Covid-19 and record-keeping rules: who’s protecting your data?

However, the move has sparked privacy concerns, with 121 academics and organisations signing an open letter to the government calling for better data protections.

Dr Andrew Chen, research fellow at the University of Auckland’s Koi Tū: The Centre for Informed Futures, penned the letter.

“We know that contact tracing is an important part of our response to Covid-19 but getting everyone to participate in it requires a lot of trust,” Dr Chen said.

“If people are worried that their data may be misused, they may be more likely to provide false details or refuse to provide details, which undermines our public health response.”

Rules require contact tracing records to be disposed of after 60 days. But Dr Chen and other signatories want tighter restrictions to prevent misuse of data.

The letter outlines possible misuses, including by:

• police and government agencies for investigations or enforcement purposes

• companies for marketing purposes

• employers for purposes other than health and safety

• individuals acting coercively against others.

Dr Chen points out there were several instances last year where personal information was taken from Covid-19 sign-in registers and misused, either for marketing purposes or stalking.

Higher penalties needed

The issues raised by Dr Chen highlight the problems with the lack of teeth in our privacy law. Maximum fines under the Privacy Act are $10,000.

Harsher penalties apply across the Tasman for privacy breaches. For example, the maximum penalty in Western Australia is three years’ imprisonment or a fine of $259, 214.

“We have been calling for the government to introduce legislation that has strong penalties for misuse of contact-tracing records,” Dr Chen said.

“This legislation doesn't need to be very complicated; it just needs to create a strong disincentive for misuse of data collected for contact-tracing purposes.”

Consumer NZ chief executive Jon Duffy agrees with Dr Chen’s concerns.

“There’s a fundamental problem with the act as it does not make it an offence to misuse a person’s personal information,” Duffy said.

Despite growing concerns, law reform isn’t the pipeline. Covid-19 Response Minister Chris Hipkins said no changes are planned to current legislation.