Covid-19 Response Minister Chris Hipkins has asked officials for advice on potential law changes that could address lingering privacy worries with the NZ Covid Tracer app.
It comes after a leading data expert and Privacy Commissioner John Edwards suggested legal tweaks that would ensure agencies couldn't use tracer data for spying or criminal investigations.
New Zealand's app remains a critical tool for helping tracers quickly track down close contacts of people infected with Covid-19 - but at the same time, collects large amounts of personal information from users.
The Government has moved to allay surveillance worries by making the app "decentralised", leaving location data - like that loaded via QR codes - and interaction information, fed via Bluetooth tracing, on peoples' phones until it's needed for contact tracing.
While that approach, widely used by other countries, helped protect users' privacy, there was still little legislative protection against the data being used for other purposes by the Government.
Dr Andrew Chen, a researcher at University of Auckland-based Koi Tū: The Centre for Informed Futures, said one concern was that police or intelligence agencies could seek a warrant for a phone and then take tracer data from it.
Singapore's government recently sparked an outcry when it passed laws allowing its police to access data from its TraceTogether app for serious crimes like murder, rape and drug trafficking.
In New Zealand, Chen noted that a recent police review of emergent technologies showed police have the tools and capability to search phones for data.
This month, he wrote to Hipkins and Director-General of Health Dr Ashley Bloomfield, suggesting New Zealand could take a similar step to Australia, which introduced an amendment clarifying who and who wasn't allowed to use tracer app data, and for what purposes.
That effectively meant that intelligence agencies who incidentally collected tracer data from phones had to delete that data and could not use it.
But Chen told the Herald there were still concerns around two scenarios.
"One is law enforcement agencies getting access, as happened in Singapore, which is the main worry," he said.
"The other is that, just because the NZ Covid Tracer app is designed well, it doesn't mean that other digital contact tracing tools are well designed too."
For example, he said, there had been some 30 different providers for digital contact tracing QR codes in the past.
"We know that, last year, there were companies that collected personal information from contact tracing and then used it for marketing purposes.
"So it would actually be good to have some rules in place that specifically state data that is collected for the purposes of the Covid-19 pandemic should only be used to respond to it."
Chen has previously suggested the Government could amend the Public Health Response Act, but now believed the reform would be more suitable elsewhere in own current laws.
In a written response to Chen last week, Hipkins noted that location and Bluetooth contact data was recorded centrally only when given to tracers - and even then, people could still decide if they wanted to release it.
"With New Zealand's relatively small number of cases, there are relatively few people whose data is held centrally," Hipkins said.
"This data is well secured in the ministry's systems and the ministry has undertaken only to use it for contact tracing purposes."
Further, he said, the app had existing protections that limited the time period that data was retained for.
Scanned and manually recorded locations were kept on a user's phone for 60 days and then automatically deleted, while Bluetooth interaction keys were kept on a user's phone for 14 days and then wiped.
Although data from the app uploaded to ministry systems was kept for longer as some of it became part of a person's health record, the ministry had committed to deleting it "in certain categories" at the end of the pandemic - including all contact details.
Hipkins maintained that the risk of it being used for surveillance was low, and had been advised that the threshold for agencies compelling access to it was "quite high".
Police have also told Chen that it hadn't - and wouldn't - seek or access any data from the app to aid investigations.
Still, Hipkins acknowledged that existing protections were "not complete" - and pointed to similar suggestions for reform made by the privacy commissioner.
"While digital contact tracing options are more limited now than they were, I note there is nothing to prevent people using other existing options, nor to prevent new ones emerging," Hipkins said in the letter.
"I understand that the ministry has published standards and a certification regime for apps that use the Government QR code that includes privacy expectations.
"However, alternative approaches are not prohibited, and for that reason the Government supports ensuring there are protections for all apps and digital tools used for contact tracing."
He'd asked the ministry to provide advice on legislative changes that could be made - a move that was encouraging to Chen.
"This is good to see. At the same time, I think it's important to reassure people that the risk here is low - and that we all need to be using the app as much as possible."