INSIGHT

COVIDSafe – what we now know

By Gavin Smith, Phil O'Sullivan, Claudia Hall

In brief

On Sunday, the Australian Government launched its voluntary digital contact tracing app 'COVIDSafe', along with the app's Privacy Policy, an independent Privacy Impact Assessment (PIA) and the Department of Health's response to that PIA. The Chief Medical Officer has predicted that the application will have been downloaded more than 2 million times by the end of Monday.

The Minister for Health has also made a determination under the Biosecurity Act 2015 (Cth) (Determination), setting out prescriptive rules about the collection, use and disclosure of COVID app data and prohibiting coercing individuals to download or use the application. The Determination is an interim measure before legislation governing the operation of the app is passed during the May sitting of Parliament.

The operational details of the COVIDSafe app and the accompanying privacy safeguards largely align with the positions covered in our earlier articles (Trace but don't track and Using tech and data in a crisis – contact tracing). However, a relatively small number of key issues remain unresolved and will need to be dealt with in the detailed legislation.

Key takeaways 

  • The Australian Government continues to position COVIDSafe as an extension or enhancement to manual contact tracing processes currently being undertaken by public health authorities, not a digital replacement of them.
  • Registration for COVIDSafe requires a user's name (which may be a pseudonym), mobile phone number (which must be valid, in order to receive the SMS confirmation code), age range and postcode (registration data), but will not collect other location data.
  • COVIDSafe involves a hybrid-centralised model. Devices which have installed COVIDSafe will share unique encrypted temporary IDs with one another (which will be stored on the individual's phone). If an individual is confirmed to have COVID-19, they will be asked if they consent to the disclosure of the app's encrypted data logs to a centralised, secure server operated by the Digital Transformation Agency (DTA) (the National COVIDSafe Data Store). That Data Store will link interaction data with user IDs, identify which interactions satisfy the 'close contact' requirements, and disclose the registration data of 'close contact' users to relevant State or Territory health officials.
  • Users may delete data stored locally on their phone by deleting the COVIDSafe app at any time, but may only delete their information from the National COVIDSafe Data Store by completing a deletion request form and attending a call with the COVIDSafe Administrator. Importantly, this means individuals may still be identified and contacted if they only delete the app.
  • The Determination sets out a very narrow scope of permissions for COVID app data to be collected, used and disclosed. This includes the permitted use of data for 'producing statistical information that is de-identified'.

Overview of process

The application works as follows:

  • Registration: Users are asked to consent to the provision of registration data at the outset, in order to activate the COVIDSafe app. This then enables the app to generate unique encrypted reference codes, which are refreshed every 2 hours and sent to the National COVIDSafe Data Store. Users also consent at the point of registration to be contacted via their mobile number if a person (who the user had been in close proximity with) subsequently tests positive to COVID-19.
  • Operation: When the COVIDSafe app is open, it will run in a constant manner on a user's phone and will share its encrypted reference codes with other users whenever they are within 1.5 metres. This process is known as the "digital handshake", and will occur even if the individuals are only in contact for less than 15 minutes. A log of the date, time, distance and duration of contact with another reference code will be stored locally on a user's phone, for a rolling 21 day period. Singapore's TraceTogether app was also required to run constantly in order to be effective. This led to complaints that it quickly drained the battery of relevant devices. As COVIDSafe (and TraceTogether) do not utilise the Apple or Google COVID tracing API kits, which are intended to allow contact tracing applications to run solely in the background of a user's device without the application being open, this problem is not easily solved.
  • Upload to Data Store: Where an individual is confirmed to have COVID-19, they will be asked to provide a second consent to upload the information collected by their COVIDSafe app to the National COVIDSafe Data Store. The Data Store will filter all interaction data, and only provide the relevant State or Territory health authority with registration data about other users who spent more than 15 minutes within 1.5 metres of the confirmed case. As flagged in our previous article, this process does not require any additional consent to be obtained from a close contact of a confirmed case before their registration information is uploaded to the Data Store or shared with the State or Territory health authority. That consent has already been obtained at the point of registration.
  • Contact tracing: As is currently the case with manual contact tracing, State and Territory health authorities will use the data to support their contact tracing efforts and contact individuals who may have been exposed to provide advice on next steps. The age range and postcode data of users will be used in order to triage contact tracing efforts, ensuring individuals at higher risk are contacted first. Close contacts may be advised to take measures as are required in their State or Territory (such as self-isolating). Failure by a user to comply with such measures may constitute a breach of relevant State or Territory law.
  • Deletion:
    • Data about contact with other users will be deleted from a user's phone if they:
      • delete the COVIDSafe app; or
      • upload data to Data Store after a positive COVID-19 diagnosis.
    • Where a user deletes the COVIDSafe app, their information will not be automatically deleted from the Data Store. To effect such deletion the individual must complete a data deletion form (which requires the individual be called by the COVIDSafe Administrator). Further, individuals may only change their registration information by deleting and reinstalling the COVIDSafe app (including following the steps above to delete the incorrect information from the Data Store).
    • At the 'end of the COVID-19 pandemic' all users will be prompted to delete the COVIDSafe app, and the Government must cause all COVID app data in the Data Store to be deleted. This obligation will override any retention obligations required by other laws, such as the Archives Act.
    • However, at present, it is not clear what will constitute the 'end' of the pandemic, nor what requirements there will be to delete or destroy information which is held outside of the Data Store, eg by State and Territory health authorities.
    • Further, it is not clear whether, once an individual is confirmed to have COVID-19 (and all their close contacts have been contacted), their information will then be deleted from the Data Store, on the basis that there may be no further contact tracing benefit in retaining data of an individual who may have immunity to COVID-19 (although whether such immunity will arise is still the subject of debate amongst public health experts).
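The process above describes a data flow: phones only ever see rotating temporary IDs; the Data Store alone can map an ID back to a registration record, prunes nothing itself but receives a log that the phone has kept for a rolling 21 days, and releases registration data only for contacts that exceed the 15 minute / 1.5 metre threshold. The following Python model, added here as an illustration and not code from COVIDSafe, the DTA or the authors, walks through that filtering on constructed sample data. It assumes (as the article does not specify) that minutes of contact are summed across a user's successive temporary IDs, that a temporary ID resolves only for sightings inside its two-hour validity window, and that triage orders contacts by age range; all names, numbers and IDs are made up.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Thresholds and periods stated in the article.
CLOSE_CONTACT_DISTANCE_M = 1.5
CLOSE_CONTACT_MINUTES = 15
LOCAL_LOG_RETENTION_DAYS = 21
TEMP_ID_LIFETIME = timedelta(hours=2)  # temporary IDs are refreshed every 2 hours


@dataclass(frozen=True)
class Registration:
    """Registration data held by the Data Store (name may be a pseudonym)."""
    user_id: str
    name: str
    phone: str
    age_range: str
    postcode: str


@dataclass(frozen=True)
class Encounter:
    """One 'digital handshake' entry kept locally on a phone."""
    seen_at: datetime
    temp_id: str      # the other phone's temporary ID, never its owner
    distance_m: float
    duration_min: int


# Constructed registration records (hypothetical users, not real data).
REGISTRATIONS = {
    "u1": Registration("u1", "Alex (pseudonym)", "+61400000001", "30-39", "2000"),
    "u2": Registration("u2", "Sam", "+61400000002", "70-79", "3000"),
    "u3": Registration("u3", "Jo", "+61400000003", "20-29", "4000"),
}

# Data Store side: which temporary ID was issued to whom, and when.
# Only this table links an ID back to a person; phones hold no copy of it.
TEMP_ID_ISSUANCE = {
    "t-a1": ("u1", datetime(2020, 4, 20, 8, 0)),
    "t-a2": ("u1", datetime(2020, 4, 20, 10, 0)),
    "t-b1": ("u2", datetime(2020, 4, 20, 8, 0)),
    "t-c0": ("u3", datetime(2020, 3, 25, 8, 0)),
    "t-c1": ("u3", datetime(2020, 4, 20, 8, 0)),
}

# Constructed log from the confirmed case's phone, as uploaded with consent.
SAMPLE_LOG = [
    Encounter(datetime(2020, 3, 25, 8, 30), "t-c0", 0.5, 30),  # older than 21 days
    Encounter(datetime(2020, 4, 20, 8, 30), "t-a1", 1.0, 10),  # u1, first ID
    Encounter(datetime(2020, 4, 20, 9, 0), "t-b1", 1.0, 20),   # u2
    Encounter(datetime(2020, 4, 20, 9, 0), "t-c1", 3.0, 60),   # u3, too far away
    Encounter(datetime(2020, 4, 20, 10, 30), "t-a2", 1.2, 10), # u1, rotated ID
    Encounter(datetime(2020, 4, 20, 11, 0), "t-b1", 0.5, 30),  # t-b1 expired by 10:00
]
NOW = datetime(2020, 4, 27, 12, 0)  # constructed upload time


def prune_local_log(log, now):
    """Phone side: keep only entries inside the rolling 21-day window."""
    cutoff = now - timedelta(days=LOCAL_LOG_RETENTION_DAYS)
    return [e for e in log if e.seen_at >= cutoff]


def resolve_temp_id(temp_id, seen_at):
    """Data Store side: map an ID to a user only within its validity window (assumption)."""
    rec = TEMP_ID_ISSUANCE.get(temp_id)
    if rec is None:
        return None
    user_id, issued_at = rec
    if issued_at <= seen_at < issued_at + TEMP_ID_LIFETIME:
        return user_id
    return None


def close_contacts(log):
    """Return registration data for users with > 15 min within 1.5 m, triaged by age range."""
    minutes = {}
    for e in log:
        if e.distance_m > CLOSE_CONTACT_DISTANCE_M:
            continue
        uid = resolve_temp_id(e.temp_id, e.seen_at)
        if uid is None:
            continue  # unknown or stale ID: nothing is released
        minutes[uid] = minutes.get(uid, 0) + e.duration_min  # summed (assumption)
    contacts = [REGISTRATIONS[u] for u, m in minutes.items() if m > CLOSE_CONTACT_MINUTES]
    # Triage: older age ranges first (assumed ordering of the article's triage step).
    return sorted(contacts, key=lambda r: r.age_range, reverse=True)


if __name__ == "__main__":
    for r in close_contacts(prune_local_log(SAMPLE_LOG, NOW)):
        print(r.user_id, r.age_range, r.postcode, r.phone)
```

Run as is, the pruning step drops the March entry, so only u2 and u1 are released to the health authority; u3's only recent sighting was outside 1.5 metres, and the 11:00 sighting of t-b1 is ignored because that ID had already expired. Without pruning, u3 would also be released, which is why the 21-day window on the phone matters for data minimisation.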

Access and use of COVID app data

The materials released over the weekend clarify the limited scope for collection, use and disclosure of COVID app data (being data relating to a person that has been collected or generated through COVIDSafe, and which is or has been stored on a mobile telecommunications device). We note that as this definition does not capture:

  • de-identified information collected in connection with COVIDSafe;
  • any new information generated by a Federal or State agency, which was not originally stored on a telecommunications device; and
  • any information that a State or Territory health authority has access to separately (ie through their manual contact tracing efforts),

the handling of any such data will remain subject to existing applicable law, including, to the extent it constitutes personal information, the Privacy Act or State and Territory privacy and health information laws.

Critical privacy assurances set out in the Determination

The Determination (which is expressed to override the Privacy Act, to the extent of any inconsistency) expressly provides that COVID app data may only be handled as follows:

  • By the Department of Health (as the operator of COVIDSafe) and the DTA (as the COVIDSafe IT Service Provider) and each of their contractors:
    • for the purpose of enabling contact tracing by State and Territory health authorities and ensuring the proper and lawful functioning, integrity or security of COVIDSafe or the National COVIDSafe Data Store, including to delete users' registration information at their request;
    • by using such data for the purpose of, and to the extent required for the purpose of, producing statistical information that is de-identified. The Determination does not expressly prescribe what form of de-identification will be undertaken, what sort of de-identified data may be used, or what sort of statistical information will be derived from it. This should be addressed in further detail in the new COVIDSafe legislation, including by making the de-identification process subject to an independent technical data assurance process.
  • By State and Territory health authorities (or persons in the service of such authorities) – solely for the purpose of (and to the extent required for) contact tracing.

The COVIDSafe FAQs released by the Department of Health state that, in handling users' COVID app data (including all registration data), health officials will be required to comply with the Australian Privacy Principles under the Privacy Act and all applicable data protection and information security obligations. This will require additional compliance measures be introduced because such health officials are usually only bound by the relevant State or Territory privacy legislation (and not the Federal Privacy Act). This obligation does not appear to currently be enshrined in law or the Determination and raises constitutional issues.

The PIA raises a similar issue, recommending that administrative arrangements be introduced which require that:

  • State and Territory health authorities only access, use and disclose personal information for specified purposes (ie contact tracing);
  • State and Territory health authorities ensure appropriate security arrangements are in place for personal information which has been received from the Data Store; and
  • individual contact tracers be required to agree to terms of use for their handling of such personal information.

In the Department of Health's response to the PIA, it stated that public health officials will be required to acknowledge terms of use, and the form of such acknowledgement is being developed. It is not yet clear whether the arrangements with State and Territory health authorities, or the terms of use for individual contact tracers will be released publicly.

Further, while the Department of Health is bound by the Privacy Act, and therefore must notify any eligible data breaches under Part IIIC of the Privacy Act (including where personal information is stored with AWS), the Department of Health's response to the PIA suggests the mandatory data breach notification obligations will not be imposed on State and Territory health authorities. Instead, the Department has stated that it is ensuring appropriate arrangements are in place to minimise the risk of data breaches and ensure an efficient investigation process.

The Determination also permits COVID app data to be handled by persons (presumably, Federal, State and Territory law enforcement) for the purpose of investigating and prosecuting potential misuse of COVID app data under the Biosecurity Determination and Biosecurity Act.

Prohibition on requiring persons to download or use COVIDSafe and other offences

The Determination provides a range of restrictions in relation to the COVIDSafe app which, if contravened, will constitute an offence, and may result in criminal penalties of up to five years' imprisonment. These include:

  • attempting to decrypt interaction data generated by COVIDSafe;
  • uploading COVID app data from a device to the Data Store without the consent of the person in possession or control of the device;
  • retaining or disclosing COVID app data outside of Australia, provided that disclosures may be made by a person employed by, or in the service of, a State or Territory health authority, for the purpose of undertaking contact tracing. This would permit disclosure of COVID app data to third party service providers, including AWS, to the extent it would assist with contact tracing efforts;
  • requiring that another person download COVIDSafe, have COVIDSafe in operation, or consent to uploading COVID app data to the Data Store; or
  • refusing:
    • to enter into or continue a contract or arrangement with another person (including an employment contract) or taking adverse action against a person for the purposes of the Fair Work Act;
    • entry into a premises or participation in an activity; or
    • to receive or provide goods or services,

if an individual has not downloaded COVIDSafe, does not have COVIDSafe in operation, or has not consented to uploading their COVIDSafe app data.

This amounts to a clear statement from the Government that employers and other service providers must not mandate the download or use of the COVIDSafe application, or take adverse action against employees who do not download or operate the app. We'll have more to say on this in our next article.

Deletion of data after the pandemic

Under the Determination, the Government has an obligation to cause COVID app data in the Data Store to be deleted after the COVID-19 pandemic has ended.

However, importantly, the Determination does not clarify:

  • what will constitute the 'end' of the COVID-19 pandemic;
  • whether, and to what extent, information may be de-identified prior to deletion; and
  • obligations to delete information which sit outside of the Data Store (eg any information which has been downloaded by, and is now held by, State and Territory health authorities).

These areas should be addressed in the detailed COVIDSafe legislation.

Interaction with other legislation

Concerns have also been raised in some quarters about the interaction between the new COVIDSafe legislation and certain other Australian and international legislation. These include:

  • the US CLOUD (Clarifying Lawful Overseas Use of Data) Act: this applies to Amazon Web Services (AWS) as a subsidiary of a US incorporated entity, and allows the US Government to compel information from US-based cloud and technology companies under warrant. Our understanding is that the Department of Health will hold the encryption keys for information stored in the Data Store, meaning AWS will not, as a matter of practice, be able to access decrypted COVID app data (whether pursuant to a warrant or otherwise).
  • the Telecommunications Legislation Amendment (International Production Orders) Bill 2020. This has not yet been passed into law but, if passed, would allow foreign law enforcement and national security agencies to access data directly from certain designated communications providers (subject to international agreements being in place). The strict use and disclosure restrictions contained in the Determination, which we expect will be mirrored in the detailed legislation, will mean that COVID app data will not be accessible in response to international production orders, just as it will not be accessible under domestic warrants or court orders.
  • changes to legislation by a future government which could remove or relax the current restrictions on the use and handling of COVID app data. This risk exists with any piece of legislation, and cannot be addressed with any level of certainty at this time. However, a clear and audited process for deletion of information obtained or generated in connection with COVIDSafe at the end of the COVID-19 pandemic means there is a practical limitation to this risk. It is also likely that any such change in strategy would be subject to heavy political scrutiny and criticism.