Supplementary Order Paper No 85

No 85

House of Representatives

Supplementary Order Paper

Tuesday, 19 October 2021

COVID-19 Public Health Response Amendment Bill (No 2)

Proposed amendments

Melissa Lee, in Committee, to move the following amendments:

New clause 5A

After clause 5 (page 5, after line 3), insert:

5A Section 9 amended (Minister may make COVID-19 orders)

Replace section 9(1)(ba) with:

(ba)

the Minister must be satisfied that the order—

(i)

does not limit or is a justified limit on the rights and freedoms in the New Zealand Bill of Rights Act 1990; and

(ii)

adequately protects individual privacy, including by complying with the information privacy principles set out in section 22 of the Privacy Act 2020; and

(iii)

appropriately protects the immunities and privileges recognised in subpart 8 of Part 2 of the Evidence Act 2006.

Clause 25A

Replace clause 25A (page 21, line 16–33) with:

25A New Part 2A inserted

After section 34, insert:

Part 2A Protection of Data

34A Interpretation

In this Part,—

contact records means a record of a person entering the premises of a business or service or attending a gathering that contains any or all of the following:

(a)

the name of the person; and

(b)

the date on which and time at which the person entered the premises or attended the gathering; and

(c)

if the record is being provided to another person, a telephone number that may be used to easily contact the person who is entering the premises or attending the gathering

contact tracing means the process of identifying persons who have been in contact with a person who has tested positive for COVID-19

certification data means a digital COVID certificate and any associated data

digital COVID certificate means a certificate issued by or on behalf of the New Zealand Government that contains a digital identifier that operates as a digital proof that a person has been vaccinated against COVID-19

digital COVID data means NZ COVID Tracer app data and certification data

electronic communication device means any of the following:

(a)

a telephone or computer:

(b)

any other electronic device that is capable of—

(i)

computing information; or

(ii)

communicating in any other way using any technology (including telecommunication, radiocommunication, and broadcasting technology).

Ministry means the Ministry of Health

National Contact Tracing Solution or NCTS means the computer system administered by or on behalf of the New Zealand Government for the purpose of contact tracing

NZ COVID Tracer app means an app that is made available or has been made available, by or on behalf of the New Zealand Government, for the purpose of facilitating contact tracing

NZ COVID Tracer app administrator means the Ministry

NZ COVID Tracer app data means data relating to a person that:

(a)

has been collected or generated through the operation of NZ COVID Tracer app; and

(b)

either:

(i)

is registration data; or

(ii)

is stored, or has been stored, on an electronic communication device

registration data means the information about a person that was uploaded from an electronic communication device when the person was registered through the NZ COVID Tracer app

tracing data means—

(a)

NZ COVID Tracer app data; and

(b)

contact records kept by a business or service; and

(c)

contact records kept by person of their own movements and activities (other than any NZ Covid Tracer App data relating to the person).

34B Part does not limit Privacy Act 2020

Nothing in this Part limits the Privacy Act 2020.

Subpart 1—Offences relating to digital COVID data and tracing data

34C Unlawful use or disclosure of certification data and tracing data

(1)

A person must not use or disclose certification data, other than for the purpose of or in connection with lawfully verifying a person’s vaccination status.

(2)

A person must not use or disclose tracing data, other than for the purpose of or in connection with contact tracing.

(3)

A person who contravenes subsection (1) or (2) commits an offence and is liable on conviction to—

(a)

a term of imprisonment not exceeding 2 years; or

(b)

a fine not exceeding $10,000.

(4)

This section overrides any obligation to disclose information under any other enactment.

(5)

To avoid doubt, this section does not apply to a person using or disclosing their own personal information.

34D Unauthorised uploading of NZ COVID Tracer app data

(1)

A person must not upload, or cause to be uploaded, NZ COVID Tracer app data from an electronic communication device to the NCTS without the express consent of—

(a)

the person whose data it is; or

(b)

if that person is unable to consent, that person’s parent, guardian, or other person lawfully acting on that person’s behalf.

(2)

A person who contravenes subsection (1) commits an offence and is liable on conviction to—

(a)

a term of imprisonment not exceeding 2 years; or

(b)

a fine not exceeding $10,000.

34E Decrypting digital COVID data

(1)

A person must not, without reasonable excuse, decrypt digital COVID data that is held on an electronic communication device.

(2)

A person who contravenes subsection (1) commits an offence and is liable on conviction to—

(a)

a term of imprisonment not exceeding 2 years; or

(b)

a fine not exceeding $10,000.

34F Requiring the use of NZ COVID Tracer app

(1)

A person must not require another person to do any of the following:

(a)

download the NZ COVID Tracer app to an electronic communication device:

(b)

have the NZ COVID Tracer app in operation on an electronic communication device; or

(c)

consent to uploading NZ COVID Tracer app data from an electronic communication device to the NCTS.

(2)

A person who contravenes subsection (1) commits an offence and is liable on conviction to—

(a)

a term of imprisonment not exceeding 2 years; or

(b)

a fine not exceeding $10,000.

Subpart 2—Other obligations relating to digital COVID data and tracing data

34G Tracing data must be destroyed

(1)

The NZ COVID Tracer administrator must ensure that NZ COVID Tracer app data, that is not registration data, is destroyed after 30 days from the date on which the data was collected.

(2)

A business or service that holds contact records must ensure that those records are destroyed after 30 days from the date on which the records were collected.

(3)

A person who contravenes subsection (2) commits an offence and is liable on conviction to a fine not exceeding $15,000.

34H Deletion of registration data on request

(1)

A person may request that the NZ COVID Tracer administrator delete registration data that it holds about them at any time.

(2)

Upon receipt of a request under subsection (1), the NZ COVID Tracer administrator—

(a)

must take all reasonable steps to delete the registration data that they hold as soon as practicable; and

(b)

if it is not practicable to delete the data immediately, the NZ COVID Tracer administrator must not use or disclose the data for any purpose.

34I Deletion of certification data on request

(1)

A person may request that the person responsible for the operation of the digital COVID certificate delete certification data about them at any time.

(2)

Upon receipt of a request under subsection (1), the responsible person—

(a)

must take all reasonable steps to delete the certification data that they hold as soon as practicable; and

(b)

if it is not practicable to delete the data immediately, they must not use or disclose the data for any purpose.

34J Deletion of digital COVID data or tracing data received in error

(1)

A person who receives digital COVID data or other tracing data in error must, as soon as practicable, delete the data.

(2)

A person who contravenes subsection (1) commits an offence and is liable on conviction to a fine not exceeding $5,000.

34K Digital COVID data must be deleted when no longer required to support COVID-19 response

(1)

No person may collect or hold digital COVID data or tracing data after the end date.

(2)

In this section, the end date is 30 days after the first date at which there is no order made under section 11 of this Act in force that provides for the collection or use of tracing data.

(3)

A person who contravenes subsection (1) commits an offence and is liable on conviction to a fine not exceeding $15,000.

Subpart 3—Privacy Commissioner to review data collection systems

34L Privacy Commissioner to review data collection systems

(1)

The Privacy Commissioner must review the operation of the following systems in order for the Privacy Commissioner to assess the effects that these systems have on the privacy of individuals in New Zealand:

(a)

the NCTS, in particular the collection and handling of personal information in the NCTS:

(b)

any system or programme used to collect and handle certification data.

(2)

The Privacy Commissioner must undertake the review in subsection (1),—

(a)

the end of the 6 month period starting on the commencement of this Part; and

(b)

at least once every 6 months after that date.

(3)

Before commencing a review under subsection (1), the Privacy Commissioner must—

(a)

publish the draft terms of reference proposed for the review; and

(b)

allow 20 working days for written comments to be provided to the Commissioner.

(4)

The Privacy Commissioner must consider any comments received in the 20 day period, make any changes to the terms of reference they consider appropriate, and publish the final terms of reference on Privacy Commissioner’s website.

(5)

As soon as possible after completing a review under subsection (1), the Privacy Commissioner must provide a report on the review to the Minister.

(6)

As soon as practicable after receiving the report, the Minister must present a copy of that report to the House of Representatives.

34M Review to be treated as an inquiry under Privacy Act 2020

A review conducted under section 34L(1) must be treated as if it were an inquiry conducted by the Commissioner under section 17(1)(i) of the Privacy Act 2020, and section 203 of that Act applies accordingly.

Explanatory note

This Supplementary Order Paper amends the COVID-19 Public Health Response Amendment Bill (No 2) to insert a further amendment to address the concerns regarding access to and use of contact tracing data by law enforcement as it is held by businesses or on people’s personal devices, in particular through the COVID-19 Tracer App and QR Codes.