Kia ora koutou,
New Zealand continues to manage its way out of the current delta outbreak, with government plans to relax lockdown measures resting heavily on Kiwi vaccination levels. An important part of this strategy will be permitting greater freedoms for those who are fully vaccinated and, to enable this, the government has announced the development of COVID-19 vaccination certificates, or vaccine passports. Given the potential impact these passports could have on individual rights — to movement, social participation and accessing services — it will be critical to get privacy settings right.
Privacy Foundation NZ’s Health Care and Policy Working Group has issued detailed commentary on the privacy issues surrounding vaccine passports and has urged the government to undertake a comprehensive privacy impact assessment before their roll out. The Working Group recommended the application of the fundamental principles formulated by the Australia Institute’s Centre for Responsible Technology, which is largely privacy-focused, promoting concepts such as use limitation, storage limitation and individual control. They also call out the broader risks raised by the implementation of vaccine passports, including exacerbating existing social inequities that may impact vaccination levels in a particular community. As with recent concerns around renewed contact tracing efforts, there are calls for ensuring legislative protections are in place, reflecting a growing view that the Privacy Act’s flexible information privacy principles may not be enough to safeguard these more invasive pandemic responses.
On a related note, and reflecting growing pressure from public and private sector agencies to utilize new technologies, the Office of the Privacy Commissioner released a timely position paper on the regulation of biometrics. The paper puts some stakes in the ground with respect to biometrics. It outlines how the Privacy Act applies to the collection and use of biometrics, comments on complementary frameworks that can assist to ensure biometrics are used ethically and lawfully, and clearly articulates the risks associated with such technologies. The privacy considerations will be familiar to our readers. More interesting are the OPC’s broader expectations on agencies considering the use of biometrics, including:
- Ensuring they consider the sensitivity of biometric information — it is based on inherent biological or behavioral characteristics of an individual that cannot readily be changed in the event of a breach (unlike, for example, a password).
- Ensuring the use of biometrics is targeted and proportionate — do the benefits outweigh the risks, particularly in relation to vulnerable groups?
- Ensuring Te Ao Māori perspectives have been taken into account — the paper is a promising example of the OPC’s increasing interweaving of Te Ao Māori into its regulatory approach.
- Ensuring an appropriate level of human oversight — the paper recognizes biometrics are increasingly used to inform automated decision-making, often with significant consequences for people. As with conversations around the broader use of algorithms, the need for meaningful human oversight and governance is critical.
Automated decision-making has also featured in conversations around NZ, Australia and the wider APAC region in relation to China’s new Personal Information Protection Law. On 14 Oct., IAPP’s Auckland and Brisbane KnowledgeNet chapters hosted a highly informative virtual meeting on the implications of PIPL for agencies in ANZ. Panel experts Clarisse Girot and Barbara Li discussed PIPL’s key provisions — and its similarities with the existing highwater mark requirements of the EU GDPR — with moderator Stephen Bolinger, CIPP/E, CIPP/G, CIPP/US, CIPP/M, CIPT, FIP. Standout issues for me included the requirement for multiple consents, including in relation to automated decision-making, and the current lack of clarity around the scope of many onerous obligations that await further regulation. We all agreed there will be a need for more discussion on this, particularly once greater clarity is known, and we are planning to host another virtual session on PIPL in the new year.
Privacy professionals have their work cut out now and in the near future to help agencies navigate these new and challenging issues. Keep an eye out for announcements from the IAPP as the program of virtual events for the IAPP ANZ Summit Online 2021 in early November is finalized.
Enjoy the digest, folks; stay safe and be kind.
Ngā mihi nui