New law covering vaccination and tracing data is potentially flawed

Please share this story - thanks

By Gehan Gunasekara, Dr Marcin Betkier and Kathryn Dalziel

Former Prime Minister and constitutional law expert Sir Geoffrey Palmer claimed in his 1987 book that New Zealand had “the fastest law in the west”. With no second parliamentary chamber to scrutinise legislation, and with the Labour Party’s dominance after the last election, last week provided an example.

The Covid-19 Response (Vaccinations) Legislation Act (the Act) amended the Covid-19 Public Health Response Act 2020, the Employment Relations Act 2000 and affects other laws such as the Privacy Act 2020.

With no select committee examination that would have allowed public input, the Bill was introduced on Tuesday November 23, put through all its stages the same day, and received the royal assent, turning it into law, on Thursday. At best it is somewhat rough at the edges, but at worst potentially flawed.

Laws – especially those that affect practically everyone – should be clear and comprehensible to ordinary people and not just legal experts. However, if we were to give some of the examples below to students in an exam, we would be at risk of being murdered or suffering serious bodily harm (hopefully metaphorically speaking). One such example is the protection of Covid-19 contact tracing and vaccination information.

To its credit, the Government responded to public pressure, by providing for Covid-19 contact tracing information to be off-limits for other purposes, including normal law enforcement, to encourage the honesty needed to tackle the more serious pandemic danger. The Privacy Act and Health Information Privacy Code (HIPC) were insufficient on their own to protect this contact tracing data as they contain exceptions where there is a belief on reasonable grounds that disclosure of the information is necessary for law enforcement purposes.

The Act now stipulates that “Despite anything in the Privacy Act”, contact tracing information can only be used for contact tracing, enforcement of Covid-19 orders or for the purposes of the Health Act. Likewise, with information collected or obtained for the purpose of determining whether a person is vaccinated or has complied with the Covid-19 Public Health Response Act or a Covid-19 order made under it. It may only be used for these purposes or the purposes of the Health Act.

Criminal offences are created for contravention of these protections – backed up with serious penalties, six months’ imprisonment and fines up to $12,000 – plus the ability to complain to the Privacy Commissioner. Employers, especially, need to be cognisant of these. For example, using contact tracing records for the purposes of disciplining an errant worker for absences from work would constitute an offence.

However, the Health Act exception potentially weakens the apparent protection. Section 22C of this Act, for instance, permits the disclosure of health information (this would include vaccination status and contact tracing information) in several contexts. One of these is where disclosure would be permitted by the Privacy Act or a code such as the HIPC. So, we have now come full circle.

And it doesn’t end there. Section 22 C also allows disclosures to a range of other persons. Some are understandable, for instance employees of district health boards or medical officers of prisons. Individuals themselves (or where under 16 years of age their representatives) can also authorise disclosure of their data. The list, however, includes an assortment of others including probation officers, social workers, and constables in connection with their powers, duties and functions. This leaves the back door wide open for police, for example, to use contact tracing information to prosecute someone accused of a non-Covid related offence (burglary or assault for example).

There are even larger policy concerns. It is questionable whether the security implications of supplying the vaccine passport in the form of an editable PDF were considered (would a simple JPEG have been better?). Nudging New Zealanders to use Google and Apple’s digital wallet infrastructure to store the vaccine pass (effectively supporting their monopolies/oligopoly and supplying them with personal data) is also problematic. We may shoot from the hip with our laws but are they on target?

Gehan Gunasekara, Dr Marcin Betkier and Kathryn Dalziel are from the Privacy Foundation New Zealand. Gehan Gunasekara is an associate professor in commercial law at the University of Auckland Business School and chair of the foundation.

Please share this story - thanks