Contact tracing apps in Australia

A new world for data privacy

The COVID-19 pandemic has seen governments across the world restricting civil liberties and movement to new levels. To aid the safe lifting of current public health restrictions, new technologies are being developed – contact tracing apps – and rolled out to automate labour-intensive tasks critical to containing the spread of the virus. Our contact tracing survey summarises the principal regulatory and policy issues applicable to contact tracing across a range of key jurisdictions in real time.

Is technology being used by the government to monitor and control the spread of COVID-19 (e.g. contact tracing app, CCTV, cell phone location data, credit-card history)?

The Australian Federal Government launched a contact tracing app (the COVIDSafe App) on 26 April 2020.

What are considered to be the major privacy concerns in relation to the app in your jurisdiction (in relation to its use (a) by the government; and (b) by private sector organisations)?

(a) By the Australian Government

  • Function creep – There was initially concern regarding "function creep", with information being used for other law enforcement purposes, but a Determination under the Biosecurity Act 2015 (Cth) (the Determination) has prohibited this.
  • Tracking – There were also initially concerns around the Government tracking people, but such concerns have been allayed to some extent by the COVIDSafe App not using GPS.
  • Privacy professionals – Privacy professionals are generally accepting that the COVIDSafe App does seek to protect Australians' privacy.
  • Cyber security review – There has been a cyber-security review by the Cyber Security Cooperative Research Centre, which has confirmed that the personal information collected is limited.
  • Source code – The Government has consistently said that the source code to the COVIDSafe App will be made public. As at the date of the COVIDSafe App release the source code has not been published. The Privacy Impact Assessment recommended making the source code for the App publicly available, to allow for independent analysis and consideration. In the response to the recommendation the Department of Health has stated that the source code will be released subject to consultation with the Australian Signals Directorate's Australian Cyber Security Centre.
  • Technical – There are some technical concerns that on iOS the COVIDSafe App will need to be kept running in the background. There are also some questions over the accuracy of the Bluetooth proximity information.
  • No individual right of action – an individual whose privacy or other rights may be infringed, or who may be coerced in relation to the COVIDSafe App (in contravention of the Determination) is given no private right of action.

(b) By private sector organisations

  • AWS – The data in the COVIDSafe App cannot be used by private organisations, except that Amazon Web Services (AWS) will assist in developing the COVIDSafe App, and will supply the infrastructure and associated support services for the National COVIDSafe Data Store. As such the Privacy Impact Assessment made recommendations that the Government confirm the arrangements with AWS and ensure the contract is sufficient.
  • Centralised model – The Privacy Impact Assessment acknowledged the "increased intrusiveness" of a centralised model, but states that it is understood that this "...has been balanced from a policy perspective against the ability of government to most effectively track potentially infected persons and to reduce the spread of COVID-19 in a manner consistent with the objects of the Privacy Act". No recommendations to instead use a de-centralised approach have been made. The centralised model carries an inherent privacy risk: because the data is stored in one place, an attacker who compromised the National COVIDSafe Data Store could access the COVIDSafe App data of all uploading users.
  • App details

    1. What is the name of the app? COVIDSafe App
    2. Is the app voluntary? Yes

    3. Is there any suggestion that use of the app and a clean result may be necessary to enter workplaces or any commercial or public buildings (or is this explicitly or implicitly prohibited)? No. The Determination provides that a person must not refuse to allow another person to enter premises on the grounds that the other person has not downloaded, is not using, or has not consented to the COVIDSafe App. The Determination does not address "clean results" and access to buildings.
    4. What information is required to register for the app? Is the information collected considered excessive? No. According to the COVIDSafe App privacy policy, when an individual registers to use the COVIDSafe App the Australian Department of Health, with the support of the Digital Transformation Agency in its role as the COVIDSafe IT service provider, will ask the individual to consent to the collection of:
      • the individual's mobile phone number – so that the individual can be contacted if needed for contact tracing;
      • the individual's name – so the relevant health officials can confirm they are speaking to the right person when performing contact tracing. It is noted that it is easiest if the individual provides their full name, but a pseudonym or fake name may be used;
      • the individual's age range – so that health officials can prioritise cases for contact tracing, if needed; and
      • the individual's postcode – to make sure health officials from the right State or Territory who work in the individual's area can contact the individual, and to prioritise cases for contact tracing, e.g. hotspot areas.
      • If the individual is under the age of 16, parent or guardian consent to the collection of registration information and contact data is required.

        We note that there are no details of how a minor's parental consent is verified, or whether this is updated (for example if a user is under 16 when they register but then turns 16). There are also no details about consent for users who are over 16 years old but lack the mental capacity to consent.

    5. Is GPS or Bluetooth used? Bluetooth
    6. Is data stored on a centralised server? Yes, but only in respect of infected users who have given their consent and those who have come into contact with an infected user and also consent to their data being uploaded.
    7. Does the identity of the infected user get captured centrally? Yes. With the consent of the infected user, the infected status and data are uploaded and linked to the user's registration data. If an individual tests positive for COVID-19 and has been using the COVIDSafe App, and the individual consents at that time, the following information is uploaded to the database administered by or on behalf of the Commonwealth for the purpose of contact tracing (the National COVIDSafe Data Store):
      • that there was contact between that individual and any other users (and as such details of another user in contact may also be provided);
      • the individual's temporary unique identifier;
      • the Bluetooth signal strength during the "Digital Handshake" (i.e. the meeting of 2 devices within 1.5 metres for more than 15 minutes) (note that the 15 minute time period is referred to in the Privacy Impact Assessment relating to the COVIDSafe App, but is not a requirement under the Determination); and
      • the date and time of the "Digital Handshake".

      It is not clear what happens with any future "Digital Handshakes" after an individual tests positive, or whether there is any update to information after an individual recovers from infection.

    8. Is the identity of the infected user disclosed to proximate users or public health authorities? Is it disclosed to anyone else? No. Generally, information is not disclosed to anyone other than the public health officers responsible for identifying and contacting persons who may have been exposed to a risk of contracting COVID-19, and they will only be provided with access to information about users in the State or Territory in which they are conducting contact tracing. Note that under the Determination "public health officer" is widely defined: it includes collection, use and disclosure "by a person employed by, or in the service of" a State or Territory health authority for the purpose of contact tracing.
    9. Is consent needed to share data with other users/ upload the data to a centralised system? Yes. The Determination provides that a person cannot be coerced into consenting to uploading COVIDSafe App data from a mobile telecommunications device to the National COVIDSafe Data Store. Consent is always required for uploading the contact data. The data is not able to be shared with other users, even with consent. The Determination does not allow the COVIDSafe App data to be used for any purpose other than contact tracing (see 14 and 15 below). Contact tracing is defined as the process of identifying persons who have been in contact with a person who has tested positive for COVID-19 and includes notifying a person that the person has been in contact with a person who has tested positive.
    10. Is the identity of the proximate users disclosed to public health authorities? Is it disclosed to anyone else? No. Please refer to our response above.
    11. Does the app incorporate "privacy by design" and was a privacy risk assessment completed? Yes. The app incorporates privacy by design. The Privacy Impact Assessment has also been made publicly available. This Assessment made 19 recommendations. The Department of Health has published its response to the Privacy Impact Assessment, in which it broadly accepts all recommendations. In particular, the publicly released Privacy Impact Assessment states "We are satisfied that Australian Government has considered the range of privacy risks associated with the App and has already taken steps to mitigate some of these risks. The PIA makes a range of recommendations to ensure privacy issues continue to be addressed as the App is rolled out and App information is collected and used."
    12. How long will the data be kept for, are there clear lines around timing? Unknown.
      • On a user device – all encrypted "Digital Handshakes" are automatically deleted 21 days after they have been collected. In addition, after a "Digital Handshake" is uploaded to the National COVIDSafe Data Store, it will be deleted from the user's device.
      • COVIDSafe Data Store – The Determination provides that the Commonwealth must cause COVIDSafe App data in the National COVIDSafe Data Store to be deleted after the COVID-19 pandemic has concluded. However, there is no definition of "concluded" or time frame for deletion in the Determination.
    13. Has data security been addressed expressly (e.g. encryption)? Yes. The Privacy Impact Assessment refers to:
      • data minimisation;
      • all information uploaded to the National COVIDSafe Data Store from a user's device will be encrypted in flight;
      • all information that is encrypted on the user's device will be deleted 21 days after it has been captured;
      • public health officers (which is widely defined under the Determination, see above) responsible for identifying and contacting persons who may have been exposed to a risk of contracting COVID-19 will only be provided with access to information about users in the State or Territory in which they are conducting contact tracing;
      • access to, and use of, the National COVIDSafe Data Store will be logged, and regularly audited; and
      • ensuring that appropriate arrangements are in place with AWS, the Digital Transformation Agency and the States and Territories.
    14. Are there clear limitations regarding who may have access to the data? Yes. The Determination provides that data from the COVIDSafe App may not be used other than as described in the Determination. The Determination allows for collection, use or disclosure of COVIDSafe App data:
      • by a person employed by, or in the service of, a State or Territory health authority for the purpose of, and only to the extent required for the purpose of, undertaking contact tracing;
      • by an officer, employee or contractor of the Health Department or the Digital Transformation Agency for the purpose of, and only to the extent required for the purpose of, enabling contact tracing by persons employed by, or in the service of, State or Territory health authorities, or ensuring the proper functioning, integrity or security of the COVIDSafe App or of the National COVIDSafe Data Store;
      • for the purpose of transferring encrypted data between mobile telecommunications devices or to the National COVIDSafe Data Store;
      • for the purpose of investigating a potential contravention of the Determination;
      • for the purpose of prosecuting a person for contravention of the Determination; and
      • for the purpose of producing statistical information that is de-identified.

      Individuals are not able to access their own data held in the COVIDSafe Data Store or the encrypted information on their device.

    15. Are there clear limitations on the purposes for which the government may use the data? Yes. Please refer to our response above.
    16. Is the government of your country bound by privacy laws in respect of the contact tracing data? Yes. Specifically, the Determination (but see note 2 above). The Privacy Act 1988 (Cth) regulates Commonwealth Government agencies. In the week beginning 11 May 2020, the Privacy Act is expected to be amended so that it applies to the State and Territory health agencies which will have access to the data for contact tracing purposes. State and Territory agencies are also subject to State privacy laws. Further legislation is also expected.
    17. Has the regulator commented/ provided guidance on the technology? Yes. The Office of the Australian Information Commissioner (OAIC) provided a statement on 26 April 2020 that "important safeguards have been put in place to protect personal information collected through the app so it can be used to help address this public health crisis." The OAIC also noted that it will continue to monitor the implementation of the Privacy Impact Assessment recommendations and can audit the COVIDSafe App and investigate complaints from the public about privacy.
    18. Are there any private sector initiatives you are aware of to use/ integrate the app or the information from the app (e.g. to reflect the results back to workforces)? No.
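The data-handling rules described in the questions above (the minimal upload payload on a positive test, the 1.5 metre / 15 minute "Digital Handshake", the 21-day on-device retention, deletion after upload, and consent as a precondition for any upload) can be expressed as a small device-side model. The following is an added example written for this page, not the COVIDSafe App's own code: the class and function names, the payload field names, and the rule that a close contact is a run of handshakes from one peer spanning at least 15 minutes are all assumptions, and the clock and handshake records are constructed sample data.

```python
"""Device-side model of handshake retention, consent-gated upload and data minimisation.

Added example for this page; not the COVIDSafe App's code. Names, payload
fields and the close-contact duration rule are assumptions drawn from the
article's description, not from the app or the Determination.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List

RETENTION_DAYS = 21            # article: on-device handshakes deleted after 21 days
CLOSE_CONTACT_MINUTES = 15     # article: PIA figure; not a requirement of the Determination


@dataclass(frozen=True)
class Handshake:
    """One Digital Handshake as held on the device (assumed shape)."""
    peer_temp_id: str     # the other device's temporary unique identifier
    rssi: int             # Bluetooth signal strength during the handshake
    seen_at: datetime     # date and time of the handshake


class DeviceStore:
    """Local store of handshakes; never holds name, phone, age range or postcode."""

    def __init__(self) -> None:
        self._handshakes: List[Handshake] = []

    def record(self, hs: Handshake) -> None:
        self._handshakes.append(hs)

    def snapshot(self) -> List[Handshake]:
        return list(self._handshakes)

    def count(self) -> int:
        return len(self._handshakes)

    def purge_expired(self, now: datetime) -> int:
        """Drop handshakes older than RETENTION_DAYS; returns how many were removed."""
        cutoff = now - timedelta(days=RETENTION_DAYS)
        kept = [h for h in self._handshakes if h.seen_at >= cutoff]
        removed = len(self._handshakes) - len(kept)
        self._handshakes = kept
        return removed

    def build_upload(self, my_temp_id: str, consent: bool, now: datetime) -> Dict:
        """Build the minimal upload payload; refuses without consent, then clears the device."""
        if not consent:
            raise PermissionError("upload to the Data Store requires the user's explicit consent")
        self.purge_expired(now)  # never ship records the retention rule already expired
        payload = {
            "uploader_temp_id": my_temp_id,      # registration data is linked server-side, not sent
            "contacts": [
                {"peer_temp_id": h.peer_temp_id, "rssi": h.rssi, "seen_at": h.seen_at.isoformat()}
                for h in self._handshakes
            ],
        }
        self._handshakes.clear()  # article: uploaded handshakes are deleted from the device
        return payload


def close_contacts(handshakes: List[Handshake]) -> List[str]:
    """Peers whose handshakes span at least CLOSE_CONTACT_MINUTES (assumed duration rule)."""
    first: Dict[str, datetime] = {}
    last: Dict[str, datetime] = {}
    for h in handshakes:
        first[h.peer_temp_id] = min(first.get(h.peer_temp_id, h.seen_at), h.seen_at)
        last[h.peer_temp_id] = max(last.get(h.peer_temp_id, h.seen_at), h.seen_at)
    threshold = timedelta(minutes=CLOSE_CONTACT_MINUTES)
    return sorted(p for p in first if last[p] - first[p] >= threshold)


def demo() -> Dict:
    """Run the model on constructed data and return the observable results."""
    now = datetime(2020, 5, 1, 12, 0, tzinfo=timezone.utc)  # constructed clock
    store = DeviceStore()
    # Constructed handshakes: one stale record (30 days old), a 16-minute run of
    # beacons from peer-B two hours ago, and a single passing beacon from peer-C.
    store.record(Handshake("peer-A", -60, now - timedelta(days=30)))
    for minute in (0, 5, 10, 16):
        store.record(Handshake("peer-B", -55, now - timedelta(hours=2) + timedelta(minutes=minute)))
    store.record(Handshake("peer-C", -70, now - timedelta(hours=1)))

    close = close_contacts(store.snapshot())
    refused = False
    try:
        store.build_upload("me-temp-id", consent=False, now=now)
    except PermissionError:
        refused = True
    removed = store.purge_expired(now)
    payload = store.build_upload("me-temp-id", consent=True, now=now)
    return {
        "close": close,                          # ["peer-B"]
        "refused": refused,                      # True: no upload without consent
        "removed": removed,                      # 1: the 30-day-old record
        "uploaded": len(payload["contacts"]),    # 5: four peer-B beacons plus peer-C
        "remaining": store.count(),              # 0: device cleared after upload
        "fields": sorted(payload),               # only temp id and contacts, no registration data
    }


if __name__ == "__main__":
    print(demo())
```

The point of the model is what is absent from the payload: the registration data (name, phone number, age range, postcode) is never on the device-side upload path, the stale record is purged before anything is sent, and the upload is impossible without an explicit consent flag, which is the property the Determination's anti-coercion provision relies on.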

    The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.