Understanding how data can be consumed ethically is paramount to having privacy co-exist with innovation.
Currently with the COVID-19 pandemic taking place, technology companies worldwide are presenting in droves to government trying to provide a helping hand with everything from people tracking apps through to using AI for finding a vaccine have taken place.
In New Zealand Both the Privacy Act and the Health Act provide a legal basis for the use of telecommunications data for the purpose of contact tracing or infringement of self-isolation, as long as the application is only used for the effective management of COVID-19 under the direction of the Director-General for Health and for the enforcement of Level 4 Lockdown Restrictions.
Why was that important to us?
A few weeks ago, the Aware Group used this data to support both the Ministry of Health and the New Zealand Police-See our demo. All sensitive projects require a strict review process to ensure that the solution and any associated third party access is both ethical and defines how protections are put in place.
If Aware Group wanted to implement the proposed solution, we had to ensure that we could comply with the privacy legislation of New Zealand (This is one of the first steps that Aware Group takes before starting our AI conversation ethics): the legal advice we sought follows:
Law enforcement complies with the Privacy Act 1993
1. The 1993 Privacy Act does not apply to the extent that the data are collected, used and disclosed for the purpose of tracking individuals who have violated or are in breach of the Government Alert Level 4 Restrictions. The Privacy Act expressly exempts NZ Police from complying with the Privacy Principles relating to the collection, use and disclosure of personal information where a failure to comply with the Privacy Principles is necessary “to avoid prejudice to the maintenance of the law by any public sector agency, including the prevention, detection, investigation, prosecution and punishment of offences” or “for the purpose of compliance”
The Police have powers under the Health Act 1956 and the Civil Defense Emergency Act 2002 to enforce the Alert Level 4 restrictions, including fines for infringements.
Effective management of COVID-19 2. 2.
2. To the extent that the data are collected, used and disclosed for the effective management of COVID-19 (which is a ‘infectious disease’ under Schedule 1, Section B of the Health Act), such as contact tracing of individuals who have been in contact with another individual who has or may have COVID-19, or monitoring compliance with the guidance of a medical officer (authorized by the Director-General of Health).
Part 3A of the Heath Act (in different sections) provides:
(9) Notwithstanding anything in the Privacy Act 1993, where a person requires another person to provide information under this section: 1. The person required to provide the information must comply with the requirement and be informed that the information must be provided for the effective management of infectious diseases; and 2. Nothing in this section limits an individual’s right to access or disclose information about him or her under the Act or any other Act.
What are the rights of the public?
The above section imposes a statutory obligation on a person (such as NZ Telecoms and NZ Police) to disclose certain information to another person (such as a medical officer or other appropriate government officials) for “effective management of infectious diseases” and that statutory obligation overrides all requirements of the Privacy Act. In other words, the Privacy Act does not apply where the data are collected by the NZ Police, under the direction of the Director-General of Health, and disclosed to a medical officer, the Director-General of Health or a Ministry of Health official for the effective management of COVID-19.
Required Government Consultation
As the use of this data management platform will be very much in the public domain, it is important that the various branches of government and the Privacy Commissioner are consulted in order to ensure consistency of the message and understanding of the legislative basis for the use of the platform. The Privacy Commissioner has no obligation or ability to approve the use of the platform from a regulatory perspective, but will be approached by the media and by officials for comments. It is therefore important for him to be comfortable with the application of the legislative framework as outlined above.