COVID-19 Privacy in a Pandemic


Tania Goatley, Laura Littlewood and Kristin Wilson of Bell Gully and reproduced with permission


The information in this article was current as at the date of publication of 9 April, 2020, however some changes have taken place subsequent to publication. To see the most recent developments please check here.  

​​In an emergency like the COVID-19 pandemic, the tension between the maintenance of personal privacy and the good of the collective can come to a head. Information can be key to ensuring issues are properly addressed, however it is important to ensure that individual privacy rights are respected.

The Privacy Commission has released useful guidance as to the privacy issues that arise in the context of the COVID-19 pandemic. This article provides an overview of the legal position in New Zealand, and a summary of the guidance issued to date by the Privacy Commission.

State of Emergency

As a state of emergency has been declared, the operation of the Civil Defence National Emergencies (Information Sharing) Code 2013 (Civil Defence Code) has been triggered. This Code gives agencies the authority to collect, use, or disclose personal information for purposes directly related to the current emergency, for the duration of time that the state of emergency is in force.

Agencies can collect, use or disclose personal information where they reasonably believe all of the following criteria are met:

  • the individual concerned must be involved in the national emergency (this is likely to be satisfied, as all of New Zealand is involved in the current crisis),
  • the collection, use or disclosure is for a purpose that directly relates to the government or local government management of response to, and recovery from, the state of national emergency caused by the COVID-19 pandemic, and
  • in the case of a disclosure, the personal information is disclosed to one of the following agencies:
  • a public sector agency,
  • an agency that is, or is likely to be, involved in managing or assisting in the management of the emergency, or
  • an agency directly involved in providing repatriation, health, financial or other humanitarian assistance services to individuals involved in the emergency.

This means that an individual's consent is not necessarily required in order to collect, use or disclose information, and the Civil Defence Code can be used as a legal authority for such actions, subject to the criteria above. As an example, employers can now disclose employee information to the Ministry of Social Development to access the government wage subsidy, without obtaining prior authorisation from employees.

Where prior individual authorisation has not been sought, the Privacy Commission encourages agencies to follow up with individuals and notify them about the use of their information as soon as it is reasonably practical to do so.

Contact Tracing

The Police have recently set up a contact and trace system for returning travellers, which involved travellers being sent text messages directing them to a website where they could opt-in to the tracing scheme. When the system was first established there was some confusion as to what people were agreeing to, how pervasive the tracing would be, and whether this had an end date.

The Police tracing website is being redeveloped so that it is clear this is a New Zealand Government website. It is also being made more secure, as the initial version of the website gave rise to concerns that it was not secure enough, and the data of people using the service could be stolen. A privacy impact assessment is also being carried out on the Police's use of contact tracing technology.

Access

Individuals can still request access to their personal information during the lockdown period, and agencies will have to respond to those requests in accordance with the Privacy Act 1993. In particular, the Privacy Commission has advised that the 20 working day period in which a response to the request must be given continues to apply. An agency can request an extension to this period if the volume of information requested is such that a response cannot be given within the timeframe, or the necessary consultations cannot be completed within 20 working days.

The Commission notes that while agencies must advise if they intend to grant or refuse the request within the 20 working day period, requesters may not actually receive their information within this time. Requesters are advised to let agencies know if there is a particular day by which they need the information.

For simple requests, an agency may be able to advise that it will grant the request (that is, notify the requester that the information will be provided to them), even if the information is not actually provided until the agency's workplace reopens. If the information is not readily retrievable due to the lockdown, this will be a basis to refuse the request. The Privacy Commission has advised that agencies should log requests that are refused for this reason, and review these requests once the lockdown is lifted.

The Privacy Commission has emphasised that communication is key, including recommending that agencies explain to requesters any difficulty the agency may have in responding to a request or providing the information. The Privacy Commission has advised that if an agency has genuinely been prevented from meeting its obligations by COVID-19 measures, the Commission is unlikely to facilitate financial settlements or refer complaints to the Director of Human Rights Proceedings.

Collection of Information

The principles on collection of information continue to apply. The Privacy Commission has however issued specific guidance confirming that if a tenant claims to be struggling to pay rent and requests rent relief, the landlord can request proof of hardship (for example a letter from the tenant's employer showing reduced hours, or proof of reduced income).

Disclosure of Information

Under the Privacy Act, agencies are permitted to disclose personal information where they believe on reasonable grounds that this is necessary to prevent or lessen a serious threat to public health. This includes (for example) telecommunications companies disclosing location data to the government or police, or employers disclosing information about potential contagion to employees.

Before an agency discloses information, it needs to carefully consider whether such a disclosure is truly necessary to prevent or lessen the threat to public health. If an employee is already in self-isolation and is unsure if they have the virus, then it is unlikely to be necessary to inform other employees of this fact, unless those other employees may have been exposed. If there is a risk that other employees have been exposed to the virus, the employer should consider whether it is necessary to identify the individual who may be the source of the exposure (it is preferable not to do so, if this is practicable).

The Privacy Commission has confirmed that individuals are able to report to the Police or Ministry of Health that someone else is not complying with lockdown conditions or is not self-isolating when they should be.

Some issues with improper disclosure have already occurred. The Ministry of Health issued an apology last week for publishing the details of two clusters on its website in a way that was likely to publicly identify people who had contracted the virus. There were concerns that the public registry of businesses that had received wage subsidies could breach the privacy rights of sole traders or very small businesses. It will be important that everyone, especially government agencies, consider possible privacy implications when information is published about individuals.

Use of Information

The Privacy Commission has issued a warning to hospitality establishments that they cannot use guest registers that have been compiled for the purposes of contact tracking for any other purpose (for example, marketing). These registers of contact information must be kept safe and secure, and must be destroyed after four weeks. If an event organiser or hospitality establishment believes there may have been exposure to someone with COVID-19, they should report this to the authorities and provide the relevant contact list.

Agencies such as pharmacies can use patient contact details to give COVID-19 health advice, if they believe the patient may be at risk and the use of the information is necessary in order to prevent or lessen a serious threat to public health, or an individual's life or health. Pharmacies should not however use this as an opportunity to market products or services that are unrelated to the emergency.

General Guidance

The principles that underpin New Zealand's privacy laws continue to apply through this crisis. It will be particularly important that agencies openly communicate with individuals about how their information is collected, used, and disclosed. Where an exception, or the Civil Defence Code, is relied upon, it will be vital that agencies carefully consider what they can and cannot do, that they are transparent with their actions and decision-making, and that the use and disclosure of information is limited to a tightly defined scope.

Disclaimer

This publication is necessarily brief and general in nature. You should seek professional advice before taking any action in relation to the matters dealt with in this publication.