OAIC has fielded zero complaints and received no reported COVIDSafe breaches

The OAIC's activity involving the contact tracing app amounted to receiving 11 enquiries and starting four assessments.


The Office of the Australian Information Commissioner (OAIC) has released its first six-monthly report on the privacy and security of Australia's COVIDSafe app, which has been far from successful and only identified a small number of unique cases.

The app, which was touted at its introduction as being akin to sunscreen, has since been relegated to double-checking duties.

"There is scarce evidence on the effectiveness of digital or automated contact tracing," a contact tracing review released earlier this month said.

From May 16 to November 15, the OAIC fielded no complaints about the app and handled 11 enquiries. Over half of the enquiries occurred in July, and no enquiries were reported for October or November.

"We provided general information in response to 10 enquiries and provided assistance on how to make a complaint in response to one enquiry," the OAIC said.

The types of enquiries handled were about the legal basis of the app, the number of downloads of the app, whether the app could be a condition of entry to a worksite, whether education organisations could force students to download the app, and whether sporting organisations could force members to use the app.


The OAIC has also started four assessments related to the access controls used on the data store, functionality of the app against privacy policy and collection notices, and whether the data store administrator was complying with requirements related to data handling, retention, and deletion.

The title of data store administrator was passed from the Department of Health to the Digital Transformation Agency (DTA) on May 16.

Attached to the end of the report was an unclassified report from the Inspector-General of Intelligence and Security (IGIS) on how the agencies under its purview -- Australian Security Intelligence Organisation, Australian Security Intelligence Service, Australian Signals Directorate, Office of National Intelligence, Australian Geospatial-Intelligence Organisation, and Defence Intelligence Organisation -- had complied with requirements under the Privacy Act for COVIDSafe data.

"Incidental collection in the course of the lawful collection of other data has occurred (and is permitted by the Privacy Act); however there is no evidence that any agency within IGIS jurisdiction has decrypted, accessed or used any COVID app data," the IGIS report said.

"IGIS advises that it plans inspection activities in coming months to verify data deletion and provide further assurance that no COVID app data has been accessed, used or disclosed."

The IGIS report added that agencies said it would be difficult to identify "encrypted COVID app data amongst other lawfully collected encrypted data". The agencies also said they were developing procedures to use when incidental collection occurs and implementing procedures to delete data "as soon as practicable".

In June, it was revealed the DTA knew COVIDSafe had severe flaws, despite sending it out for public use on 26 April 2020. It followed research that showed locked iPhones were practically useless when it came to logging encounters through COVIDSafe.

"COVIDSafe works as is written on the label, it supports public health efforts … there is no intention to jettison the current app and start again … our intention is to continue to improve the current app," DTA CEO Randall Brugeaud said last month at Estimates when questioned whether the government would switch to the Apple or Google notification framework.
