Privacy and security for NZ COVID Tracer

NZ COVID Tracer has been designed to protect your privacy and keep your data safe.

On this page:

How your personal information is managed

The Ministry of Health has consulted with the Privacy Commissioner to ensure NZ COVID Tracer protects your privacy.

The personal information and contact details you choose to register through NZ COVID Tracer (on the ‘register your details’ and ‘let us know where you are staying’ screens) are provided to the Ministry of Health so contact tracers can quickly get in touch if you are identified as a close contact of someone who has COVID-19.

Any further information you decide to record through NZ COVID Tracer – for example, the QR codes you scan, your manual diary entries or your NHI number - is stored securely on your phone. Digital diary entries are automatically deleted after 60 days.

The contact alert process for NZ COVID Tracer does not involve transmitting any information from your phone. If you are identified as a confirmed or probable case of COVID-19, it is your choice whether to share your digital diary with the Ministry. You are in control of your data.

Any information (excluding anonymous statistical information) you provide to the Ministry will not be shared with other government agencies except where the agency is directly involved in the public health response and sharing the information is necessary for public health purposes during the COVID-19 pandemic. It will never be used for enforcement purposes.

If any information you provide to the Ministry is added to your health record, for example if you test positive for COVID-19, it will be kept for the same duration as the rest of your health record.

The Office of the Privacy Commissioner has been consulted and is satisfied that the privacy implications (and their mitigations) for the current release of NZ COVID Tracer have been appropriately recorded in the Privacy Impact Assessment available below.

Two-factor authentication

Two-factor authentication (2FA) provides an extra layer of security and makes it harder for someone else to gain access to your information. NZ COVID Tracer supports 2FA through the use of Time-Based One Time Passwords (TOTPs).

If you want to set up 2FA on the contact tracing app, you will first need to download a reputable authenticator app and install this on your device.

Once you have signed up to the contact tracing app you can then choose to enable 2FA by visiting the ‘Login & security’ section of the ‘My Profile’ screen and following the setup instructions.

Then, when you log in to the contact tracing app, in addition to your password you will be prompted to enter a TOTP, which is generated by your authenticator app.

It’s important you keep your authenticator app private and safe. If you lose access to it you won’t be able to log in, and you’ll have to contact us about restoring access to your NZ COVID Tracer account.

Amazon Web Services

NZ COVID Tracer has been developed for the Ministry of Health by New Zealand company Rush Digital and relies in part on the Amazon Web Services (AWS) platform.

An All-of-Government cloud services agreement with AWS has been in place since 2017. AWS services and infrastructure were reviewed as part of the procurement process and are regularly tested against third-party assurance frameworks.

Any information recorded by NZ COVID Tracer that you choose to share for contact tracing is encrypted before it is sent to the Ministry via the AWS cloud services platform. The Ministry retains control of the decryption keys. 

NZ COVID Tracer has also been assessed by independent security experts to ensure your data is managed securely. 

Deleting your data

You can edit or delete entries in your digital diary at any time:

  • Select 'View my diary' on the 'My profile' screen
  • Tap on the entry you wish to edit or delete
  • Tap either ‘Edit’ or ‘Delete entry’.

If for whatever reason you choose to uninstall NZ COVID Tracer, you can request the deletion of any information you provided during the registration process by sending an email to [email protected]. Please include the reason for your request and a contact phone number.

Accessing or updating your information

You can update any personal information held on your device by bringing up the relevant screen within NZ COVID Tracer. You can check your digital diary at any time by selecting ‘View my diary’ on the ‘My profile’ screen or by tapping the icon on the top-left of the ‘Record a visit’ screen.

Under the Privacy Act 1993, you can request a copy of any information the Ministry of Health holds about you. Further information - Current data access policy.

Back to top