The COVIDSafe contact tracing app (app) has now been available for nearly three weeks and over 5.5 million Australians have downloaded it. The app is intended to help speed up the tracing and contacting of people who have potentially been exposed to COVID-19. Yet every day the community raises important privacy questions about it. The government has said that 10 million downloads are required for the app to be effective.
KPMG Law’s Privacy Team answers some key questions.
1. Will the app be mandatory?
While the Federal Government and the business community are encouraging Australians to use the app, it is not mandatory. Downloading the app is a personal decision. You cannot be required by any level of Government, employers, schools or shopkeepers to download and use the app, or to tell them whether you have downloaded it. The legislation establishing the app’s legal framework (explained below) imposes penalties on people and organisations found to have required another person to download, have, or use the app. The one exception is a private residence: an individual may require a person to use the app before entering their home without incurring liability (this exception does not extend to commercial, share house or employment situations).
2. How has privacy been protected?
3. Can children use the app?
Yes, but they must get a parent or guardian to consent to the collection of the registration information. A parent or guardian can provide consent for the upload of the encrypted contact data to the National COVIDSafe Data Store (data store), though this is currently not mandatory for child users.
4. What information is collected?
Setting up the app: when you register for the app, your mobile phone number, name, age range and postcode information are collected. This information will be stored in the data store.
In operation: the app requires Bluetooth to be active and functioning on the user’s mobile device. The app uses Bluetooth signal strength, which is an approximate proxy for distance rather than a precise measurement, to determine contact with another user’s mobile device. For each device where contact is established the app logs the following: each device’s unique and encrypted user ID, the date and time of the contact, the estimated distance between the devices, and the duration of the contact. The user’s location data is not collected. The contact data is stored on the device and routinely deleted after 21 days. Whether the data will be filtered prior to an authorised transfer to the data store remains uncertain at this stage.
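To make the on-device behaviour described above concrete, the following is an added, constructed model of a proximity contact log. It is not COVIDSafe’s code, and the field names, the sighting-merge rule, the path-loss constants used to turn signal strength into a distance estimate, and the consent gate on export are all assumptions chosen to illustrate the text: no location is recorded, entries are dropped once they are older than 21 days, and nothing leaves the device without a positive consent decision.

```python
"""Constructed model of an on-device proximity contact log (example code,
not COVIDSafe's own). All parameters and field names are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

RETENTION = timedelta(days=21)          # contact data is deleted after 21 days
MERGE_GAP = timedelta(minutes=5)        # assumed: sightings closer than this are one contact


def estimate_distance_m(rssi_dbm: int, tx_power_dbm: int = -59, n: float = 2.0) -> float:
    """Log-distance path-loss estimate (assumed constants). Signal strength is a
    noisy proxy for distance, so this is a risk score, not a ruler."""
    return 10 ** ((tx_power_dbm - rssi_dbm) / (10 * n))


@dataclass
class Contact:
    peer_id: str                        # other device's encrypted, rotating ID (opaque here)
    first_seen: datetime
    last_seen: datetime
    rssi_samples: list = field(default_factory=list)

    def duration_s(self) -> float:
        return (self.last_seen - self.first_seen).total_seconds()

    def min_distance_m(self) -> float:
        return min(estimate_distance_m(r) for r in self.rssi_samples)


class ContactLog:
    def __init__(self) -> None:
        self._contacts = []             # list of Contact, newest last

    def record(self, peer_id: str, at: datetime, rssi_dbm: int) -> None:
        """Merge a sighting into an open contact with the same peer, else open a new one.
        Note what is *not* a parameter: there is no location argument at all."""
        for c in self._contacts:
            if c.peer_id == peer_id and at - c.last_seen <= MERGE_GAP:
                c.last_seen = max(c.last_seen, at)
                c.rssi_samples.append(rssi_dbm)
                return
        self._contacts.append(Contact(peer_id, at, at, [rssi_dbm]))

    def prune(self, now: datetime) -> int:
        """Drop contacts last seen more than RETENTION ago; return how many were dropped."""
        keep = [c for c in self._contacts if now - c.last_seen <= RETENTION]
        dropped = len(self._contacts) - len(keep)
        self._contacts = keep
        return dropped

    def __len__(self) -> int:
        return len(self._contacts)

    def export_for_upload(self, consent_given: bool, now: datetime):
        """Only an explicit positive consent releases the log; expired entries are
        pruned first so stale contacts can never be uploaded."""
        if not consent_given:
            return None
        self.prune(now)
        return [
            {"peer_id": c.peer_id,
             "start": c.first_seen.isoformat(),
             "duration_s": c.duration_s(),
             "min_distance_m": round(c.min_distance_m(), 1)}
            for c in self._contacts
        ]


NOW = datetime(2020, 5, 20, tzinfo=timezone.utc)   # constructed "current time"


def demo():
    """Constructed scenario: one stale contact (30 days old) and one recent contact
    made of two sightings three minutes apart. Returns (log size before pruning,
    export without consent, export with consent)."""
    log = ContactLog()
    log.record("peer-A", NOW - timedelta(days=30), -65)                       # stale
    log.record("peer-B", NOW - timedelta(days=2), -59)                        # ~1 m
    log.record("peer-B", NOW - timedelta(days=2) + timedelta(minutes=3), -79)  # ~10 m
    size_before = len(log)
    refused = log.export_for_upload(False, NOW)
    exported = log.export_for_upload(True, NOW)
    return size_before, refused, exported


if __name__ == "__main__":
    print(demo())
```

The export path prunes before serialising, so the retention rule is enforced at the moment it matters rather than only by a background timer; in a real app the same check would run on every upload and on every app start.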
The Federal Government has said that the data store will remain in place until the conclusion of the pandemic. Who makes that determination, and how, is set out in the new privacy legislation explained below.
5. Who can use the app data?
If an app user tests positive for COVID-19, they will be contacted by their relevant state or territory health authority seeking consent to the transfer of the encrypted contact data on their device to the data store. This is like a double opt-in and a user can refuse to provide consent. The data that is transferred to the data store cannot be accessed by the user, the Federal Government or other people they have come into contact with. Any attempt to decrypt the encrypted contact data is an offence.
Australia’s privacy laws and other legislation could currently allow this data to be used for other purposes and those concerns have been raised by privacy experts. This is why the Federal Government has introduced specific privacy legislation to address these issues and provide assurances to the community.
6. What legislation has been proposed?
On 4 May 2020, the Federal Government released the Privacy Amendment (Public Health Contact Information) Bill 2020 (Cth) (Bill) to amend the Privacy Act 1988 (Cth) (Privacy Act). The Bill passed both houses of Federal Parliament on 14 May 2020. Its object is to enshrine strong privacy protections by bringing the regulation of app data within the Privacy Act. These protections apply to the operation of the app by users, health authorities and authorised contracted entities and regulate their access to and handling of app data.
The new provisions ensure that the collection of information by the data store is for the purpose of contact tracing only. Users will also be able to direct the department to delete any personal information held about them in the data store. This feature provides an important control for individuals over their data and privacy. De-identified app data may be retained for statistical use.
7. What law currently applies to the app and user data?
The law that initially established and governed the app is set out in a determination made by the Federal Minister for Health under the Biosecurity Act 2015 (Cth) on 25 April 2020 (determination). The purpose of the determination is to provide strong interim privacy protections in relation to the data collected from app users. Most of the requirements under the determination mirror the new provisions in the Bill.
8. Is there a time limit on the app and the use of the app data?
A user can uninstall the app at any time and this will also delete all associated data (including encrypted data) from the user’s device, but not from the data store. Users who want their data removed from the data store earlier will need to request deletion. Users will also be prompted to uninstall the app once the Federal Health Minister determines that the pandemic has concluded. The information stored in the data store will not be deleted immediately after the pandemic is over: once the Minister makes this determination, the amendments to the Privacy Act are repealed after 90 days. The new legislative provisions are intended to override the governing legislation of the Australian National Archives, meaning nothing from the app will be held beyond the end of the pandemic.
9. Has the app’s source code been released? Why is this important?
As recommended by the privacy impact assessment (PIA), the Digital Transformation Agency (DTA) released the source code for the app on 8 May 2020. The DTA welcomes feedback about the app’s source code from the public. Allowing people to see how the app has been designed, how it operates and what the inbuilt controls are is aimed at helping build community trust and confidence in the app.
10. What are the concerns about hosting the data collected by the app on AWS?
It is an offence to transfer app data out of Australia. The department’s COVIDSafe IT service provider, the DTA, has contracted the US cloud provider Amazon Web Services (AWS) to host and maintain the data store. Whether the determination and the amendments to the Privacy Act are enough to protect the data in the data store from the application of the US Clarifying Lawful Overseas Use of Data Act (CLOUD Act) is still being debated. The PIA examined these risks and made recommendations to the department to ensure that the arrangements between the Commonwealth and AWS include clearly defined terms around the roles, services, expectations and use of data.
The app is one tool that the Federal Government is using to better equip health authorities in their work to support the community in responding to the impact of diagnosed cases. To achieve this objective some sensitive data needs to be collected.
Trust is critical and downloading the app must be a personal, informed and voluntary choice based on confidence in the privacy and security of our data. Providing a legislative framework to overcome the current gaps or ambiguities is an important step towards building public trust and support for the app that has been designed to help the community.
The introduction of the app has highlighted Australia’s complex regulatory regime to manage data and privacy across the Commonwealth, States and Territories. A unified and updated regulatory framework for privacy would make this easier.
Further insight into the controls built into the data store to prevent non-compliance and data breaches, the length of time data is stored in the data store, how the health authorities will be monitored and regulated and an option for a review of the app and laws should the pandemic period persist are welcomed to provide even greater comfort.
The Federal Government has found the balance between our public health needs and being clear about the privacy implications and how these are managed. You don’t need to be a privacy lawyer to sign up or to understand how your data will be used. The operation and the consent process are simple and clear. The choice to download the app is a personal one.
If you have any questions regarding the content of this article and would like to speak to someone from our team, please contact us.