Dear Diary – a COVID-19 contact tracing update
20 May 2020
To assist with the move to alert level 2 and beyond, the Government has released a "digital diary" app to help users keep a log of their movements, such as between cafes and restaurants. The app is designed to supplement existing contact tracing efforts and does not replace the need for businesses to have their own contact tracing registers. Importantly, use of the app is voluntary.
How does it work?
The app works by allowing users to record their movements by scanning COVID-19 QR codes on posters in, for example, cafes. Each user is required to disclose contact details in order to register for the app so that the National Close Contact Service (NCCS) can contact users that are identified as a close contact of someone who has COVID-19. This data is only to be used for "public health purposes" and will not be shared with any agencies outside of the health sector.
When a user scans a COVID-19 QR code, the app will collect a global location number, location name, physical address of the location, and the date and time the scan occurred. This data is stored on the phone, is only to be shared by the user at its discretion, and then is automatically deleted after 31 days. If a user chooses to disclose additional data (eg to the NCCS if they become unwell with COVID-19), then that data will only be used by agencies directly supporting the COVID-19 public health response. It will not, for example, be used for law enforcement purposes.
An update to the app is expected next month to allow users to electronically transmit their digital diary to the NCCS, to receive notifications if they have visited high risk locations and self-report COVID-19 symptoms. We understand that additional Privacy Impact Assessments will be undertaken before any such release.
While we're no epidemiologists, it seems obvious to us that for a contact tracing app to be really successful, it will need widespread public buy-in.
From the time such an app was first suggested, some commentators have voiced concerns about the collection and use of personal information. In our view, the public are unlikely to support and use a contact tracing app that does not have a privacy-first approach to personal information.
It appears that Government has listened to these concerns, involved the Privacy Commissioner's Office and developed an app that does indeed take a privacy-first approach. The app is entirely voluntary and collects limited personal information. In addition, the app favours a decentralized approach so that the user has control over any location information that the user chooses to record (which may be more sensitive). By limiting the scope of data that is pooled in a centralized system, there is also lower risk of scope creep (ie it will be more difficult for the data to start being used for some other purpose later on down the line).
Of course, for the app to be effective, it also needs to work. Some contract tracing apps developed around the world have had functionality issues. For example, in Australia, some phones have had issues recording data accurately unless the phone is unlocked and the app open. Such issues may impact on the usefulness of the app and the data it collects. We’re hopeful that the developers of the New Zealand app have learned from the experiences of their overseas counterparts (despite the quick timeframe they’ve had to develop the app) to ensure that the functionality of the app will maximise its public health benefits to New Zealand.