Ministry of Health
COVID-19 Contact Tracing Application (NZ COVID Tracer App)
Privacy Impact Assessment
Release 7.0 (24 May 2021)
Date 24 May 2021 (updated)


Confidentiality

This Privacy Impact Assessment (“the Assessment”) will be an evolving document that will record the impacts related to the latest release developments, immediately prior to implementation of such releases. This document will be regularly updated. The current version of this document will be made publicly available, commencing with initial release of the NZ COVID Tracer mobile app. This is the seventh Privacy Impact Assessment and addresses Release 6. This Release 6 introduces features intended to improve engagement and the usefulness of alerts.

Document creation and management

This document has been prepared by the Data & Digital Directorate, Ministry of Health.

Consultations with the following have occurred during the development of this document:

Sector Portfolio Manager, Digital Portfolio Team, Ministry of Health
Manager, Data Governance, Data & Digital, Ministry of Health
Project Manager, COVID-19 Contact Tracing App, Data & Digital, Ministry of Health
General Manager, Emerging Health Technology and Innovation, Ministry of Health
IT Security Manager, Data & Digital, Ministry of Health
The Chief Privacy Officer of the Ministry of Health
The Government Chief Privacy Officer
The Office of the Privacy Commissioner

Disclaimer

This Assessment has been prepared to assist the Ministry of Health (“the Ministry”) to review the purposes for which information collected via the NZ COVID Tracer mobile app can be used, and the privacy safeguards that are required to manage those purposes.

Every effort has been made to ensure that the information contained in this report is reliable and up to date.

This Assessment is intended to be a ‘work in progress’ and may be amended from time to time as circumstances change or new information is proposed to be collected and used.

Summary of Intent

This Assessment represents the current state of the way the NZ COVID Tracer mobile app will operate, and expectations for future releases.


Contents

SECTION ONE – EXECUTIVE SUMMARY 4
CLARITY OF PURPOSE 10
INFORMATION COLLECTION PROCESSES 10
ACCESS AND SECURITY 10
FUTURE PRIVACY IMPACT ASSESSMENT ACTIVITY 11

SECTION TWO – OPERATIONAL DETAILS 12
BACKGROUND 12
INFORMATION COLLECTED AND USER INFORMATION FLOWS 13
DATA FLOWS 14
CCTA SECURITY 20
GOVERNANCE 20

SECTION THREE - PRIVACY ANALYSIS 21

SECTION FOUR - INTENDED FUTURE USE CASES 35

APPENDIX ONE – CONTACT TRACING – THE SYSTEM SUPPORTED BY THE CCTA 36

APPENDIX TWO – THE RELEASE 5 ONBOARDING PROCESS 39

APPENDIX TWO – ANNEX ONE 42

APPENDIX THREE - ANONYMOUS STATISTICAL AND PERFORMANCE INFORMATION 43

APPENDIX FOUR – APP FEATURES – BLUETOOTH TRACING, DIGITAL DIARIES, NOTIFICATIONS AND EXPOSURE EVENTS 46

APPENDIX FIVE – BLUETOOTH TRACING– HOW DOES IT WORK? 62

APPENDIX FIVE – ANNEX ONE 68

APPENDIX FIVE – ANNEX TWO 69

APPENDIX SIX – BLUETOOTH AND THE COOK ISLANDS 70

APPENDIX SEVEN - GLOSSARY 72


Section One – Executive Summary

1. The COVID-19 pandemic is forcing governments around the world to evaluate how standard public health approaches to managing and controlling infectious disease can be bolstered and augmented by technology.

2. The speed and efficiency of Contact Tracing is one of the most critical factors in a health system’s ability to slow or stop the spread of communicable diseases [1]. In the case of COVID-19, it has been determined that under routine conditions of movement and contact amongst the population, the disease can spread too quickly to be contained by traditional Contact Tracing practices alone [2]. Further detail about Contact Tracing can be found in Appendix One.

3. The Ministry has identified an opportunity to support national Contact Tracing processes by use of an application for supported iOS and Android smart phones (the NZ COVID Tracer mobile app – the App), a Web Application (Website), and a Data Platform (Platform). These are collectively referred to as the COVID-19 Contact Tracing Application (the CCTA).

4. Individuals who choose to use any component of the CCTA are referred to as “Consumers” in this Assessment.

5. The CCTA will enable Consumers to keep their own record of places they have been, devices they have been in proximity with, and activities they have undertaken. This will assist them to rapidly respond to Contact Tracers about where they have been, who they have been in contact with and the type of activity that has occurred.

5.1. Contact Tracers will then be able to more quickly identify Close Contacts and Casual Contacts, and assess the risk of exposure to the virus.

5.2. It will also be possible for Contact Tracers to quickly send notifications to CCTA Consumers when they may have been exposed to a person with COVID-19 at a Location.

5.3. The CCTA will also implement the Exposure Notification System [3], which will allow rapid notifications to be sent to Close Contacts via the Bluetooth Tracing functionality.

5.4. Consumers will be able to adjust their behaviour in response to warnings provided via notifications.

[1] “Rapid case detection and contact tracing, combined with other basic public health measures, has over 90% efficacy against COVID-19 at the population level, making it as effective as many vaccines. This intervention is central to COVID-19 elimination in New Zealand”: Dr Verrall, A., 10 April 2020: Rapid Audit of Contact Tracing for COVID-19 in New Zealand, page 1.

[2] https://science.sciencemag.org/content/early/2020/04/09/science.abb6936 and https://www.health.govt.nz/system/files/documents/publications/contact_tracing_report_verrall.pdf

[3] The Exposure Notification Framework (ENF) is the protocol created by Apple and Google to support privacy-preserving digital contact tracing using Bluetooth Low Energy. The Exposure Notification System is an implementation of the ENF protocol within the New Zealand jurisdiction.


6. The Office of the Privacy Commissioner and the Government Chief Privacy Officer have been consulted and are satisfied that the privacy implications of the CCTA, and the related mitigations, have been appropriately recorded in this PIA.

Privacy focus

7. The intention of the Ministry has been to retain consumer choice, minimise the collection of personal information to those matters most directly useful for Contact Tracing purposes, and limit who will have access to that information. It has also endeavoured to minimise any potential privacy risks in its development of the CCTA and balance these against the public health benefits of enhanced contact tracing. Consumer trust is essential if use of the CCTA is to become widespread. The Ministry intends to earn and respect that trust.

8. The purpose of development of this Assessment has been to review the process of collection, storage, use and sharing of personal and contact information associated with the CCTA to ensure that relevant risks are identified and mitigated. This has involved ongoing consultation with the Office of the Privacy Commissioner, the Government Chief Privacy Officer and others to ensure that the CCTA retains a strong privacy focus.

9. This Assessment is to be a ‘living’ document that will be updated as the CCTA development progresses, with the intent that updates be published either ahead of or alongside future releases. This will enable the Ministry to maintain transparency about the CCTA with Consumers, who may choose to opt-out if they do not wish to participate in future releases.

Background

10. Technology can help with the process of Contact Tracing. The Ministry has worked with the health sector and the community to identify ways of improving access to relevant information, while still respecting individual privacy.

11. The Ministry has created a National Contact Tracing Solution (the NCTS), to greatly increase the capacity and reliability of tracing activity, and to support existing regional expertise.

12. Additional key uses for technology are:

12.1. to enable faster access to the correct contact details for people who may come in contact with COVID-19;

12.2. for Consumers to record their movements so that if they become infected with COVID-19 they can quickly and accurately identify others who may be Close Contacts or Casual Contacts;

12.3. for Contact Tracers to send a Location Alert to some Consumers who may have been exposed to COVID-19; and


12.4. for Consumers to use the Exposure Notification System (Bluetooth Tracing) to allow for quickly notifying close contacts.

13. The Ministry has therefore commissioned, and is operating, the CCTA to enable the New Zealand public to opt in to support Contact Tracing processes for the purposes of the COVID-19 pandemic response.

14. As other apps enter the New Zealand marketplace, the Ministry is developing standards that will enable those other apps to participate in support of the public health Contact Tracing processes, provided that the other apps can meet the necessary security and privacy standards. This project is addressed under a separate PIA (COVID-19 Contact Tracing Integration Product – Privacy Impact Assessment).

15. The Ministry has also decided to adopt the Exposure Notification Framework (ENF), developed by Apple and Google, as part of the CCTA offerings. The implementation of this framework is referred to as the Bluetooth Tracing features. The ENF is being used in a number of jurisdictions around the world. It is designed to enable notification of potential exposure in a way that minimises risks to privacy. It remains optional for App users whether they choose to enable the Bluetooth Tracing features. A detailed summary of the Bluetooth Tracing features is attached in Appendix Five.

16. The Bluetooth Tracing features will be designed to focus on the speed of notification to Consumers who are more likely to be a Close Contact, rather than identifying any possible contact, however fleeting that contact may have been. This is achieved by setting a threshold for the duration and strength of signal that indicates someone is likely to be a Close Contact. The main use Contact Tracers identified for the Bluetooth Tracing features was the prompt notification (via Bluetooth Alert) of those most at risk of being Close Contacts, so that App users would be alerted to their increased risk, and could act accordingly to limit the spread of COVID-19. The Bluetooth Alert messaging may include encouraging testing and self-isolation.

17. The gradual opening of the New Zealand borders has also identified opportunities to utilise the CCTA.

17.1. Quarantine-free travellers from Australia are invited (in the boarding information provided to them) to download, and use, the NZ COVID Tracer App while they are in New Zealand.

17.2. Travellers between the Cook Islands and New Zealand will be able to use the Bluetooth features of the App from either country [4], and upload their keys, or receive notifications if another App user tests positive. This new Bluetooth exchange capability will be explained in more detail in Appendix Six. This has the potential to enhance contact tracing with travel between New Zealand and the Cook Islands, but does not compromise existing privacy and security features associated with the NZ COVID Tracer App.

17.3. In each case, use of the NZ COVID Tracer App will remain voluntary.

[4] CookSafe+ for the Cook Islands and NZ COVID Tracer App for New Zealand.


COVID-19 Contact Tracing Application (the CCTA)

18. Development of the CCTA is progressing in stages, and new functions are released as they are developed. This Assessment addresses Release 7. This will include some new information resources, and some alterations to the display of information, for ease of use and understanding by the Consumer. The key new feature in Release 7 is the ability to share Bluetooth keys with Cook Islands users in the event that a user from either New Zealand or the Cook Islands tests positive and has used the Bluetooth features of CookSafe+ or the NZ COVID Tracer App.

19. The NZ COVID Tracer mobile apps for iOS and Android have the following features available to the Consumer to choose from:

19.1. Registration: Consumers are able to download and use the App without needing to register or provide any identifiable information if they choose not to. There will not be any password requirement to use the App, so Consumers will need to use their standard device screen lock feature if they wish to protect the information held by the App on their device, such as their digital diary.

19.2. Contact Details: Consumers can choose to submit their contact details via the mobile App. These details will be available to Contact Tracers to look-up within the NCTS if that person tests positive with COVID-19 or is a potential Close Contact of someone who tests positive with COVID-19. This could include full name, phone number, and address (if provided) to assist contact tracers with identification and contact details. Date of birth, gender, and ethnicity are also optional. If Consumers choose to provide any of this information, they will also need to provide an email address and verify it before it is stored.

Digital Diary

19.3. Digital Diary: A Consumer can choose to record Location information (the places the Consumer has been and scanned a QR code). They can also manually add entries to their Digital Diary, to record activities, or places they have been, where a QR-code poster was not on display. They can also record who they have been with at these activities or places. There is an edit feature to amend or delete these entries if the Consumer chooses.

19.4. Share Digital Diary feature: Consumers can choose to authorise the App to upload the Digital Diary held on their phone to the NCTS if they test positive with COVID-19. This can only happen if a Contact Tracer asks them to do this, and they use a one-time password given to them by the Contact Tracer.

19.5. Notification of Exposure Event (Location Alert): Contact Tracers can, at their clinical discretion, publish an Exposure Event of Interest (EEOI) to subscribed App Consumers to notify them of a potential exposure to COVID-19 at a particular Location. If a Consumer has a Digital Diary entry created by scanning at the Location during the time frame set by the Contact Tracer, they will receive a Location Alert.


19.5.1. The Location Alert will include a link to the Digital Diary entry that matched the EEOI.

19.5.2. A Location Alert can be removed from the Dashboard by being dismissed or by another Location Alert being received. Previously received Location Alerts can be seen in Digital Diary entries that matched an EEOI.

19.5.3. This Location Alert feature includes an option for the Contact Tracers to include a ‘Call Back’ option if they consider that appropriate for a particular location. It is up to the Consumer to choose whether to respond to a Location Alert Notification, including a Call Back request.

Bluetooth

19.6. Bluetooth Tracing: A Consumer can activate the Exposure Notification System (ENS) on their device. The Bluetooth Tracing feature is described more fully in Appendix Five. This allows devices that support ENS to broadcast to other devices, and record broadcasts received of randomly-generated keys from those other devices [5]. The use of the ENS is designed to minimise the risk of re-identification of Consumers. The keys do not record who either of the Consumers are, nor where they are. Each device would keep its own record of the keys it had come in contact with.

19.7. Upload Bluetooth keys feature: Consumers can choose to authorise the App to release the random keys that their phone has generated, if they test positive. A Contact Tracer will initiate the request for these keys by entering an onset date and phone number in the NCTS, and a Consumer will receive a text message with a one-time password. If the Consumer enters the one-time password into the app, their Temporary Exposure Keys (TEKs) are uploaded to the CCTA server. Unlike uploading a Digital Diary, the Contact Tracer does not gain any access to data about the Consumer’s movements through the upload of Bluetooth Tracing keys. Additional privacy controls include:

19.7.1. The identifiers broadcast over Bluetooth are random, are derived on and protected by the Consumer’s device, and are seen only by nearby devices.

19.7.2. When uploaded, the published keys are randomly ordered on the CCTA server.

19.7.3. The process of notifying contacts (via the Bluetooth Alert) occurs automatically from the CCTA after keys are uploaded.

19.8. Exposure Notification (Bluetooth Alert): Every few hours, each device checks for keys that have been uploaded by Consumers who have tested positive for COVID-19. If the device has a match with any of these keys, it checks against the App’s algorithm configuration, which is designed to identify Close Contacts. It displays a notification to the Consumer on the device only if the exposure exceeds the programmed duration and strength of signal in relation to the contact with the device of other Consumer(s) who have tested positive for COVID-19. This notification can include an option for the Consumer to request a return call (a Call Back), if the Contact Tracers consider that appropriate. As with the Location Alert, it is up to the Consumer to choose whether to respond to a Bluetooth Alert Notification, including a Call Back request.

[5] Rolling Proximity Identifiers (RPIs) are ever-changing identifiers generated from the Temporary Exposure Key on each Consumer’s device. RPIs are shared with other devices via Bluetooth and change every ten to fifteen minutes.
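The key derivation and on-device matching that 19.6 to 19.8 and footnote [5] describe, as an added example in Go. This is not the Ministry's or the App's code: the TEK-to-RPI derivation (HKDF-SHA256 to an "EN-RPIK" subkey, then AES-128 over "EN-RPI" padded with the 10-minute interval number) follows the published Apple/Google Exposure Notification cryptography specification, while the Observation, Config and Evaluate types, the attenuation and duration thresholds and the scenario in main are assumptions chosen for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Constants from the published Apple/Google Exposure Notification crypto spec.
const (
	keyLen           = 16
	tekRollingPeriod = 144 // 10-minute intervals covered by one TEK (24 h)
	intervalMinutes  = 10
)

// TEK is a Temporary Exposure Key: 16 random bytes valid for tekRollingPeriod
// intervals from Interval. Only TEKs ever leave the device, and only on upload.
type TEK struct {
	Key      [keyLen]byte
	Interval uint32 // ENIntervalNumber = unix seconds / 600 when the key was made
}

// NewTEK draws a fresh daily key from the OS CSPRNG.
func NewTEK(interval uint32) TEK {
	t := TEK{Interval: interval}
	if _, err := rand.Read(t.Key[:]); err != nil {
		panic(err)
	}
	return t
}

// hkdfSHA256 is RFC 5869 HKDF-SHA256 with an empty salt and a single expand
// block, which is all the spec's 16-byte subkeys need.
func hkdfSHA256(ikm []byte, info string, n int) []byte {
	extract := hmac.New(sha256.New, make([]byte, sha256.Size)) // empty salt == HashLen zeros
	extract.Write(ikm)
	expand := hmac.New(sha256.New, extract.Sum(nil))
	expand.Write([]byte(info))
	expand.Write([]byte{0x01})
	return expand.Sum(nil)[:n]
}

// RPI derives the Rolling Proximity Identifier broadcast during interval enin:
// AES-128(RPIK, "EN-RPI" || 0x00*6 || LE32(enin)) with RPIK = HKDF(TEK, "EN-RPIK").
// Without the TEK, consecutive RPIs cannot be linked to each other or to a person.
func RPI(tek TEK, enin uint32) [keyLen]byte {
	block, err := aes.NewCipher(hkdfSHA256(tek.Key[:], "EN-RPIK", keyLen))
	if err != nil {
		panic(err)
	}
	var padded, out [keyLen]byte
	copy(padded[:], "EN-RPI")
	binary.LittleEndian.PutUint32(padded[12:], enin)
	block.Encrypt(out[:], padded[:])
	return out
}

// Observation is one RPI heard over Bluetooth, as kept on the receiving device.
type Observation struct {
	RPI         [keyLen]byte
	Attenuation int // dB (TX power minus RSSI); lower means closer
}

// Config stands in for the App's algorithm configuration; the real thresholds are not on the page.
type Config struct {
	MaxAttenuation int // signals weaker than this are too distant to count
	MinMinutes     int // cumulative close-range minutes needed for a Bluetooth Alert
}

type Exposure struct {
	KeyInterval uint32 // start interval of the uploaded TEK that matched
	Minutes     int
}

// Evaluate regenerates every RPI each uploaded (positive-case) TEK could have
// broadcast, looks them up among the device's own observations and sums the
// close-range intervals. Everything here runs on the device; nothing is sent.
func Evaluate(uploaded []TEK, obs []Observation, cfg Config) []Exposure {
	best := make(map[[keyLen]byte]int, len(obs)) // lowest attenuation seen per RPI
	for _, o := range obs {
		if a, ok := best[o.RPI]; !ok || o.Attenuation < a {
			best[o.RPI] = o.Attenuation
		}
	}
	var out []Exposure
	for _, tek := range uploaded {
		matched := 0
		for i := uint32(0); i < tekRollingPeriod; i++ {
			if a, ok := best[RPI(tek, tek.Interval+i)]; ok && a <= cfg.MaxAttenuation {
				matched++
			}
		}
		if mins := matched * intervalMinutes; mins >= cfg.MinMinutes {
			out = append(out, Exposure{KeyInterval: tek.Interval, Minutes: mins})
		}
	}
	return out
}

func main() {
	// Constructed scenario: tekA belongs to a Consumer who later tests positive and
	// uploads; tekB belongs to a phone that never uploads. Our device heard three of
	// tekA's RPIs (two close, one distant) and one of tekB's.
	tekA, tekB := NewTEK(2700000), NewTEK(2700000)
	obs := []Observation{
		{RPI: RPI(tekA, 2700050), Attenuation: 48},
		{RPI: RPI(tekA, 2700051), Attenuation: 52},
		{RPI: RPI(tekA, 2700090), Attenuation: 75}, // too distant to count
		{RPI: RPI(tekB, 2700060), Attenuation: 40}, // never uploaded, never matches
	}
	cfg := Config{MaxAttenuation: 60, MinMinutes: 15} // assumed thresholds
	for _, e := range Evaluate([]TEK{tekA}, obs, cfg) {
		fmt.Printf("Bluetooth Alert: key from interval %d, %d min of close contact\n", e.KeyInterval, e.Minutes)
	}
}
```

The device stores only observed RPIs and attenuations, and Evaluate works from the downloaded TEKs alone. That is why a match tells the device that it was near a positive case, and roughly for how long, but not who or where, and why a TEK that is never uploaded (tekB) can never be matched by anyone.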

19.9. Cook Islands and sharing of Bluetooth keys. Release 7 introduces the ability to share Bluetooth tracing keys with CookSafe+ users who have an ENS Bluetooth compatible device.

19.9.1. A central server (managed by the Ministry of Health) will enable the management of the upload and distribution of keys to Consumers in New Zealand and the Cook Islands using one of the ENS Bluetooth compatible apps. This will only occur with a positive case (for the upload), and a matching key for the notification on the Consumer’s device.

19.9.2. This will enable the Bluetooth keys of Consumers who travel between New Zealand and the Cook Islands to be exchanged, irrespective of whether the Consumer has left one country for the other between the time of exposure and the time of notification.

19.9.3. The privacy implications will be the same as for the NZ COVID Tracer App Bluetooth features described above (minimal).

19.10. My NHI Details: Consumers will be given the option to manually add their NHI to the details they have recorded on their device. This will enable them to use their device screen to display their NHI (if they choose to) on the ‘My NHI Details’ screen when they attend a testing facility.

19.11. In-App information provision: Dashboard features on the App include:

19.11.1. In-App statistics. This will include national app usage statistics (as per information released by the Ministry to its website).

19.11.2. Personal metrics. This allows the Consumer’s personal usage statistics for the App for the previous fortnight to be displayed only on the device. This data is calculated on and stays on the device.

19.11.3. Announcements. This will show announcements issued by the Ministry of Health to all users of the app.

19.11.4. The addition of a resources tab with server-driven links to trusted resources, such as vaccination related information and current COVID test locations so the Consumer can identify a location near them from the list (if required).

19.11.5. No personal information is exchanged between the CCTA and these information links, but non-identifiable analytics may be collected (as further described in Appendix Three).


Clarity of purpose

20. A simple Privacy Statement is displayed to Consumers as part of the onboarding process. This is linked to a more detailed Privacy and Security Statement for those who wish to view that more detailed information.

21. These Privacy Notice Materials have been created with the intent that all Consumers can obtain a full understanding of how their information will be used if they choose to participate.

22. Authorised users of the information (Contact Tracers) will be informed about expectations for use, and limitations on use of this personal information. This will be consistent with their existing legislative responsibilities under the Health Act to manage this information appropriately.

Information Collection Processes

23. The Privacy Notice Materials, including the Privacy Statement and the Privacy and Security Statement, are designed to be compliant with rule 3 of the Health Information Privacy Code. The Privacy Notice Materials are available to Consumers at the first contact with the CCTA, prior to the Consumer submitting any information.

24. CCTA Consumers will be notified in advance of any material changes being implemented to the Purpose Statement or other Privacy Notice Materials via their registered email address (if they have one) or in-App message. This will indicate new features and also what has changed from a privacy perspective (if anything). There will be an opportunity within the App to review the updated privacy statement on the device screen when a new feature is added that requires an opt-in / opt-out choice. This will enable ongoing Consumer choice about participation.

25. Consumers have the choice of opting-in to use the CCTA, and if they do, will retain the choice of the extent to which they wish to contribute information.

26. Links will be provided to a web-based explanation in the Privacy and Security Statement which will contain more detail for those individuals who wish to know more (a layered privacy notice). The Privacy and Security Statement will also link to the current version of this Assessment.

Access and Security

27. The CCTA implements robust security and authorisation controls to prevent unauthorised access to information and follows leading practices for encrypting data at rest and in transit. Access to information requires authentication.

28. Prior to each substantive release, the CCTA and supporting web services have been independently security assessed by an All of Government approved supplier. Findings from the reviews will be remediated where appropriate. Future releases of the solution will also be independently assessed to the same standards.

Future Privacy Impact Assessment Activity

29. The CCTA has been developed in parallel with completion of this Assessment. The Office of the Privacy Commissioner and the Government Chief Privacy Officer have provided independent advice and assessment to the project team during this process, which the project team has endeavoured to incorporate into the CCTA application.

Section Two – Operational Details

Background

The Ministry approach to the CCTA development

1. The Ministry is developing the CCTA to support national Contact Tracing activity. Appendix One contains additional details about Contact Tracing.

2. Decisions made on Release features for the CCTA are driven by a focus on privacy and choice for individuals, alongside identified requirements for Contact Tracing. Additional details in relation to Release 5 are contained in Appendix Two.

3. The intent of the Ministry is to be transparent with the use of the data, in order to maintain and grow social licence:

The information collected will be voluntarily provided by the Consumer (on an opt in basis). Release 5 removed the requirement to register before use, and no longer requires the Consumer to supply an email address on sign up. Other details about the App features can be found in Appendix Four.

The information collected will only be used for the COVID-19 Pandemic Public Health Response (limited use).

Any information relating to the Consumer’s visited Locations will remain on their device unless they decide to use the CCTA’s electronic Digital Diary Share facility after a request from a Contact Tracer. This voluntary process does not remove the requirement under section 92ZZC(3) of the Health Act for a person who has COVID-19, or is a probable case, to provide information about the circumstances in which they may have contracted or transmitted the virus.

The visited Location records on the Consumer’s device will expire on a rolling 60-day period. This is on the recommendation of the Contact Tracing team following an outbreak in Auckland in August 2020. It is consistent with four incubation periods of the virus – which amounts to 56 days.

Uploading and sharing of Bluetooth keys (from CookSafe+ or NZ COVID Tracer App users) will apply only for a positive case where there is a matching record on a Consumer device. Bluetooth tracing is an opt-in feature, as is the choice to upload keys after a positive test. Bluetooth keys will expire after 14 days for both Apps.

4. The approach the Ministry has taken is to try and make it as easy as possible for Consumers to sign up and provide their information, while providing sufficient security controls for Consumers to safely manage their information. The App no longer requires Consumers to remain logged in to use it (from Release 5 onwards).


5. Consumers are responsible for the choice of how to secure their own device. Existing Consumer App users will be advised by in-App notification that a password will no longer be required.

6. Contact Tracers will be able to use App generated information from Consumers to support the national case management of positive cases and Close Contacts. Case management is recorded on the NCTS. All points of contact with the NCTS are described in this Section Two of this Assessment.

Information Collected and User Information Flows

7. The Ministry has identified four key sets of information involved in the CCTA processes:

Personal, contact and demographic information – Consumers choosing to provide this information about themselves will enable Contact Tracers to contact the correct person more quickly and easily. Demographic details will also assist the Ministry to understand its performance and to produce a solution that is more equitable. The individual may also record their NHI number on their device in case they require it to establish their health identity quickly e.g. when seeking a test for COVID-19 in a community setting. Provision of all of this information is voluntary.

Visited Locations and Digital Diary entries – this information will be recorded by Consumers about Locations they have visited (by scanned QR Code) or by manual Digital Diary entry for places visited or activities in which the Consumer has been involved. This easy access by Consumers to their past movement and activity information will allow Contact Tracers to more quickly assess information relating to Locations where the COVID-19 infected Consumer (or probable case) may have encountered Close Contacts, thus reducing the risk of transmission to others.

o A Consumer must choose to scan a QR code or manually record a visit in their Digital Diary on each occasion or no information will be collected. This Digital Diary information is held on the Consumer’s device.

o A Consumer, who has tested positive or is a probable case, may also decide to upload that information (when requested by a Contact Tracer). If they do choose to upload, all Digital Diary entries will be uploaded at the same time (there will not be a choice to upload only scanned Locations or only manual entries – the choice will be to upload all information or not upload).

Uploaded Locations and Diary Entries will be useful to the Contact Tracer as they will be able to review the Locations and Digital Diary details, and discuss them further with the Consumer.

This discussion will enable the Contact Tracer to identify any Location, date and time where there may have been a risk of transmission to other individuals (Exposure Events).

Bluetooth Tracing information – this is the information generated and collected by the Exposure Notification System. This includes:


o Temporary Exposure Keys (TEKs) randomly generated each day by each Consumer’s device.

o The record of Rolling Proximity Identifiers (RPIs) broadcast by other nearby devices, the time this broadcast was received, and the signal strength of the broadcast, all collected by and held on the Consumer’s device.

o TEKs uploaded to the CCTA platform by people who have tested positive for COVID-19 (including those uploaded by CookSafe+ users of the Bluetooth feature).

Anonymous Statistical and Performance Information – this information will be collected from Consumer’s interactions with the CCTA, and from its performance on devices, to help the Ministry to understand the stability and effectiveness of the CCTA, and develop equitable solutions. Additional details about statistical and performance information are contained in Appendix Three.

Data Flows

8. The following diagram demonstrates the data flows associated with the CCTA [6]:

Use of Information: Data Storage, Retention and Access

9. Consumers will only be able to access their own information.

[6] Refer to Appendix Six for details of the Interoperability Server with CookSafe+.

10. Select staff and individuals in a production support role have access to the CCTA Platform (the data storage system that holds Consumer personal contact information and the Bluetooth key exchange server). This access is only used for the purposes of maintaining the correct function of the production application. This access is logged and audited.

Contact details

11. Consumer contact details (if they choose to supply them) are securely stored by the CCTA AWS platform. This data store can be queried (view only access) by Contact Tracers who:

o have authorised access to the NCTS, and

o need to find contact information for confirmed or probable Close Contacts of a person with a confirmed or probable case of COVID-19.

12. This secure NCTS / CCTA interface will only be used if the Contact Tracer needs to locate the individual Consumer and did not already have access to their current contact details from other contact tracing or health system sources, or needs to confirm details obtained from other sources are current.

Any access will be logged into the NCTS audit records. This audit trail will record which Contact Tracer used their view access to an individual Consumer’s contact details.

The contact information will only be entered into NCTS once it has been verified by the Contact Tracer, in contact with the Consumer, both to confirm they have identified the right person and that the contact detail is accurate. Other information will be obtained directly from the individual Consumer by discussions with the Contact Tracer.

Digital Diary - Location details and manual entries

13. If a CCTA Consumer (who is a confirmed or probable case) is requested by a Contact Tracer to inform them of the Locations they have been to, or the people that they have been in contact with, the Consumer may choose to use the CCTA's 'share my diary' facility to upload the Digital Diary they have recorded. This will include scanned Locations recorded on their device, and their manual Digital Diary entries (the Upload Information).

14. If the Consumer chooses to electronically release the Upload Information, that information will be held in a secure store within the NCTS Salesforce boundary.

The Upload Information can be accessed by the Contact Tracer through Salesforce (NCTS) which retrieves the data relating to that case from the data store.

Any access will be logged into the NCTS audit records. Only authorised users can access the NCTS. This NCTS audit trail will record which Contact Tracer used their view access to an individual Consumer’s Upload Information.

When a scanned Location or manual Digital Diary location (that has been submitted by the Consumer) is identified as an Exposure Event, an Exposure Event entry will be created within the NCTS. This Exposure Event and the associated Contact Location will be retained as part of the NCTS case record.

Digital Diary manual entries that identify potential Close Contacts will be followed up through NCTS contact tracing processes.

From this Upload Information, Locations that are not identified as Exposure Events, or manual entries not identified as relevant for Contact Tracing of Close Contacts, will be retained for six months before being securely destroyed.

Exposure Event Notification

15. Contact Tracers have identified that the App can assist to provide notification of potential contacts of an individual who has since tested positive. If an Exposure Event is determined to have created a risk of infection of Close Contacts, and that Location has a GLN [7], a clinical decision will be made as to whether it will benefit the Contact Tracing process to send Notification via the App, in addition to the other methods available for identifying Close Contacts.

16. The NCTS has a feature (a button for ‘Escalate Exposure Event’) to enable a Contact Tracer to indicate that an Exposure Event may have created Close Contacts and therefore be appropriate for Notification via the CCTA.

This Exposure Event will then be considered by Ministry clinicians to determine whether Close Contacts are likely and whether the App is an appropriate method of advising of that Exposure Event.

o Only a limited number of authorised Contact Tracers will be able to use the interface in NCTS to create an Exposure Event of Interest (EEOI) for Notification (an EEOIN).

o The EEOI Notification content will be defined by the Contact Tracers when the Notification is created. The Contact Tracers will determine the appropriate level of information to disclose based on the risk, and circumstances of the Exposure Event.

o This will require individual review and clinical sign off before the EEOIN is released to the CCTA, for publication to Consumers as a Location Alert.

o This clinical intervention is to maintain national consistency in the Notification process, and to ensure that consistent clinical criteria are applied. It is important to maintain a balance between alerting individuals to a potential exposure, against the anxiety generated by over Notification of Location Alerts. The clinical oversight and final decision-making on sending the Notification is designed to weigh that balance in decision-making.

o The addition of the Call Back feature, and the ability for Contact Tracers to add a specific message in a Location Alert, will help separate the management of higher risk Exposure Events from those that are lower risk (as lower risk Location Alerts will not receive the Call Back option).

17. Notification of an EEOI is available to Consumers who subscribe to the alert Notifications, and who have a matching date, time and Location (scanned GLN) on their device.

[7] A GLN is a Global Location Number. It is the unique identifier that identifies a particular physical location for a business, or a branch of a business or other legal entity. This is the detail that is recorded by the App when 'scanning' at a Location.

Upon a successful match of an Exposure Event on a Consumer’s device, the Consumer is provided with a Location Alert Notification that they may have been in contact with COVID-19 (including any content that may have been approved by the authorised Contact Tracer).

Each Consumer will therefore be put on notice to monitor any potential health changes. If the Contact Tracer considers additional information is necessary, that information could be included in the Notification message. If the Contact Tracer considers it a higher risk event, a Call Back option may be included.

Appropriate resources are included on a weblink contained in the Location Alert Notification about the symptoms to look for, and what to do in the event the Consumer needs further assistance (including Healthline contact details). Consumers receiving a standard (or lower risk) Location Alert will be requested to monitor their wellbeing and call Healthline if they have any concerns.

The Consumer will not be identified by the Location Alert receipt, and no information about the Consumer’s identity will be passed to Contact Tracers. Only if a Call Back option is offered, and accepted by the Consumer, will the Consumer be able to send their name and contact phone number as part of the Call Back request. If the Consumer chooses to accept the ‘offer’ to receive a Call Back from a Contact Tracer, a code (linking to the case record of the person who gave rise to the Exposure Event) will be available to the Contact Tracer as part of the Call Back response. The Contact Tracer can then have a direct discussion with the Consumer about their personal situation.

At no time is information about the person who tested positive to COVID-19 available to other Consumers.

18. Consumers are not compelled to respond or take any particular action. They are instead requested to monitor their own health and have a list of resources available if they become symptomatic.

19. A non-identifying analytics event may be recorded to help the Ministry measure the number of Notifications received.

Bluetooth Tracing Key Exchange Server

20. If a Consumer has tested positive for COVID-19, a Contact Tracer may use the NCTS to trigger a request for the last 14 days of Bluetooth Tracing keys that the Consumer's device has generated. This is with the Consumer's consent.

21. The request will include the Consumer’s mobile phone number and the date that the Contact Tracer believes the Consumer became contagious.

22. The request will be sent to the Key Exchange Server. The server will send a request to the EN Notification Service to send an SMS to the Consumer with a one-time passcode (OTP) to enter into the app.

23. The EN Notification Service will use Twilio [8] to send an SMS to the Consumer. Twilio receives no information about the Consumer other than the message to be sent, which does not contain their name or any other personal details, and the number to send it to.

[8] Twilio is a cloud communication platform as a service based in the United States of America that allows text messages to be sent and received.

24. If the Consumer chooses to enter the OTP into the app, the keys that they have generated in the last fourteen days will be uploaded into the Key Exchange Server.

25. The Key Exchange Server does not receive any information about who has uploaded the keys. It deletes all keys that expired before the date the Consumer became contagious. It collates the remaining uploaded keys into a ZIP file together with all other Consumers' uploaded keys, within a maximum timeframe of the last fourteen days.

26. Release 7 will also send these non-identifiable keys to the Ministry's secure Inter-operability Server. That Server will enable the exchange of these keys with the key exchange server for CookSafe+ (and vice versa). Any keys received from CookSafe+ will be available to the New Zealand key exchange server, to add to the ZIP file.

27. Each device using the app will download this ZIP file every few hours and check, on the device itself, whether any of the downloaded keys correspond to RPIs it has recorded from nearby devices (that is, whether its user may have been exposed).

28. The Key Exchange Server will delete keys and OTPs when they are older than fourteen days.
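Paragraphs 20 to 28 describe the Key Exchange Server flow in prose, and the Bluetooth Tracing information list earlier in this section names the TEKs and RPIs involved. The Go program below is an added worked example, not code from the Ministry or the NZ COVID Tracer App, that models the cryptographic and matching steps behind that flow using the published Apple/Google Exposure Notification derivation: a daily TEK yields a Rolling Proximity Identifier Key via HKDF-SHA256, and the RPI broadcast in each 10-minute interval is AES-128 of that interval number under the RPIK. The server-side step drops keys that expired before the contagious date (paragraph 25) and the device-side step re-derives RPIs and compares them against its own sightings (paragraph 27). The interval numbers, key bytes, sightings and the two-hour clock-skew tolerance are constructed for this example; the OTP and ZIP transport are omitted.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

const (
	tekRollingPeriod = 144 // ENIntervalNumbers (10-minute windows) in one day
	retentionDays    = 14  // server and device keep at most 14 days of keys
	skewTolerance    = 12  // intervals (2 h) of clock skew accepted when matching; an assumption for this example
)

// TEK is one daily Temporary Exposure Key and the ENIntervalNumber at which it became valid.
type TEK struct {
	Key           [16]byte
	StartInterval uint32
}

// Sighting is what a receiving device stores: the RPI heard, when, and how strongly. No identity.
type Sighting struct {
	RPI      [16]byte
	Interval uint32
	RSSI     int
}

// hkdf16 is HKDF-SHA256 (RFC 5869) with an empty salt, one Expand block, truncated to 16 bytes.
func hkdf16(ikm []byte, info string) [16]byte {
	ext := hmac.New(sha256.New, make([]byte, sha256.Size)) // empty salt -> HashLen zero bytes
	ext.Write(ikm)
	prk := ext.Sum(nil)
	exp := hmac.New(sha256.New, prk)
	exp.Write([]byte(info))
	exp.Write([]byte{0x01})
	var out [16]byte
	copy(out[:], exp.Sum(nil))
	return out
}

// rpiKey derives the Rolling Proximity Identifier Key: HKDF(tek, NULL, "EN-RPIK", 16).
func rpiKey(tek [16]byte) [16]byte { return hkdf16(tek[:], "EN-RPIK") }

// rpi is the identifier broadcast during interval n: AES-128(RPIK, "EN-RPI" || 0x00*6 || LE32(n)).
func rpi(rpik [16]byte, n uint32) [16]byte {
	var padded [16]byte
	copy(padded[:], "EN-RPI")
	binary.LittleEndian.PutUint32(padded[12:], n)
	block, err := aes.NewCipher(rpik[:])
	if err != nil {
		panic(err) // a 16-byte key cannot fail here
	}
	var out [16]byte
	block.Encrypt(out[:], padded[:])
	return out
}

// filterUploadedKeys models the Key Exchange Server step in paragraph 25: drop TEKs whose validity
// ended before the Contact Tracer's contagious date, and anything outside the 14-day window.
func filterUploadedKeys(uploaded []TEK, contagiousFrom, now uint32) []TEK {
	var oldest uint32
	if now > retentionDays*tekRollingPeriod {
		oldest = now - retentionDays*tekRollingPeriod
	}
	var kept []TEK
	for _, k := range uploaded {
		validUntil := k.StartInterval + tekRollingPeriod
		if validUntil <= contagiousFrom || validUntil <= oldest {
			continue
		}
		kept = append(kept, k)
	}
	return kept
}

// matchExposures models the on-device step in paragraph 27: re-derive every RPI each published TEK
// could have produced and compare against local sightings. Only the device learns the outcome.
func matchExposures(published []TEK, sightings []Sighting) []Sighting {
	var hits []Sighting
	for _, k := range published {
		rk := rpiKey(k.Key)
		for i := uint32(0); i < tekRollingPeriod; i++ {
			n := k.StartInterval + i
			id := rpi(rk, n)
			for _, s := range sightings {
				if bytes.Equal(id[:], s.RPI[:]) && absDiff(s.Interval, n) <= skewTolerance {
					hits = append(hits, s)
				}
			}
		}
	}
	return hits
}

func absDiff(a, b uint32) uint32 {
	if a > b {
		return a - b
	}
	return b - a
}

// runScenario is a constructed walk-through: a positive case uploads four days of keys, the Contact
// Tracer sets the contagious date to yesterday's start, and a bystander's device holds two sightings.
// It returns (keys published, sightings matched).
func runScenario() (int, int) {
	now := uint32(2_800_000)                                                    // arbitrary ENIntervalNumber standing in for "today"
	day := func(d int) uint32 { return now - uint32((d+1)*tekRollingPeriod) } // start of day -d
	var caseKeys []TEK
	for d := 3; d >= 0; d-- {
		var k [16]byte
		for i := range k {
			k[i] = byte(0xA0 + d*16 + i) // constructed, deterministic; real devices use crypto/rand
		}
		caseKeys = append(caseKeys, TEK{Key: k, StartInterval: day(d)})
	}
	// Bystander heard the case three days ago (before contagious) and yesterday (while contagious).
	sightings := []Sighting{
		{RPI: rpi(rpiKey(caseKeys[0].Key), day(3)+40), Interval: day(3) + 40, RSSI: -62},
		{RPI: rpi(rpiKey(caseKeys[2].Key), day(1)+90), Interval: day(1) + 91, RSSI: -58},
	}
	published := filterUploadedKeys(caseKeys, day(1), now)
	return len(published), len(matchExposures(published, sightings))
}

func main() {
	p, m := runScenario()
	fmt.Printf("keys published: %d, exposures matched: %d\n", p, m)
}
```

Two points the prose leaves implicit are visible here. The sightings list never leaves the device and the server only ever holds case TEKs, so the match is computed locally and carries no identity, which is what paragraph 25 relies on. And the contagious-date filter is the only place a human judgement narrows the data: in the scenario it halves the keys published, so the sighting from three days earlier cannot produce an alert.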

Security and Retention on NCTS

29. Full details of the data access and controls in place for NCTS will be covered in a separate Privacy Impact Assessment for the NCTS. In summary:

The NCTS is made up of a number of components, including a rules engine, integration and AWS capability. Salesforce Service Cloud (Service Cloud) is the Salesforce customer service and case management Software as a Service platform. Service Cloud provides the core platform that supports all core capabilities of the NCTS.

The Salesforce Service Cloud instance is served from Amazon Web Services (AWS) Cloud infrastructure based in Sydney, Australia.

Information stored in the NCTS is covered by the NSS Data Policy, which aligns with the relevant HISO standards, including HISO 10029:2015 Health Information Security Framework, and the New Zealand Information Security Manual.

30. Information that originates from the App that is sent to the NCTS by one of the processes identified above will be securely stored under the following retention requirements:

Any identifiable information collected will only be used for public health purposes related to COVID-19.

Contact information extracted by a Contact Tracer will be added to an NCTS case record only after confirmation with the Consumer concerned.

Digital Diary data uploaded will be located in a secure location within the NCTS Salesforce platform but will not be transferred into a NCTS case record unless a Contact Tracer determines it is relevant to an Exposure Event. Any information, including Location Information, not transferred will be securely deleted on a regular basis (within six months of submission).

Identifiable Consumer information recorded in the NCTS will relate to one of the following categories:

o Related to an individual who has, or is a probable case of, COVID-19 (an NCTS case record) which is stored in the NCTS as part of the pandemic case management system; or

o Related to an individual who is identified as a Close Contact.

Information retention policies will be fully detailed in the NCTS Privacy Impact Assessment, but in summary:

o Any identifiable information that does not become part of the NCTS case record of an individual will be retained for the duration of the pandemic (until the COVID-19 Public Health Response Act 2020 is repealed) and then securely and promptly destroyed (such as information linked only to a Close Contact).

o Any information incorporated into an individual NCTS case record will be managed securely and retained in accordance with the Health (Retention of Health Information) Regulations 1996. Consideration is being given in the NCTS retention policy development as to what parts of this NCTS case record may be able to be securely destroyed earlier. The NCTS will engage with the Office of the Privacy Commissioner and the Chief Archivist before finalising its retention policy and specifically address this issue.

o Non identifiable (or de-identified) information may be used for purposes related to the public health response to COVID-19 (which may include planning for future potential events or research).

Statistical Information

31. Statistical information collected about the use of the platform will be accessible to relevant Ministry staff and its suppliers, in order to make decisions about the features and functionality of CCTA. This information does not identify any individual Consumer, nor will Consumer personal information be accessible in this way.

Information and convenience features

32. The App includes links to other websites where information can be located that may be useful to App users. This includes, for example, a link to the site identifying COVID-19 test location sites – which the Consumer can then manually scroll through and identify a location near them. No identifiable information or location details are exchanged.

33. The App will also contain statistics about app usage and other statistics issued by the Ministry of Health that may be of interest to users.

34. The App will contain a personal metric showing how many days out of the last fourteen at least one diary entry has been recorded for. This is calculated on the device from data held only on the device.

35. The App will contain the ability to show announcements on the dashboard. Announcements will be issued to all users of the app simultaneously. They may be displayed only on the dashboard, or they may be accompanied by a push notification.

CCTA Security

36. Prior to each major Release, the CCTA and supporting web services will undergo an independent security review by an All of Government approved supplier. This will include the Interoperability Server that will exchange Bluetooth keys with the CookSafe+ CCTA platform equivalent (so that the keys can be broadcast to CookSafe+ devices). Findings from the review will be remediated where appropriate. Future Releases of the solution will also be independently assessed to the same standards.

37. The CCTA, including Consumers' personal information and anonymised information, is hosted and stored using Amazon Web Services (AWS) in the ap-southeast-2 (Sydney) region. This is a Ministry-owned sub-tenancy of the main Ministry of Health AWS tenancy, which enforces relevant security, audit, and policy controls.

38. The Website found at tracing.covid19.govt.nz is stored and served using Netlify, a specialist web hosting service designed to host static web applications. Only pre-compiled static web assets, including HTML, CSS, and JavaScript, are served from Netlify. Consumers' personal information, and other data collected by the CCTA, is not sent to Netlify servers.

39. Data stored within AWS is encrypted at rest. The Ministry controls access to the encryption keys and the data.

40. The source code and high-level architecture for initial design of the solution have been reviewed by the Government Communications Security Bureau’s National Cyber Security Centre and an independent All of Government security supplier and designed in collaboration with Amazon Web Services.

41. The Specific Agreement with the Service Provider for provision of the CCTA contains standard Ministry Information Technology clauses designed to require compliance with relevant New Zealand security and privacy obligations in development of the CCTA.

Governance

42. Governance of the programme maintains oversight of the collection, management, authorised use and deletion of information arising from the CCTA processes via the following oversight bodies:

The COVID-19 Technology Enablers Governance Group will perform the overall governance function, and the COVID-19 Technology Steering Group will manage operational matters.

The Senior Responsible Officer for Data and Digital’s COVID-19 response

The Business Design Council. This includes a sub-set of members from the Digital Investment Board, a Clinical Leader and Ministry (non-Data & Digital) employees.

The NCTS governance team.

Section Three - Privacy Analysis

The purpose of this Assessment is to review the process of collection, storage, use and sharing of personal and contact information for the purposes of the COVID-19 pandemic response against the 13 Rules in the Health Information Privacy Code (HIPC).

This application will collect personal and contact information for health purposes. It will be a health agency (the Ministry of Health) collecting, storing, using and where appropriate sharing the information collected (with other health agencies, but only as required for the purposes of the COVID-19 pandemic response). The CCTA is designed to support existing Contact Tracing activity, and enables Consumers choice in what features they wish to use to support New Zealand’s COVID-19 response.

The App has been changing incrementally through a series of Releases. This analysis addresses the accumulated releases up to and including Release 7.

The introduction of the Bluetooth tracing functionality has been focussed on swift identification of those individuals more likely to be at risk of having been in Close Contact with a Case. Contact Tracers indicated that speed in the initial warning to Consumers at risk could assist in ensuring faster self-isolation and testing if required. This could help stop the potential for spread of the virus at an earlier stage. There is potential for the Bluetooth Alert Notification to be received some hours earlier than a phone call from a Contact Tracer could be made (assuming the individual is likely to be eventually identified as a Close Contact).

There may also be some individuals identified who may not have been identified by the Contact Tracing processes.

It is also possible, however, that some Consumers may receive a Bluetooth Alert when they were not actually at risk (for example, the algorithm is set at a level that has enabled a match which was marginal in terms of actual risk or a contact was recorded on the other side of a glass partition etc).

A balance needed to be set between the ability to provide notification, and the risk of over-notification. The algorithm settings (to enable each Consumer’s device to weigh any notification of potential contact with a Case) will continue to be closely monitored and adjusted if required by the Ministry to ensure they have been set appropriately for the intended purposes – although the challenges of doing so with no active community cases are noted.

The level of uptake of the Bluetooth Tracing feature is also of importance – a higher uptake will lead to greater coverage and greater potential for contacts to be recorded on a participating device. This would enable the Bluetooth Alert feature to reach more Consumers if necessary. Gaining and maintaining Consumer trust will be essential to the uptake of the Bluetooth Tracing feature.

This feature may cause some unease for Consumers, due to uncertainty about how it will work. The Ministry planned and implemented a communication strategy to help explain the processes to the public. It updated the in-App Privacy Statement, and also its second ‘layer’ of the Privacy Statement – the web-based Privacy and Security Statement. The Ministry has also included a more detailed description in this Privacy Impact Assessment for those who are interested.

The Ministry has chosen an option that retains key information on the Consumer device, rather than a centralised collection. The ‘keys’ recorded and used in the Bluetooth Tracing and Bluetooth Alert notification processes identify neither the Location where a contact occurred, nor the identity of the Consumer (or the other person in proximity to them).

The Bluetooth features remain optional – if a Consumer does not wish to use the features, then they do not need to enable them. They retain that choice.

The addition of the Bluetooth Interoperability Server, to enable keys to be shared with CookSafe+ has undergone Ministry security review for the new components and related transfers. The information involved (the Bluetooth keys generated) will not identify the user or the location of any contact. The privacy implications of the Bluetooth keys therefore will be essentially the same as for the existing NZ COVID Tracer App, even those shared overseas for use in another jurisdiction.

The Ministry has conducted its analysis under the Health Information Privacy Code as the information is ultimately about individuals who may test positive for COVID-19, are a probable case of COVID-19, or may be a Close Contact of a person with COVID-19. Under clause 4(1)(e) it is considered that this could be information about an ‘individual which is collected before or in the course of, and incidental to, the provision of any health service or disability service to that individual’. The Ministry has therefore chosen to analyse the high standards associated with health information in the HIPC for the purposes of this Privacy Impact Assessment.

Health Information Privacy Code Rules

Solution Details and commentary

Key Controls Residual risk

Rule 1

Purpose of collection of health information

- Only collect health information if you really need it

The purpose of collecting this information is to assist with Contact Tracing activities as part of the COVID-19 pandemic response.

The App is intended to address challenges to the Contact Tracing processes:

1. Consumer Contact Details: New Zealanders who have changed their contact details since they were last updated in the NHI or NES services or people in New Zealand with no contact details in those services. The impact of this lack of information is that Contact Tracers find it more difficult to contact the person concerned, delaying the process of testing and/or self-isolation for potential Close Contacts.

2. Close Contacts and Locations: People have difficulty remembering where

Purpose

Collection of this demographic, contact and Location information is for the lawful purposes of assisting with the public health response to the COVID-19 pandemic. This involves Contact Tracing to locate Close Contacts of COVID-19 positive individuals, and includes associated activities. These may include:

reviewing up to date contact details; or enabling prompt identity verification to

expedite community testing of Consumers (with NHI and details available on Consumer device screens) if the Consumer chooses to use this option;

enabling Call Back contact to be requested by a Consumer who has received a Location Alert or Bluetooth Alert, if the Consumer chooses to request that contact;

discussing Locations where an Exposure Event may have occurred (if the individual has chosen to opt in to the Location-related choices); or

identifying potential Close Contacts using Digital Diary entries as a prompt.

Notifying Consumers using the Bluetooth

Low

Page 22 of 75

Page 23: Section One – Executive Summary - Ministry of Health · Web viewConsumers can download the App to their compatible smartphone and proceed through an onboarding process to begin

they have been and who they have had “close contact” with, particularly over the period of interest (up to 60 days). This means Consumers and therefore Contact Tracers may not be able to identify all of those who need to be tested, and/or isolated. The App Digital Diary feature will enable both scanning of QR Location codes and also manual entry of relevant details by the Consumer.

3. Speed of notification of potential exposure to COVID-19. The faster Consumers can be made aware that they may have been exposed to the virus, the faster they can make choices to limit their contact to others, and seek treatment for themselves (if required). Although the Contact Tracing processes work efficiently, there is still a time lag between a person testing positive and their potential contacts being identified and contacted. The Bluetooth Alert notification is designed to enable direct notification to Consumers of the potential exposure, without the additional delay involved in Consumer to Contact Tracer contact.

The type of personal information being contemplated for collection under the CCTA is all optional. The Digital Diary recordings are aligned with that addressed under Part 3A of the Health Act, subpart 5 – Contact Tracing. This CCTA collection will not be under those powers but will be a collection on a voluntary basis of the range of information authorised under the Contact Tracing provisions.

Notifications of Exposure Events will occur if enabled (for iOS) or not disabled (for Android), or when the Consumer opens the App. The Consumer can choose how (or if) to respond to those Notifications.

The Upload option for Digital Diary details (both Location information and

Alert of potential exposure to COVID-19

Necessary

The Consumer contact information supplied is necessary to meet this purpose, as set out in Appendix Two paragraph 10.

The Location and Digital Diary data is necessary for Contact Tracing purposes to enable Consumers to more easily recall events where the Consumer may have interacted with Close Contacts, or Locations where Close Contacts may have congregated, and to support Exposure Event Notifications.

Early versions of the app specified that Digital Diary information was to be automatically deleted after 31 days. In accordance with further clinical advice from the Contact Tracing team it has been determined that 60 days-worth of Digital Diary records may provide additional valuable information to identify the source of an original infection. The time frame for automatic deletion has now been extended to 60 days, as it is considered information related to the additional two incubation period is necessary to assist with Contact Tracing.

One potential challenge created by the addition of free field text entries for the Digital Diary is that individuals can put as much information as they wish (up to the character limit) and are not constrained in the information they wish to include. This means that the App features themselves do not, in this instance, limit the information fields that can be included in the recording. Some individuals may put personal comments about themselves or others that they may not wish others to see. This could result in information not ‘necessary’ for the Contact Tracing purposes being collected (if it was Uploaded).

There is however the significant mitigation feature that the information will not leave the Consumer’s device for review by a Contact Tracer unless the Consumer chooses to Upload it in response to a Contact Tracer Request.

Part of the Contact Tracer training will be to reinforce that it is optional to Upload the information (but that if the Consumer does choose to Upload, that all Digital Diary information – both scanned Location and manual entries - will be uploaded).

The Digital Diary itself will have a prompt immediately above the ‘Add entry’ screen stating ‘Describing who you were with and what you were doing can help the Contact Tracing team if you share your diary’.

There is an edit feature for Consumers to update or delete entries – this will enable the Consumer to review the data they have collected on the Digital Diary and modify it if necessary to remove any information they do not wish to share (if they are requested to

Page 23 of 75

Page 24: Section One – Executive Summary - Ministry of Health · Web viewConsumers can download the App to their compatible smartphone and proceed through an onboarding process to begin

manual Digital Diary entries) will occur only if the Consumer chooses to Upload this information when asked by a Contact Tracer.

A Consumer can choose to add their NHI and use it at the time of seeking a COVID-19 test, and also to request a Call Back after receiving a Location Alert, or a Bluetooth Alert.

A Consumer can also choose to activate the Bluetooth Tracing features. The information generated during the Bluetooth Tracing processes will not be held centrally, other than the TEKs uploaded by a positive case. This information will be retained for a 14 day period for the purposes of the Bluetooth Alert Notification and then deleted.

Upload).

With the Bluetooth Tracing feature it is not necessary that the Contact Tracer, nor the NCTS, have access to TEK or RPI generated and held on the Consumers devices. The notification processes therefore do not involve the Contact Tracers accessing this information. The role of the Contact Tracer does however enable the CCTA collection of TEK from the Consumer to be limited to the time during which the Contact Tracer has determined the Consumer was likely to have been infectious. This will apply equally to the CookSafe+ Bluetooth key information exchanged.

Limiting data collection The opportunity for review and challenge of the workings of the app will be provided to the Office of the Privacy Commissioner prior to adding new features to ensure only data aligned to these purposes is collected.

Data Governance: The Ministry Data Governance Group will provide oversight of the use of the data to ensure that any proposed future use matches the purpose.

Rule 2

Source of information

- Get it straight from the people concerned

A Consumer is the voluntary source of their personal and contact information collected by the application. This is compliant with HIPC Rule 2.

Information about a Location a Consumer has attended will be sourced via the App Location scan (if the Consumer chooses to release the recorded details, either by verbally advising a Contact Tracer or choosing to use the Location data upload).

The Location information (place, date and time) is aligned to the information a Contact Tracer may require under Health Act clause 92ZZC(3) if an individual has, or is a probable case of, COVID-19, as being ‘information about the circumstances in which he or she believes that he or she contracted, or may have transmitted, the infectious disease’. The information is used as a memory aid to help identify Locations, and therefore potential Close Contacts if requested under 92ZZC.

Consumers can use the App on their mobile devices to scan Locations and manually record information in their Digital Diary if they so choose. The App functionality to Upload Information is voluntary as to whether the individual forwards the electronic copy of information that has been collected on their Digital Diary. Even if the Consumer does not agree to Upload the information from their mobile device, it could be used as a reminder to the Consumer in their discussions with the Contact Tracer.

The collection of information is consistent with Rule 2 as the information, in every instance of collection associated with the CCTA, is collected directly from the Consumer.

The Consumer still has the choice whether to advise the Contact Tracer of visited Locations or relevant information from their manual Digital Diary entries verbally over the phone, or to release that information via the App Upload feature. This retains some control of the data with the individual. However, the Consumer’s independent obligations under clause 92ZZC(3) remain.

It is also noted that some of the manual Digital Diary entries may include information about other individuals that the Consumer has been in contact with, if that information has been recorded by the Consumer. If that information were to be Uploaded after a request by a Contact Tracer then potentially information will be collected about third parties, rather than directly from those third parties. In these circumstances it is not reasonably practicable to collect information from those third parties as they are unknown to the Contact Tracer. It is also consistent with the information that will be collected from a positive case about their contacts. Section 92ZZC(4) confirms a case may be required to provide the name, age, sex, address and other contact details of each contact. In addition, under Rule 2 it is an exception to the rule if compliance would prejudice the purposes of the collection or the safety of any individual. In the case of potential Close Contacts it is considered that Rule 2 will be complied with.

Bluetooth Tracing information is collected by Consumers onto their own devices – and they will only be able to collect information about others they have come into contact with when those others have authorised the Bluetooth Tracing functionality on their own devices. The Consumers will be collecting information about other individuals they have come into contact with, but the information collected is not in a form that identifies that other individual.

Consumers who wish to activate Bluetooth Tracing will be collecting their own information on their device, and permitting others to collect the RPIs they generate. Any Consumer who tests positive will have the choice whether to upload the information – and they will be in charge of initiating the upload process from their device if they choose to do so.

Any upload of Bluetooth keys must be authorised directly by the Consumer.

Low

Rule 3

Collection of information from individual

- Tell them what you’re going to do with it

The Ministry will take all reasonable steps to ensure any Consumer of the CCTA is aware:

that information is being collected;

of the purpose of the collection;

of the intended use, and users, of the information; and

of the expiry and destruction of the information.

The individual will also be made aware:

of the name and address of the collecting agency and the agency that will hold the information;

that the supply of the information to the CCTA is voluntary; and

when the supply of information may become mandatory under section 92ZZC of the Health Act (and any consequences of not supplying the information), noting that the CCTA is not specifically part of the mandated legislation.

Privacy Statement: Material has been developed by the Ministry and is available in the App, to ensure that individuals are aware of the purposes of collection and the possible recipients of the information.

The Privacy and Security Statement reflects the Rule 3 requirements: https://tracing.covid19.govt.nz/help/privacypolicy

It also references the current Privacy Impact Assessment located on the Ministry website.

Low

Rule 4

Manner of collection of information

- Be considerate when you’re getting it

The Ministry will not collect personal information by unlawful, unfair or unreasonably intrusive means.

The onboarding process for the App can be completed without providing any personally identifiable details.

The App is designed to be opt-in for all personally identifiable information. The only requirement for submitting contact details is a valid email address that the Consumer has access to. All additional information collected is on a voluntary basis (other than non-identifiable statistical information).

The Ministry has included the following in the Privacy and Security Statement: ‘If you are under 16 years old you may choose to use the NZ COVID Tracer app. Please note, however, that if it becomes necessary for a Contact Tracer to contact you they may need to ask your parent or guardian to provide any necessary information for you.’

It would be very difficult to prevent under 16 year olds signing up to the App as there is no verification requirement nor compulsion to submit age. Also, some individuals younger than 16 may travel independently from their parents and they may wish to collect Location information on their personal device. If they are identified as under 16 years old by a Contact Tracer the representative of the young person can be consulted where appropriate.

Information from under 16 year olds would be managed by Contact Tracers consistent with section 92ZZC(5) of the Health Act. This enables the Contact Tracer to seek any necessary information from a parent or guardian if the individual is under 16 years of age, if that is considered appropriate.

User Experience (UX) Design: The approach taken by the Ministry is to use UX design processes and to collect anonymous information from Consumers in order to ensure that information is collected as efficiently as possible. Feedback from App use (both analytics and email feedback – see below) will be used to make enhancements to the way the App operates.

Feedback Email: The Ministry is providing a feedback email address to receive and incorporate feedback from Consumers to improve utility and equity.

Low

Rule 5

Storage and security of information

- Take care of it once you’ve got it

Personal information is held and managed in accordance with the Privacy Act and Health Information Privacy Code.

Contact details will be stored by the CCTA Platform and made available to NCTS for search purposes (read only access). All of this information is held securely in compliance with Ministry of Health standards. Measures are in place to protect Consumer information from unauthorised access.

Consumer details will be stored either on their device (in the case of the Digital Diary scanned Locations and manual entries) or securely on the CCTA Platform, based on Amazon Web Services, Sydney, Australia, for the New Zealand Ministry of Health (for contact details, if the Consumer has chosen to supply these).

Some data directly relevant to COVID-19 positive cases and Close Contacts will also be sent to and stored within the NCTS in individual cases. This includes contact information where this information was otherwise unknown and a Contact Tracer has checked its accuracy and relevance to a case. It will also include selected Digital Diary data if a Consumer has chosen to use the ‘upload’ function when contacted by the Contact Tracer, and the Contact Tracer has decided the specific information is relevant to the Contact Tracing processes associated with that Consumer.

Information on NCTS will be encrypted in transit and all personally identifiable, clinical and diagnostic data is encrypted in the NCTS. The NCTS operates on Salesforce Service Cloud on a secure AWS platform based in Sydney.

This CCTA application has been through a number of independent security reviews:

- source code and high-level architecture review by the Government Communications Security Bureau's National Cyber Security Centre, which reviewed early releases of the system architecture;

- security review of the cloud environments that the application is deployed to, by a company contracted to government;

- security review of the application source code and penetration testing, by another company contracted to government.

The Ministry continues to have new features and significant updates independently security reviewed before deployment into production.

Any interactions involving the interfaces with NCTS for review of CCTA contact details or Locations will be managed securely within the AWS Platform for the CCTA, and the security features applied to the NCTS.

Any uploads of Bluetooth Tracing information will be managed by the CCTA platform in a secure manner. No personal identification features are incorporated into the TEK, and so there is no risk of an individual being identified directly from that information alone. The CookSafe+ and NZ COVID Tracer App interactions with the Interoperability Server have been security reviewed. The Interoperability Server is managed in line with the CCTA Platform security.

Review of Architecture: This has been completed using the standard Ministry process.

Review of Security Architecture: This has been undertaken by an All of Government independent organisation.

Review of Security Implementation: The Ministry has used an All of Government supplier that is independent and has experience working in the health system.

Access Controls: Access to the CCTA Platform and NCTS by specific Ministry staff and suppliers is permitted for production support. This access is logged and audited.

Consumer access to App information held on their device is now protected only by the access controls the user has enabled for their device. Existing users will be notified of this by in-App notification. The ‘in-App’ Privacy Statement will advise individuals of the recommendation to keep the phone locked when not in use: ‘To help keep the information on your phone safe, we recommend you keep your phone locked when you are not using it.’

Low

Rule 6

Access to personal information

- People can see their health information if they want to

The Consumer has the ability to view information they have submitted to the App on their device.

The Ministry will ensure that any Consumer can confirm whether the Ministry holds information about them and, if so, is informed about the process for getting access to it.

The Consumer will be able to see their own personally identifiable contact information they have supplied in the user interface.

Any other information the Consumer has recorded on their mobile device via the App (Digital Diary entries, being Location scans or manual entries) will be visible on the device for 60 days from the date of recording.

Only contact details or data the Consumer chooses to Upload will be held by the Ministry. This information will be available via access request to NCTS/Ministry.

Views of personal details provided

Low

Rule 7

Correction of information

- They can correct it if it’s wrong

A Consumer has the ability to correct personal information held in the App.

Personal details provided: The Consumer will be able to see and modify or remove personal, identifiable contact information supplied in the user interface.

For any Uploaded information that is then entered on the NCTS, standard Ministry policies will apply about access to and correction of information.

Low

Rule 8

Accuracy etc. of information to be checked before use

- Make sure health information is correct before you use it

Contact information supplied by Consumers will not be verified by the Ministry in the first instance, but will be made available to Contact Tracers via the National Contact Tracing Solution (the NCTS) if required, when the Contact Tracer is not otherwise able to find contact details for a Consumer, or needs to verify information they hold. The Contact Tracer will check these details directly with the Consumer prior to entering any of them into the NCTS record for the case.

Digital Diary information will be subject to the accuracy and completeness of the information provided by the Consumer. Consumers could choose not to provide all information. The Consumer may not scan all venues they attended, because they chose not to, they forgot, or that venue did not display a QR Code. This also applies to manual Digital Diary entries. The CCTA will have no control over the accuracy or completeness of the data Uploaded.

The ‘edit’ feature for the Digital Diary will enable the Consumer to correct their information if required. If, for example, they have selected an incorrect date for a manual entry they will be able to amend that by selecting the edit button in the manual entry screen. A scanned entry may also have an additional note added to provide context to the entry.

It can be reasonably assumed that Consumers will provide details that are true and correct. In the event that it is not correct, or the information submitted becomes out of date, the information will be confirmed by the Contact Tracer before further use.

Noting the importance of the NHI as a unique identifier in the health system, the ability for a Consumer to add their own NHI details into their device creates a potential accuracy challenge. Inaccuracy could arise if a Consumer adds details that are not an NHI number (they may mistakenly assign an alternative series of characters that are unrelated to the NHI) or they may not accurately enter the details (for example, transpose figures).

In mitigation of this risk:

no treatment would be provided to an individual based solely on their self-recorded NHI. All test takers (such as Community Based Assessment Centres) would still be required to verify the NHI on standard health provider pathways prior to assigning an NHI to the relevant test.

The Ministry has sent a communication to Community Based Assessment Centres to advise them of the App My NHI Details screen and that they need to continue to complete their standard checks to verify the person’s identity.

A ‘how to’ guide has been developed for CBAC staff on how to either tell people, ‘this is your NHI, add it to the App’, or ‘do you have your NHI in your app? Then let me check that is correct’.

The App screen itself will explain to a Consumer how to identify their NHI.

The Ministry does not have full control over allocation and use of the QR codes. There are multiple processes to obtain a QR code, two of which are operated by the Ministry, and these rely on information provided by the QR code requester. The Ministry does not control accuracy in the use of QR Codes by Locations (for example, a single organisation using one code for multiple Locations instead of a different code for each Location). In each case, however, the submitted Location information will be reviewed by a Contact Tracer, who will ask further questions of the Consumer and verify the correct information (as far as is possible).

There is also the challenge of over or under reporting of EEOI in terms of the number of Notifications generated. Too few (or too narrow an assessment of the Events to be included or the time frames to be applied), and those at risk will not receive a Notification. In contrast, too wide a range of events and times, and high levels of anxiety, and potentially needless self-isolation, could occur.

The involvement of experienced clinicians in determining whether an Event has genuine risk of Exposure will help to limit these risks. A small number of authorised users with clinical expertise will make the final decision on what Exposure Events to notify. This will enable a nationally consistent application of clinical oversight to best meet the balance between under and over Notification.

A ‘Call Back’ function can be added to the Location Alert or Bluetooth Alert Notification process where an authorised Contact Tracer identifies a high risk of exposure to unknown individuals at a Location, or a Bluetooth Alert is issued. This will enable individuals to have direct contact with the Contact Tracing related services to address any concerns the Consumer may have, and connect them directly with a Contact Tracer to analyse the actual risk that they are a Close Contact and may need to be self-isolating and monitored.

There is no ‘sign out’ time from a Location, but this may be considered for future releases (noting also that a Consumer may forget to use it and not sign out).

There is an option in the manual Digital Diary entry for date entries, which can be set by the Consumer for the present or the past (but not more than a day into the future). This also does not have a ‘sign out’ time field, but a Consumer could add one in the notes section if they wished.

There are some potential accuracy challenges caused by the manner of information collection (including the lack of verification requirements, and the choice of options with the privacy enhancing features of the CCTA).

Ultimately, a balance has been struck (between accuracy and retention of consumer choice and privacy) that appears acceptable in the context of Contact Tracing activity. There are some steps to assist in ensuring information is accurate and up to date prior to use:

Personal details provided: The Consumer will be able to see and modify or remove personal, identifiable information supplied in the user interface. This will enhance the opportunity for the Consumer to maintain accurate Digital Diary Records and keep any contact details they provide up to date.

Contact Tracer Review: This will be used to ensure the information is accurate and matches the correct person before use (where possible – if contact details are incorrect the Consumer may not be identifiable until the Consumer has been located by other means). This applies both to information provided by Consumers about themselves and to information they may provide about Locations.

NHI Use: As the NHI is a unique identifier within the health system it is essential that it is correctly assigned to the right individual. If the wrong NHI was added to a test, and a positive result was returned, it may be initially assigned to the wrong individual.

Community Based Assessment Centres will be required to use the standard channels available to health professionals to check the NHI against the Consumer-offered version. Name, date of birth and contact details are also collected as part of the testing process, so even if an NHI was incorrectly recorded on a laboratory test form those other details would enable identification of the correct individual.

Where multiple digital diaries are detected on the phone, Consumers will be prompted to begin a new diary. This can be shared between Consumers if they wish. To view their old diary entries, each Consumer will be required to verify their identity by entering a passcode sent to their email. Once verified, each Consumer can choose to migrate their old diary to the new diary at any time during the 60-day retention period for the old diary.

Bluetooth Tracing: Contact Tracers will be able to set the time period for the upload of Bluetooth keys (from the date a Case is considered to have been infectious). This will assist in making the time frame for Bluetooth Alerts more accurate, ensure that only ‘necessary’ information is collected, and not notify those outside the expected ‘Exposure’ period.

The algorithm contained in the App has been set to most closely approximate Close Contacts – and will accordingly send a strong message to self-isolate to those Consumers who have a match on their device via the Bluetooth Alert process. It is noted that the algorithm is a ‘proxy’ for close contact rather than confirmation of Close Contact. There could be scenarios when the devices were in proximity but their owners were not, or there was a barrier preventing physical contact but the devices were still able to record each other.

It is difficult to check the algorithm for accuracy of Close Contact risk in a ‘real-world’ setting. New Zealand’s situation is somewhat unique – a very low level of community cases, and a population density that differs from other countries using the ENF. The algorithm setting may require some adjustment over time to reflect New Zealand’s particular circumstances.

The CCTA project team will need to continue to work closely with the Contact Tracing team within the Ministry to monitor the Bluetooth Alert notification process (if it needs to be implemented due to community cases).

Statistical details may assist in gaining insight into the number of cases who received a Bluetooth Alert notification against the number who were ultimately identified as Close Contacts via the Contact Tracing process. This may give some indication of whether the settings are too high or too low. There is also likely to be feedback from the community – if people are told to self-isolate by the App and then not subsequently contacted by Contact Tracers. A Call Back process may assist in assessing a person’s actual risk – but it will not be possible for the Consumer to identify what potential event or person it was that they may have been in contact with if the match occurred only via the Bluetooth Alert notification.

The messaging in the notification will need to be set by Contact Tracers to reflect the perceived risk. This may be adjusted depending on the discussions the Contact Tracer has with the Case. It is noted, however, that a single message will accompany all matches related to the TEK details uploaded by a single Consumer. This is different from the Location notification, which can have a different message for each Location Alert sent. Messages are country specific – for example, they include a phone number to call. The message received by the Consumer if there is a Bluetooth match on their device will depend on which app is activated on that device.

It is understood that the CookSafe+ algorithm settings are the same as the New Zealand settings at the time of issue of this PIA. Each country is responsible for the wording of the EN alert message in their App and the threshold settings for an EN match. The parties are expected to let each other know if the EN configuration settings are to be changed, but ultimately this will be a choice for each country.

Medium

Rule 9

Retention of information

- Get rid of it when you’re done with it

Consumer contact information is held on the CCTA AWS Platform for the duration of the pandemic and deleted thereafter.

Digital Diary information (on visited Locations and manual entries) recorded by a Consumer will be stored on their device and will expire on a rolling 60-day basis. This has been expanded from the original 31-day period as Contact Tracers have indicated the value of being able to look back further for contacts during an outbreak situation to assist with identifying the source case. The additional time includes up to four incubation periods. Consumers retain the option to delete entries if they wish, or to not Upload information when requested, and provide details only for a shorter period.

The NHI (if the Consumer chooses to record it in their device) will remain on the phone until the Consumer deletes it or the App is deleted from the device. The Ministry has no access to this information.

A Consumer may have an interaction with the NCTS:

A Contact Tracer may locate a Consumer using the contact details they have provided through the App.

Information relating to Locations or Close Contacts of a positive case, if relevant and provided as part of a Digital Diary data Upload, may be entered into the Consumer’s NCTS case record.

If that information has become part of the Consumer’s NCTS case record it will then be subject to retention requirements within the NCTS. Once transferred to the NCTS any ‘health record’ details will be stored in accordance with the Health (Retention of Health Information) Regulations 1996 [9].

If the information is not part of the NCTS case record, then any identifiable information supplied to the NCTS via the App will be deleted at the end of the pandemic (noting, however, that aggregated and statistical information may be retained in a non-identifiable format to assist with public health research and analysis, and for future planning purposes).

Uploaded Location data is linked to the relevant NCTS case and is visible to Contact Tracers to assist in the Contact Tracing process. If a potential Exposure Event is identified by a Contact Tracer this will be acted on. Uploaded information not acted on will be deleted on a regular basis (at least once every 6 months).

Data Governance: This group will be responsible for ensuring that personal contact details and any other data are deleted at the end of the pandemic.

Database Configuration: There is a standard feature that will delete Digital Diary information on the Consumer’s device after 60 days.

Bluetooth Tracing information recorded on a Consumer’s device will be retained only for a 14-day period and then deleted.

Bluetooth Tracing information uploaded by a Consumer will only be retained on the CCTA for a maximum of 14 days (this is so that any other Consumer who has had their device turned off for a period of time will still be able to receive a Notification match, up until the time any matching information on their own device will have expired).

Low
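The two Bluetooth-key rules this Assessment describes (under Rule 8, the Contact Tracer sets the upload window from the date the Case is considered infectious; under Rule 9, uploaded keys are held for at most 14 days) are shown below as an added illustration, not Ministry code. It assumes one random 16-byte key per calendar day, a 14-day device history, and retention measured from the day of upload; all dates and keys are constructed sample values.

```python
"""Added illustration (not Ministry code) of the Bluetooth Tracing key rules
described in this Assessment: only the keys inside the Contact Tracer's
window leave the device, and the server purges uploaded keys after 14 days.

Assumptions: a TEK is one random 16-byte key per calendar day, the device
holds 14 days of its own keys, and retention counts from the upload day."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
import secrets

SERVER_RETENTION_DAYS = 14  # uploaded TEKs are held on the CCTA for at most 14 days
DEVICE_HISTORY_DAYS = 14    # the device keeps at most 14 days of Bluetooth data


@dataclass(frozen=True)
class TemporaryExposureKey:
    """One daily key. Random bytes alone carry no identity."""
    key: bytes
    day: date  # calendar day on which this key was in use


@dataclass(frozen=True)
class UploadedKey:
    """Server-side record: the key plus its upload day, for the purge rule."""
    tek: TemporaryExposureKey
    uploaded_on: date


def generate_device_keys(today: date, days: int = DEVICE_HISTORY_DAYS) -> list[TemporaryExposureKey]:
    """Constructed sample keyring: one fresh random key per day, oldest first."""
    return [
        TemporaryExposureKey(secrets.token_bytes(16), today - timedelta(days=offset))
        for offset in range(days - 1, -1, -1)
    ]


def select_keys_for_upload(
    keys: list[TemporaryExposureKey], infectious_from: date, today: date
) -> list[TemporaryExposureKey]:
    """Apply the Contact Tracer's window: only keys for days from
    infectious_from up to today leave the device. Earlier days are never sent."""
    if infectious_from > today:
        raise ValueError("infectious-from date cannot be in the future")
    return [k for k in keys if infectious_from <= k.day <= today]


def accept_upload(
    store: list[UploadedKey], keys: list[TemporaryExposureKey], uploaded_on: date
) -> list[UploadedKey]:
    """Server side: record the upload day so retention can be enforced.
    A key already held (same bytes) is not stored a second time."""
    known = {rec.tek.key for rec in store}
    fresh = [UploadedKey(k, uploaded_on) for k in keys if k.key not in known]
    return store + fresh


def purge_expired(store: list[UploadedKey], now: date) -> list[UploadedKey]:
    """Drop records once SERVER_RETENTION_DAYS have elapsed since upload."""
    return [rec for rec in store if (now - rec.uploaded_on).days < SERVER_RETENTION_DAYS]


def run_example(infectious_days_back: int = 5) -> tuple[int, int, int, int]:
    """Walk one case through both rules and return the counts at each stage:
    (keys on device, keys uploaded, keys held 13 days later, keys held 14 days later)."""
    today = date(2021, 5, 24)  # the PIA release date, used as 'today' (constructed)
    device_keys = generate_device_keys(today)
    infectious_from = today - timedelta(days=infectious_days_back)  # set by the tracer
    to_upload = select_keys_for_upload(device_keys, infectious_from, today)
    store = accept_upload([], to_upload, uploaded_on=today)
    held_day_13 = purge_expired(store, today + timedelta(days=13))
    held_day_14 = purge_expired(store, today + timedelta(days=14))
    return len(device_keys), len(to_upload), len(held_day_13), len(held_day_14)


if __name__ == "__main__":
    print(run_example())  # (14, 6, 6, 0)
```

With a 5-day window the device sends 6 of its 14 keys, and the server holds them through day 13 and drops them on day 14; a window wider than the device history simply yields all 14 keys.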

Rule 10

Limits on use of information

- Use it for the purpose you got it

Consumer information obtained via the CCTA will only be used for the purposes of the COVID-19 pandemic response.

The Privacy Statement provides: ‘Any personal information you share through NZ COVID Tracer will be used only for public health purposes related to contact tracing, during the COVID-19 pandemic response. The information will not be shared with other government agencies except where the agency is directly involved in the COVID-19 public health response.’

Consumers opt in to the collection of their identifying and contact information by signing up for the CCTA.

Consumer choices within the App include:

To download and use the App;

Which contact and identification details to provide (if any);

Whether to add their NHI (and whether to show it to any third party);

What Location data to scan;

What information to manually include in the Digital Diary;

Whether to upload Digital Diary information if requested by a Contact Tracer;

Whether to act on Notifications received;

Whether to activate the Bluetooth Tracing features.

It can reasonably be assumed that if a Consumer has opted in to any of these features then the Consumer is in agreement with the proposed uses associated with those features.

Data Governance: The Data Governance Group will provide oversight of the use of the data to ensure that use matches the purpose.

Low

[9] http://www.legislation.govt.nz/regulation/public/1996/0343/latest/DLM225616.html

Rule 11

Limits on disclosure of information

- Only disclose it if you have good reason

Consumer information will be disclosed by the Ministry of Health only for use by the public health system in relation to the COVID-19 pandemic response, for purposes related to Contact Tracing. This is consistent with the Privacy and Security Statement.

The data collected via the App will not be shared with other Government agencies unless they are directly involved in assisting with the COVID-19 Contact Tracing activities as identified in the Privacy and Security Statement.

If relevant to a Consumer who has tested positive for (or is a probable case of) COVID-19, information disclosed to a Contact Tracer may be incorporated into the Consumer’s NCTS case record. This will include contact details and relevant Digital Diary information provided.

Any interactions following engagement with a Contact Tracer will be governed by the Health Act provisions related to Contact Tracing, and/or in a manner consistent with the Privacy Act, and are beyond the scope of the CCTA.

Data Governance: The Data Governance Group will provide oversight of the disclosure of the data to ensure that any disclosures match the purpose.

Access controls: Only those required to have access to the data for COVID-19 Contact Tracing related purposes will have access. This will be enforced by Ministry policy and subject to audit monitoring of logged access activity.

The Consumer does not have view access to their own TEK when using the App, nor will they see the RPI identifiers of other devices recorded on their device.

It is possible that if a Consumer had very limited contacts and received a Notification, they may be able to work out the identity of a Case. With the addition of the Location and date of potential exposure to the Location Alert content, this would be even more likely. This is, however, also the case in other Notification situations unrelated to the App. The Locations incorporated into the App Location Alert will only be those that will also appear on the Ministry website, and will already be details that Contact Tracers have determined should be made publicly available due to the serious threat to public health (the risk of unidentified Close Contacts). A disclosure in these circumstances is likely to fit within the serious threat to public health exception.

It is anticipated that this is not a highly likely occurrence, and it is noted that Locations are regularly published to the Ministry website, so this possibility has been in existence for some months now and does not seem to have given rise to any challenges to date.

Low

Rule 12

Disclosure of health information outside New Zealand

No disclosure of identifiable information is to be made outside New Zealand other than in compliance with section 11 of the Privacy Act 2020, due to the hosting sites of the CCTA Platform and the Interoperability Server being located in Australia.

The Bluetooth keys that may be exchanged with CookSafe+ will not contain personally identifiable information.

Low

Rule 13

Unique identifiers

- Only assign unique identifiers where permitted

A unique identifier will identify each Consumer in the CCTA database. The purpose of this is to ensure that the personal details provided are only able to be seen by the Consumer. This is also required in order for the database to function and to allow this to be provided to Contact Tracers.

This unique identifier used by the CCTA is not connected to the NHI or any other identifier in use in the health system and is purely for the purposes described.

The individual will be able to choose to add their own NHI to the App records on their own device, and show it on the My NHI Details screen if they wish.

Low


Section Four - Intended Future Use Cases

1. The Ministry is committed to exploring best options for privacy protections and ensuring these have been fully canvassed before implementing any new features.

2. Other matters that may form part of the further developments would be fully assessed in a future Privacy Impact Assessment, and include:

Equity and accessibility features, including additional language support

Interoperability potential with other Apps meeting Ministry standard requirements

Surveillance symptom reporting across a wide population


Appendix One – Contact Tracing – the system supported by the CCTA

Background

1. In New Zealand, the COVID-19 pandemic was considered sufficiently serious to impose a nationwide state of emergency under the Civil Defence Emergency Management Act 2002 [10].

2. The Ministry’s elimination strategy is a sustained approach to ‘keep it out, find it and stamp it out’. It does this through: controlling entry at the border with routine quarantine or managed isolation for 14 days; disease surveillance; physical distancing and hygiene measures; testing for and tracing all potential cases; isolating cases and their Close Contacts; and broader public health controls depending on the Alert Level we are in.

3. Contact tracing is one of the pillars of the public health response to this infectious disease pandemic along with border control measures, testing, case identification and case isolation/quarantine. The purpose of Contact Tracing is to obtain information about the contacts of persons with infectious diseases or suspected of having infectious diseases in order to:

3.1. Identify the source of the infectious disease or suspected infectious disease

3.2. Make contacts aware that they too may be infected, thereby encouraging them to seek testing and treatment if necessary

3.3. Limit the transmission of infectious disease or suspected infectious disease [11]

4. The Health Act 1956 provides a statutory regime for Contact Tracing. The CCTA is not directly provided for under these statutory provisions, but some of the information collected via the CCTA is aligned with the information used by Contact Tracers:

4.1. Section 92ZY of the Health Act provides that the purpose of Contact Tracing is to obtain information about the contacts of persons with infectious diseases or suspected of having infectious diseases in order to:

4.1.1. Identify the source of the infectious disease or suspected infectious disease

4.1.2. Make contacts aware that they too may be infected, thereby encouraging them to seek testing and treatment if necessary

10 On 30 January 2020 ‘novel coronavirus capable of causing severe respiratory illness’ was listed under the Health Act schedule as a notifiable infectious disease. On 25 March 2020 an epidemic notice came into force under the Epidemic Preparedness Act 2006.

11 Section 92ZX of the Health Act 1956.

4.1.3. Limit the transmission of infectious disease or suspected infectious disease

4.2. Section 92ZZC provides that individuals with an infectious disease, or suspected of having an infectious disease, may be required to provide the name, age, sex, address and contact details of any contact.

5. Once a person is identified as having tested positive for COVID-19, or is a probable case of COVID-19, Contact Tracing will commence to identify Close Contacts. This supports the ‘find it and stamp it out’ component of the Ministry elimination strategy.

5.1. Trained Contact Tracers will contact the infected person directly to ask questions, in line with their responsibilities under subpart 5 of Part 3A of the Health Act. Contact Tracers need to identify Close Contacts promptly to reduce the risk that the infection may spread further, and to ensure people get the best advice as quickly as possible. Close Contacts are those individuals at higher risk of being infected.

5.2. Contact tracing includes a phone call from a Contact Tracer to the Close Contact to provide advice on self-isolation and checking on health and wellbeing. It is therefore important that the Contact Tracer can promptly identify Close Contacts and quickly make contact with them.

5.3. The infected person does not always know the identity of individuals who may be Close Contacts, for example they might have attended an event or a workplace with others they did not know. Alternatively, they might know who the individual is, but not how to contact them. Sometimes it may be difficult to contact an infected person or a Close Contact if, for example, they are travelling.

6. The Ministry has access to the National Health Index (NHI) and the National Enrolment Service (NES). These services allow the Ministry to identify and locate a majority of New Zealanders for Contact Tracing purposes, and are being used as part of the NCTS process. However, a number of limitations have been identified, including:

Incorrect contact details of Consumers and Close Contacts

6.1. Consumers who have changed their contact details since they were last updated in the NHI or NES services, or who may not be residing at their usual address. The impact of this is that Contact Tracers may find it more difficult to contact the person concerned, delaying the process of managing their self-isolation, and Close Contact identification, or they may not be able to locate them at all.

6.2. If the infected person or a Close Contact has independently submitted their contact information via the CCTA, then these contact details can be accessed by a Contact Tracer if they had not been able to locate them promptly via the standard processes.


Inability to identify Close Contacts

6.3. Consumers have difficulty remembering where they have been and who they have had ‘close contact’ with, particularly over the period of interest (this could, on occasion, be up to 60 days if the source contact has been difficult to identify). This means Consumers and therefore Contact Tracers may not be able to identify all of those who need to be tested, and/or isolated. This is even more of an issue when New Zealand is at lower Alert Levels, as Consumers will be more mobile.

6.4. The use of the CCTA to keep a record of their visits to participating Locations that display an appropriate QR code, or notation on the Digital Diary feature, to be maintained by each Consumer on their own device, may assist them as a memory prompt.

7. The Ministry has identified the CCTA as being able to support some aspects of Contact Tracing. This includes the potential to enable faster contact with Consumers who may be Close Contacts by providing access to up to date contact information, and also by enabling Digital Diary recording, and Notification of applicable Exposure Events.


Appendix Two – the Release 5 Onboarding process

Personal contact and demographic details

Onboarding process

1. Consumers can download the App to their compatible smartphone and proceed through an onboarding process to begin using the app. In Release 5 they may do this without providing any identifiable information.

2. Consumers may also visit the Website to access a subset of the full App functionality. Consumers are required to verify their email address before each use of the website.

3. In Annex One to this Appendix Two there is a summary diagram of the sign-up process screens – including the email verification noted below if a Consumer does choose to provide some identifiable information.

Voluntary provision of contact details

4. An optional component of the CCTA is to gather limited personal and contact information including a Consumer’s phone number, physical address, email address, gender and ethnicity, if the Consumer wishes to provide these.

5. A Consumer is required to complete an email verification step before any personal and contact information is uploaded. This is also required before a Consumer can edit any of their own previously supplied personal and contact information linked to the same email address.

6. It is voluntary for the Consumer to provide any of this information to the Ministry of Health. This information is used to:

Increase the speed and the reliability with which a Consumer is contacted in the case of having a positive test result or being a Close Contact.

Help ensure that the overall service that is delivered by the Ministry is accessible to all parts of New Zealand.

7. Approximately 98% of Consumers registered with the App prior to Release 5 have submitted their name and contact phone number [12].

8. Contact tracers have indicated that this up to date contact information was useful to them during the August Auckland outbreak.

9. If the Consumer does choose to submit their contact details in Release 5 they can use an email address of their choosing. They will be asked to verify (via a code sent to that registered email address) that they control this address.

12 Covid-19 Tracer App Volumes as at 28 September 2020: 98% of total registrations, a total of 2,027,196 people, have provided both name and phone number. As at 27 November the percentage is 97%.

10. Consumers will also be able to add and update this personal demographic information to assist in identifying the correct individual, and their relevant contacts. The Consumer identification and demographic information to be collected has been determined to be necessary for the purpose of the public health response to the COVID-19 pandemic in New Zealand as follows:

Data | Compulsory | Purpose / necessity

First Name | No | To identify the individual

Middle Name | No | To identify the individual

Last Name | No | To identify the individual

Date of Birth | No | To identify the individual. The year of birth may be used in aggregate reporting on usage of CCTA across the population.

Gender | No | To identify the individual. Some people share the same name. Asking for gender helps to ensure we contact the right person. Gender may be used in aggregate reporting on usage of CCTA across the population.

Phone Number | No | To identify the individual and allow contact to be made

Current/Permanent Address | No | To identify the individual and allow contact to be made. Post code and/or Region from address may be used in aggregate reporting on usage of CCTA across the population

Email address | Yes, if the Consumer chooses to provide identifiable information, but not otherwise | This is required to create an account, so that any contact details or identity information can be submitted by the Consumer. The email is also used to identify the individual and allow contact to be made

Ethnicity | No | This is to allow the Ministry to understand whether the services provided (information to support faster Contact Tracing) are equitable. This will help the Ministry confirm it is serving all New Zealanders and is obtaining sufficient population coverage from an equity perspective.

11. If submitted by a Consumer, contact and demographic data will be sent to the NCTS via a secure file transfer mechanism. Contact Tracers will have access to this information as a searchable function in the NCTS, similar to those used with the NHI in the health system. This access will be subject to the existing policies and controls relating to the NCTS, and will be secure read-only access to the CCTA Platform in response to a specific request about an individual.


Appendix Two – Annex One


Appendix Three - Anonymous Statistical and Performance Information

1. In order to provide inputs into reporting on the performance of the end-to-end contact tracing process, the Ministry uses a service (Amazon Pinpoint) to collect and analyse anonymous details about the use of the CCTA service.

2. The data collected by Amazon Pinpoint is stored separately in the Ministry AWS environment. It is not possible for this data to be linked to personal information collected by the CCTA. Data captured by Amazon Pinpoint is detailed on the Amazon Website. This data is captured as “events”, which are triggered when specific actions happen in the App or Website. A summary of this information is presented in the table below.

Data | Description

Event Type | The Consumer or App action that triggered the event to be recorded.

Timestamps | The time the event was triggered, and the time it was recorded in Amazon Pinpoint.

Application, Client, and Device | Information about the installed App or Website, and the device it is running on. This includes: a unique identifier, make, model, and operating system version of the device; application name and version; and in some scenarios a Cognito Identity ID. This is not the same as the Cognito User ID and cannot be used to attribute analytics events to personal information. This information is only used in aggregate and not to identify any individual, or attribute analytics events to personal information.

Session | Information about the current session the event was captured in.

Attributes | Custom attributes that can accompany events, if provided by the Consumer. This is limited to: post code of the current address, age group, and gender.

3. These analytics events are captured at key stages of the App and Website experience. These events are used to provide reporting into the effectiveness and performance of the CCTA and the Contact Tracing end-to-end service model. Specific events of note include:

When the Consumer uses the ‘scan location’ feature, an event may be recorded that a scan has taken place. No information about the Location of this scan or the identity of the Consumer will be recorded. It is not possible to use this event to reconstruct a Consumer’s movements or track where they have been. Information about recorded Locations remains on their device.

When a matching Exposure Event of Interest is found on the Consumer device, an event may be recorded noting that a match was made and Location Alert was opened, and if a Call Back was requested. This event does not record the identity of the Consumer, nor any information about the Exposure Event itself. It is not possible for the Consumer to be contacted as a result of this event being recorded.

When the Consumer enables or disables the Bluetooth Tracing feature, an event may be recorded that this has taken place. No information about the identity of the Consumer is recorded.

When a device checks for Bluetooth Tracing configuration, an event may be recorded, to enable the calculation of how many devices have Bluetooth Tracing enabled. This event does not record the identity of the Consumer.

When a device shows a Bluetooth Alert Notification, an event may be recorded noting that a notification was received, viewed and / or a Call Back requested. This does not record the identity of the Consumer, nor any information about the Exposure Event or Location. It is not possible for the Consumer to be contacted as a result of this event being recorded.

When a device has added an entry by scanning a QR code or adding a manual entry for each of the last 14 days, an event may be recorded. This event is only recorded when this personal metric is complete. It does not record the identity of the Consumer or any other details about their Digital Diary.

When a device views an announcement on the app dashboard, an event may be recorded. No information about the identity of the Consumer is recorded.


When a device is used to access the information resources linked within the CCTA (for example advice on the groups eligible for vaccination or where a person can get a COVID test), a record of which link was selected will be recorded. No information about the identity of the Consumer is recorded.
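The event descriptions above set out what an analytics event may carry (event type, timestamps, application and device details, session, and custom attributes limited to post code, age group and gender) and what it must never carry (the Consumer's identity, or the Location of a scan). The following added example, constructed for this section and not Ministry, App or Amazon Pinpoint code, shows one way an engineer could enforce that description as an allowlist check on the payload before an event is sent. Every field name (event_type, device_id, cognito_identity_id, postcode and so on) and both sample events are assumptions made for illustration.

```python
"""Constructed allowlist check for CCTA analytics events, modelled on the
Appendix Three description.  Not Ministry, App or Amazon Pinpoint code.

The page says an event carries an event type, two timestamps, application and
device details, session information and custom attributes limited to post
code, age group and gender, and that a 'scan location' event records neither
the Location nor the Consumer's identity.  This check rejects a payload that
strays outside that description.  All field names are assumptions.
"""
from __future__ import annotations

from typing import Any, Iterator

ALLOWED_TOP_LEVEL = {
    "event_type", "client_timestamp", "server_timestamp",
    "device", "application", "cognito_identity_id", "session", "attributes",
}
ALLOWED_DEVICE_KEYS = {"device_id", "make", "model", "os_version"}
ALLOWED_APP_KEYS = {"name", "version"}
ALLOWED_ATTRIBUTES = {"postcode", "age_group", "gender"}   # the only custom attributes

# Identity and Location material that the page says events never carry.
FORBIDDEN_KEYS = {
    "first_name", "last_name", "email", "phone", "nhi", "date_of_birth",
    "address", "gln", "location", "cognito_user_id", "user_id",
}


def _walk(obj: Any, path: str = "") -> Iterator[tuple[str, str]]:
    """Yield (dotted path, key) for every key in a nested dict/list payload."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            p = f"{path}.{k}" if path else str(k)
            yield p, str(k)
            yield from _walk(v, p)
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from _walk(v, f"{path}[{i}]")


def check_event(event: dict) -> list[str]:
    """Return the violations found; an empty list means the event may be sent."""
    violations: list[str] = []
    for key in event:
        if key not in ALLOWED_TOP_LEVEL:
            violations.append(f"unexpected top-level field: {key}")
    for key in event.get("device", {}):
        if key not in ALLOWED_DEVICE_KEYS:
            violations.append(f"unexpected device field: {key}")
    for key in event.get("application", {}):
        if key not in ALLOWED_APP_KEYS:
            violations.append(f"unexpected application field: {key}")
    for key in event.get("attributes", {}):
        if key not in ALLOWED_ATTRIBUTES:
            violations.append(f"attribute not permitted: {key}")
    # Identity or Location keys anywhere in the payload, whatever their parent.
    for path, key in _walk(event):
        if key.lower() in FORBIDDEN_KEYS:
            violations.append(f"forbidden field present: {path}")
    return violations


# Constructed sample events (values are illustrative, not real data).
GOOD_SCAN_EVENT = {
    "event_type": "location_scanned",
    "client_timestamp": "2021-05-24T09:15:00+12:00",
    "server_timestamp": "2021-05-24T09:15:02+12:00",
    "device": {"device_id": "inst-0001", "make": "Apple",
               "model": "iPhone 8", "os_version": "iOS 14.5"},
    "application": {"name": "NZ COVID Tracer", "version": "5.0.0"},
    "session": {"id": "sess-0001"},
    "attributes": {"postcode": "6011", "age_group": "30-39", "gender": "F"},
}

# The same scan event with the Location and an identifier smuggled into it;
# check_event() reports both as violations.
BAD_SCAN_EVENT = {
    **GOOD_SCAN_EVENT,
    "attributes": {"postcode": "6011", "gln": "9400000000001",
                   "email": "consumer@example.invalid"},
}
```

The check is deliberately two-layered: the allowlists catch any field the schema does not expect, and the walk over the whole payload catches identity or Location keys even when they are nested somewhere the allowlists do not look, which is the case a schema drift or a careless client change is most likely to produce.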

4. To assist the Ministry to diagnose performance and stability issues on mobile devices, the App may send data about application crashes to a service operated by Microsoft called App Center. This data contains information about the state of the App before the crash occurred and provides insight for the Ministry and its suppliers to diagnose and fix issues that occur across the range of supported devices. When a crash occurs the following data is sent from the device to App Center:

Install information: An Application Secret and an Installation Identifier are sent with every request so App Center can identify the data and attach it to the Ministry account.

Device data: This data includes information about the device itself, including the Operating System name and version (e.g. iOS 12, Android 7), device model and manufacturer, installed app version, carrier, screen size, and whether the device is jailbroken or not.

Crash and error logs data: This data includes the ID and name of processes, threads and frames related to the crash, the exception type and message, and the device data (outlined above).

Full details on the information which App Center can collect can be found on the App Center website. Note, the Ministry does not associate a User Identifier (userId) with data collected by App Center, so crash data cannot be linked back to an individual user.

5. The CCTA uses a hosted Content Delivery Network (CDN) operated by Google to serve the font files and other static assets used to render the application. The Google Fonts API is designed to limit the collection, storage, and use of end-user data to what is needed to serve fonts efficiently. Google may record a Consumer’s IP address and other device information (as set out in their FAQ). However, personal data, recorded Locations, or other information collected in the CCTA is never shared with Google.


Appendix Four – App Features – Bluetooth Tracing, Digital Diaries, Notifications and Exposure Events

1. This section details App features including:

Bluetooth Tracing – content and upload capability

Digital Diary – content and upload capability

Notification Events:

o Bluetooth Alert Notification

o Exposure Events and Digital Diary Location Alert Notification

Ability to manually record an NHI: ‘My NHI Details’

Multiple diary entries on a single device no longer supported

Bluetooth Tracing – content and upload capability

2. Additional details of how Bluetooth works are included in Appendix Five.

3. Consumers who have an Exposure Notification System (ENS) compatible device [13], and who want to use this Bluetooth feature, will need to opt in.

4. If the device has Bluetooth Tracing turned on it will operate continuously to record contact with other devices broadcasting in its vicinity. This is done with the use of anonymous and randomly generated keys. These do not identify who the Consumer is or where they were – just that they were in contact with another Bluetooth device. This information stays on the device of each Consumer.

5. The device will retain its record of keys broadcast and received for a period of 14 days before they are automatically deleted from the device.

6. If a Consumer tests positive for COVID-19, they can elect to upload the random keys their device has been broadcasting as part of the Contact Tracing process.

The Upload will be at the request of a Contact Tracer, and a one-time password will be provided by the Contact Tracer to the Consumer to activate the Bluetooth upload from the device. It remains the Consumer’s choice whether or not they will upload their Bluetooth information.

A Consumer will not be able to independently upload Bluetooth information without the appropriate code. The Contact Tracer will not have access to the information uploaded. It will not be possible to tell from the information uploaded where the Consumer has been or who they have been in contact with.

Digital Diary – content and data upload capability

Content

7. The Digital Diary helps Consumers retain records to identify places they visit, people they have been in contact with, or activities they have undertaken such as travel on the bus to work, or attending the local school football match at a local park.

8. The Consumer will be able to choose what they enter, and how much detail they record into their Digital Diary. The limitations will be in the character limits imposed for recording (for example the character limit for notes is 255), and dates that may be entered. Dates may be entered for past activities (up to 60 days in the past) but cannot record activities in future beyond the current day of entry.

9. Digital Diary information will be retained on the Consumer’s device for a period of 60 days before being automatically deleted by the App (unless deleted earlier by the Consumer).

13 Devices may be incompatible with ENS for the following reasons:
- The device must support Bluetooth Low Energy (BLE);
- The operating system version must be iOS 12.5 or greater, or Android 6.0 or greater;
- Android devices must support Google Play Services, and support a Google Play Services attestation check, which may fail for a variety of reasons.
More than 90% of Apple devices in New Zealand are running iOS 12.5 or greater. Approximately 80% of Android devices in New Zealand are running Android 6.0 or greater and support Google Play Services. Android devices manufactured recently in China, including Huawei devices, may not support Google Play Services due to a trade dispute between the US and China.

10. An edit / delete feature enables Consumers to delete or amend the manual entries made into the Digital Diary. This edit / delete feature will enable Consumers to amend records if they feel they are inaccurate, or when they no longer want to retain those records.

Visited Locations – scanned QR Codes

11. QR codes displayed at the premises of participating businesses, other groups and organisations can be scanned by Consumers with the App.

This QR Code will contain information about the specific Location, including a Global Location Number (GLN).

These GLNs will be used to represent a Location, or sub-Location, of a business, group or organisation. They are low cost: a PDF that the organisation prints out and places in an appropriate spot (or spots) on its premises.

These GLNs are linked to an organisation’s New Zealand Business Number (NZBN), where available. It is expected a number of businesses may find the GLN beneficial, as a visible signal that they are taking all reasonable steps to keep their customers safe.

12. The App will record the GLN and the ‘check-in time’ when the Consumer scans the QR Code. All scanning is a manual process initiated by the Consumer.

13. The Location Check-in flow has the following screen flows:

Figure 5: Location Check-in Flow

14. The App will hold Location information on the Consumer’s device for 60 days before deleting it.

Digital Diary Upload


15. A Consumer can elect to send their recorded Digital Diary information, including QR Location and manual entry information, to the Ministry of Health for access by authorised NCTS users involved in Contact Tracing.

The Upload will be at the request of a Contact Tracer if the Consumer is a positive case. The Consumer can then choose to release the 60 days’ worth of Digital Diary (Location information and manual entries) from their device to the Contact Tracer.

A Consumer will not be able to independently upload Location information without the appropriate code.

16. To properly link uploaded Digital Diary information to the relevant NCTS case record, when the Consumer agrees to Upload it, the Consumer will be required to enter a specific code given to them by a Contact Tracer.

When a Consumer chooses to share their Digital Diary data, a request including their name and date of birth will be provided to the Consumer. A unique code will be read out to them over the phone. This is a one-time password and will be valid for only 24 hours.

The Digital Diary entries may contain the following information (for the previous 60 days):

o The GLN of a scanned Location, and the time the Consumer scanned the QR code, and ‘checked-in’ to the Location

o The details of manual entries by the Consumer (as further described below in Appendix Four).


This Contact Tracer provided code will be unique to the Consumer and will enable the Contact Tracer to access the records forwarded to the secure Salesforce location on the NCTS platform, which will be linked to the correct NCTS case record.

NCTS will retrieve business information about each Location by using the GLN to query the NZBN and QR Code database, so Contact Tracers have the information necessary to continue their investigation.

When the Contact Tracer has accessed the identified Consumer’s Digital Diary information, they will then discuss each of the uploaded Locations, and manual entries, with the Consumer to identify how long the Consumer spent at an identified location, what activity they were involved in and who they may have come into Close Contact with.

Only information identified by the Contact Tracer as relevant to a potential Exposure Event or Close Contact will then be further used by the Contact Tracer.

17. Close Contacts are not requested to submit their information unless they subsequently become symptomatic and themselves become a probable or positive case.

18. It remains the Consumer’s choice as to whether they do Upload the Digital Diary if requested by a Contact Tracer, or retain the information on their device and use it as a memory prompt.
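Paragraphs 4 to 6 (Bluetooth keys kept on the device for 14 days, uploaded only with a one-time password from a Contact Tracer) and paragraphs 8, 9 and 15 to 18 (Digital Diary entries kept for 60 days, notes limited to 255 characters, released only against a unique code valid for 24 hours) describe the same two controls: an on-device retention window and a Contact Tracer-gated release. The following added example models both in code. It is a constructed illustration, not the App's or the NCTS's code; the data structures, the six-digit code format, the single-use handling, the constant-time comparison and the placeholder case identifier are all assumptions.

```python
"""Constructed model of the on-device retention windows and the Contact
Tracer-gated upload described in Appendix Four.  Not the App's or NCTS code.

Rules taken from the page:
  - Bluetooth keys stay on the device for 14 days, then are deleted.
  - Digital Diary entries (QR check-ins and manual entries) stay for 60 days;
    manual notes are limited to 255 characters.
  - Data is released only when the Consumer enters a one-time code issued by
    a Contact Tracer; the Digital Diary code is valid for 24 hours.
Everything else (field names, code format, single-use handling, the
placeholder case id) is an assumption made for this illustration.
"""
from __future__ import annotations

import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

BLUETOOTH_KEY_RETENTION = timedelta(days=14)
DIARY_RETENTION = timedelta(days=60)
CODE_VALIDITY = timedelta(hours=24)
NOTE_LIMIT = 255


@dataclass
class DiaryEntry:
    when: datetime
    gln: Optional[str] = None   # Global Location Number for a QR check-in
    note: str = ""              # free text of a manual entry

    def __post_init__(self) -> None:
        if len(self.note) > NOTE_LIMIT:
            raise ValueError(f"note exceeds {NOTE_LIMIT} characters")


@dataclass
class DeviceStore:
    """What stays on the Consumer's device: broadcast keys and the diary."""
    bluetooth_keys: list = field(default_factory=list)   # (timestamp, key bytes)
    diary: list = field(default_factory=list)            # DiaryEntry objects

    def purge(self, now: datetime) -> tuple:
        """Delete keys older than 14 days and diary entries older than 60 days.
        Returns (keys_removed, entries_removed)."""
        keep_keys = [(t, k) for t, k in self.bluetooth_keys
                     if now - t < BLUETOOTH_KEY_RETENTION]
        keep_diary = [e for e in self.diary if now - e.when < DIARY_RETENTION]
        removed = (len(self.bluetooth_keys) - len(keep_keys),
                   len(self.diary) - len(keep_diary))
        self.bluetooth_keys, self.diary = keep_keys, keep_diary
        return removed


@dataclass
class UploadRequest:
    """Contact Tracer's record of an issued one-time code (assumed design)."""
    case_id: str            # NCTS case the upload will be linked to (placeholder)
    code: str
    issued: datetime
    used: bool = False


def issue_code(case_id: str, now: datetime) -> tuple:
    """Contact Tracer issues a six-digit one-time code for one case."""
    code = f"{secrets.randbelow(10**6):06d}"
    return code, UploadRequest(case_id=case_id, code=code, issued=now)


def verify_code(req: UploadRequest, code: str, now: datetime) -> bool:
    """Accept only an unused code, within 24 hours of issue, compared in constant time."""
    if req.used or now - req.issued > CODE_VALIDITY:
        return False
    return hmac.compare_digest(req.code.encode(), code.encode())


def upload_diary(store: DeviceStore, req: UploadRequest, code: str, now: datetime):
    """Release the diary only against a valid code; returns None when rejected."""
    if not verify_code(req, code, now):
        return None
    req.used = True          # one-time: a second attempt with the same code fails
    store.purge(now)         # never send anything past its retention window
    return list(store.diary)


def demo() -> dict:
    """Run a constructed scenario and return the observable outcomes."""
    now = datetime(2021, 5, 24, 12, 0, tzinfo=timezone.utc)
    store = DeviceStore(
        bluetooth_keys=[(now - timedelta(days=15), b"key-old"),
                        (now - timedelta(days=13), b"key-recent")],
        diary=[
            DiaryEntry(now - timedelta(days=61), gln="9400000000000"),  # constructed GLN, stale
            DiaryEntry(now - timedelta(days=2), gln="9400000000001"),   # constructed GLN
            DiaryEntry(now - timedelta(days=1), note="Bus to work"),
        ],
    )
    removed = store.purge(now)
    code, req = issue_code("CASE-PLACEHOLDER", now)
    wrong = "000000" if code != "000000" else "999999"
    return {
        "removed": removed,                                  # (1, 1)
        "keys_left": len(store.bluetooth_keys),              # 1
        "wrong_code_rejected": upload_diary(store, req, wrong, now) is None,
        "expired_code_rejected": upload_diary(store, req, code, now + timedelta(hours=25)) is None,
        "entries_released": len(upload_diary(store, req, code, now + timedelta(hours=1))),
        "reuse_rejected": upload_diary(store, req, code, now + timedelta(hours=2)) is None,
    }
```

Two design points carry the privacy properties the text relies on: the purge runs again immediately before release, so a device that has not been opened for a while still never sends data past its window, and the code is consumed on first successful use, so the 24-hour validity bounds the exposure of a code that is overheard rather than leaving it reusable for the whole day.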

Content of Manual Digital Diary entries

19. It is possible that individuals may record information about third parties in their Digital Diary (presumably if they have been in contact with them), but this is consistent with the type of information that the Contact Tracers would request the Consumer to disclose as part of the Contact Tracing process. It is also important that those individuals are identified if they may be at risk of being a Close Contact, which could be a serious threat to their health and those they come in contact with. In the event that there was some sensitivity in any such records the Consumer would be able to edit their Digital Diary entries before Upload if they wished.

20. It is acknowledged that the free text choices may create a challenge for Contact Tracers to follow notations by Consumers. If a Consumer chooses to Upload their Digital Diary when requested, the content will be used by the Contact Tracer to progress their conversation with a Consumer. Only information verified with the Consumer, and relevant to the Contact Tracing process will be transferred onto the NCTS. Digital Diary information not considered relevant will remain in the NCTS secure Upload location, until deletion six months later.

21. There will also be an analytics event created that a manual entry has been created, but this will not disclose which device the entry was made on (or any Consumer identity or other location details).

Notification Events


22. There are two types of Notification that can now occur via the NZ COVID Tracer App. These are sent out to Consumers who use the App on their device when another Consumer has tested positive for COVID-19.

23. In each case the Contact Tracer will apply their clinical expertise and determine whether it is necessary to send a Notification to make people aware of a potential exposure to COVID-19.

24. Notifications will only be sent when the Consumer with COVID either visited a Location where an App user may have scanned in at the same time, or the Consumer was using the Bluetooth feature (the Bluetooth Alert notification will be for the period from when the Contact Tracer determines the Consumer would have become infectious).

25. Consent of the Consumer is required in each case prior to the upload occurring:

A Notification can only occur with Bluetooth Alert if the Consumer agrees to upload their recorded Bluetooth keys. If they do upload their Bluetooth keys, this information is made available for download by devices with the NZ COVID Tracer App installed as well as by devices with the Cook Islands COVID tracing app (CookSafe+).

If a Consumer consents to upload their Digital Diary information a Location notification may be based off that information. A Contact Tracer can however independently set up a notification for a Location when it becomes clear to them that an Exposure Event might have occurred at a Location (and it has a GLN that App users may have scanned).

Bluetooth Notification


26. If a Contact Tracer decides to ask a Case to share Bluetooth keys, the Contact Tracer will enter an onset date (the date when the Case was likely to have become infectious) in the NCTS and send a request to the Case for upload of Bluetooth keys.

27. A text message will be sent to the phone number configured in the NCTS. This will contain a one-time password that can be used to upload keys.

28. If a Consumer uploads their keys with the one-time password provided by the Contact Tracer, the Bluetooth keys their phone has broadcast will be uploaded to the CCTA Platform. No data is returned to the NCTS from this upload.

29. Keys from before the onset date determined by the Contact Tracer are discarded. The remaining keys are added to a ZIP file together with the keys of all other cases (including those from CookSafe+) uploaded in the last fourteen days. This file is stored on the CCTA Platform. The contents of the file are shuffled so that the keys of a single case cannot be linked across days by their position in the file.

30. Consumer devices using the Bluetooth Tracing feature of NZ COVID Tracer will download the file periodically and check against the keys they have encountered (they are recorded on each Consumer’s device). This same process will apply with users of the CookSafe+ application – and NZ COVID Tracer App keys that have been uploaded will also be available for the CookSafe+ device holder to check.

31. If a device has encountered keys that are in the file, an algorithm is applied on the device to assess whether the Consumer has been sufficiently close for a long enough period to be at risk of contracting COVID-19. This algorithm is part of the Exposure Notification System protocol. The NZ COVID Tracer settings for this algorithm are available on the Ministry of Health website.

32. There will be no indication of who the infectious Consumer/s are in the message sent, nor where the contact occurred.

33. The date of last exposure will be included in the Bluetooth Alert Notification so that the Consumer can start their isolation period for the appropriate length of time.

34. The messaging for the Bluetooth Alert Notification will advise the Consumer they have been identified as a Close Contact for a Case and provide advice on what actions to take.

Exposure Events and Digital Diary Notification

35. Contact Tracers may receive information about scanned Locations attended by a case, either by direct contact with the infected individual or using the Digital Diary Location data a Consumer chooses to upload (discussed further below). The Contact Tracer may identify any Exposure Events that are likely to have created a risk of potential exposure to any Close Contacts.


36. A specialist public health clinician will decide whether to create an Exposure Event of Interest (EEOI) for the purposes of notifying all Consumers via the CCTA. These EEOI events are generated by application of clinical expertise, not automated.

This will involve speaking with the Consumer to confirm appropriate timeframes and behaviour at a relevant Location to ensure that only those Locations visited by the COVID-19 positive individual where there was likely to have been Close Contact exposure are selected.

There are features that make activity at a Location more likely to create risk of Close Contact, for example indoor locations, and length of time at the Location. The definition of a ‘Close Contact’ on the Ministry website indicates those that are at higher risk of being infected. Just passing through a Location is not enough to assume a genuine risk.

It is a challenge to provide the Exposure Notification only to those Consumers who are realistically at risk (rather than over-advising risk and creating greater anxiety than necessary) balanced against missing those who could be at risk.

The clinician involvement in determining if an EEOI is appropriate, and setting relevant time frames, will help balance that risk. It is noted that the App Location scan information held on the device will only record the time of the scan. The expertise of the Contact Tracer and the discussion with the positive case is key in setting the appropriate time frame.

The Location will also need to have a GLN location registered with an official NZ COVID Tracer QR Code to be included in an EEOI, otherwise there will not be a matching Location on any other App user devices capable of receiving a Notification for a Location Alert.

The general communications to Consumers at the time of a Notification are designed to alert people but not alarm them.

o The Notification alert will link to a webpage with relevant information designed to provide additional details and manage expectations and anxiety for a Notification recipient.

o This will include a reference to call Healthline if the individual has questions or considers that they may be experiencing symptoms. A specific text message could also be included by the Contact Tracer about the exposure if necessary.

o If the EEOI is considered to be a higher risk by Contact Tracers a Call Back will also be enabled.

37. An EEOI therefore will represent a specific Location and time range, identified during the investigation of a confirmed or probable case, where there is a specific risk of transmission of COVID-19.


38. A decision by the clinician to create an EEOI will enable the relevant Location information to be prepared within the NCTS for consumption by the CCTA. The NCTS will create a Notification to be published to a register within the CCTA platform.

39. Consequence of Notification – Location Alert

40. The Location Alert is delivered to Consumers through a ‘silent push notification’ mechanism, after the Consumer has opted in to enable push Notifications on their mobile device (or chosen not to opt out for Android devices)

41. When the Consumer opens the App, it will fetch a list of Exposure Events of Interest from the CCTA Platform.

42. When a Consumer permits push Notifications this will grant permission for the CCTA to request a ‘push token’ and enrol their device for push Notifications. This push token is then registered with Firebase Cloud Messaging (FCM), a push notification service operated by Google that provides a single interface to deliver push Notifications for both iOS and Android. On iOS devices a push token is obtained by requesting it from Apple Push Notification Service (APNS), before it is passed to FCM. An overview of the push notification delivery method is outlined below.

43. When an Exposure Event of Interest is published from NCTS, a silent push Notification will be sent to all registered devices on the CCTA through FCM. If a device is offline, the Notification may be queued for delivery later. This push Notification process will be subject to any limitations of the underlying operating systems, if for example a device were not turned on for a period of time or did not connect to the internet. This type of Notification is in widespread use and is generally considered reliable.


44. Additionally, any time the Consumer opens the App, any active Exposure Events of Interest are also fetched in the background from the CCTA Platform by the App. This provides an additional check for Exposure Events and makes the solution more resilient to push Notifications not being delivered, or the Consumer not enabling push Notification permissions.

45. Upon receipt of an Exposure Notification via push notification, or after the active list is fetched from the Platform, the Consumer’s mobile device will perform a check to determine if there is a matching Location stored on the device within the last 60 days.

A match will be determined if the following conditions are true:

o The GLN identifier of the EEOI matches the GLN of the recorded Location (or location selected by the clinician sending the EEOI if it was not received via the CCTA Location upload process).

o The date and time range of the EEOI will be compared with the recorded Location date and time range (the check-in time on the Consumer’s device). It is up to the Contact Tracer to set appropriate time frames.

46. This comparison happens in the background on the device, and if there is no recorded Location matching the EEOI, the Consumer is not alerted to the process. All devices that have opted in to receive push Notifications will receive the silent push. This enables the Consumer device to "wake up" in the background to check the locally recorded data.

If a matching GLN is found on the device within the time range, and the Consumer has not previously been alerted for this EventId (a unique identifier for the event that is used to prevent duplicate Notifications for the same event on the same device), a local notification is presented to the Consumer as a Location Alert. This will prompt the Consumer to open the app for more information. The EventId is recorded on the device so future notifications for the same EventId do not result in another local notification.

If no match is found, all information from the Exposure Event of Interest is discarded and no further action is taken.

If there is a match, the Location Alert will show the Consumer the location name, and the date of the exposure event.
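The on-device check described in paragraphs 45 and 46, worked through in Go as an added example (this is not the App's own code, which is not published in this Assessment). The check-ins, EEOIs, GLN values and times are constructed for illustration; the GLN match, the time-range comparison, the 60-day retention and the EventId de-duplication are the rules the text states.

```go
package main

import (
	"fmt"
	"time"
)

// retention is how long the App keeps Location scans on the device (60 days per the text).
const retention = 60 * 24 * time.Hour

// CheckIn is one QR scan held locally: the Location's GLN and the moment of the scan.
// There is no departure time, which is why the Contact Tracer's window has to allow for it.
type CheckIn struct {
	GLN      string
	ScanTime time.Time
}

// EEOI is what the device fetches from the platform (or is woken for by a silent push):
// an opaque EventId, the Location GLN and the time range set by the clinician. No case details.
type EEOI struct {
	EventId    string
	GLN        string
	Start, End time.Time
}

// LocationAlert is the local notification raised when a check-in matches: Location and date only.
type LocationAlert struct {
	EventId string
	GLN     string
	Date    time.Time
}

// ProcessEEOIs runs on the device after a push or an app open. alerted holds EventIds already
// shown and is updated in place, so re-delivery of the same event never alerts twice.
// An EEOI with no matching check-in is simply dropped; nothing is reported back to the platform.
func ProcessEEOIs(events []EEOI, checkIns []CheckIn, alerted map[string]bool, now time.Time) []LocationAlert {
	var alerts []LocationAlert
	cutoff := now.Add(-retention)
	for _, e := range events {
		if alerted[e.EventId] {
			continue
		}
		for _, c := range checkIns {
			if c.GLN != e.GLN || c.ScanTime.Before(cutoff) {
				continue // different Location, or a scan older than the retention window
			}
			if !c.ScanTime.Before(e.Start) && !c.ScanTime.After(e.End) {
				alerted[e.EventId] = true
				alerts = append(alerts, LocationAlert{EventId: e.EventId, GLN: e.GLN, Date: c.ScanTime})
				break // one local notification per event, even with several scans in range
			}
		}
	}
	return alerts
}

func main() {
	// Constructed data: two scans on the device and three published events. The GLNs are
	// made-up 13-digit values, not real registered Locations.
	now := time.Date(2021, 5, 24, 12, 0, 0, 0, time.UTC)
	checkIns := []CheckIn{
		{GLN: "9429000000001", ScanTime: now.Add(-2 * time.Hour)},
		{GLN: "9429000000002", ScanTime: now.Add(-70 * 24 * time.Hour)}, // beyond 60 days
	}
	events := []EEOI{
		{EventId: "evt-1", GLN: "9429000000001", Start: now.Add(-3 * time.Hour), End: now.Add(-time.Hour)},
		{EventId: "evt-2", GLN: "9429000000001", Start: now.Add(-30 * time.Minute), End: now}, // scan predates window
		{EventId: "evt-3", GLN: "9429000000002", Start: now.Add(-71 * 24 * time.Hour), End: now.Add(-69 * 24 * time.Hour)},
	}
	alerted := map[string]bool{}
	for _, a := range ProcessEEOIs(events, checkIns, alerted, now) {
		fmt.Printf("Location Alert: event %s at GLN %s on %s\n", a.EventId, a.GLN, a.Date.Format("2 Jan 2006"))
	}
	fmt.Println("second delivery alerts:", len(ProcessEEOIs(events, checkIns, alerted, now))) // 0
}
```

Two points worth noticing in the example: the device compares only the scan instant against the window, so a person who scanned in at 11:55 and stayed until 13:00 is missed by a window starting at 12:00 unless the Contact Tracer sets the range generously, which is the caveat paragraph 36 makes; and because the alerted set persists on the device, the same EEOI arriving by both silent push and the app-open fetch produces a single local notification.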

47. If a matching check-in is identified, a flag will be written to the local data store on the Consumer’s device. This ‘local notification’ will prompt the Consumer to open the CCTA for more information.

48. Once the Consumer has opened the App, the flag from the previous step will be checked. If it is for the logged-in Consumer, a screen will be shown informing the Consumer of their potential exposure to COVID-19. This Location Alert screen will include:


The date and Location of the potential exposure. The Location details will be the same as the details to be published on the Ministry website.

Appropriate advice that the person may have been in contact with COVID-19 and a link to a specific webpage.

This webpage is designed to ensure that a recipient does not experience unnecessary concern and has an immediate ‘plan’ available for them to review. The webpage will provide advice, including that the Consumer should contact Healthline if they develop any symptoms.

o Contact a Consumer may choose to initiate with Healthline will occur independently of the Notification process. Any call will be managed as would any other call to Healthline for assistance with a COVID-19 related matter. It is noted however that an indication that the individual felt unwell after receiving an App related Notification may be considered a clinical indicator to suggest the person gets tested.

o Contact Tracer contact would be made to Healthline management to indicate that the Notification process had been initiated if it was likely that any increase in queries may result, to ensure appropriate resourcing was available.

No information about the person who tested positive, or other Consumers at the same place at the same time, will be shown to the Consumer. It is acknowledged that the Consumer may be aware of others who were at the Location – but all Locations are published on the Ministry website, so it is a replication of information that is already available. Contact Tracers do not put all Locations on the website (nor do they send Notifications for all Locations). A decision will be made by Contact Tracers whether or not there is a likelihood that there were otherwise unidentified individuals who may have been exposed to COVID-19 at a Location, and that there is a serious threat to public health that requires the Location to be publicised.


Call Back Request

49. If an authorised Contact Tracer determines that there is an EEOI Location with a high risk of contacts that cannot be promptly identified, and may be Close Contacts, a ‘Call Back’ option may be included in the Location Alert Notification. This could include, for example, a café or bar where others attended but they are not known to the case or the business at the Location.

50. Not all Location Alerts will have the Call Back option – only those deemed high risk by Contact Tracers.

51. The Consumer will be given the option to press the ‘Confirm details’ button (as shown below). This will present an additional screen to the Consumer to enable the Consumer to complete their contact details so that they can be submitted to the NCTS to enable the Contact Tracer to make contact with them (as the Consumer is otherwise unknown to the Contact Tracer).

52. If the Consumer does select a Call Back they will be queued so that a member of the Contact Tracing team can call and speak with them.

53. If a Call Back request is made, the Contact Tracer will be able to identify which case, Location and date was involved from the Call Back request made from the Consumers device, as each EEOI will have a unique code embedded in the Call Back response. The Location and date details will not be available to the Consumer as part of the Location Alert.

54. If the Consumer chooses not to select the Call Back it will not be possible to identify them through the App. They will however receive the brief message about monitoring for symptoms and calling Healthline as standard for all Location Alerts.

55. There is no compulsion for the Consumer to follow any advice given. If they do not choose to seek assistance when appropriate, the App itself will not be able to disclose their identity to any other party – including a Contact Tracer.


56. An anonymous analytics event may be captured to record that a local match (to the Location data on a device) was made, in order to provide reporting on the effectiveness of the solution and help Contact Tracers understand the scale of an Exposure Event. The data captured in this analytics event cannot be used to identify an individual, so therefore cannot be used to make contact with them.

Locations

57. Contact Tracers will be in independent contact with Locations where there has been an Exposure Event to identify if a contact tracing register was available or to obtain any necessary additional information. If the relevant business or organisation is able to identify additional potential Close Contacts the Contact Tracers will make direct contact with those individuals. The standard Contact Tracing measures would apply to avoid identifying an infected individual as far as practicable (as per section 92ZZG).

Ability to manually record NHI number – ‘My NHI Details’

58. Consumers will be given the option to manually add their NHI number to the details they have recorded on their device. This will enable them to use the ‘My NHI Details’ screen to display their NHI number (if they choose).

59. The My NHI Details screen is designed to enable Consumers to swiftly and privately show their NHI number to testing staff if they attend community-based testing facilities (or in other appropriate settings). This was in response to Consumer request via the email support inbox, and confirmed by the COVID-19 Technology Business Design Council.

60. The My NHI Details screen could assist in the identification and testing process, by enabling the Consumer to display the necessary details on their device.

61. The Consumer will be told (on screen – as shown in the screen shot below) where they might find their own NHI recorded (for example on a prescription, or hospital letter).

62. The NHI will not be verified against the NHI database by the Consumer device. The NHI will still need to be verified by any health professional interacting with the individual. A communication has been sent to the Community Based Assessment Facilities to confirm the ongoing obligation to verify the NHI, and a training package provided.

63. The NHI added into the ‘My NHI Details’ process will not be added to either the contact details on the CCTA platform nor to the Digital Diary Upload information.

64. The screen display is on the following page.


Multiple Diaries on single device no longer supported

65. Prior to Release 5 it was possible to have multiple individuals using a shared device, each logging in independently. This feature is not available in Release 5 (as Consumers no longer have the ability to log in to the App). There is no analytical information collected on the number of multi-user devices, but it is not expected to be a high number.

66. Consumers using multiple Digital Diaries on a device will be notified in the App (via a screen, as described over the page) and given options about creating a new diary and how to recover the information from the ‘old’ diary.

67. The information in the ‘old’ diaries will continue to be stored for 60 days from the date of each entry.


Appendix Five – Bluetooth tracing – how does it work?

1. The Ministry has chosen to use the Google / Apple Exposure Notification System (ENS) to provide its Bluetooth feature for the CCTA. This is a ‘decentralised’ model – where the Bluetooth information is stored on each Consumer’s device, not in a central database.

Background

2. Internationally, Apple and Google have developed a protocol known as the Exposure Notification Framework (ENF)[14]. This protocol allows for Bluetooth Low Energy (BLE) broadcast of random identifiers (or keys) to other compatible devices where the capability is enabled.

3. This protocol is being further developed as an open standard with the support of the Bluetooth Special Interest Group[15].

4. An implementation of the ENF on Android and iOS devices is known as an Exposure Notification System (ENS).

5. Permission to administer an ENS is given by Apple and Google to the Public Health Authority of a jurisdiction. The Ministry of Health has obtained this permission. Google and Apple do not have access to the Consumer data recorded on the CCTA, or on Consumer devices.

6. An ENS works as follows:

A Consumer chooses to participate and turns the EN service on;

Each device that participates randomly generates a Temporary Exposure Key (TEK) each day;

Each device broadcasts a Rolling Proximity Identifier (RPI) that is derived from the TEK[16] and this changes frequently, approximately every 10-15 minutes[17], synchronised with the rotation of the Bluetooth MAC address;

Each participating device records the signal strength and duration of RPIs broadcast from nearby devices;

[14] More information about the ENS is available on the Google and Apple pages for the protocol: https://www.google.com/covid19/exposurenotifications/ and https://covid19.apple.com/contacttracing

[15] Source: https://www.bluetooth.com/learn-about-bluetooth/bluetooth-technology/bluetooth-ens/ Accessed 24/11/2020

[16] More information about the derivation of the RPI is available in the Cryptography Specification of the protocol: https://covid19-static.cdn-apple.com/applications/covid19/current/static/contact-tracing/pdf/ExposureNotification-CryptographySpecificationv1.2.pdf

[17] The framework allows for this to be any interval; it is generally 10-15 minutes at present.


A Consumer who has tested positive for COVID-19 may upload the TEKs they have generated in the last 14 days. These are uploaded to the CCTA platform – and do not identify the individual who uploaded them;

Each participating device downloads the ‘bucket’ of uploaded TEKs from the CCTA platform every few hours;

Each participating device then checks the TEKs against RPIs recorded on the device. This check occurs only on the device. There is no ‘matching’ of these details on the CCTA platform;

Each participating device checks the signal strength and exposure time of any matching RPIs against an algorithm configured by the Ministry of Health, and built into the App;

Any participating device whose exposure exceeds the minimum level of exposure configured by the Ministry of Health displays a notification to the Consumer alerting them that they may have been exposed to COVID-19.

RPI records are automatically deleted from a participating device after 14 days.
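The key lifecycle described in paragraphs 26 to 31 of the Bluetooth Notification section and in paragraph 6 above (and restated in paragraphs 15 to 19 below), worked through in Go as an added example. This is not code from the Ministry, the App, or Apple/Google; it follows the published Cryptography Specification for the RPI derivation (HKDF-SHA256 and AES-128 exactly as the specification defines them) and then adds the platform-side onset filter and shuffle and the on-device match as the text describes them. The sample key, the sightings and the 60 dB / 15 minute thresholds are constructed for illustration; the Ministry's actual algorithm settings are published separately, and the real ENS additionally weights attenuation buckets and encrypts broadcast metadata (AEM), which is left out here.

```go
package main

import (
	"crypto/aes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"math/rand"
)

// A TEK covers 144 ENIntervalNumbers (10-minute windows), i.e. one day (Crypto Spec v1.2).
const tekRollingPeriod = 144

// TEK is a Temporary Exposure Key plus the first interval it was valid for.
type TEK struct {
	Key      [16]byte
	Interval uint32
}

// Sighting is all a device keeps about an RPI it heard: no identity, no location.
type Sighting struct {
	RPI         [16]byte
	Interval    uint32
	Minutes     int // scan time within this interval
	Attenuation int // estimated dB; larger means further away
}

// hkdf16 is HKDF-SHA256, no salt, 16-byte output, as the spec derives RPIK (one expand block suffices).
func hkdf16(tek [16]byte, info string) [16]byte {
	extract := hmac.New(sha256.New, nil) // RFC 5869: an absent salt is a zero key
	extract.Write(tek[:])
	expand := hmac.New(sha256.New, extract.Sum(nil))
	expand.Write([]byte(info))
	expand.Write([]byte{0x01})
	var out [16]byte
	copy(out[:], expand.Sum(nil))
	return out
}

// RPI for interval i = AES-128(RPIK, "EN-RPI" || 6 zero bytes || LE32(i)), RPIK = HKDF(tek, "EN-RPIK").
func RPI(tek [16]byte, i uint32) [16]byte {
	rpik := hkdf16(tek, "EN-RPIK")
	block, _ := aes.NewCipher(rpik[:]) // err only for a bad key length; RPIK is always 16 bytes
	var padded, out [16]byte
	copy(padded[:6], "EN-RPI")
	binary.LittleEndian.PutUint32(padded[12:], i)
	block.Encrypt(out[:], padded[:])
	return out
}

// PublishKeys is the platform-side step: drop keys that expired before the onset interval the
// Contact Tracer entered, merge into the bucket and shuffle so one case's days cannot be linked.
func PublishKeys(bucket, uploaded []TEK, onsetInterval uint32) []TEK {
	for _, k := range uploaded {
		if k.Interval+tekRollingPeriod > onsetInterval { // still valid at or after onset
			bucket = append(bucket, k)
		}
	}
	rand.Shuffle(len(bucket), func(a, b int) { bucket[a], bucket[b] = bucket[b], bucket[a] })
	return bucket
}

// MatchOnDevice expands each published TEK into its 144 RPIs and walks the sightings held
// locally; nothing leaves the device. Returns close minutes per matched TEK (one TEK = one day).
func MatchOnDevice(bucket []TEK, seen []Sighting, maxAttenuation int) map[TEK]int {
	owner := map[[16]byte]TEK{}
	for _, t := range bucket {
		for i := t.Interval; i < t.Interval+tekRollingPeriod; i++ {
			owner[RPI(t.Key, i)] = t
		}
	}
	minutes := map[TEK]int{}
	for _, s := range seen {
		if t, ok := owner[s.RPI]; ok && s.Attenuation <= maxAttenuation {
			minutes[t] += s.Minutes
		}
	}
	return minutes
}

func main() {
	// Constructed data: one case's key for one day, heard by a bystander's device in two nearby
	// 10-minute windows and one distant one. The 60 dB and 15 minute thresholds are illustrative.
	var key [16]byte
	copy(key[:], "0123456789abcdef")
	seen := []Sighting{
		{RPI: RPI(key, 2_700_010), Interval: 2_700_010, Minutes: 10, Attenuation: 40},
		{RPI: RPI(key, 2_700_011), Interval: 2_700_011, Minutes: 10, Attenuation: 40},
		{RPI: RPI(key, 2_700_012), Interval: 2_700_012, Minutes: 5, Attenuation: 70},
	}
	bucket := PublishKeys(nil, []TEK{{Key: key, Interval: 2_700_000}}, 2_700_000)
	for t, min := range MatchOnDevice(bucket, seen, 60) {
		fmt.Printf("key from interval %d: %d min close, alert: %v\n", t.Interval, min, min >= 15)
	}
}
```

Because a TEK is valid for exactly one day, the interval of the matched TEK (divided by 144) gives the day of last exposure that paragraph 33 says the Bluetooth Alert carries, without the device ever learning who the case was. The onset filter is what stops a case's pre-infectious days being published, and the shuffle is the only thing standing between a downloaded file and a trivial "these fourteen keys belong to one person" inference, so a platform that skipped either would leak more than this appendix promises.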

7. The ENF has strict controls built into its protocols. Apple and Google use policy, contractual and app review processes to limit the use of EN within a jurisdiction to the process described above. In addition both companies have added a technical control to limit use of location services for any application that uses the protocol. ENS technology is in use in many countries around the world, and has been found to be safe, privacy preserving and effective.

Bluetooth Tracing – how it will operate in New Zealand

8. The Bluetooth functionality therefore has four basic functions: broadcasting, uploading keys, key distribution and checking for exposure. Each of these are detailed further below

Broadcasting

9. Broadcasting: Bluetooth Tracing will record the proximity of each Consumer to other EN-enabled devices. It has no knowledge of who that other Bluetooth user is, or where they are located. It wants to know how close together the devices are, and how long they are near each other. In the diagram below if a device is very close then it will be heard ‘loudly’ by the other Bluetooth device. If it was further away it would be heard more ‘quietly’. This is measured by signal attenuation.


10. The Rolling Proximity Identifier (RPI) that each Consumer device broadcasts is ‘heard’ by other Consumers’ devices that are close enough. Each device hears the RPI of the other. Each device will record the contact. They will use signal strength to estimate distance – or how ‘loud’ the contact was.

11. The RPI is broadcast in the background using a broadcast interval configured by the operating system. This RPI changes approximately every 10-15 minutes in conjunction with the rotation of the Bluetooth MAC address. This enables a record to be retained that indicates how long one Consumer’s device was close to that other Bluetooth device.

Uploading Keys

12. If a Consumer has tested positive and told a Contact Tracer that they have been using the Bluetooth Tracing feature to record contacts the Consumer will be asked if they agree to upload their keys so Exposure Notifications can be sent.

13. A summary is attached in Appendix Five Annex One that shows the user flow for sharing keys.

14. If the Consumer agrees the Contact Tracer will ascertain the date that the Consumer became infectious and send a text message to the Consumer with a one-time code. This is the process that will apply:

[18] The 4-digit example in the diagram does not reflect what the keys actually look like, nor the length of the keys.


Key distribution

15. The uploaded information is then filtered to discard any keys that expired prior to the onset of infectiousness (as determined by the Contact Tracer in discussion with the Consumer). Any remaining keys are then merged into a single list of all keys from all other people who shared their keys in the last 14 days.

16. This list is published for download over the internet by all participating devices. Each device checks for new versions of this file approximately every 2 hours.

Checking for Exposure

17. Each device downloads the list of published keys in the background and checks for a match with the records it holds. Attached as Annex Two is an example of how the algorithm process works.

18. Bluetooth details are recorded on each Consumer’s device, and are not held in a central database or system. The matching process happens locally on the device, and the notification of possible exposure is also generated by the device. Only the Consumer with the device will know when there has been a match.

19. The NZ COVID Tracer App on each device will apply the algorithm configured by the Ministry and determine which of the ‘exposures’ indicate that a contact was sufficiently ‘loud’ (i.e. close in proximity) and for a long enough period of time (there were a number of interactions recorded with the same key over time) that a risk of Close Contact (or transmission of the virus) is likely. Only devices whose matches carry a sufficiently high weighting will display a Notification.


20. The Notification received will look like this on the Consumer device:

21. The text of the Bluetooth Alert will be configured by the Contact Tracer. The message will display on all devices where the algorithm detects a risk of exposure over the specified threshold. The message cannot be made specific to contact at particular Locations or Events for the Bluetooth Alert, as these details are not collected by the Bluetooth feature. All matched devices will receive the same message[19].

22. It will be up to the Consumer whether or not to use the call back option. If the Consumer clicks the ‘Send your details’ link on the Bluetooth Alert screen they will have the option of completing the following screens:

23. This call back option will enable the Consumer to send their first name, last name, phone number and any contact notes via the App to Contact Tracers. The call would be queued within the NCTS system, and a Contact Tracer will return the call and discuss the Bluetooth Alert, and COVID-19 implications with the Consumer.

24. An analytics event will be recorded (via Amazon Pinpoint) to confirm the notification was shown, an alert viewed and if details were sent for a call back. This will not include any identifiable information but will enable information to be obtained to indicate how many people received an alert, and how many did (or did not) complete the call back details.

[19] This is in contrast to the Location Alert, which is sent by Contact Tracers for a single Location, so a different message could be sent about each of numerous Locations a Case had visited, specific to the risk posed at each of those Locations.


Appendix Five – Annex One


Appendix Five – Annex Two


Appendix Six – Bluetooth and the Cook Islands

1. Both New Zealand (NZ COVID Tracer App) and the Cook Islands (CookSafe+) are using the Apple and Google Exposure Notification Framework (ENF) protocol.

2. The proposed quarantine free travel arrangements with the Cook Islands create a new challenge. The challenge is how information recorded by the app in one jurisdiction (either New Zealand or the Cook Islands) can be used to provide notification to Consumers in the other jurisdiction if there may be potential close contacts in that other jurisdiction.

3. Only one Bluetooth contact tracing app can operate at a time.

When visiting either New Zealand or the Cook Islands, it is expected that the app for that country should be used to make sure the consumer receives the relevant health advice.

If a Consumer has more than one Bluetooth contact tracing app on their phone, they are expected to turn off the app that does not apply in the country they are in and turn on the correct one for that country. They may choose not to do this. Both apps will work in each country for recording the Bluetooth keys.

Contact history and notifications will continue even if the Consumer switches between the NZ COVID Tracer app and CookSafe+.

The quarantine free travel will create the possibility that people may be in a different jurisdiction by the time they are aware they are a positive case, or the notification may be sent when the positive case has left the jurisdiction where there was a close contact.


4. The Ministry of Health has now commissioned the development of a host server (called the Interoperability Server) that can exchange the keys generated on user devices with other jurisdictions. It is hosted on the same AWS instance as the CCTA Platform, and will be managed in line with the CCTA security. It is currently only to be used to exchange keys with the Cook Islands CookSafe+.

5. Each device with CookSafe+ or NZ COVID Tracer app will record Bluetooth interactions from the other using the common ENF protocol. If a user tests positive the keys can be uploaded via the ‘back end’ to the Interoperability Server, and then distributed to the users of the other app, as follows:

6. This will enable contacts arising from travel between the two countries to be promptly notified when the travellers were each using a CookSafe+ or NZ COVID Tracer device. The notification details received (i.e. the contact tracer instructions) will correspond to the app that currently has the ENF enabled on the device.

7. The information will not identify the Consumers, nor will it identify the location they were at when they came into contact with the positive case. It may however enhance contact tracing processes by enabling swift notification for those travelling between and around these two countries.

8. If any additional countries are to be considered for participation in the Interoperability Server processes the Ministry will review compatibility and security and update the Privacy Statement.


Appendix Seven – Glossary

The following are definitions used in this Assessment. Each entry gives the term followed by its description, relationship and business rules.

AWS: Amazon Web Services.

Alert: The app feature that alerts the Consumer that a Notification has been received by their device, signalling that they may have been in contact with a case of COVID-19.

Bluetooth Alert: An Alert shown to a Consumer when the Exposure Notification System indicates that there has been contact with someone who has tested positive for COVID-19.

Bluetooth Tracing: The name of the feature in the NZ COVID Tracer app that enables the Exposure Notification System.

Case: A person who has a confirmed or probable diagnosis of COVID-19.

CCTA: Contact Tracing processes by use of a Mobile Application for supported iOS and Android smartphones (the NZ COVID Tracer mobile app), a Web Application (Website) and a Data Platform (Platform), collectively referred to as the COVID-19 Contact Tracing Application.

Close Contact: Any person who has been exposed to a suspect, confirmed or probable case of COVID-19 during the case’s infectious period without appropriate personal protective equipment. The definition is set out more fully on the Ministry website: https://www.health.govt.nz/our-work/diseases-and-conditions/covid-19-novel-coronavirus/covid-19-novel-coronavirus-health-advice-general-public/contact-tracing-covid-19

Consumer: A user who registers or downloads and signs up to use the NZ COVID Tracer mobile app or website.

Contact Tracer: An individual who is authorised to fulfil the role of contact tracer in accordance with section 92ZZA of the Health Act, including those assisting with finding and location services. All Contact Tracers are subject to an obligation of confidentiality.

Contact Tracing: The process used to find people who may have been exposed to an infectious disease. If a person is identified as a Close Contact of someone with COVID-19 they can expect to be contacted by a Contact Tracer, generally by telephone, from the National Close Contact Service operated by the Ministry of Health.

CookSafe+: The Cook Islands contact tracing application using smartphone Bluetooth technology, based on the Apple/Google Exposure Notification System (ENS). CookSafe+ is designed for people located in the Cook Islands but is compatible with the New Zealand COVID Tracer App.

Digital Diary: The information a Consumer chooses to record on their mobile device about their interactions and activities, including places they have visited or people they have been in contact with. This includes the scanned Location information.

EEOI: Exposure Event of Interest.

EEOIN: Exposure Event of Interest Notification.

ENF: Exposure Notification Framework, the protocol created by Apple and Google to support privacy-preserving digital contact tracing using Bluetooth Low Energy.

ENS: Exposure Notification System, an implementation of the ENF protocol within a jurisdiction.

Exposure Event: A Location, and associated date and time range, where there is potential for a Close Contact to have been exposed to COVID-19. This is determined by a Contact Tracer.

GLN: Global Location Number.

Location: The GLN recorded on the Consumer’s mobile device, together with the date and time of the scan.

Location Alert: An Alert shown to a Consumer when a Digital Diary entry matches an Exposure Event of Interest.

MAC address: Media Access Control address (also known as an Ethernet address), a unique numeric identifier used to distinguish a device from others on a network.

NCTS: The National Contact Tracing Solution is the secure technology solution that supports national Contact Tracing activities.

NCTS case record: The NHI-linked record stored in the NCTS that relates to an individual Consumer who is a positive or probable case.

NHI: The National Health Index number is the unique identifier assigned to every person who uses health and disability support services in New Zealand.

Notification: The App notification to Consumer devices which have an Exposure Event matching a Location recorded on that Consumer’s device.

Privacy Notice Materials: Material to be prepared to inform Consumers in compliance with rule 3 of the Health Information Privacy Code 1994. This is viewable on the Privacy Statement screen of the NZ COVID Tracer mobile app and links to a more detailed Privacy and Security Statement. The Privacy and Security Statement contains a link to the current Privacy Impact Assessment.

Privacy and Security Statement: The second part of the layered privacy notice. It is linked from the Privacy Statement available to Consumers at registration.

Privacy Statement: The notice available to Consumers at the point of registration with the CCTA.

RPI: Rolling Proximity Identifier, the number broadcast by Android and iOS devices using ENS, which is derived from the Temporary Exposure Key and changes every ten to fifteen minutes.

TEK: Temporary Exposure Key, the random key generated by the ENS each day.

Upload Information: The Digital Diary information that a Consumer has recorded on their device and chooses to upload to the NCTS on request by a Contact Tracer. This includes scanned Location information and also manual entries. Upload or Uploading means the process of transferring that Digital Diary information.
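The TEK and RPI entries above, and the key exchange described in Appendix Six (items 5 to 7), can be made concrete with the derivation the published Apple/Google ENF cryptography specification defines. The Go program below is an added example and is not Ministry of Health, NZ COVID Tracer or CookSafe+ code; the function names, the sample timestamp and the "overheard" identifiers are constructed for illustration. It derives the Rolling Proximity Identifier Key from a TEK with HKDF-SHA256, computes the AES-128 RPI for each ten-minute interval (the granularity the specification uses), and shows the matching step a phone performs after downloading a diagnosed TEK, whether that TEK came from its own back end or was relayed from the other jurisdiction.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Added example following the Apple/Google ENF cryptography specification.
// Not Ministry of Health code; names and sample values are constructed.
const (
	keyLen           = 16  // TEK, RPIK and RPI are all 128-bit values
	tekRollingPeriod = 144 // one TEK covers 144 ten-minute intervals (one day)
)

// intervalNumber maps a Unix timestamp to its ENF ten-minute interval index.
func intervalNumber(unixSeconds int64) uint32 {
	return uint32(unixSeconds / 600)
}

// newTEK generates a fresh Temporary Exposure Key: 16 bytes from the OS CSPRNG.
func newTEK() ([]byte, error) {
	tek := make([]byte, keyLen)
	if _, err := rand.Read(tek); err != nil {
		return nil, err
	}
	return tek, nil
}

// hkdf16 is HKDF-SHA256 with no salt and a single expand block, which is all
// the ENF key schedule needs for its 16-byte subkeys.
func hkdf16(ikm []byte, info string) []byte {
	// Extract: with no salt, HKDF uses HashLen zero bytes as the HMAC key.
	extract := hmac.New(sha256.New, make([]byte, sha256.Size))
	extract.Write(ikm)
	prk := extract.Sum(nil)
	// Expand: T(1) = HMAC(PRK, info || 0x01); only the first 16 bytes are used.
	expand := hmac.New(sha256.New, prk)
	expand.Write([]byte(info))
	expand.Write([]byte{0x01})
	return expand.Sum(nil)[:keyLen]
}

// rpiKey derives the Rolling Proximity Identifier Key from a TEK.
func rpiKey(tek []byte) []byte {
	return hkdf16(tek, "EN-RPIK")
}

// rpiFor computes the RPI broadcast during interval enin under the given TEK:
// RPI = AES-128(RPIK, "EN-RPI" || 6 zero bytes || enin as little-endian uint32).
func rpiFor(tek []byte, enin uint32) []byte {
	block, err := aes.NewCipher(rpiKey(tek))
	if err != nil {
		panic(err) // only possible with a wrong key length
	}
	padded := make([]byte, keyLen)
	copy(padded, "EN-RPI")
	binary.LittleEndian.PutUint32(padded[12:], enin)
	rpi := make([]byte, keyLen)
	block.Encrypt(rpi, padded)
	return rpi
}

// rpisForDay regenerates every RPI a device broadcast under tek, valid from
// interval tekStart. A phone does this for each TEK it downloads, from its own
// back end or relayed from the other jurisdiction: the TEK alone suffices.
func rpisForDay(tek []byte, tekStart uint32) [][]byte {
	out := make([][]byte, 0, tekRollingPeriod)
	for j := uint32(0); j < tekRollingPeriod; j++ {
		out = append(out, rpiFor(tek, tekStart+j))
	}
	return out
}

// matchExposures compares a diagnosed TEK's RPIs against identifiers this
// phone overheard and returns the intervals at which they coincided. The
// result names no person and no place: only "seen" and when.
func matchExposures(diagnosedTEK []byte, tekStart uint32, observed [][]byte) []uint32 {
	var hits []uint32
	for j, rpi := range rpisForDay(diagnosedTEK, tekStart) {
		for _, seen := range observed {
			if bytes.Equal(rpi, seen) {
				hits = append(hits, tekStart+uint32(j))
				break
			}
		}
	}
	return hits
}

func main() {
	// Constructed scenario: phone A's TEK for one day; phone B overheard two of
	// A's RPIs. A later tests positive and its TEK is published.
	tekA, err := newTEK()
	if err != nil {
		panic(err)
	}
	start := intervalNumber(1621814400) // 24 May 2021 00:00 UTC, a TEK boundary
	overheardByB := [][]byte{rpiFor(tekA, start+30), rpiFor(tekA, start+100)}
	fmt.Printf("RPIK     %x\n", rpiKey(tekA))
	fmt.Printf("RPI@%d %x\n", start+30, overheardByB[0])
	fmt.Println("B's exposure intervals:", matchExposures(tekA, start, overheardByB))
}
```

Running it prints the derived RPIK, one RPI and the intervals at which phone B was near phone A. The properties Appendix Six relies on are visible in the code: a published TEK lets any phone rebuild all 144 identifiers and check them locally, a match yields only an interval number, and a TEK that was never published matches nothing. Because neither the TEK nor the RPI carries identity or location, relaying TEKs through the Interoperability Server adds no personal information beyond what each app already handles on the device.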