In recent weeks, the Federal Government has encouraged all Australians to download its COVIDSafe digital contact-tracing app. The relaxation of COVID-19 restrictions may depend on the app’s take-up. The COVIDSafe app uses Bluetooth technology to detect and log when other COVIDSafe users are within 1.5 metres of an app-enabled device for longer than 15 minutes.
What data will you, and won’t you, be disclosing if you download the app?
The app requires a user’s name, mobile number, age range and postcode on registration. A user ID is assigned against these details and is stored with the registration information on a central server.
To protect against the identity of an individual being pinpointed via their device’s Bluetooth signal, the technology allows the server to generate and distribute temporary IDs to users on a rolling basis. It is these IDs, as well as a time stamp and distance data, that are exchanged in a ‘highly encrypted’ form between devices when they interact in close proximity. Importantly, location and geographic data are not captured or exchanged, so while instances of proximity are captured via Bluetooth, where those interactions took place is not. Some Android users have reported the app requesting access to location data; however, presumably this is an error.
Where is your data stored and for how long?
Data exchanged between users is stored locally on their devices unless and until a user tests positive and elects to release it to a health authority for the purpose of contact-tracing, as described below. A user’s registration information, encrypted user ID and any contact data released to a health authority are stored on the central server.
Each encrypted record stored by a device is maintained for a maximum of 21 days from the date of creation. This is roughly the incubation period of COVID-19 and therefore the period that is relevant to public health authorities.
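The data flow described above can be sketched in code. This is an added illustration, not COVIDSafe's own code: the random-token lookup table, the five-minute sampling interval and all class and function names are assumptions, and the sample sightings are constructed. Because every sighting carries a different temporary ID, the handset cannot total time per person; only the server can, and only after a consented release.

```python
import secrets
from datetime import datetime, timedelta

RETENTION = timedelta(days=21)        # article: records kept at most 21 days
MAX_DISTANCE_M = 1.5                  # article: proximity threshold
MIN_DURATION = timedelta(minutes=15)  # article: duration threshold
SAMPLE_GAP = timedelta(minutes=5)     # assumption: one sighting per 5 minutes

class Server:
    """Central server: the only party able to map a temporary ID to a user."""
    def __init__(self):
        self._temp_ids = {}           # temp_id -> user_id (assumed lookup table)

    def issue_temp_id(self, user_id):
        temp_id = secrets.token_hex(16)   # random, so peers cannot link IDs
        self._temp_ids[temp_id] = user_id
        return temp_id

    def close_contacts(self, released):
        """Resolve released sightings and total the in-range time per user."""
        total = {}
        for temp_id, _seen_at, distance_m in released:
            user = self._temp_ids.get(temp_id)
            if user is not None and distance_m <= MAX_DISTANCE_M:
                total[user] = total.get(user, timedelta()) + SAMPLE_GAP
        return {u for u, t in total.items() if t >= MIN_DURATION}

class Device:
    """Handset: stores sightings locally, purges them, releases on consent."""
    def __init__(self):
        self.log = []                 # (temp_id, seen_at, distance_m)

    def record(self, temp_id, seen_at, distance_m):
        self.log.append((temp_id, seen_at, distance_m))

    def purge(self, now):
        self.log = [r for r in self.log if now - r[1] <= RETENTION]

    def release(self, consent, now):
        if not consent:
            return []                 # nothing leaves the device without consent
        self.purge(now)
        return list(self.log)

def demo():
    server, phone, now = Server(), Device(), datetime(2020, 5, 1, 12, 0)
    for i in range(3):  # constructed: three sightings, each under a fresh ID
        phone.record(server.issue_temp_id("user-B"), now + i * SAMPLE_GAP, 1.0)
    phone.record(server.issue_temp_id("user-C"), now - timedelta(days=30), 1.0)
    return server.close_contacts(phone.release(True, now + timedelta(hours=1)))
```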
The central server which stores the registration data collected by the app will be maintained on Amazon cloud servers located in Australia. The data collected is not permitted to be retained on a database outside Australia or disclosed to a person outside Australia.
Users can delete the app themselves, together with any data recorded by it, at any time, and the Biosecurity Determination (the instrument governing the use of the app) states that all data will be deleted after ‘the COVID-19 pandemic has concluded’. It is currently unclear what metric will be used to assess when the pandemic has concluded. Under the privacy policy governing use of the app, a user may request that any data held in the central server be deleted at any time.
What happens with your data?
The data may only be used for contact-tracing by State and Territory health authorities and for a limited number of related purposes such as ensuring the app is functioning as intended, and by law enforcement for the purposes of ensuring compliance with the Biosecurity Determination. The current framework also permits the Federal Government to use de-identified information for statistical purposes, which may carry some inherent de-identification risk.
The Biosecurity Determination defines ‘State or Territory health authority’ as the bodies responsible for administering health services in a State or Territory. Given the complexity of State and Territory health infrastructure, and the relationship between Federal and State and Territory legislation, there are two things that are currently unclear: which State or Territory agencies have access to the data, and what control the Federal Government has over State and Territory use and access. Further clarity in these areas will be helpful. Disclosure to third party contractors engaged by relevant bodies may be permitted to assist them in fulfilling their functions.
As expected, the Biosecurity Determination and app privacy policy go a long way in answering questions raised by privacy experts and peak legal and civil liberties bodies. Other questions, however, remain. It is likely the full legislative framework planned for implementation in May will answer many of these other questions. The results of a Privacy Impact Assessment conducted by the Australian Signals Directorate’s Australian Cyber Security Centre, released yesterday, will no doubt assist in shaping this legislative framework.
Time will tell whether the Federal Government’s efforts in designing, messaging and legislating for COVIDSafe have been successful in convincing these bodies and the public that the risks have been properly managed. However, for those who remain concerned it is worthwhile considering that under public health and biosecurity laws, authorities are already undertaking the same contact-tracing process manually. Also, public health legislation obliges medical practitioners, pathologists and hospitals to confidentially notify public health authorities of a positive COVID-19 case and permits public health officials to contact a patient and their doctor to advise how they may limit the spread of the disease. Law enforcement also remains responsible for prosecuting contraventions of biosecurity laws which include those relating to contact-tracing and those requiring individuals to quarantine.
The result may be that a COVID-19 positive user of the app who decides to ‘opt out’ of notifying the Federal Government of their contact history and deletes their version of COVIDSafe may nevertheless be contacted by their State or Territory health agency, which has been notified of their case status by their treating health practitioner. Law enforcement may also contact the individual in the course of investigating or prosecuting non-compliance with other applicable biosecurity laws.
While discussions regarding the privacy implications and usefulness of COVIDSafe will no doubt continue, the decision of individual Australians to download and make use of the app may be more straightforward. The willingness to participate may depend in large part on whether Australians have asked themselves the questions posed above and satisfied themselves that the Government has considered the same. Making clear that the architects of the app have adequately engaged with these issues will provide comfort to the community that contributing to this well-intentioned initiative will not come at an unintended personal cost.
Authors: Sheila McGregor, Melissa Fai and Mitch Bennett