Police admit privacy breach of Covid status
The police have apologised to six people whose Covid-19 status was released to prospective employers through its vetting process.
Admission of the privacy breach has come as Privacy Commissioner John Edwards released the findings of an independent inquiry into the disclosure of Covid-19 patient information by the Ministry of Health to emergency services during the pandemic. Edwards’ inquiry initially began after his office received complaints from members of the public whose Covid patient information was released during employment vetting processes handled by police.
At least one of the complainants had tested positive for Covid19, while another was a household contact of a confirmed case.
The inquiry found that while police had legitimate reasons to collect patient information from the ministry, the decision to input that information into the police vetting system was wrong and led to its unauthorised release.
Upon receiving the complaints, Edwards notified Police Commissioner Andrew Coster of his ‘‘concerns’’ and the practice was stopped immediately in midApril.
‘‘We said: Look, this is not an appropriate function of the vetting service. It is not an appropriate use of state information by police. Police are not qualified to make what are essentially clinical judgments about the implications of that [Covid-19] exposure in terms of a particular workplace,’’ Edwards said.
Three recommendations were made to police in the inquiry’s findings, including to consistently review and revise the need for Covid-19 patient information and to develop internal policies on staff access to this information. Edwards also recom
mended a memorandum of understanding between the ministry and police be developed ‘‘in line with its own need for patient information and internal policy’’, the report read.
In a statement, Police Assistant Commissioner Jevon McSkimming said the organisation accepted the inquiry’s findings.
‘‘We are sorry for the release of information and we acknowledge that this should not have happened. We have apologised to those people whose Covid-19 status we shared when we shouldn’t have.
‘‘We note the recommendations of the Privacy Commissioner and we have issued guidance to staff to ensure this does not happen again,’’ McSkimming said.
While Edwards found the ministry had a ‘‘clear and measured rationale’’ for providing patient information to emergency services, including police in April, the health agency should have reviewed its decisions when the country moved down alert levels the following month.
‘‘In the early stages of the pandemic, when we had limited information, there was a lot of fear and uncertainty about the potential impact of the virus on frontline emergency staff, it was justifiable for the ministry to practise a wide distribution of Covid test results to emergency services.
‘‘But we have found, as we knew more, they should have reviewed that process. There should have been a greater effort taken to ensure people getting tested knew that it was one of the pathways of the information.
‘‘There was a missing step in that the ministry did not appear to turn its mind to whether the authorisation of the individuals could be obtained,’’ Edwards said.
The report made six recommendations to the ministry.
A response was sought but was not received by publication deadline.