‘Flattening the curve’ depends on social distancing– in particular, preventing large aggregations of people, such as the thousands of people on Bondi Beach. You can bet that almost every person on the beach had a mobile phone transmitting location data. Could mobile data be used to identify members of the community who came near the passengers from the Ruby Princess who were disembarked without testing?
An article in yesterday’s New York Times surveys how geo-location data is being used around the world to fight Corona virus.
At the more ‘privacy respectful’ end of the scale, Vodafone Italy is providing public health officials with aggregated information about movements of subscribers (i.e. the general population, not infected users) to to determine how many people are obeying a government lockdown order and the typical distances they move every day. About 40 percent are moving around “too much,” an official recently said.
But other uses of personal data go much further. In South Korea, private developers have released apps, such as Corona100, that lets a user know when he or she is within a 100ms of where a confirmed Covid-19 patient has been. This data is sourced from Government data – and is so granular that it has allowed individuals to be identified (BBC reports).
As today’s AFR reports, the debate over use of mobile phone data has started in Australia.
There are powers under existing Australian laws that could cover disclosure of telco-related information in a health emergency:
- If sufficiently anonymised, data about people movements may not qualify as personal information within the meaning of the Privacy Act – but the overseas experience shows how readily geo-location data can be reverse processed to re-identify individuals.
- Section 287 of the Telecommunications Act (Telco Act) provides an exemption from the Telco Act prohibition against disclosure of personal information where the disclosing party (e.g. a carrier or carriage service provider) has reasonable grounds for believing that the disclosure or use is reasonably necessary to prevent or lessen a serious and imminent threat to the life or health of a person. Disclosure in these circumstances is deemed to be permitted by the Privacy Act (section 303B). While this has been used in individual cases, such as domestic violence, is it scalable to a pandemic?
- Section 313(4) of the Telco Act requires carriers and carriage service providers to ‘give officers and authorities of the Commonwealth and of the States and Territories such help as is reasonably necessary for enforcing the criminal law or …safeguarding of national security’. When does a pandemic rise to the level of a threat to national security? Could state and territory police seek assistance to enforce laws requiring self-quarantine?
- This obligation also could require supply of metadata which section 187AA of the Telecommunications (Interception and Assistance) Act (TIAA) specifies to include the date, time and duration of a communication or of its connection to a service and the location of equipment used in connection with a communication. Enforcement agencies which can have access to metadata include state and territory police for criminal law enforcement purposes (section 1110A, TIAA) – e.g. again, potentially to enforce laws limiting social gatherings.
- Service providers also can voluntarily disclose telco data when reasonably necessary for the enforcement of the criminal law (section 177, TIAA).
- The Biosecurity Act, which allows biosecurity control orders to be issued, also has its own powers that could cover disclosure of telco data. For example, section 51 provides that to address a listed human disease entering, or emerging, establishing itself or spreading in, Australia the Health Minister may make a determination specifying biosecurity measures, including ‘requiring a specified person to provide a specified report or keep specified records’. Could that cover mobile location data of an infected person? Section 88 provides that ‘an individual may be required by a human biosecurity control order to wear either or both specified clothing and equipment that is designed to prevent a disease from emerging, establishing itself or spreading’. Could that include the tracking bracelets which new arrivals in Hong Kong are required to wear?
Are the current safeguards around these powers adequate when used on a mass scale? There will be a continuing debate about whether and how special measures needed in these dire times can be left behind once we are through to the other side. The UK Parliament has announced an inquiry into how to balance the most basic of human rights – the right to live – with other individual rights that define us as a society, such as privacy.