Privacy Impact Assessment - Ministry of Health COVID-19 Contact Tracing Application NZ COVID Tracer - Ministry of Health NZ
Ministry of Health COVID-19 Contact Tracing Application (NZ COVID Tracer App)
Privacy Impact Assessment
Release 8.0 (29 July 2021)
Date 27 July 2021

Privacy Impact Assessment Versions
This Privacy Impact Assessment (“the Assessment”) will be an evolving document that will record the impacts related to the latest release developments, immediately prior to implementation of such releases. This document will be regularly updated. A summary of the version releases is in Appendix Seven. The current version of this document will be made publicly available, commencing with initial release of the NZ COVID Tracer mobile app. This is the eighth Privacy Impact Assessment and addresses Release 8.

Document creation and management
This document has been prepared by the Data & Digital Directorate, Ministry of Health. Consultations with the following have occurred during the development of this document:
• Sector Portfolio Manager, Digital Portfolio Team, Ministry of Health
• Manager, Data Governance, Data & Digital, Ministry of Health
• Project Manager, COVID-19 Contact Tracing App, Data & Digital, Ministry of Health
• General Manager, Emerging Health Technology and Innovation, Ministry of Health
• IT Security Manager, Data & Digital, Ministry of Health
• The Chief Privacy Officer of the Ministry of Health
• The Government Chief Privacy Officer
• The Office of the Privacy Commissioner

Disclaimer
This Assessment has been prepared to assist the Ministry of Health (“the Ministry”) to review the purposes for which information collected via the NZ COVID Tracer mobile app can be used, and the privacy safeguards that are required to manage those purposes. Every effort has been made to ensure that the information contained in this report is reliable and up to date. This Assessment is intended to be a ‘work in progress’ and may be amended from time to time as circumstances change or new information is proposed to be collected and used.

Summary of Intent
This Assessment represents the current state of the way the NZ COVID Tracer mobile app will operate, and expectations for future releases.
Page 2 of 84

Contents
SECTION ONE – EXECUTIVE SUMMARY 4
CLARITY OF PURPOSE 11
INFORMATION COLLECTION PROCESSES 11
ACCESS AND SECURITY 11
FUTURE PRIVACY IMPACT ASSESSMENT ACTIVITY 12
SECTION TWO – OPERATIONAL DETAILS 13
BACKGROUND 13
INFORMATION COLLECTED AND USER INFORMATION FLOWS 14
DATA FLOWS 15
CCTA SECURITY 21
GOVERNANCE 21
SECTION THREE - PRIVACY ANALYSIS 23
SECTION FOUR - INTENDED FUTURE USE CASES 38
APPENDIX ONE – CONTACT TRACING – THE SYSTEM SUPPORTED BY THE CCTA 39
APPENDIX TWO – THE ONBOARDING PROCESS 42
APPENDIX TWO – ANNEX ONE – ONBOARDING 45
APPENDIX THREE - ANONYMOUS STATISTICAL AND PERFORMANCE INFORMATION 46
APPENDIX FOUR – APP FEATURES – BLUETOOTH TRACING, DIGITAL DIARIES, NOTIFICATIONS AND EXPOSURE EVENTS, NEAR FIELD COMMUNICATION (NFC) 51
APPENDIX FIVE – BLUETOOTH TRACING – HOW DOES IT WORK? 71
APPENDIX FIVE – ANNEX ONE 77
APPENDIX FIVE – ANNEX TWO 78
APPENDIX SIX – BLUETOOTH AND THE COOK ISLANDS 79
APPENDIX SEVEN – RELEASE HISTORY 81
APPENDIX EIGHT - GLOSSARY 82
Section One – Executive Summary
1. The COVID-19 pandemic is forcing governments around the world to evaluate how standard public health approaches to managing and controlling infectious disease can be bolstered and augmented by technology.
2. The speed and efficiency of Contact Tracing is one of the most critical factors in a health system’s ability to slow or stop the spread of communicable diseases¹. In the case of COVID-19, it has been determined that under routine conditions of movement and contact amongst the population, the disease can spread too quickly to be contained by traditional Contact Tracing practices alone². Further detail about Contact Tracing can be found in Appendix One.
3. The Ministry has identified an opportunity to support national Contact Tracing processes by use of an application for supported iOS and Android smart phones (the NZ COVID Tracer mobile app – the App), a Web Application (Website), and a Data Platform (Platform). These are collectively referred to as the COVID-19 Contact Tracing Application (the CCTA).
4. Individuals who choose to use any component of the CCTA are referred to as “Consumers” in this Assessment.
5. The CCTA will enable Consumers to keep their own record of places they have been, devices they have been in proximity with, and activities they have undertaken. This will assist them to rapidly respond to Contact Tracers about where they have been, who they have been in contact with and the type of activity that has occurred.
5.1. Contact Tracers will then be able to more quickly identify Close Contacts and Casual Contacts, and assess the risk of exposure to the virus.
5.2. It will also be possible for Contact Tracers to quickly send Location Alert Notifications to CCTA Consumers when they may have been exposed to a person with COVID-19 at a Location where they have both scanned in.
5.3. The CCTA will also implement the Exposure Notification System³, which will allow rapid Bluetooth Alert Notifications to be sent to Close Contacts via the Bluetooth Tracing functionality.
5.4. Consumers will be able to adjust their behaviour in response to warnings provided via Notifications.
¹ Rapid case detection and contact tracing, combined with other basic public health measures, has over 90% efficacy against COVID-19 at the population level, making it as effective as many vaccines. This intervention is central to COVID-19 elimination in New Zealand: Dr Verrall, A, 10 April 2020: Rapid Audit of Contact Tracing for COVID-19 in New Zealand, page 1.
² https://science.sciencemag.org/content/early/2020/04/09/science.abb6936 https://www.health.govt.nz/system/files/documents/publications/contact_tracing_report_verrall.pdf
³ The Exposure Notification Framework (ENF) is the protocol created by Apple and Google to support privacy-preserving digital contact tracing using Bluetooth Low Energy. The Exposure Notification System is an implementation of the ENF protocol within the New Zealand jurisdiction.
6. The Office of the Privacy Commissioner and the Government Chief Privacy Officer have been consulted and are satisfied that the privacy implications of the CCTA, and the related mitigations, have been appropriately recorded in this PIA.

Privacy focus
7. The intention of the Ministry has been to retain consumer choice, minimise the collection of personal information to those matters most directly useful for Contact Tracing purposes, and limit who will have access to that information. It has also endeavoured to minimise any potential privacy risks in its development of the CCTA and balance these against the public health benefits of enhanced contact tracing. Consumer trust is essential if use of the CCTA is to become widespread. The Ministry intends to earn and respect that trust.
8. The purpose of development of this Assessment has been to review the process of collection, storage, use and sharing of personal and contact information associated with the CCTA to ensure that relevant risks are identified and mitigated. This has involved ongoing consultation with the Office of the Privacy Commissioner, the Government Chief Privacy Officer and others to ensure that the CCTA retains a strong privacy focus.
9. This Assessment is to be a ‘living’ document that will be updated as the CCTA development progresses, with the intent that updates be published either ahead of or alongside future releases. This will enable the Ministry to maintain transparency about the CCTA with Consumers, who may choose to opt-out if they do not wish to participate in future releases.

Background
10. Technology can help with the process of Contact Tracing. The Ministry has worked with the health sector and the community to identify ways of improving access to relevant information, while still respecting individual privacy.
11. The Ministry has created a National Contact Tracing Solution (the NCTS), to greatly increase the capacity and reliability of tracing activity, and to support existing regional expertise.
12. Additional key uses for technology are:
12.1. to enable faster access to the correct contact details for people who may come in contact with COVID-19;
12.2. for Consumers to record their movements so that if they become infected with COVID-19 they can quickly and accurately identify others who may be Close Contacts or Casual Contacts;
12.3. for Contact Tracers to send a Location Alert to some Consumers who may have been exposed to COVID-19;
12.4. for Consumers to use the Exposure Notification System (Bluetooth Tracing) to allow for quickly notifying close contacts; and
12.5. for Consumers to have access to up-to-date information and links to tools relevant to the COVID-19 response.
13. The Ministry has therefore commissioned, and is operating, the CCTA to enable the New Zealand public to opt in to support Contact Tracing processes for the purposes of the COVID-19 pandemic response.
14. The Ministry has developed standards that will enable other apps to participate in support of the public health Contact Tracing processes, provided that the other apps can meet the necessary security and privacy standards. This project is addressed under a separate PIA (COVID-19 Contact Tracing Integration Product – Privacy Impact Assessment).
15. The Ministry has also decided to adopt the Exposure Notification Framework (ENF), developed by Apple and Google, as part of the CCTA offerings. The implementation of this framework is referred to as the Bluetooth Tracing features. The ENF is being used in a number of jurisdictions around the world. It is designed to enable notification of potential exposure in a way that minimises risks to privacy. It remains optional for App users whether they choose to enable the Bluetooth Tracing features. A detailed summary of the Bluetooth Tracing features is attached in Appendix Five.
16. The Bluetooth Tracing features will be designed to focus on the speed of notification to Consumers who are more likely to be a Close Contact, rather than identifying any possible contact, however fleeting that contact may have been. This is achieved by setting a threshold for the duration and strength of signal that indicates someone is likely to be a Close Contact. The main use Contact Tracers identified for the Bluetooth Tracing features was the prompt notification (via Bluetooth Alert) of those most at risk of being Close Contacts, so that App users would be alerted to their increased risk, and could act accordingly to limit the spread of COVID-19. The Bluetooth Alert messaging may include encouraging testing and self-isolation.
17. The gradual opening of the New Zealand borders has also identified opportunities to utilise the CCTA.
17.1. Quarantine free travellers from Australia are invited (in the boarding information provided to them) to download, and use, the NZ COVID Tracer App while they are in New Zealand.
17.2. Travellers between the Cook Islands and New Zealand will be able to use the Bluetooth features of the App from either country⁴, and upload their keys, or receive Notifications if another App user tests positive. This new Bluetooth exchange capability will be explained in more detail in Appendix Six. This has the potential to enhance contact tracing with travel between New Zealand and the Cook Islands, but does not compromise existing privacy and security features associated with the NZ COVID Tracer App.
17.3. In each case use of the NZ COVID Tracer App will remain voluntary.
⁴ CookSafe+ for the Cook Islands and NZ COVID Tracer App for New Zealand

COVID-19 Contact Tracing Application (the CCTA)
18. Development of the CCTA is progressing in stages, and new functions are released as they are developed. This Assessment addresses Release 8. This includes:
18.1. The ability to add manual entries to the Digital Diary that are linked to a QR code Location if the Consumer has previously scanned at that Location. This is so that entries can be added without having to scan the QR code again.
18.2. The ability to save Locations from the Digital Diary that are frequently visited, so that they can be easily accessed when adding entries.
18.3. The ability to add an entry to the Digital Diary by scanning an NFC tag. This new process is further described in Appendix Four.
18.4. New features to send information to Consumers including:
18.4.1. Automated reminder Notifications to remind a user to update their Digital Diary when they have not added an entry for a certain amount of time.
18.4.2. The ability to opt in and out of announcement Notifications (added in Release 6) and automated reminder Notifications, where general communications are sent by the Ministry to all Consumer devices set to receive these notices.
19. The NZ COVID Tracer mobile apps for iOS and Android have the following features available to the Consumer to choose from:
19.1. Registration: Consumers are able to download and use the App without needing to register or provide any identifiable information if they choose not to. There will not be any password requirement to use the App, so Consumers will need to use their standard device screen lock feature if they wish to protect the information held by the App on their device, such as their digital diary.
19.2. Contact Details: Consumers can choose to submit their contact details via the mobile App. These details will be available to Contact Tracers to look up within the NCTS if that person tests positive with COVID-19 or is a potential Close Contact of someone who tests positive with COVID-19. This could include full name, phone number, and address (if provided) to assist contact tracers with identification and contact details. Date of birth, gender, and ethnicity are also optional. If Consumers choose to provide any of this information, they will also need to provide an email address and verify it before it is stored.
Digital Diary
19.3. Digital Diary: A Consumer can choose to record Location information. They can add an entry linked to a QR Code Poster by scanning a QR code, tapping a Near Field Communication (NFC) tag, or adding an entry for a saved scanned Location they have been to before. They can also manually add entries to their Digital Diary, to record activities, or places they have been, where a QR code poster was not on display. They can also record who they have been with at these activities or places by writing a description. There is an edit feature to amend or delete these entries if the Consumer chooses.
19.4. Share Digital Diary feature: Consumers can choose to authorise the App to upload the Digital Diary held on their phone to the NCTS if they test positive with COVID-19. This can only happen if a Contact Tracer asks them to do this, and they use a one-time password given to them by the Contact Tracer.
19.5. Notification of Exposure Event (Location Alert): Contact Tracers can, at their clinical discretion, publish an Exposure Event of Interest (EEOI) to subscribed App Consumers to notify them of a potential exposure to COVID-19 at a particular Location. If a Consumer has a Digital Diary entry linked to the QR Code Poster at the Location during the time frame set by the Contact Tracer, they will receive a Location Alert.
19.5.1. The Digital Diary entry must have been created by scanning a QR code, tapping an NFC tag, or manually adding a diary entry linked to the QR Code Poster.
19.5.2. The Location Alert will include a link to the Digital Diary entry that matched the EEOI.
19.5.3. A Location Alert can be removed from the Dashboard by being dismissed or by another Location Alert being received. Previously received Location Alerts can be seen in Digital Diary entries that matched an EEOI.
19.5.4. This Location Alert feature includes an option for the Contact Tracers to include a ‘Call Back’ option if they consider that appropriate for a particular location. It is up to the Consumer to choose whether to respond to a Location Alert Notification, including a Call Back request.

Bluetooth
19.6. Bluetooth Tracing: A Consumer can activate the Exposure Notification System (ENS) on their device. The Bluetooth Tracing feature is described more fully in Appendix Five. This allows devices that support ENS to broadcast to other devices, and record broadcasts received of randomly-generated keys from those other devices⁵. The use of the ENS is designed to minimise the risk of re-identification of Consumers. The keys do not record who either of the Consumers are, nor where they are. Each device would keep its own record of the keys it had come in contact with.
⁵ Rolling Proximity Identifiers (RPIs) – these are ever changing identifiers that are generated from the Temporary Exposure Key on each Consumer’s device. RPIs are shared with other devices via Bluetooth and change every ten to fifteen minutes.
19.7. Upload Bluetooth keys feature: Consumers can choose to authorise the App to release the random keys that their phone has generated, if they test positive. A Contact Tracer will initiate the request for these keys by entering an onset date and phone number in the NCTS, and a Consumer will receive a text message with a one-time password. If the Consumer enters the one-time password into the app, their Temporary Exposure Keys (TEKs) are uploaded to the CCTA server. Unlike uploading a Digital Diary, the Contact Tracer does not gain any access to data about the Consumer’s movements through the upload of Bluetooth Tracing keys. Additional privacy controls include:
19.7.1. The keys are random and secured by the Consumer’s device and only seen by the nearby device.
19.7.2. When uploaded, the published keys are randomly ordered on the CCTA server.
19.7.3. The process of notifying contacts (via the Bluetooth Alert) occurs automatically from the CCTA after keys are uploaded.
19.8. Exposure Notification (Bluetooth Alert): Every few hours, each device checks for keys that have been uploaded by Consumers who have tested positive for COVID-19. If the device has a match with any of these keys, it checks against the App’s algorithm configuration. This is designed to identify Close Contacts. It displays a notification to the Consumer on the device only if the exposure exceeds the programmed duration and strength of signal in relation to the contact with the device of other Consumer(s) who has tested positive for COVID-19. This notification can include an option for the Consumer to request a return call (a Call Back), if the Contact Tracers consider that appropriate. As with the Location Alert, it is up to the Consumer to choose whether to respond to a Bluetooth Alert Notification, including a Call Back request.
19.9. Cook Islands and sharing of Bluetooth keys. Release 7 introduces the ability to share Bluetooth tracing keys with CookSafe+ users who have an ENS Bluetooth compatible device.
19.9.1. A central server (managed by the Ministry of Health) will enable the management of the upload and distribution of keys to Consumers in New Zealand and the Cook Islands using one of the ENS Bluetooth compatible apps. This will only occur with a positive case (for the upload), and a matching key for the Bluetooth Alert Notification on the Consumer’s device.
19.9.2. This will enable information about individuals who travel between New Zealand and the Cook Islands to be exchanged irrespective of whether the Consumer has left one country for the other in between the time of exposure and the time of Bluetooth Alert Notification.
19.9.3. The privacy implications will be the same as for the NZ COVID Tracer App Bluetooth features described above (minimal).
19.10. My NHI Details: Consumers will be given the option to manually add their NHI to the details they have recorded on their device. This will enable them to use their device screen to display their NHI (if they choose to) on the ‘My NHI Details’ screen when they attend a testing facility.
19.11. Notifications: Consumers may choose (on an opt out basis) which of the following types of Notifications to receive:
19.11.1. Announcement Notifications. The Ministry of Health may choose to send general notices to all devices with the App installed which have subscribed to Announcement Notifications. This would transmit information the Ministry considered important to all Consumers, but is separate to the Notifications sent in relation to an Exposure Event.
19.11.2. Diary Reminder Notifications. A user will receive a Diary Reminder Notification a configured amount of time after their last Digital Diary entry. These notifications are generated locally on the device. The current timeframe plan is when the App has not been used for 7 days, and then if still unused at 14 days, the Consumer will receive a reminder on their phone – and then no more notifications will be sent, unless the Consumer starts using the App again.
19.11.3. Once a Consumer has enabled Notifications on their device, and upgraded the App to a version that supports these Notifications, they are enabled by default.
19.11.4. A Consumer can opt out of receiving either type of Notification (or both of them) by navigating to the Notification Preferences screen on the My Data tab. This screen is also linked to from Diary Reminder Notifications.
19.12. In-App information provision: Dashboard features on the App include:
19.12.1. In-App statistics. This will include national app usage statistics (as per information released by the Ministry to its website).
19.12.2. Personal metrics. This allows the Consumer’s personal usage statistics for the App for the previous fortnight to be displayed only on the device. This data is calculated on and stays on the device.
19.12.3. Announcements. This will show announcements issued by the Ministry of Health to all users of the app.
19.12.4. The addition of a resources tab with server-driven links to trusted resources, such as vaccination related information and current COVID test locations so the Consumer can identify a location near them from the list (if required).
19.12.5. No personal information is exchanged between the CCTA and these information links, but non-identifiable analytics may be collected (as further described in Appendix Three).

Clarity of purpose
20. A simple Privacy Statement is displayed to Consumers as part of the onboarding process. This is linked to a more detailed Privacy and Security Statement for those who wish to view that more detailed information.
21. These Privacy Notice Materials have been created with the intent that all Consumers can obtain a full understanding of how their information will be used if they choose to participate.
22. Authorised users of the information (Contact Tracers) will be informed about expectations for use, and limitations on use of this personal information. This will be consistent with their existing legislative responsibilities under the Health Act to manage this information appropriately.

Information Collection Processes
23. The Privacy Notice Materials, including the Privacy Statement and the Privacy and Security Statement, are designed to be compliant with rule 3 of the Health Information Privacy Code. The Privacy Notice Materials are available to Consumers at the first contact with the CCTA, prior to the Consumer submitting any information.
24. CCTA Consumers will be notified in advance of any material changes being implemented to the Purpose Statement or other Privacy Notice Materials via their registered email address (if they have one) or in-App message. This will indicate new features and also what has changed from a privacy perspective (if anything). There will be an opportunity within the App to review the updated privacy statement on the device screen when a new feature is added that requires an opt-in / opt-out choice. This will enable ongoing Consumer choice about participation.
25. Consumers have the choice of opting-in to use the CCTA, and if they do, will retain the choice of the extent to which they wish to contribute information.
26. Links will be provided to a web-based explanation in the Privacy and Security Statement which will contain more detail for those individuals who wish to know more (a layered privacy notice). The Privacy and Security Statement will also link to the current version of this Assessment.

Access and Security
27. The CCTA implements robust security and authorisation controls to prevent unauthorised access to information and follows leading practices for encrypting data at rest and in transit. Access to information requires authentication.
28. Prior to each substantive release, the CCTA and supporting web services have been independently security assessed by an All of Government approved supplier. Findings from the reviews will be remediated where appropriate. Future releases of the solution will also be independently assessed to the same standards.

Future Privacy Impact Assessment Activity
29. The CCTA has been developed in parallel with completion of this Assessment. The Office of the Privacy Commissioner and the Government Chief Privacy Officer have provided independent advice and assessment to the project team during this process, which the project team has endeavoured to incorporate into the CCTA application.
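The Bluetooth Tracing flow in 19.6 to 19.8 (daily random keys, rotating identifiers derived from them, a one-time-password-gated upload, redistribution of shuffled keys, and an on-device match that only alerts above a duration and signal-strength threshold) can be followed end to end in a small model. The code below is an added illustration written for this page; it is not the Ministry's, Apple's or Google's code. The HMAC-based derivation stands in for the ENF's HKDF/AES construction, the 10-minute rotation, the 15-minute and 60 dB thresholds, and all class and function names are assumptions, and no real keys or devices are involved.

```python
import hashlib
import hmac
import os
import random
from collections import defaultdict

RPI_INTERVAL_MIN = 10                       # assumption: fixed 10-minute rotation (page: 10 to 15 min)
INTERVALS_PER_DAY = 24 * 60 // RPI_INTERVAL_MIN
TEK_RETENTION_DAYS = 14                     # keys expire after 14 days (Section Two, para 3)


def derive_rpi(tek: bytes, interval: int) -> bytes:
    """Stand-in for the ENF derivation (the real one uses HKDF and AES).
    The only property relied on here is that an RPI is a one-way function of
    the TEK and the time slot: observers cannot link RPIs to a device, or to
    each other, until that device's TEK is published."""
    return hmac.new(tek, interval.to_bytes(4, "big"), hashlib.sha256).digest()[:16]


class Device:
    """One Consumer's phone. Everything here stays on the device until the
    Consumer authorises an upload."""

    def __init__(self):
        self.teks = {}        # day -> 16 random bytes generated on this device
        self.observed = {}    # (rpi, interval) -> attenuation in dB heard nearby

    def tek_for_day(self, day: int) -> bytes:
        if day not in self.teks:
            self.teks[day] = os.urandom(16)
        return self.teks[day]

    def broadcast(self, day: int, slot: int) -> bytes:
        return derive_rpi(self.tek_for_day(day), day * INTERVALS_PER_DAY + slot)

    def hear(self, rpi: bytes, day: int, slot: int, attenuation_db: int) -> None:
        # record of RPIs heard, when, and how strongly (Section Two, para 7)
        self.observed[(rpi, day * INTERVALS_PER_DAY + slot)] = attenuation_db

    def keys_to_upload(self, today: int):
        """Released only after the Consumer enters the Tracer's one-time password
        (19.7); keys older than the retention window are never uploaded."""
        return [(d, k) for d, k in self.teks.items() if today - d < TEK_RETENTION_DAYS]

    def check_exposure(self, published, min_minutes: int, max_attenuation_db: int) -> bool:
        """Periodic on-device check (19.8): re-derive every RPI each published
        TEK could have produced and total the time it was heard at close range.
        The device learns that *some* published key matched, never whose."""
        minutes = defaultdict(int)
        for day, tek in published:
            for slot in range(INTERVALS_PER_DAY):
                interval = day * INTERVALS_PER_DAY + slot
                att = self.observed.get((derive_rpi(tek, interval), interval))
                if att is not None and att <= max_attenuation_db:
                    minutes[tek] += RPI_INTERVAL_MIN
        return any(m >= min_minutes for m in minutes.values())


def server_publish(keys):
    """The CCTA server only redistributes uploaded TEKs, in random order (19.7.2)."""
    keys = list(keys)
    random.shuffle(keys)
    return keys


def simulate(contact_slots: int, attenuation_db: int,
             min_minutes: int = 15, max_attenuation_db: int = 60) -> bool:
    """Constructed scenario: device B hears device A for `contact_slots`
    consecutive slots; A then tests positive and uploads. Returns whether B
    would raise a Bluetooth Alert under the (assumed) thresholds."""
    a, b = Device(), Device()
    day = 100
    for slot in range(contact_slots):
        b.hear(a.broadcast(day, slot), day, slot, attenuation_db)
    published = server_publish(a.keys_to_upload(today=day + 1))
    return b.check_exposure(published, min_minutes, max_attenuation_db)


def expired_keys_withheld(today: int = 100) -> bool:
    """A TEK generated 14 or more days ago is not included in an upload."""
    d = Device()
    d.tek_for_day(today - TEK_RETENTION_DAYS)
    d.tek_for_day(today - 1)
    return len(d.keys_to_upload(today)) == 1


if __name__ == "__main__":
    print("30 min at close range:", simulate(3, 50))
    print("10 min at close range:", simulate(1, 50))
    print("30 min but weak signal:", simulate(3, 80))
    print("old keys withheld:", expired_keys_withheld())
```

Two design points carry over to the real system: the matching work is done on the Consumer's device against a public key list, so the server never learns who was near whom, and the duration and attenuation thresholds are what turn "any fleeting contact" into "likely Close Contact" (paragraph 16).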
Section Two – Operational Details

Background
The Ministry approach to the CCTA development
1. The Ministry is developing the CCTA to support national Contact Tracing activity. Appendix One contains additional details about Contact Tracing.
2. Decisions made on Release features for the CCTA are driven by a focus on privacy and choice for individuals, alongside identified requirements for Contact Tracing. Additional details in relation to Release 5 are contained in Appendix Two.
3. The intent of the Ministry is to be transparent with the use of the data, in order to maintain and grow social licence:
• The information collected will be voluntarily provided by the Consumer (on an opt in basis). Release 5 removed the requirement to register before use, and no longer requires the Consumer to supply an email address on sign up. Other details about the App features can be found in Appendix Four.
• The information collected will only be used for the COVID-19 Pandemic Public Health Response (limited use).
• Any information relating to the Consumer’s visited Locations will remain on their device unless they decide to use the CCTA’s electronic Digital Diary Share facility after a request from a Contact Tracer. This voluntary process does not remove the requirement under section 92ZZC(3) of the Health Act for a person who has COVID-19, or is a probable case, to provide information about the circumstances in which they may have contracted or transmitted the virus.
• The visited Location records on the Consumer’s device will expire on a rolling 60-day period. This is on the recommendation of the Contact Tracing team following an outbreak in Auckland in August 2020. It is consistent with four incubation periods of the virus – which amounts to 56 days.
• Uploading and sharing of Bluetooth keys (from CookSafe+ or NZ COVID Tracer App users) will apply only for a positive case where there is a matching record on a Consumer device. Bluetooth tracing is an opt in feature, as is the choice to upload keys after a positive test. Bluetooth keys will expire after 14 days for both Apps.
4. The approach the Ministry has taken is to try and make it as easy as possible for Consumers to sign up and provide their information, while providing sufficient security controls for Consumers to safely manage their information. The App no longer requires Consumers to remain logged in to use it (from Release 5 onwards).
5. Consumers are responsible for the choice of how to secure their own device.
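The Location Alert mechanism (Section One, 19.5) and the rolling 60-day expiry of diary records above both operate entirely on the device: a Contact Tracer publishes an Exposure Event of Interest, and each phone compares it against its own Digital Diary, alerting only when an entry is linked to the same QR Code Poster and falls inside the Tracer's time frame. The following is an added example written for this page, not Ministry code; the field names, the poster identifiers, and the sample diary and events are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

DIARY_RETENTION_DAYS = 60   # rolling expiry (Section Two, para 3)


@dataclass
class DiaryEntry:
    # poster_id: identifier carried by the QR Code Poster / NFC tag; None for a
    # free-text manual entry with no poster linked (assumed field names)
    poster_id: Optional[str]
    when: datetime
    note: str = ""


@dataclass
class ExposureEvent:
    """An EEOI as published by a Contact Tracer (19.5)."""
    poster_id: str
    start: datetime
    end: datetime
    call_back: bool = False


@dataclass
class LocationAlert:
    entry: DiaryEntry     # the matching entry the alert links to (19.5.2)
    call_back: bool       # whether the Tracer asked for a Call Back (19.5.4)


def purge_expired(entries: List[DiaryEntry], now: datetime) -> List[DiaryEntry]:
    """Drop entries older than the rolling 60-day window; runs on the device."""
    cutoff = now - timedelta(days=DIARY_RETENTION_DAYS)
    return [e for e in entries if e.when >= cutoff]


def match_events(entries: List[DiaryEntry], events: List[ExposureEvent]) -> List[LocationAlert]:
    """Local matching: an entry matches only if it is linked to the same poster
    (19.5.1) and falls inside the Tracer's time frame. Unlinked manual entries
    never match, and nothing about the diary leaves the device."""
    alerts = []
    for ev in events:
        for e in entries:
            if e.poster_id is not None and e.poster_id == ev.poster_id \
                    and ev.start <= e.when <= ev.end:
                alerts.append(LocationAlert(e, ev.call_back))
    return alerts


# Constructed sample data (not real posters, places or events)
NOW = datetime(2021, 7, 27, 12, 0)
SAMPLE_DIARY = [
    DiaryEntry("POSTER-CAFE-001", NOW - timedelta(days=2, hours=3), "scanned QR"),
    DiaryEntry("POSTER-CAFE-001", NOW - timedelta(days=10), "saved location"),
    DiaryEntry(None, NOW - timedelta(days=2, hours=3), "coffee with a friend"),  # manual, unlinked
    DiaryEntry("POSTER-GYM-007", NOW - timedelta(days=61), "NFC tap"),           # past 60 days
]
SAMPLE_EVENTS = [
    ExposureEvent("POSTER-CAFE-001", NOW - timedelta(days=2, hours=5),
                  NOW - timedelta(days=2, hours=1), call_back=True),
    ExposureEvent("POSTER-GYM-007", NOW - timedelta(days=62), NOW - timedelta(days=60)),
]


def run_sample():
    """Purge, then match; returns (entries kept, [(note, call_back), ...])."""
    kept = purge_expired(SAMPLE_DIARY, NOW)
    alerts = match_events(kept, SAMPLE_EVENTS)
    return len(kept), [(a.entry.note, a.call_back) for a in alerts]


if __name__ == "__main__":
    print(run_sample())
```

Of the four sample entries, only the poster-linked cafe visit inside the Tracer's window raises an alert; the unlinked manual entry at the same time does not, and the gym visit has already expired, so the matching gym event finds nothing on the device.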
6. Contact Tracers will be able to use App generated information from Consumers to support the national case management of positive cases and Close Contacts. Case management is recorded on the NCTS. All points of contact with the NCTS are described in this Section Two of this Assessment. Information Collected and User Information Flows 7. The Ministry has identified four key sets of information involved in the CCTA processes: • Personal, contact and demographic information – Consumers choosing to provide this information about themselves will enable Contact Tracers to contact the correct person more quickly and easily. Demographic details will also assist the Ministry to understand its performance and to produce a solution that is more equitable. The individual may also record their NHI number on their device in case they require it to establish their health identity quickly e.g. when seeking a test for COVID-19 in a community setting. Provision of all of this information is voluntary. • Visited Locations and Digital Diary entries – this information will be recorded by Consumers about Locations they have visited or activities in which the Consumer has been involved. This easy access by Consumers to their past movement and activity information will allow Contact Tracers to more quickly assess information relating to Locations where the COVID-19 infected Consumer (or probable case) may have encountered Close Contacts, thus reducing the risk of transmission to others. o A Consumer must choose to add an entry by scanning a QR code, tapping an NFC tag, or adding a diary entry manually (including by selection of a saved QR code) on each occasion or no information will be collected. This Digital Diary information is held on the Consumer’s device. o A Consumer, who has tested positive or is a probable case, may also decide to upload that information (when requested by a Contact Tracer). 
If they do choose to upload, all Digital Diary entries will be uploaded at the same time (there will not be a choice to upload only scanned Locations or only manual entries – the choice will be to upload all information or not upload). ▪ Uploaded Locations and Diary Entries will be useful to the Contact Tracer as they will be able to review the Locations and Digital Diary details, and discuss them further with the Consumer. ▪ This discussion will enable the Contact Tracer to identify any Location, date and time were there may have been a risk of transmission to other individuals (Exposure Events). • Bluetooth Tracing information – this is the information generated and collected by the Exposure Notification System. This includes: o Temporary Exposure Keys (TEKs) randomly generated each day by each Consumer’s device. Page 14 of 84
o The record of Rolling Proximity Identifiers (RPIs) broadcast by other nearby devices, the time this broadcast was received, and the signal strength of the broadcast, all collected by and held on the Consumer’s device.
o TEKs uploaded to the CCTA platform by people who have tested positive for COVID-19 (including those uploaded by CookSafe+ users of the Bluetooth feature).
• Anonymous Statistical and Performance Information – this information will be collected from Consumers’ interactions with the CCTA, and from its performance on devices, to help the Ministry to understand the stability and effectiveness of the CCTA, and develop equitable solutions. Additional details about statistical and performance information are contained in Appendix Three.

Data Flows
8. The following diagram demonstrates the data flows associated with the CCTA (see footnote 6):
[Diagram of CCTA data flows not reproduced in this transcription]

Use of Information: Data Storage, Retention and Access
9. Consumers will only be able to access their own information.
10. Select staff and individuals in a production support role have access to the CCTA Platform (the data storage system that holds Consumer personal contact information and the Bluetooth key exchange server). This access is only used for the purposes of maintaining the correct function of the production application. This access is logged and audited.
Footnote 6: Refer Appendix Six for details of the Interoperability server with CookSafe+.

Contact details
11. Consumer contact details (if they choose to supply them) are securely stored by the CCTA AWS platform. This data store can be queried (view only access) by Contact Tracers who:
• have authorised access to the NCTS, and
• need to find contact information of Contacts of a person with a confirmed or probable case of COVID-19, or who need to find contact information of Quarantine Free Travellers who may have been in a place with community spread of COVID-19.
12. This secure NCTS / CCTA interface will only be used if the Contact Tracer needs to locate the individual Consumer and did not already have access to their current contact details from other contact tracing or health system sources, or needs to confirm details obtained from other sources are current.
• Any access will be logged into the NCTS audit records. This audit trail will record which Contact Tracer used their view access to an individual Consumer’s contact details.
• The contact information will only be entered into NCTS once it has been verified by the Contact Tracer, in contact with the Consumer, both to confirm they have identified the right person and that the contact detail is accurate. Other information will be obtained directly from the individual Consumer by discussions with the Contact Tracer.

Digital Diary - Location details and manual entries
13. If a CCTA Consumer (who is a confirmed or probable case) is requested by a Contact Tracer to inform them of the Locations they have been to, or the people that they have been in contact with, the Consumer may choose to use the CCTA’s “share my diary” facility to upload the Digital Diary they have recorded. This will include Digital Diary entries recorded by scanning QR codes, tapping NFC tags, adding diary entries linked to a QR Code Poster they have previously scanned, and adding diary entries manually (the Upload Information).
14. If the Consumer chooses to electronically release the Upload Information, that information will be held in a secure store within the NCTS Salesforce boundary.
• The Upload Information can be accessed by the Contact Tracer through Salesforce (NCTS) which retrieves the data relating to that case from the data store.
• Any access will be logged into the NCTS audit records. Only authorised users can access the NCTS. This NCTS audit trail will record which Contact Tracer used their view access to an individual Consumer’s Upload Information.
• When a scanned Location or manual Digital Diary location (that has been submitted by the Consumer) is identified as an Exposure Event, an Exposure Event entry will be created within the NCTS. This Exposure Event and the associated Contact Location will be retained as part of the NCTS case record.
• Digital Diary manual entries that identify potential Close Contacts will be followed up through NCTS contact tracing processes.
• From this Upload Information, Locations that are not identified as Exposure Events, or manual entries not identified as relevant for Contact Tracing of Close Contacts, will be retained for six months before being securely destroyed.

Exposure Event Notification (Location Alert)
15. Contact Tracers have identified that the App can assist to provide notification of potential contacts of an individual who has since tested positive. If an Exposure Event is determined to have created a risk of infection of Contacts, and that Location has a GLN (see footnote 7), a clinical decision will be made as to whether it will benefit the Contact Tracing process to send Notification via the App, in addition to the other methods available for identifying Contacts.
16. The NCTS has a feature (a button for ‘Escalate Exposure Event’) to enable a Contact Tracer to indicate that an Exposure Event may have created Contacts and therefore be appropriate for Location Alert Notification via the CCTA.
• This Exposure Event will then be considered by Ministry clinicians to determine whether Close Contacts are likely and whether the App is an appropriate method of advising of that Exposure Event.
o Only a limited number of authorised Contact Tracers will be able to use the interface in NCTS to create an Exposure Event of Interest (EEOI) for Notification (an EEOIN).
o The EEOI Notification content will be defined by the Contact Tracers when the Location Alert Notification is created. The Contact Tracers will determine the appropriate level of information to disclose based on the risk and circumstances of the Exposure Event.
o This will require individual review and clinical sign off before the EEOIN is released to the CCTA, for publication to Consumers as a Location Alert.
o This clinical intervention is to maintain national consistency in the Location Alert process, and to ensure that consistent clinical criteria are applied. It is important to maintain a balance between alerting individuals to a potential exposure, against the anxiety generated by over-Notification of Location Alerts. The clinical oversight and final decision-making on sending the Location Alert is designed to weigh that balance in decision-making.
o The addition of the Call Back feature, and the ability for Contact Tracers to add a specific message in a Location Alert, will assist in managing the higher risk Exposure Events differently from those that are lower risk (as the lower risk Location Alerts will not receive the Call Back option).
17. Location Alerts are available to Consumers who subscribe to the Location Alert Notifications, and who have a matching date, time and Location (scanned GLN) on their device.
• Upon a successful match of an Exposure Event on a Consumer’s device, the Consumer is provided with a Location Alert that they may have been in contact with COVID-19 (including any content that may have been approved by the authorised Contact Tracer).
• Each Consumer will therefore be put on notice to monitor any potential health changes. If the Contact Tracer considers additional information is necessary, that information could be included in the Location Alert message. If the Contact Tracer considers it a higher risk event, a Call Back option may be included.
• Appropriate resources are included on a weblink contained in the Location Alert about the symptoms to look for, and what to do in the event the Consumer needs further assistance (including Healthline contact details). Consumers receiving a standard (or lower risk) Location Alert will be requested to monitor their wellbeing and call Healthline if they have any concerns.
• The Location Alert will contain a reference to the Digital Diary entry that matched the Exposure Event, so that the Consumer can contact any other people who were at the Location with them.
• The Consumer will not be identified by the Location Alert receipt, and no information about the Consumer’s identity will be passed to Contact Tracers. Only if a Call Back option is offered, and accepted by the Consumer, will the Consumer be able to send their name and contact phone number as part of the Call Back request. If the Consumer chooses to accept the ‘offer’ to receive a Call Back from a Contact Tracer, a code (linking to the case record of the person who gave rise to the Exposure Event) will be available to the Contact Tracer as part of the Call Back response. The Contact Tracer can then have a direct discussion with the Consumer about their personal situation.
• At no time is information about the person who tested positive to COVID-19 available to other Consumers.
Footnote 7: A GLN is a Global Location Number. It is the unique identifier that identifies a particular physical location for a business, or a branch of a business or other legal entity. This is the detail that is recorded by the App when ‘scanning’ at a Location.
18. Consumers are not compelled to respond or take any particular action.
They are instead requested to monitor their own health and have a list of resources available if they become symptomatic.
19. A non-identifying analytics event may be recorded to help the Ministry measure the number of Location Alerts received.

Bluetooth Tracing Key Exchange Server
20. If a Consumer has tested positive for COVID-19, a contact tracer may use the NCTS to trigger a request for the last 14 days of Bluetooth Tracing keys that the Consumer’s device has generated. This is with the Consumer’s consent.
21. The request will include the Consumer’s mobile phone number and the date that the Contact Tracer believes the Consumer became contagious.
22. The request will be sent to the Key Exchange Server. The server will send a request to the EN Notification Service to send an SMS to the Consumer with a one-time passcode (OTP) to enter into the app.
23. The EN Notification Service will use Twilio (see footnote 8) to send an SMS to the Consumer. Twilio receives no information about the Consumer other than the message to be sent, which does not contain their name or any other personal details, and the number to send it to.
24. If the Consumer chooses to enter the OTP into the app, the keys that they have generated in the last fourteen days will be uploaded into the Key Exchange Server.
25. The Key Exchange Server does not receive any information about who has uploaded the keys. It deletes all keys that expired before the date the Consumer became contagious. It collates the remaining uploaded keys into a ZIP file of all other Consumers’ uploaded keys, within a maximum timeframe of the last fourteen days.
26. Release 7 will also send these non-identifiable keys to the Ministry’s secure Interoperability Server. That Server will enable the exchange of these keys with the key exchange server for CookSafe+ (and vice versa). Any keys received from CookSafe+ will be available to the New Zealand key exchange server, to add to the ZIP file.
27. Each device using the app will download this ZIP file every few hours and check whether it has been exposed to any of the keys contained therein.
28. The Key Exchange Server will delete keys and OTPs when they are older than fourteen days.

Security and Retention on NCTS
29. Full details of the data access and controls in place for NCTS will be covered in a separate Privacy Impact Assessment for the NCTS. In summary:
• The NCTS is made up of a number of components, including a rules engine, integration and AWS capability. Salesforce Service Cloud (Service Cloud) is the Salesforce customer service and case management Software as a Service platform. Service Cloud provides the core platform that supports all core capabilities of the NCTS.
• The Salesforce Service Cloud instance is served from Amazon Web Services (AWS) Cloud infrastructure based in Sydney, Australia.
• Information stored in the NCTS is covered by the NSS Data Policy, which aligns with the relevant HISO standards, including HISO 10029:2015 Health Information Security Framework, and the New Zealand Information Security Manual.
30. Information that originates from the App that is sent to the NCTS by one of the processes identified above will be securely stored under the following retention requirements:
• Any identifiable information collected will only be used for public health purposes related to COVID-19.
• Contact information extracted by a Contact Tracer will be added to an NCTS case record only after confirmation with the Consumer concerned.
• Digital Diary data uploaded will be located in a secure location within the NCTS Salesforce platform but will not be transferred into an NCTS case record unless a Contact Tracer determines it is relevant to an Exposure Event. Any information, including Location Information, not transferred will be securely deleted on a regular basis (within six months of submission).
• Identifiable Consumer information recorded in the NCTS will relate to one of the following categories:
o Related to an individual who has, or is a probable case of, COVID-19 (an NCTS case record) which is stored in the NCTS as part of the pandemic case management system; or
o Related to an individual who is identified as a Close Contact.
• Information retention policies will be fully detailed in the NCTS Privacy Impact Assessment, but in summary:
o Any identifiable information that does not become part of the NCTS case record of an individual will be retained for the duration of the pandemic (until the COVID-19 Public Health Response Act 2020 is repealed) and then securely and promptly destroyed (such as information linked only to a Close Contact).
o Any information incorporated into an individual NCTS case record will be managed securely and retained in accordance with the Health (Retention of Health Information) Regulations 1996. Consideration is being given in the NCTS retention policy development as to what parts of this NCTS case record may be able to be securely destroyed earlier. The NCTS will engage with the Office of the Privacy Commissioner and the Chief Archivist before finalising its retention policy and specifically address this issue.
o Non-identifiable (or de-identified) information may be used for purposes related to the public health response to COVID-19 (which may include planning for future potential events or research).
Footnote 8: Twilio is a cloud communication platform as a service based in the United States of America that allows text messages to be sent and received.

Statistical Information
31. Statistical information collected about the use of the platform will be accessible to relevant Ministry staff and its suppliers, in order to make decisions about the features and functionality of CCTA. This information does not identify any individual Consumer, nor will Consumer personal information be accessible in this way.

Information and convenience features
32.
The App includes links to other websites where information can be located that may be useful to App users. This includes, for example, a link to the site identifying COVID-19 test location sites – which the Consumer can then manually scroll through and identify a location near them. No identifiable information or location details are exchanged.
33. The App will also contain statistics about app usage and other statistics issued by the Ministry of Health that may be of interest to users.
34. The App will contain a personal metric showing how many days out of the last fourteen at least one diary entry has been recorded for. This is calculated on the device from data held only on the device.
35. The App will contain the ability to show announcements on the dashboard. Announcements will be issued to all users of the app simultaneously. They may be
displayed only on the dashboard, or they may be accompanied by a push Notification. Users may opt out from receiving push Notifications for these announcements.
36. The App will contain the ability to remind Consumers to fill out their Digital Diary after a period of time has passed with no Digital Diary entries being created. These reminders will consist of a Notification, a message on the dashboard, and a message in the Digital Diary. These are generated on the device from data held only on the device. Timing and text are configured by the Ministry (at seven and fourteen days). Users may opt out of these reminders.

CCTA Security
37. Prior to each major Release, the CCTA and supporting web services will undergo an independent security review by an All of Government approved supplier. This will include the Interoperability Server that will exchange Bluetooth keys with the CookSafe+ CCTA platform equivalent (so that the keys can be broadcast to CookSafe+ devices). Findings from the review will be remediated where appropriate. Future Releases of the solution will also be independently assessed to the same standards.
38. The CCTA, including Consumers’ personal information and anonymised information, is hosted and stored using Amazon Web Services (AWS) in the ap-southeast-2 (Sydney) region. This is a Ministry-owned sub-tenancy of the main Ministry of Health AWS tenancy, which enforces relevant security, audit, and policy controls.
39. The Website found at tracing.covid19.govt.nz is stored and served using Netlify, a specialist web hosting service designed to host static web applications. Only pre-compiled static web assets, including HTML, CSS, and JavaScript, are served from Netlify. Consumers’ personal information, and other data collected by the CCTA, is not sent to Netlify servers.
40. Data stored within AWS is encrypted. The Ministry controls access to the encryption keys and the data.
41.
The source code and high-level architecture for the initial design of the solution have been reviewed by the Government Communications Security Bureau’s National Cyber Security Centre and an independent All of Government security supplier, and designed in collaboration with Amazon Web Services.
42. The Specific Agreement with the Service Provider for provision of the CCTA contains standard Ministry Information Technology clauses designed to require compliance with relevant New Zealand security and privacy obligations in development of the CCTA.

Governance
43. Governance of the programme maintains oversight of the collection, management, authorised use and deletion of information arising from the CCTA processes via the following oversight:
• The COVID-19 Technology Enablers Governance Group will perform the overall governance function, and the COVID-19 Technology Steering Group will manage operational matters.
• The Senior Responsible Officer for Data and Digital’s COVID-19 response.
• The Business Design Council. This includes a sub-set of members from the Digital Investment Board, a Clinical Leader and Ministry (non-Data & Digital) employees.
• The NCTS governance team.
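The Bluetooth key exchange described in paragraphs 20 to 28 above, together with the TEK and RPI description under Bluetooth Tracing information in paragraph 7, is modelled below as an added example. This is illustrative code written for this review; it is not the Ministry's, the app's or the Exposure Notification System's implementation. It assumes HMAC-SHA256 in place of the HKDF and AES-128 derivation used by the real Exposure Notification system, matches contacts by day rather than by 10-minute interval, and uses constructed device roles (alice, bob, carol), dates and a constructed OTP format; the class and function names are the example's own.

```python
"""Added example: a model of the Bluetooth key exchange in paragraphs 20 to 28. Not the Ministry's code.
HMAC-SHA256 stands in for the real HKDF/AES-128 derivation; matching is by day, not 10-minute interval."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import date, timedelta

KEY_RETENTION_DAYS = 14   # keys and OTPs older than fourteen days are deleted (paragraph 28)
INTERVALS_PER_DAY = 144   # one Rolling Proximity Identifier per 10-minute interval

def rpi_for(tek, interval):
    """RPI broadcast during one interval of a TEK's day (stand-in derivation, see above)."""
    return hmac.new(tek, b"EN-RPI" + interval.to_bytes(4, "little"), hashlib.sha256).digest()[:16]

def rpis_for_day(tek):
    """Every RPI a device broadcast under this TEK; anyone holding the key can recompute them."""
    return {rpi_for(tek, i) for i in range(INTERVALS_PER_DAY)}

@dataclass
class Device:
    """A Consumer's phone: its own daily TEKs and the RPIs it heard from other phones."""
    teks: dict = field(default_factory=dict)      # day -> TEK, generated randomly each day
    observed: list = field(default_factory=list)  # (RPI heard, day, signal strength in dBm)

    def new_day(self, day):
        """Generate today's TEK and keep only the last fourteen days of keys on the device."""
        self.teks[day] = os.urandom(16)
        oldest = day - timedelta(days=KEY_RETENTION_DAYS - 1)
        self.teks = {d: k for d, k in self.teks.items() if d >= oldest}

    def keys_for_upload(self):
        # Released only after the Consumer chooses to enter the OTP (paragraph 24).
        return sorted(self.teks.items())

    def check_exposure(self, batch):
        """Match downloaded case keys against locally recorded RPIs; returns ISO dates of contact."""
        hits = []
        for day, tek in batch:
            day_rpis = rpis_for_day(tek)
            if any(seen_day == day and rpi in day_rpis for rpi, seen_day, _ in self.observed):
                hits.append(day.isoformat())
        return hits

class KeyExchangeServer:
    """Holds single-use OTPs and de-identified case keys; it never learns who uploaded them."""

    def __init__(self):
        self.otps = {}   # OTP -> (day issued, date the Consumer became contagious)
        self.keys = []   # (day, TEK) from all confirmed cases, with no link to a person

    def request_upload(self, contagious_from, today):
        """NCTS-triggered request (paragraphs 21 and 22); the OTP is handed to the SMS service."""
        otp = f"{int.from_bytes(os.urandom(4), 'big') % 1_000_000:06d}"  # constructed OTP format
        self.otps[otp] = (today, contagious_from)
        return otp

    def upload(self, otp, teks):
        """Accept keys against a single-use OTP; drop keys that expired before contagiousness (paragraph 25)."""
        if otp not in self.otps:
            raise ValueError("unknown, used or expired OTP")
        _, contagious_from = self.otps.pop(otp)
        kept = [(d, k) for d, k in teks if d >= contagious_from]
        self.keys.extend(kept)
        return len(kept)

    def batch(self, today):
        """What every device downloads every few hours (the ZIP file in paragraph 27), after the purge."""
        cutoff = today - timedelta(days=KEY_RETENTION_DAYS)
        self.keys = [(d, k) for d, k in self.keys if d > cutoff]
        self.otps = {o: v for o, v in self.otps.items() if v[0] > cutoff}
        return sorted(self.keys)

def run_scenario():
    """Constructed scenario: Alice meets Bob on day 5 and later tests positive; Carol meets nobody."""
    start = date(2021, 7, 1)
    alice, bob, carol, server = Device(), Device(), Device(), KeyExchangeServer()
    for n in range(14):
        day = start + timedelta(days=n)
        for dev in (alice, bob, carol):
            dev.new_day(day)
        if n == 5:   # Bob's phone records Alice's broadcast for interval 42 of that day
            bob.observed.append((rpi_for(alice.teks[day], 42), day, -60))
    today = start + timedelta(days=13)
    otp = server.request_upload(contagious_from=start + timedelta(days=3), today=today)
    kept = server.upload(otp, alice.keys_for_upload())   # the Consumer entered the OTP
    try:
        server.upload(otp, alice.keys_for_upload())      # a replayed OTP must be refused
        reuse_rejected = False
    except ValueError:
        reuse_rejected = True
    batch = server.batch(today)
    return {
        "keys_kept": kept,                                # days 3 to 13 only: 11 of the 14 uploaded
        "otp_reuse_rejected": reuse_rejected,
        "bob_matches": bob.check_exposure(batch),
        "carol_matches": carol.check_exposure(batch),
        "keys_after_purge": len(server.batch(today + timedelta(days=15))),
    }
```

Calling run_scenario() shows the properties the document relies on: the server stores an OTP only against the contagious date, not a phone number or name; the three keys from before the contagious date are discarded on upload; Bob's phone matches the day it heard Alice while Carol's matches nothing; and fifteen days later the batch is empty because the server has purged the keys and the OTP.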
Section Three - Privacy Analysis
The purpose of this Assessment is to review the process of collection, storage, use and sharing of personal and contact information for the purposes of the COVID-19 pandemic response against the 13 Rules in the Health Information Privacy Code (HIPC). This application will collect personal and contact information for health purposes. It will be a health agency (the Ministry of Health) collecting, storing, using and where appropriate sharing the information collected (with other health agencies, but only as required for the purposes of the COVID-19 pandemic response).
The CCTA is designed to support existing Contact Tracing activity, and enables Consumers to choose which features they wish to use to support New Zealand’s COVID-19 response. The App has been changing incrementally through a series of Releases. This analysis addresses the accumulated releases up to and including Release 8.
The introduction of the Bluetooth tracing functionality has been focussed on swift identification of those individuals more likely to be at risk of having been in Close Contact with a Case. Contact Tracers indicated speed in the initial warning to Consumers at risk could assist in ensuring faster self-isolation and testing if required. This could help stop the potential for spread of the virus at an earlier stage. There is potential for the Bluetooth Alert Notification to be received some hours earlier than a phone call from a Contact Tracer could be made (assuming the individual is likely to be eventually identified as a Close Contact).
• There may also be some individuals identified who may not have been identified by the Contact Tracing processes.
• It is also possible, however, that some Consumers may receive a Bluetooth Alert when they were not actually at risk (for example, the algorithm is set at a level that has enabled a match which was marginal in terms of actual risk, or a contact was recorded on the other side of a glass partition etc).
A balance needed to be set between the ability to provide notification, and the risk of over-notification. The algorithm settings (to enable each Consumer’s device to weigh any notification of potential contact with a Case) have been closely monitored, so they could be adjusted if required by the Ministry to ensure they have been set appropriately for the intended purposes – although the challenges of doing so with no active community cases are noted. There has been adjustment to align with international standards after recent exposure events.
The level of uptake of the Bluetooth Tracing feature is also of importance – a higher uptake will lead to greater coverage and greater potential for contacts to be recorded on a participating device. This would enable the Bluetooth Alert feature to reach more Consumers if necessary. Gaining and maintaining Consumer trust will be essential to the uptake of the Bluetooth Tracing feature.
• This feature may cause some unease for Consumers, due to uncertainty about how it will work. The Ministry planned and implemented a communication strategy to help explain the processes to the public. It updated the in-App Privacy Statement, and also its second ‘layer’ of the Privacy Statement – the web-based Privacy and Security Statement. The Ministry has also included a more detailed description in this Privacy Impact Assessment for those who are interested.
• The Ministry has chosen an option that retains key information on the Consumer device, rather than a centralised collection. The ‘keys’ recorded and used in the Bluetooth Tracing and Bluetooth Alert notification processes identify neither the Location where a contact occurred, nor the identity of the Consumer (or the other person in proximity to them).
• The Bluetooth features remain optional – if a Consumer does not wish to use the features, then they do not need to enable them. They retain that choice.
The addition of the Bluetooth Interoperability Server, to enable keys to be shared with CookSafe+, has undergone Ministry security review for the new components and related transfers. The information involved (the Bluetooth keys generated) will not identify the user or the location of any contact. The privacy implications of the Bluetooth keys therefore will be essentially the same as for the existing NZ COVID Tracer App, even those shared overseas for use in another jurisdiction.
The Ministry has conducted its analysis under the Health Information Privacy Code as the information is ultimately about individuals who may test positive for COVID-19, are a probable case of COVID-19, or may be a Close Contact of a person with COVID-19. Under clause 4(1)(e) it is considered that this could be information about an ‘individual which is collected before or in the course of, and incidental to, the provision of any health service or disability service to that individual’. The Ministry has therefore chosen to analyse the high standards associated with health information in the HIPC for the purposes of this Privacy Impact Assessment.
Table columns: Health Information Privacy Code Rules | Solution Details | Key Controls commentary | Residual risk

Rule 1 – Purpose of collection of health information (Only collect health information if you really need it)

Solution Details:
The purpose of collecting this information is to assist with Contact Tracing activities as part of the COVID-19 pandemic response. The App is intended to address challenges to the Contact Tracing processes:
1. Consumer Contact Details: New Zealanders who have changed their contact details since they were last updated in the NHI or NES services, or people in New Zealand with no contact details in those services. The impact of this lack of information is that Contact Tracers find it more difficult to contact the person concerned, delaying the process of testing and/or self-isolation for potential Close Contacts.
2. Close Contacts and Locations: People have difficulty remembering where they have been and who they have had “close contact” with, particularly over the period of interest (up to 60 days). This means Consumers and therefore Contact Tracers may not be able to identify all of those who need to be tested, and/or isolated. The App Digital Diary feature will enable both scanning of QR Location codes and also manual entry of relevant details by the Consumer.
3. Speed of notification of potential exposure to COVID-19: The faster Consumers can be made aware that they may have been exposed to the virus, the faster they can make choices to limit their contact to others, and seek treatment for themselves (if required). Although the Contact Tracing processes work efficiently, there is still a time lag between a person testing positive and their potential contacts being identified and contacted. The Bluetooth Alert notification is designed to enable direct notification to Consumers of the potential exposure, without the additional delay involved in Consumer to Contact Tracer contact.
The type of personal information being contemplated for collection under the CCTA is all optional. The Digital Diary recordings are aligned with that addressed under Part 3A of the Health Act, subpart 5 – Contact Tracing. This CCTA collection will not be under those powers but will be a collection on a voluntary basis of the range of information authorised under the Contact Tracing provisions.
• Notifications of Exposure Events will occur if enabled (for iOS) or not disabled (for Android), or when the Consumer opens the App. The Consumer can choose how (or if) to respond to those Notifications.
• The Upload option for Digital Diary details (both Location information and

Key Controls commentary:
Purpose
Collection of this demographic, contact and Location information is for the lawful purposes of assisting with the public health response to the COVID-19 pandemic. This involves Contact Tracing to locate Close Contacts of COVID-19 positive individuals, and includes associated activities. These may include:
• reviewing up to date contact details; or
• enabling prompt identity verification to expedite community testing of Consumers (with NHI and details available on Consumer device screens) if the Consumer chooses to use this option;
• enabling Call Back contact to be requested by a Consumer who has received a Location Alert or Bluetooth Alert, if the Consumer chooses to request that contact;
• discussing Locations where an Exposure Event may have occurred (if the individual has chosen to opt in to the Location-related choices); or
• identifying potential Close Contacts using Digital Diary entries as a prompt.
• Notifying Consumers using the Bluetooth Alert of potential exposure to COVID-19.
Necessary
The Consumer contact information supplied is necessary to meet this purpose, as set out in Appendix Two paragraph 10.
The Location and Digital Diary data is necessary for Contact Tracing purposes to enable Consumers to more easily recall events where the Consumer may have interacted with Close Contacts, or Locations where Close Contacts may have congregated, and to support Exposure Event Notifications.
Early versions of the app specified that Digital Diary information was to be automatically deleted after 31 days. In accordance with further clinical advice from the Contact Tracing team it has been determined that 60 days’ worth of Digital Diary records may provide additional valuable information to identify the source of an original infection. The time frame for automatic deletion has now been extended to 60 days, as it is considered that information covering the additional two incubation periods is necessary to assist with Contact Tracing.
One potential challenge created by the addition of free field text entries for the Digital Diary is that individuals can put as much information as they wish (up to the character limit) and are not constrained in the information they wish to include. This means that the App features themselves do not, in this instance, limit the information fields that can be included in the recording. Some individuals may put personal comments about themselves or others that they may not wish others to see. This could result in information not ‘necessary’ for the Contact Tracing purposes being collected (if it was Uploaded).
There is however the significant mitigation feature that the information will not leave the Consumer’s device for review by a Contact Tracer unless the Consumer chooses to Upload it in response to a Contact Tracer Request.
• Part of the Contact Tracer training will be to reinforce that it is optional to Upload the information (but that if the Consumer does choose to Upload, all Digital Diary information – both scanned Location and manual entries – will be uploaded).
• The Digital Diary itself will have a prompt immediately above the ‘Add entry’ screen stating ‘Describing who you were with and what you were doing can help the Contact Tracing team if you share your diary’.
• There is an edit feature for Consumers to update or delete entries – this will enable the Consumer to review the data they have collected on the Digital Diary and modify it if necessary to remove any information they do

Residual risk: Low