Like many other of our rights and liberties, privacy has been upended by Covid-19. Privacy commissioner John Edwards looks at the hard choices we’re about to face.
Privacy was described in a seminal 1890 essay as “the right to be let alone”. Now, in April 2020, we find ourselves instead obliged to stay alone. The enforced privacy of our lockdown bubbles is quite different to the freedom and personal autonomy the essay’s 19th century authors envisaged.
But even in this shared crisis, privacy looks different depending on who you are. Spare a thought for those in overcrowded houses, unable to find space for a private moment as out-of-work parents and uncles and grandparents line up for the bathroom alongside out-of-school children.
Think also of the imposition of a cruel and desolate privacy on the victims of the disease, living their last hours in forced separation from families, comforted by uniformed and masked health professionals, but unable to be held or heard or touched by those closest to them.
In this new reality we have sacrificed our right to freedom of association and freedom of movement. We can be stopped and questioned by police about our destination or motivation if we venture away from home. Such are the sacrifices we have all made, that now “minding your own business” has become akin to disloyalty, as we crash websites established to dob each other in for breaches of the rules.
Much has been said about our spirit of community, of common purpose, of our resilience. The prime minister has implored us to be kind, and for the most part we have. We applaud the dedication and bravery of some of the most overlooked of our workforce – the supermarket stackers, the nurses, the courier drivers. This crisis, like many others before, can bring out the best in us.
But it can also bring out the worst: the censorious, the finger-waggers, the hoarders, the profiteers, the fearful, the ignorant. Those whose self-righteousness impels them to post scornful comments online about those afflicted with the disease; the vigilantes who, rather than entrusting authorities to investigate apparent incidents of non-compliance, rush to post their judgement in the court of Facebook, or Twitter, or the comments section of their favoured blog.
Right now privacy must give way to science, and to the wider public health imperative that our response to this crisis must be driven by evidence – evidence that is also information about the spread of the disease, the success or failure of the mitigations, or about whom you have been in contact with for more than 15 minutes in the last 14 days.
As my office works with those managing the crisis, we try to stimulate reflection on the decisions currently being made using some fundamental questions informed by our privacy values:
- Will it work?
- Is the proposed use of information proportional to the problem?
- Can it be reversed after the crisis passes?
In times of crisis there can be a temptation to drop any number of standards and protections. To call for the opening of databases, and for the greater sharing of information.
My predecessor left me with a mechanism created after the dust of the Canterbury earthquakes cleared: the Civil Defence National Emergencies (Information Sharing) Code 2013. The code is triggered when a state of emergency is declared, and allows agencies to disclose or use personal information for the purposes of managing the emergency, including delivering financial assistance. We are now operating under the code, so privacy concerns are currently little impediment to the appropriate management of the pandemic.
But there are limits. There have been questions about whether an agency has the right to ask a DHB if any of the clients it needs to visit have tested positive for Covid-19. Why should it have that right? The whole point of lockdown is that we are assuming everyone has the virus, and taking universal precautions to fend it off. If you take more precautions to visit a household with a confirmed case, does that mean you would drop your standards for a visit to one that might have an asymptomatic, untested, undetected carrier?
Many digital service providers hold boatloads of location information about where we’ve been, and who else has been there. Should authorities be able to access location data from Spark, Vodafone, Google, Apple and Facebook to help with contact tracing? Will it work?
Contact tracing is very resource intensive. It requires trained professionals to identify anyone who might have been exposed to a confirmed case. Technology has a role in supporting their work, but if the technological net is cast too wide, and more geolocated “contacts” are identified than those who have actually come within infectious range, there is a risk that the burden on the contact tracers will be increased, and more people than necessary diverted into further isolation.
Governments around the world are rushing to develop contact tracing apps. It is difficult to make them mandatory, because it is too easy to simply leave your phone at home if you don’t trust it. So building in privacy is essential for getting buy-in based on trust. Israel discovered this when its initiative utilising the intelligence services was ruled unlawful by the High Court.
The extraordinary Google/Apple joint initiative announced this weekend provides a solution based on good evidence. The new contact tracing technology will not allow governments to access location data about users, but it will provide an interoperable Bluetooth function that will ensure “clinically significant” contacts who are also using the app will receive a public health message once a user is tested positive.
Back to New Zealand. It’s important that businesses that get the wage subsidy pass it on to their employees. It makes sense to publish the names of the recipients, so employees can assist with auditing and help identify those rorting the system, or not passing the subsidy on to the staff. But what of the self-employed, the sole traders? Should their details be published also? Why should a sex worker, with no employees, be put off seeking the income assistance every other earner is entitled to, for fear of exposure? They shouldn’t.
What will privacy look like after this initial tsunami has passed, when we start heading back down through the levels? There’s a high likelihood that when you next go to a restaurant you’ll have to sign in, potentially leaving your name and contact details (required for possible future contact tracing) exposed to every subsequent patron to come in. We at the Privacy Commissioner’s office have thought about that, and give some advice here.
When life returns to whatever normal means in a few weeks’ time, privacy will still be there. Privacy is nothing if not contextual. What will we be talking about then? Will landlords be able to ask about the Covid-19 status of prospective tenants? Probably not. Will the emergency standards of security for working at home be OK once we return to business as usual? Also probably not – you might want to add passwords to those Zoom meetings and take a closer look at the T&Cs.
Will we be talking about the need for government to know where you’ve been, and who you’ve been within two metres of? I hope not.
There will be much to learn and reflect on once we are allowed back to normal life, and for years to come. Those of us who don’t like to waste a crisis will be thinking about how the new ways of doing things these past few weeks can be carried into our future. And my office will continue to measure those changes against the same standards as before: Will it work? Is it necessary? Are there better ways which better protect privacy?
Except hand washing. It looks like we’ll keep hand washing either way.