Privacy on the Podium, Particularly in a Pandemic

NZ officials declared a state of emergency in Parliament on Wednesday, leaning on the Epidemic Preparedness Act 2006 (EPA) to issue a Notice on Covid-19. The effect is to provide certain authorities with extensive powers to be used “when necessary” in order to combat Covid-19.[1] This gives rise to pertinent questions on the applicability of privacy and data protection principles, and the surge of technology providers alleging their solutions will help.

Executive Powers

Governments need to be able to act swiftly in emergencies, and albeit not often, we have seen this play out before in NZ. The last case related to the Canterbury earthquake in 2011 - the first declaration made under the Civil Defence Emergency Management Act 2002 (CDEM).  The Canterbury Earthquake Response and Recovery Act 2010 (CERRA) was passed under extreme urgency, providing far-reaching powers to authorities. The provision of extraordinary powers naturally imports risks of equal measure. CERRA later received criticism about the breadth of the power granted, with prominent legal academics calling it a “dangerous precedent”. The danger typically arises from a poorly framed general power to regulate, with weak checks and balances.

The EPA was introduced during the Bird Flu panic, when the country was preparing for the arrival of the serious virus. It is drafted to permit the declaration of the "epidemic notice" we have now seen issued in relation to Covid-19. This enables Ministers to change Acts of Parliament by Orders in Council. So far this sounds similar to CERRA, but in fact the checks and balances are in fact much stronger in the EPA.[2] This might be because, unlike CERRA which was rushed through in the middle of an extraordinary situation, the EPA was drafted in preparation for something yet to come. This includes providing the Minister of Health the ability to change any legislation it administers.[3] The Ministry of Health followed the Notice with an Order allowing the use of special powers by Medical Officers of Health for the purposes of preventing the outbreak and spread of COVID-19, already provided under the Health Act.[4]

Data Privacy and Protection

Technology, as is now always the case, is both a tool and a risk in an emergency like this. People panic, feel all kinds of pressure, and it can be challenging in such an environment to apply a novel situation to existing norms and regulations. Data collection, use, and sharing can undoubtedly help to combat Covid-19. It hasn’t taken long for companies around the world to weigh in on how their tech is the solution, with even the World Economic Forum opining that that “personal data could play a role in identifying trends and raising recommendations” for solutions to Covid-19. It is at times like these we should be extra cognisant of our principles around privacy and data protection. They are a lens through which to view our behaviour, and this is why we, and others globally, have fought so hard to enshrine them in regulation. This shouldn’t change, especially shouldn’t change, in a crises that involves the sensitive personal data of numerous individuals.

In New Zealand, both the public and private sector are subject to the Privacy Act 1993 (PA), which outlines 12 core information privacy principles (IPPs). The purpose of the PA is to promote and protect individual privacy in relation to “personal information”. The definition of personal information is broad and encompasses health information such as test result.[5] This gives rise to a common and often challenging balancing act in the privacy world, particularly around the appropriate bounds of information collection, use and disclosure. Our privacy principles provide a framework for this balancing of the public interest against an individual rights to privacy and protection.

The PA does not give any entity the overriding ability to share personal information (which includes health information) as of right. In the ordinary manner of things, agencies comply with the IPPs, which for example would mean an entity sharing personal information will need to:

• Advise the individual that their information may be disclosed (IPP 3).
• Obtain informed consent to the proposed sharing (IPP 11), which the individual must be able to meaningfully refuse.
• Confirm with the entity receiving the information that it will only be used for the sole purpose for which it was collected (IPP 10).  

Both globally and in New Zealand, there are exceptions to the IPPs, which enable the Government to respond pragmatically in a crisis if necessary to protect public safety. For example, the PA permits the use or disclosure of personal information where the use or disclosure is necessary in order to prevent or lessen the risk of a serious threat to someone’s safety, wellbeing or health. This is consistent and extended in the Health Information Privacy Code (HIC)[6] where following the ordinary use and disclosure rules this would:

1. prejudice the interests of the individual concerned; or
2. that compliance is not reasonably practicable in the circumstances of the particular case;
3. that the use of the information for that other purpose is necessary to prevent or lessen a serious [...] threat to:

• public health or public safety; or
• the life or health of the individual concerned or another individual.

These exceptions clearly could apply in certain situations related to an individual’s Covid-19 related health information. The CDC also provides a broader scope for information sharing if the Government has declared a national emergency, whereby information can be shared for a permitted purpose. A permitted purpose is broad - one that directly relates to the government or local government management of response to, and recovery from, an emergency in relation to which a state of national emergency exists.

It’s not a given that all of these exceptions will apply in every situation - but it is a possibility. The regulations reflect that, whilst privacy is a fundamental right (recognised in international human rights law) it is not unqualified. Exceptions exist for situations where it is deemed “necessary” – and these potentially could be relied upon in combatting Covid-19. We must keep in mind that the exceptions don’t arbitrarily push best practice principles out the window. It is possible and important to appropriately uphold best practice principles like data minimisation, the right to be forgotten, transparency, storage limitation, and confidentiality in an emergency.[7]

Technology – and the Risks

Governments both locally and globally are bringing in a range of technologies solutions to assist in combatting the virus. As has already been pointed out, not all of them have the  best reputation for upholding our privacy. And it’s not just global tech giants that getting involved. Many other companies are touting new technologies (many of which are involve tracking and surveillance) as the “solution” to Covid-19, despite little oversight as to how the data they collect will be used now, or in the future.

There are several concerns here. One is around the more nefarious data use and collection scenarios (that are all too common) where personal data is collected by technology solution providers. Data is often used in a way that the individual is unaware of (but may have “consented” to in some form or another), probably uncomfortable with, and might not uphold any of the principles covered above. The data likely gets stored offshore, meaning no luck under the Privacy Act if you ever do find out about it (directly or indirectly). Helpfully, the long overdue (though still lacking teeth) Privacy Bill, does aim to strengthen cross-border data flow protection.[8]

In times where people are desperate (for example to use an online tool to check their symptoms etc), there is often an imbalance of power and lack of education between these providers and the individuals providing their personal data. Individuals simply have no way to tell how the data is used (now or in years to come), whether the data is encrypted, and where it really goes. The fact is, the crisis doesn’t eliminate that certain companies stand to gain here, particularly when it involves your data.

Trust Framework

The pandemic highlights a glaring need to accelerate the Cabinet mandated efforts of the Department of Internal Affairs in creating a Digital Identity Trust Framework for New Zealand. This will outline rules and standards that entities must adhere to when dealing with personal and non-personal data, and create an accreditation scheme (and hopefully a trust mark) so that individuals (and other organisations) have a simple way to know who they can trust – regardless of their depth of knowledge on the nuances of privacy or data protection. It is critical for individuals to have this transparency, and safeguards now, as this situation makes evident.

Summary

The privacy community is left in a rather undesirable situation in times of crisis. It can be tempting for those not familiar with the space to avoid confronting issues of privacy and data protection, when more pressing, life endangering matters are at hand.

But just because an action is legal, does not mean it is necessary, nor that it would be ethical in every situation. We must reflect on why we have privacy principles in the first place. They are a lens through which to view our behaviour – and this shouldn’t change – especially shouldn’t change, when Governments are under intense pressure and resource are strained. When it comes to our personal data, the long term effects are rarely predictable. NZ has the opportunity to lead by example in this global crisis – this is an opportunity to show that together we can combat an emergency without curtailing a backdrop of principles that serve to protect us.

[1] The Notice activates legislative provisions in the Health Act 1956, Civil Defence Emergency Management Act 2002, the Social Security Act 2018 and the Immigration Act 2009.

[2] It is also worth noting that NZ has a Regulatory Review Committee which acts on the Parliament's behalf to ensure that the delegated law-making powers are being used appropriately. It examines all regulations, investigates complaints about regulations, and examines proposed regulation-making powers in bills for consistency with good legislative practice.

[3] Provided that the Ministry's chief executive says in writing that the change is necessary to combat the epidemic.

[4] Section 70 of the Health Act 1956.

[5] Personal information includes any piece of information that relates to a living, identifiable human being.

[6] The Privacy Act 1993 gives the Privacy Commissioner the power to issue codes of practice that become part of the law. These codes may modify the operation of the Act for specific industries, agencies, activities or types of personal information. There are currently six codes.

[7] These principles are not expressly mentioned in the PA however can be read into other principles (For example, to comply with the requirement that personal information may only be held for so long as is necessary for a lawful purpose). GDPR remains a gold standard.

 [8] The Privacy Bill is currently sitting with the Committee of the whole house; the third reading is set for 2020.