions we have been able to work with developers to improve the privacy of their solutions and we are pleased to say that all solutions listed are privacy friendly. For example, we queried whether copying identity documents, or collecting details of vehicle registration were necessary to facilitate contact tracing. We also assisted these businesses to provide more fulsome information about their security practices and ensured that they were only retaining data for the requisite 60 days. Developers reviewed their practices, agreed with us, and amended their products accordingly.
We’ve listed each contact tracing solution in a table, summarising the type of solution, who it is designed for, and how it works. We assessed:
- the information collected
- how long it is kept
- where it is stored
- whether the solution is transparent about what is collected
- whether the solution has appropriate security measures in place
- whether individuals can access the information collected, and
- whether information collected is only used for the purposes for which it was collected.
The solutions were assessed against the 12 privacy principles in the Privacy Act 1993.
One option those developers might consider is applying for public recognition of their solution through our Privacy Trust Mark scheme – Noho Matatapu. Each application is assessed on its own merits and a Privacy Trust Mark is valid for two years.
Click here to download the full table
MORE INFORMATION
Our stocktake does not provide an assessment about whether these solutions are compliant with other legal requirements – particularly under the Covid-19 Public Health Response (Alert Level 2) Order 2020.
The Office of the Privacy Commissioner has not run independent security testing or employed security experts for this evaluation.
We reached out to all the businesses included in this table to give them an opportunity to provide further information about their respective products and in some cases suggested ways to improve the products. These businesses have taken our advice in adjusting their products.
If you can’t see an app or solution you’ve been asked to use in the table, it might be because we are still working with the developer to get them to remedy deficiencies. We intend to add to this table as new apps enter the market. Have you seen one that isn’t mentioned here? Send it in!
For more information, visit our Privacy and Covid-19 page here.
0 comments
Back