Privacy and Australia’s COVIDSafe App

Published
18 Jun 2020
Read time
10 min read

How does Australia’s COVIDSafe App stack up from a privacy perspective?

Introduction

For most countries, the exit strategy from the current COVID-19 lockdown, and the best way to manage second waves pending a vaccine, includes a robust ‘track & trace’ process to identify and isolate COVID-19 cases. Tracing apps are the automated alternative to the labour-intensive and somewhat unreliable manual method. The app launched by the Australian government in April 2020 is based on Singapore’s TraceTogether app. It has been redesigned for Australia and is supported by specific legislation governing its use.

Tracing apps have their critics. The Brookings Institution has published a strong warning against building recovery plans on contact tracing apps, arguing that they are more likely to become “vehicles for abuse and disinformation” than to enable the safe reopening of economies.[1] Other critics describe them as a form of pervasive government-backed surveillance.

So how does Australia’s COVIDSafe App stack up from a privacy perspective?

Australia’s COVIDSafe App

Generally, contact tracing is done manually: through interviews with patients, followed by calls or visits to those the patient has been in contact with in the recent past. Much of the labour and guesswork in tracing could be removed if people’s phones automatically recorded where they had been and who they had been in contact with. Hence the arrival of the tracing app; several of them, in fact.

The COVIDSafe app was released by the federal government for public download on 26 April 2020. Most of us are familiar with the way it works. It uses Bluetooth to record encrypted data about close contacts with other users. That data is held on the individual’s phone unless and until the user tests positive for COVID-19. At that point the user has the option of uploading the encrypted data on their device to the National COVIDSafe Data Store. State and territory contact tracers can then access the Data Store to anonymously notify the positive user’s close contacts that they may have been exposed to COVID-19 and advise them what to do next, such as getting tested.[2]

There have been issues with the COVIDSafe app including:

  • Its suitability for older devices, whether it works on locked devices, and its impact on other apps;
  • The need to update the app, and whether it works if it is not updated;
  • The protocols for sharing data with state and territory contact tracers;
  • The proportion of the population that needs to be running a working app for it to provide a defence against the spread of COVID-19, and the basis for that assessment. Where did the 40% figure come from?

Reports are now emerging of a lack of transparency about the effectiveness of the app. For example, it now appears that the federal government’s testing prior to release showed the software worked effectively on locked iPhones only about a quarter of the time or less, a long way from the 80–100% effectiveness rate reported at the time.[3]

These issues have all been cited as reasons for not downloading the app.[4] But one of the most consistent concerns has been the privacy implications of using it.

Privacy Measures for the COVIDSafe App

On the positive side, much has been done to alleviate public concerns around the collection and security of personal information by the app.

The app has its own privacy policy. A Privacy Impact Assessment (PIA) was completed by Maddocks, a law firm on the federal government’s panel of privacy service providers, and published together with the Health Department’s response.[5] The source code for the app was made available for review a few weeks after its release.

On 14 May 2020, Parliament passed the Privacy Amendment (Public Health Contact Information) Act to support the COVIDSafe app and legislate some of the protections recommended in the PIA.[6]

These are all good things. But it is also worth assessing the app against standard privacy principles such as data minimisation, data retention, use limitation and proportionality.

What information is the app collecting and sharing with authorities?

The name, age range, phone number and postcode of individuals who register in the app are collected. The basis for collecting this information is described in the Collection Notice and includes being able to contact the right person, prioritising by age, and making sure health officials from the right state or territory are given the information.

We’ve been told that location data is not being collected or stored.

How and when is collected data accessed?

If you test positive for COVID-19, the data held on your phone about who you have been in contact with can be uploaded to a central data repository set up by the federal government. That data is then made available to state health authorities to assist them in tracing the contacts of positive cases.

However, the upload to the central repository can only happen with your consent. The process appears to be that a health official contacts you and asks for consent to enter your mobile number into the data store, which generates a PIN that is sent to you by SMS. By entering the PIN you consent to uploading the contact data on your device to the data store, where it is shared with health officials for contact tracing. Equally, if another user tests positive to COVID-19, they may upload their contact data, which may include details of their contact with you.[7]

Where will the data be stored?

Initially, the app stores encrypted data locally on your phone. Somewhat controversially, the central database is hosted on Amazon Web Services. The data is held on servers in Australia, and it is illegal to transfer the data out of the country.

Who will have access to this data?

The government has responded to this question by stating that only the health professionals involved in contact tracing will have access, and that it has refused requests from the police to have ‘additional capabilities added to the app’. It is not clear what those capabilities would have enabled, but the request shows that other interests exist.

Is use of the app voluntary?

Use of the COVIDSafe App is voluntary. As mentioned, the Privacy Act 1988 (Cth)[8] was amended to prevent anyone from requiring another person to:

  • download the COVIDSafe app onto their communication device;
  • operate the app on their device; or
  • consent to uploading their app data to the data store.

There are also prohibitions on discriminating against a person on the above grounds (for example, a person cannot be excluded from premises or denied goods or services). Breaching these provisions may lead to fines of up to AUD$63,000 and/or 5 years’ imprisonment.

The ‘voluntary’ nature of use was reiterated in guidance issued by the Privacy Commissioner in May 2020. However, there have been cases of employers installing the app on employees’ work devices while stating that registration and use are voluntary, which perhaps pushes the boundaries of ‘voluntariness’.

When will the data be securely disposed of?

Contact data is held on your phone for 21 days before being automatically deleted. It is also deleted if you remove COVIDSafe from your device or upload your contact data to the data store. The government website states that, at the end of the Australian COVID-19 pandemic, users will be prompted to delete the COVIDSafe app from their phone.

However, registration details can only be deleted by completing a data deletion request form. Digital handshake information already uploaded to the Data Store cannot be deleted, but it cannot be linked back to a user once that user’s registration information has been deleted (which, again, must be done by request). All data in the National COVIDSafe Data Store will be deleted as soon as is reasonably practicable once the Health Minister has determined that the COVIDSafe app is no longer needed to prevent or control the spread of the virus, and users will be informed.
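To make the data flow described above concrete, here is an added example; it is not COVIDSafe’s own code, nor the BlueTrace implementation behind TraceTogether that the app is based on. It simulates the pieces this article discusses: phones exchange and store only opaque temporary IDs (no names, numbers or locations), the central store is the only party able to resolve those IDs to a registered user, an upload is accepted only with the PIN a tracer has issued, on-device records are purged after 21 days and the local copy is cleared once uploaded, and deleting a registration leaves already-uploaded handshakes unlinkable. The 15-minute token lifetime, the random-token-plus-lookup-table design (BlueTrace instead encrypts the user ID and validity window under a key only the backend holds) and all names, numbers and timings are assumptions constructed for the example.

```python
import secrets

TEMP_ID_LIFETIME = 15 * 60   # assumption: a fresh temporary ID every 15 minutes
RETENTION = 21 * 24 * 3600   # the 21-day on-device retention described above


class DataStore:  # central store: the only party able to map a temp ID back to a registered user
    def __init__(self):
        self.registrations = {}  # user_id -> (name, age range, phone, postcode)
        self.temp_ids = {}       # temp_id -> (user_id, valid_from, valid_to)
        self.uploaded = []       # digital handshakes uploaded with the user's consent
        self.pending_pins = {}   # phone number -> PIN a contact tracer has sent by SMS

    def issue_temp_id(self, user_id, now):
        # Assumption: random opaque token plus a server-side table. BlueTrace instead encrypts
        # (user_id, start, expiry) under a backend-only key; either way phones learn nothing.
        temp_id = secrets.token_hex(16)
        self.temp_ids[temp_id] = (user_id, now, now + TEMP_ID_LIFETIME)
        return temp_id

    def issue_pin(self, phone_number):
        pin = f"{secrets.randbelow(10**6):06d}"
        self.pending_pins[phone_number] = pin
        return pin

    def upload(self, phone_number, pin, handshakes):
        # Entering the PIN is the consent step; nothing is accepted without it.
        if not pin or self.pending_pins.get(phone_number) != pin:
            return False
        del self.pending_pins[phone_number]
        self.uploaded.extend(handshakes)
        return True

    def resolve_contacts(self):
        # Tracer view: uploaded tokens resolve only to users who are still registered.
        contacts = set()
        for h in self.uploaded:
            entry = self.temp_ids.get(h["temp_id"])
            if entry and entry[1] <= h["time"] <= entry[2] and entry[0] in self.registrations:
                contacts.add(entry[0])
        return contacts

    def delete_registration(self, user_id):
        # Uploaded handshakes stay, but nothing in the store links them to a person any more.
        self.registrations.pop(user_id, None)
        self.temp_ids = {t: v for t, v in self.temp_ids.items() if v[0] != user_id}


class Phone:  # a device running the app: broadcasts its current temp ID and logs those it hears
    def __init__(self, user_id, phone_number, store):
        self.user_id, self.phone_number, self.store = user_id, phone_number, store
        self.current_temp_id, self.temp_id_expiry = None, 0
        self.handshakes = []  # {"temp_id", "time"} only: no names, numbers or locations

    def temp_id(self, now):
        if now >= self.temp_id_expiry:
            self.current_temp_id = self.store.issue_temp_id(self.user_id, now)
            self.temp_id_expiry = now + TEMP_ID_LIFETIME
        return self.current_temp_id

    def record_handshake(self, other, now):
        self.handshakes = [h for h in self.handshakes if now - h["time"] < RETENTION]  # rolling purge
        self.handshakes.append({"temp_id": other.temp_id(now), "time": now})

    def upload_with_pin(self, pin):
        ok = self.store.upload(self.phone_number, pin, list(self.handshakes))
        if ok:
            self.handshakes = []  # the local copy is deleted once uploaded
        return ok


def scenario():
    """Constructed walk-through: Alice meets Carol, meets Bob three weeks later, then tests positive."""
    store = DataStore()
    store.registrations = {"u1": ("Alice", "30-39", "+61400000001", "2000"),
                           "u2": ("Bob", "40-49", "+61400000002", "3000"),
                           "u3": ("Carol", "20-29", "+61400000003", "4000")}
    alice, bob, carol = (Phone(u, store.registrations[u][2], store) for u in ("u1", "u2", "u3"))
    alice.record_handshake(carol, now=0)
    alice.record_handshake(bob, now=22 * 24 * 3600)  # Carol's record is now older than 21 days
    log_after_purge = len(alice.handshakes)
    number_in_log = "+61400000002" in str(alice.handshakes)

    pin = store.issue_pin(alice.phone_number)  # a tracer contacts Alice after her positive test
    rejected = alice.upload_with_pin("000000" if pin != "000000" else "111111")
    accepted = alice.upload_with_pin(pin)
    contacts = store.resolve_contacts()        # the tracer learns that Bob was a close contact

    store.delete_registration("u2")            # Bob files a data deletion request
    return {
        "log_after_purge": log_after_purge,                   # 1
        "phone_number_in_log": number_in_log,                 # False
        "wrong_pin_rejected": not rejected,                   # True
        "upload_accepted": accepted,                          # True
        "contacts": contacts,                                 # {"u2"}
        "contacts_after_deletion": store.resolve_contacts(),  # set()
        "local_log_after_upload": len(alice.handshakes),      # 0
    }
```

The point a reviewer should take from the run is where the linkage lives: the phone log and the uploaded handshakes are useless on their own, and the only place a token becomes a person is the central store’s table, which is exactly why the questions about who can access that store, and when its data is destroyed, matter more than anything on the handset.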

Other regulators have recommended that criteria be developed to determine when the app should be dismantled, and that an independent or separate entity might be responsible for this determination. In Australia, the fate of the data lies with the Health Minister, a politician, rather than with a health or medical expert.

Conclusion

The COVIDSafe App has got many things right. It has been independently reviewed and there are some strong privacy protections, including:

  • Minimisation of data collected;
  • Clear specification of the purpose of use;
  • Some rights to delete;
  • Legislated control over compulsory downloading and use.

However, there are also continuing questions:

  • How useful is the data being collected;
  • Is the app actually fit for purpose (given issues with its technical operation);
  • What will happen to the app and the data collected at the end of the pandemic.

The COVIDSafe app cost more than $2 million to develop through contracts with private sector companies including the Boston Consulting Group and AWS.[9] Over 6 million Australians are reported to have downloaded the app so far. Its uptake has been spruiked as one of the most important ways that Australians can protect our nation and health system from the spread of the coronavirus.

However, to date there has been little evidence that it has affected the spread of the virus in any way. It has been reported that no useful information has been provided by COVIDSafe since it was launched more than six weeks ago, with health departments around the country having had “limited opportunity” to use the contact tracing app.[10]

The COVIDSafe app may become more useful as restrictions are eased and Australians return to normal life, and as part of combating the second wave. But at what price?

The proportionality of the response must be in question.

It will be interesting to follow the Australian experience with the app: what lessons government and businesses can learn about using transparency to underpin trust and encourage uptake of their services, and how the public comes to view the proportionality of the response.

Resources:

Government COVID Safe App info.

Government COVID Safe App Privacy policy

COVIDSafe App Privacy Impact Assessment

The Guardian’s analysis

[1] We wrote about some of the privacy issues with tracking and tracing here: https://privacy108.com.au/insights/test-track-and-trace-privacy-issues/

[2] Background COVIDSafe Legislation https://www.ag.gov.au/rightsandprotections/privacy/pages/covidsafelegislation.aspx

[3] https://www.itnews.com.au/news/dta-swamped-with-covidsafe-app-feedback-in-first-month-549114

[4] A survey of 1500 Australians about the COVIDSafe app found that the reasons for not downloading included privacy concerns, phone capabilities, and beliefs of limited benefit. https://www.medrxiv.org/content/10.1101/2020.06.09.20126110v1

[5] These resources are available on the Department of Health COVIDSafe App site.

[6] Information about this legislation is included on the Attorney-General’s Department website.

[7] https://www.health.gov.au/using-our-websites/privacy/privacy-policy-for-covidsafe-app

[8] Privacy Amendment (Public Health Contact Information) Bill 2020

[9] https://www.innovationaus.com/no-contacts-through-covidsafe-app-yet/

[10] https://www.innovationaus.com/no-contacts-through-covidsafe-app-yet/
