Source: New Zealand Privacy Commissioner – Blog
Covid-19 is often described as an unprecedented threat to public health.
While New Zealand has experienced pandemics in the past, the epidemiological characteristics of this virus, the global nature of its spread and re-spread and the connected nature of our lives domestically and internationally means controlling COVID-19 will require both ongoing vigilance and speed of response to the threat of community re-infection.
Knowing who is potentially at risk, being able to rapidly and effectively locate positive cases (and isolate them and their close contacts) has been critically important in NZ’s science-based approach to fighting the virus. This brings personal information and privacy into play.
Serious threat to public health or safety exception
Fortunately, the architects of both the 1993 and 2020 Privacy Act envisaged a scenario where the collection, use and disclosure of personal information would be needed to combat a serious threat to public health or safety.
They designed the serious threat to public health or safety (‘public health exception’) specifically for this purpose. This exception permits the collection, use and disclosure of personal information where it is necessary to prevent or lessen a serious threat to public health or public safety[1]. It is worth noting that the serious threat exception was amended in 2013 to remove the words “and imminent” at the advice of the Law Commission to make it easier for agencies to use.
While the serious threat to public health and safety exception has existed since 1993, it is unsurprisingly (and fortunately) very rarely used. People are more familiar with the parallel exception for a serious threat to the health and safety of an individual. As a consequence, agencies appear to feel uncertain about how to use the public health exception where the threat affects a community or wider section of the population.
Given this and the ongoing nature of the COVID-19 public health risk, I thought it would be useful to provide guidance on how agencies can make use of the public health exception. After all, if you cannot make use an exception designed for a serious threat to public health during a global pandemic, when could you use it?
How can agencies determine whether a public health exception is applicable?
To make use of the Privacy Act’s public health exception decision-makers within an agency need to believe, on reasonable grounds, that:
- a serious threat to public health and safety exists;
- that the collection, use or disclosure of personal information is necessary to prevent or lessen the serious threat; and
- in the case of health agencies, that it is either not desirable or not practicable to obtain authorisation from the individual concerned[2].
The key thing to remember here is that we are talking about public health. As such, a decision-maker’s “reasonable belief” regarding both the existence of a serious threat and the extent to which the use or disclosure of personal information is necessary to prevent or limit this serious threat should be on made on health grounds and based on current best practice epidemiological or clinical advice. This makes the serious threat to public health exception an ideal regulatory tool for dealing with a dynamic, evolving public health threat like Covid-19 where the “rules” need to keep adapting to meet live challenges.
The Ministry of Health has the lead role in advising the Government and New Zealand on whether a situation represents a serious threat to public health. The issuing of an epidemic notice and the ongoing advice from the Ministry of Health makes it very clear that Covid-19 represents a serious ongoing threat to public health.
The Ministry of Health is also responsible for coordinating and disseminating best practice scientific advice on what is necessary to prevent or lessen the threat of COVID-19. This by extension includes the information necessary in order to monitor and control the risk to New Zealand from the movement of people across our border, and track, trace, isolate and quarantine infection risk within New Zealand. Agencies are entitled to rely on this advice in making decisions regarding whether the collection, use and sharing of personal information is necessary to prevent or lessen the threat posed by the transmission of Covid-19.
Is information sharing about groups of individuals permitted?
Another question I am regularly asked is whether the public health exception allows for the sharing of aggregated information regarding groups of individuals. The Privacy Act differentiates between serious threats to public health and safety and individual health and safety for a reason.
Public health is, by definition, focussed on keeping the community well and on groups of people rather than individuals. This provides a basis for the collection, use and disclosure of personal information about a class of individuals that is reasonably considered to be necessary based on relevant criteria, rather than on an individualised basis. Again, the reasons for sharing aggregated data about a class of individuals (for example people seeking to enter New Zealand or people testing positive and their close contacts, or people working in at-risk situations) should be based on best-practice health advice.
Given the ongoing nature of the threat it is likely that agencies involved in pandemic management will need to continue to share information and will need to make regular assessments of the extent to which the “serious threat to public health and safety” exception still applies as they do so.
Good privacy practice still applies – maintaining trust and confidence is critical
Even where the public health exception is being relied on, good basic privacy practice remains important in order to maintain trust and confidence of the community. Like the Civil Defence National Emergencies (Information Sharing) Code 2020, the public health exception applies to the source of personal information (2), use (10) and disclosure (11) information privacy principles. The other principles, including those covering collecting only what is necessary, safe storage and security, access by individuals to their own data, and ensuring accuracy before disclosure still apply.
Maintaining trust and confidence also involves agencies being transparent about what data they’re collecting and what it will be used for. If specific data needs to be collected and then shared for the Covid-19 response, best practice would see an agency advising individuals of this at the time of collection or when an individual was signing up for or receiving a service (for example, when making a booking to come to New Zealand). This could also mean that agencies do not need to rely on the public health exception, as onward use or disclosure for Covid-19 purposes was one of the purposes of collecting the information in the first place.
Lessons from the Ministry of Health’s recent reliance on the serious threat to public health and safety exception
I recently conducted an Inquiry into the Ministry of Health’s disclosure of Covid-19 patient information to emergency services providers. The Ministry of Health relied on the public health exception to disclose this information. In undertaking this Inquiry, I was mindful of the statutory requirement for the Privacy Commissioner to have regard to the need for “government and businesses being able to achieve their objectives efficiently” (Privacy Act 2020, 21 (a) (iii)). I consider agencies may find my recommendations and findings in that Inquiry useful when considering their use of the public health exception.
First, I found the Ministry appropriately considered the basis on which it disclosed health information about Covid-19 patients to emergency services providers when relying on the serious threat to public health exception. The Ministry made a considered, risk-based assessment based on best scientific information about the nature of the virus and how it was spread, and what was known about its prevalence in the community, and determined that all emergency service providers should receive regular aggregated information regarding positive cases.
Second, I agreed with the Ministry’s judgement that the serious threat exception was not available as a basis for providing such information to Members of Parliament, or officials of territorial authorities, as sharing identifiable information was not necessary to prevent or lessen the risk of a serious threat (based on scientific evidence) and therefore did not meet the public health exception.
While supporting the Ministry’s evidence-based judgement regarding the disclosure of patient information to emergency services providers I made the following recommendations:
- Where a decision has been made to release or share information in order to prevent or lessen the serious threat to public health presented by Covid-19, the need to continue to do so should be regularly reviewed. Agencies should establish processes to ensure these reviews take place regularly and are based on best practice evidence about the virus and its management.
- It is critically important that all parties disclosing, receiving and using the information understand the basis of the information sharing and scope of their obligations in respect of the information. A memorandum of understanding can be a useful way to achieve and record this. Such documents should set clear expectations about the appropriate security and use of the information being disclosed, give clear direction on non-retention beyond clinical relevance and detail how often an review/assessment needs to be undertaken to ensure that there is still a legitimate reason for the disclosure.
When in doubt – Ask Us
The public health exception is specifically designed to provide agencies with the ability to collect, use and disclose personal information where it is necessary to safeguard the lives of New Zealanders. The principle-based nature of the exception means it is ideally suited to a dynamic, evolving situation like Covid-19. It allows agencies to make risk-based decisions on current best practice advice.
I understand that agencies are unfamiliar with the use of this exception. OPC is available to assist agencies with advice, including peer review of Memoranda of Understanding to provide a framework for disclosures of personal information that are necessary to avoid prevent or lessen a serious threat to public health or public safety.
[1] See Information Privacy Principles 10 (use) and 11 (disclosure). For the avoidance of doubt, from 1 December 2020 the exceptions for principle 2 (source of personal information) are being expanded to include collection necessary to prevent or lessen a serious threat to the life or health of the individual concerned or any other individual.
[2] Health Information Privacy Code Rule 11(2)
