Read on Twitter
Govt COVID-19 "tracer" app (I guess it wasn't officially a digital diary) is on the Android app store: https://play.google.com/store/apps/details?id=nz.govt.health.covidtracer
The app is just loading from a website: https://tracing.covid19.govt.nz/signup
The sign-up process starts with the privacy statement. Personal information is requested (to help the contact tracers find you if they need to). Stored securely by MOH on AWS servers in Sydney. Personal information stored for the duration of the COVID-19 pandemic response.
This is DISTINCT from the check-ins/visited locations that it stores, which it says are stored on your device for 31 days. The language includes that data is on your phone "unless you choose to share it with contact tracers."
Once you sign up for an account, it asks for your personal information. Functionality includes giving your address, names (recommended), phone number (rec), date of birth (rec), gender (optional), ethnicity (optional).
Then you can keep track of where you've been by scanning QR codes. Haven't found how to generate a QR code for your location/business yet. It appears that you can only record QR code locations, and cannot enter your own data about where you've been.
Eventually you will be able to do daily self-isolation or quarantine health check-in if you need it. And the app invites you to share the link with your friends and whānau. It also provides links to other MOH resources around contact tracing and access to health services.
App asks for camera permissions (so that you can scan QR codes). Doesn't appear to ask for location tracking (GPS/WiFi/etc.) permissions.
Now to delve into the Privacy Policy. Have consulted with OPC, and a PIA has been completed (currently not accessible, likely embargoed on the MOH website). App available for those under 16 but you may need parent or guardian to release info to contact tracers.
Personal information is only used and disclosed for the purpose of the public health response to the COVID-19 pandemic. Data will not be shared with other govt agencies unless they are directly involved in assisting. They will not be able to use for other purposes.
Registration or supply of information is not mandatory. But if you have, or are suspected of having COVID-19, they may use the Health Act to require you to provide the necessary information to a contact tracer and this app may assist you in that process.
You need o set up a username and password to use the app and keep your personal information up to date. 2FA is available.
Amazon Pinpoint used for analytics, collects IP address, pages visited, date/time visiting, referring site, operating system, browser, and other info like screen resolution and language. Stats can be viewed by site admins and MOH staff, may be shared with other govt agencies.
Non-identifying demographic info may be aggregated to help with equity ("to ensure we are serving all communities during the COVID-19 pandemic response") and will not be used to identify people personally.
Full privacy policy here: https://tracing.covid19.govt.nz/help/privacypolicy
I think one source of confusion will be that it deals with TWO sets of information.
1) Your personal details so that contact tracers have up-to-date contact details for you (and demographics for equity analysis)
2) Locations where you have scanned QR codes
1) Your personal details so that contact tracers have up-to-date contact details for you (and demographics for equity analysis)
2) Locations where you have scanned QR codes
1) Personal details are shared with MOH and put on a server (securely).
2) Information about locations are stored on the device and are not transmitted to MOH (we think).
You have to read the first page pretty closely to get that understanding.
2) Information about locations are stored on the device and are not transmitted to MOH (we think).
You have to read the first page pretty closely to get that understanding.
The important question: is this a good app?
Giving up-to-date contact details so contact tracers can call you is good.
If all the businesses that you go to generate a QR code that you can scan, then this is a helpful tool for helping you remember where you have been.
Giving up-to-date contact details so contact tracers can call you is good.
If all the businesses that you go to generate a QR code that you can scan, then this is a helpful tool for helping you remember where you have been.
It is NOT proximity tracking, it is not the Bluetooth thing that many other countries are exploring/using. Right now, it is not a replacement for businesses keeping their own records for contact tracing, which is still a requirement under the Public Health Response Order.
Based on the text of the Privacy Policy, this is probably okay from a privacy perspective and safe to use. I have not checked the source code or the functionality or done a network analysis or anything else like that.
In terms of keeping track of where you have been... TBH you can achieve a very similar goal by just taking a photo of each building you visit. Your phone probably geotags it already, and the metadata has the date/time. Doesn't matter if there is a QR code to scan or not.
Report here that the ability for businesses to generate QR codes for their locations based on their national business number likely to be on MBIE website tomorrow: https://twitter.com/plambrechtsen/status/1262649074991284225?s=20
I feel a bit bad/sad for all the developers who have already spent a lot of time and money on building solutions that are pretty good and get the job done. We will have to wait and see what uptake there is amongst businesses to generate QR codes compatible with this app.
And I need to pause for dinner because @charaustin has been very patient. Goodnight for now!
Privacy Impact Assesment for the app is now available here: https://www.health.govt.nz/our-work/diseases-and-conditions/covid-19-novel-coronavirus/covid-19-health-advice-general-public/contact-tracing-covid-19/nz-covid-tracer-app/nz-covid-tracer-app-questions-and-answers
PIA says future versions of the app may include voluntary electronic sharing of data with contact tracers, exposure notification, and daily health check-ins for people in self-isolation/quarantine where contact tracers have determined it to be appropriate.
Section five notes that Bluetooth contact tracing could be added later, including the Apple/Google protocol, as well as potential for symptom reporting and immunisation status verification.
Info page notes that the COVID Tracer app has been through independent security testing. It also specifies that information held will be for public health purposes only and never shared with agencies outside the health sector, which is slightly stronger than the Privacy Policy.
PIA: "The app will not record any location information automatically." Consumers have to scan QR codes with the app, they cannot do this through the website. Stores a Global Location Number and timestamp on your phone. MBIE via NZBN assigns the Global Location Numbers.
Anonymous analytics collected to help evaluate effectiveness, but cannot be used to personally identify an individual, reporting must be aggregate. Data is stored separately to the personal information and cannot be linked together.
Users will be notified by e-mail or in the app if there are any changes to the Purpose Statement or other Privacy Notice Materials (which I assume includes if they add functionality to the app like Bluetooth tracking or something else).
This part of the PIA sets out the case for how the app can help address some of the challenges experienced in manual contact tracing.
Putting up a sign with a QR code on it is not compulsory for a business, but "it is expected a number of businesses may find the [code] beneficial, as a visible signal that they are taking all reasonable steps to keep their customers safe."
The app only records check-in time. There is no facility to include an "end time", which the PIA notes may "be unreliable in any event.
Governance of the program is done by the "data governance group", Senior Responsible Office for Data and Digital, and the Business Design Council (all at MOH).
The Privacy Impact Assessment has rated the residual risk across the 12 Health Information Privacy Code rules (based on the Privacy Act) as Low for all items.
And with that, I have exhausted the documents currently available and will be off to bed soon. Register your details, download the app if you can: https://tracing.covid19.govt.nz/
One last thing - the app wasn't "leaked" and it wasn't a snafu. It makes sense that the govt would want to submit the app for approval by Apple and Google app stores well before the official launch. So the apps became available once they were approved, nothing nefarious.
Full Q+A from MOH has been released now that it's last 6:30am https://www.health.govt.nz/our-work/diseases-and-conditions/covid-19-novel-coronavirus/covid-19-health-advice-general-public/contact-tracing-covid-19/nz-covid-tracer-app/nz-covid-tracer-app-questions-and-answers
Clearly specifies that businesses still need to maintain their own registers, and that people are recommended to sign into the business register as well as keeping their own records.
App was developed by Rush Digital. Specifications will be released later this month to allow other developers making other contact tracing apps to use the NZ COVID Tracer QR codes and meet MOH data standards - hurray!
The Q+A doc also makes it pretty clear that the location data you collect is just to help you in the unfortunate event that you have to be interviewed by a human contact tracer (because you have or may have COVID-19). Contact tracing is still driven by humans at the moment in NZ.
Bloomfield says this morning that they are working on Bluetooth functionality for proximity tracking and that the functionality may be available in June: https://www.rnz.co.nz/national/programmes/morningreport/audio/2018747185/government-contact-tracing-app-launched
