Part of a ZDNet Special Feature: Coronavirus: Business and technology in a pandemic

COVIDSafe privacy report calls on state health bodies to comply with Privacy Act

Report drops on the weekend as over 1.13 million Australians install the app.

[Figure: COVIDSafe information flow. Image: Department of Health]

As the Australian government pushed out its COVIDSafe tracing app on Sunday, the Department of Health also released a privacy assessment [PDF] of the app.


The report was prepared by law firm Maddocks and contains 19 recommendations, along with others that were made during the development of the app. Its authors admit the document was prepared within "an extremely compressed timeframe," and say the government has "considered the range of privacy risks associated with the app and has already taken steps to mitigate some of these risks".

Through the use of Bluetooth, the app records "digital handshakes" for each minute that two phones using the app are in contact. When a user tests positive for coronavirus, they are asked to upload the handshakes to a centralised National COVIDSafe Data Store, where they are accessed by contact tracers to notify people who are determined to be at risk.

The handshakes contain: the unique IDs of each user in contact -- said to be an "encrypted version of the user's mobile phone number"; Bluetooth signal strength, used to determine distance; and a timestamp. Handshakes are stored on mobile devices and deleted 21 days after being created.

Responsibility for the implementation and operation of the app lies with the Commonwealth Department of Health, along with the Digital Transformation Agency, but app information is passed only to state agency-based contact tracers.

Once the information gets into the hands of state authorities, the federal health department no longer has control of the information, the report said.

"Ideally, state and territory public health authorities should also be required to comply with the Privacy Act as if they were an APP [Australian Privacy Principles] entity. Such arrangements would assist in providing users with additional privacy protections, including to ensure that all users are afforded the same protections across all jurisdictions," the report said.

"Arrangements with the states and territories should impose appropriate requirements about what information can be extracted, and how that extraction must occur, and include requirements about the security of any systems that will be used to store the extracted data (including storage and subsequent access to any physical and electronic records created as a result)."

Entities such as government bodies and political parties do not need to adhere to the Privacy Act 1988 or Australia's Notifiable Data Breaches regime in utilising the app.

As part of the assessment process, contact tracers need to assess each handshake for risk -- the current criteria are within 1.5 metres for 15 minutes -- but in doing so, they are able to access data of people who might be assessed to not be at risk, the report states, and this fails to adhere to data minimisation principles.

A number of alternatives were also laid out: to have the app only record handshakes that meet the 1.5 metres for 15 minutes requirements; to only upload handshakes that meet the requirements; to have the central store automatically delete handshakes that don't meet the requirements; or to restrict access in the store to only those handshakes that meet the criteria.
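To make the second alternative concrete, here is a sketch of an on-device filter that uploads only handshakes meeting the criteria. It is an added example, not code from the app or the report; the record field names, the RSSI cut-off standing in for 1.5 metres, and the choice to count distinct minutes per observed ID are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed values, not from the report: field names, and an RSSI cut-off standing
# in for "within 1.5 metres" (real distance estimation needs per-device calibration).
RSSI_NEAR_DBM = -65
MIN_MINUTES = 15                  # criterion quoted in the article
RETENTION = timedelta(days=21)    # on-device retention quoted in the article


def handshakes_to_upload(handshakes, now):
    """Keep only close-range handshakes of peers seen nearby for >= 15 distinct minutes."""
    fresh = [h for h in handshakes if now - h["ts"] <= RETENTION]
    near_minutes = defaultdict(set)
    for h in fresh:
        if h["rssi"] >= RSSI_NEAR_DBM:
            minute = h["ts"].replace(second=0, microsecond=0)
            near_minutes[h["peer_id"]].add(minute)
    # Minutes are counted per observed ID. IDs rotate, so a contact that spans a
    # rotation is split across two IDs here; the device is assumed unable to link them.
    at_risk = {p for p, mins in near_minutes.items() if len(mins) >= MIN_MINUTES}
    return [h for h in fresh
            if h["peer_id"] in at_risk and h["rssi"] >= RSSI_NEAR_DBM]


def sample_handshakes(now):
    """Constructed sample data: one handshake per minute per peer."""
    def run(peer, minutes, rssi, start):
        return [{"peer_id": peer, "rssi": rssi, "ts": start + timedelta(minutes=i)}
                for i in range(minutes)]
    recent = now - timedelta(days=1)
    return (run("id-A", 16, -58, recent)                        # near, long enough
            + run("id-B", 20, -85, recent)                      # long, but far away
            + run("id-C", 5, -55, recent)                       # near, too brief
            + run("id-D", 16, -58, now - timedelta(days=22)))   # past retention


if __name__ == "__main__":
    now = datetime(2020, 4, 27, 6, 0)
    log = sample_handshakes(now)
    kept = handshakes_to_upload(log, now)
    print(f"{len(kept)} of {len(log)} handshakes would be uploaded")
```

With the constructed log, 16 of 57 handshakes leave the device, so tracers never see the three contacts that would have been assessed as not at risk.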

The report also states that when a user deletes the app, the user needs to make a separate request to remove any data uploaded to the data store.

Once registered, users will be unable to modify their registration details, with the only recourse being to uninstall and reinstall the app, and re-register with the app.

The Commonwealth Department of Health will also be able to know in aggregate terms how many users have the app open and running, thanks to a new unique ID being pushed out to devices every two hours, and devices phoning home when they accept the new ID. These acknowledgements will be collated into a unique ID report.

"These unique ID reports will not include any information about which users have the app open and running, or where any users are located," the report said.

The report noted that the IDs should be treated as personal information once uploaded to the data store.

Arriving before the passing of any legislation surrounding the app's deployment, the report also warned of function creep and raised the prospect of people being forced to use the app in circumstances such as entering a supermarket or employers forcing it on workers.

At the same time, the report asked whether uploaded information falls under the Archives Act and said Australians should be informed that they could register with a pseudonym.

Speaking on ABC radio on Monday morning, Health Minister Greg Hunt said as of 6am on Monday, over 1.13 million Australians had downloaded the app, and its source code would be released in two weeks.

"The Chief Medical Officer's advice is we need the COVIDSafe app as part of the plan to save lives and save livelihoods," Prime Minister Scott Morrison said in a joint statement with Hunt, Minister for Government Services Stuart Robert, and Chief Medical Officer Professor Brendan Murphy on Sunday.

"The more people who download this important public health app, the safer they and their family will be, the safer their community will be and the sooner we can safely lift restrictions and get back to business and do the things we love."

The Australian Privacy Foundation said the release of the app and the report was disappointing.

"The limited information until today was released by poorly-briefed Ministers with little understanding of the problem and of the proposed solution," board member Dr Monique Mann said.

"Today's incomplete documents raise more questions than they answer. Public trust has been undermined rather than earned. We need an open, independent Privacy Impact Assessment based on wide public and expert consultation."

Shadow Minister for Health Chris Bowen said on Monday that the legislation and privacy concerns around the app should be referred to the Senate Select Committee looking at COVID-19.

"I appreciate the fact that the government has accepted that recommendation and that will be referred ... to enable before the legislation is considered by the Parliament, a hearing for people to express concerns, for experts to give evidence and for those issues to be properly aerated before the Parliament," Bowen said.

"That's a good sign ... that things are working the way that it should, between the government and the opposition on things like this."

The app received "strong support" from the Australian Information Industry Association (AIIA), which had an "exclusive briefing" on Monday from Stuart Robert, CEO of the Digital Transformation Agency Randall Brugeaud, and head of Australian Cyber Security Centre Abi Bradshaw.

"In the absence of a medical vaccine, you could think about contact tracing as a digital vaccine with our contact data being the virtual antibodies," AIIA chair and chief strategy and innovation officer at Deloitte Australia Robert Hillard said.