INSIGHT

Using tech and data in a crisis – contact tracing

By Gavin Smith, Phil O'Sullivan, Claudia Hall
COVID-19 Cybersecurity & Privacy Data Media, Advertising & Marketing Technology Telecommunications

In brief 8 min read

Data analysis, and the technology that facilitates it, is currently playing a critical role in the global and national efforts to combat the COVID-19 pandemic. Alongside the front-line health response, it has become a core part of the daily calculations made by governments and health organisations. It is also becoming a key tool in some countries in tracking and monitoring the efficacy of self-isolation, social distancing and lockdown rules.

In Australia, consideration is currently being given to the introduction of digital contact tracing in order to monitor, control and reduce the spread of COVID-19. Contact tracing relies on anonymised data, information provided by individuals and/or other information accessed through devices.

Contact tracing raises a number of complex legal and ethical issues. We have compared approaches being taken internationally, as well as outlined the key issues which will need to be considered in Australia as part of any implementation of digital contact tracing.

We plan to release further, more detailed insights in the coming weeks on the rights for governments to gain access to different of categories data during the current health crisis, the legal basis for use of data for contact tracing and potentially for enforcement of lockdown rules. We will also address the difficult issue of post-pandemic use of data collected during the current period.

Key takeaways

  • Digital contact tracing has been introduced by a number of countries around the world in various forms. This spans the use of simple alerts to all individuals in a region, to real-time location tracking of individuals who are subject to quarantine orders.
  • Australian State and Territory health authorities are currently undertaking manual contact tracing processes, including contacting individuals who may have come into contact with confirmed cases of COVID-19. The Federal Digital Transformation Agency has clarified that it is assessing the role of technology in dealing with this pandemic.
  • It is not yet clear precisely what approach the Australian Government will take to digital contact tracing. Complex legal and ethical issues will need to be considered, and community expectations also need to be addressed. A balancing of public health, economic and privacy aspects is required. The Prime Minister has been clear that any implementation in Australia will be framed on the basis of 'what our rules are and what our society understands and accepts'.1 This means it remains unclear whether the Government would seek to undertake any digital contact tracing within the current parameters of privacy and surveillance laws, or whether it would seek to rely on emergency declarations and/or warrants to get access to data.
  • If the Government does not decide to implement a uniform national digital contact tracing approach, it is possible that one or more private companies could seek to fill this gap on a voluntary basis, although this raises the possibility of fragmenting the response and creating interoperability issues between different contact tracing applications.

International approaches

In considering the approach which the Australian Government may take, it is useful to compare approaches which have already been taken in other countries:

  • Singapore's TraceTogether application is a voluntary opt-in app which, using Bluetooth, allows users to log their proximity to other users (and the duration of such proximity). If a user tests positive for COVID-19, the Singaporean Government receives an encrypted list of the users they have had contact with, who can then be contacted. It has been reported that the Australian Government undertook a fast-track review of TraceTogether.
  • In the UK, it has been reported that the Government has been using aggregated, anonymised phone data to create heat maps of where individuals are congregating and that it, through NHSX, is in the process of developing a Bluetooth based app which would permit individuals who are confirmed to have COVID-19 to input a code in the app alerting other users they have come into contact with. NHSX has indicated it will appoint an ethics board to oversee this project, and that the app will not involve the disclosure of collected information to the UK Government.
  • In Taiwan, it has been reported that the Government uses real-time tracking of individuals who are subject to quarantine orders, including sending alerts if they move away from their residence.

Government oversight

A key component in managing the response to COVID-19 and any digital contact tracing efforts will be the level of government oversight.

  • It has been reported that Parliament is likely to authorise a Senate select committee to exercise oversight and hold ministers and officials to account in respect of their actions in connection with the pandemic. This approach would be similar to the oversight committees established in New Zealand and the United Kingdom.
  • The OAIC has also convened a 'National COVID-19 Privacy Team' consisting of the Australian Privacy Commissioner as well as State and Territory Information Commissioners or Ombudsmen, to assess the necessity and proportionality of, and to respond to, any proposal with national implications in respect of personal information.

Privacy considerations

One of the key considerations in undertaking contact tracing (and in particular, digital contact tracing) is to assess the kinds of data which will be collected, and the ways in which such data will be used. A balanced approach is required.

The use of appropriately anonymised or de-identified data allows privacy considerations to be navigated.  However, the risk of re-identification of data must be appropriately and proactively managed.

However, from a public health perspective, the more detailed and granular the information, the more likely it is that contact tracing (and any corresponding enforcement action) will be effective. This would enable individuals who may have come into contact with an infected person to be identified and located in a timely and consistent manner. Internationally, it is becoming clear that an optimal public health outcome may be to track positive cases using privacy-by-design peer-to-peer software on people's mobile devices. This requires sufficient uptake and use of the relevant application.

There are a number of restrictions governing the manner in which detailed location, timing and exposure information (which is likely to constitute personal information and, where an individual is confirmed or suspected to have COVID-19, sensitive information) can be collected from individuals, and then used and disclosed by the Government or other entities as part of digital contact tracing efforts.

On the other hand, while there are fewer restrictions on the Government's use of anonymised or de-identified information, given the speed of response required, it is a complex task to:

  • ensure that information is in fact properly de-identified such that the risk of re-identifying individuals is appropriately managed; and
  • ensure that individuals who have come into contact with confirmed COVID-19 cases can be identified quickly, with the necessary level of precision.

If the Government issues an emergency declaration under the Privacy Act, entities will be permitted to collect, use and disclose personal information for a purpose directly related to the Government's response to the emergency, and if the entity reasonably believes the individual may be involved in the emergency. Further, under the Telecommunications (Interception and Access) Act 1979 (Cth) the Australian Security Intelligence Organisation (ASIO) and certain State and Federal law enforcement agencies may authorise the disclosure of telecommunications data by a carrier or carriage service provider for limited purposes including the performance of ASIO's functions or where reasonably necessary for the enforcement of criminal law.

Surveillance considerations

Where digital contact tracing relies on mobile phone or other device information, decision makers will also need to consider requirements under various Australian State and Territory surveillance legislation. In particular, where digital contact tracing involves the tracking of specific phones or devices (ie through their MAC ID, or a Bluetooth address), this is likely to engage applicable surveillance legislation, and may require the consent of the individual who possesses or controls that device (even if the device is not attributed to a particular person, and no personal information is collected or used).

Security and destruction of data

Information security management is key. Digital contact tracing involves the collection, use and storage of a substantial amount of information. It follows that any concentrated repository of information developed through the implementation of contact tracing could be a new target for cyber attacks.

To the extent that the Government releases any information to the public (or portions of the public), it will need to consider how it can protect such information against unauthorised access, modification and disclosure, misuse loss and interference.

Interoperability and linking of data sets

As the response to the pandemic develops, it will become increasingly important that any use of contact tracing ensures appropriate interoperability across systems and exchanges, and it is likely that this will involve the linking of a number of data sets. For example, as a hypothetical, if an approach is taken to allow those who have developed anti-bodies back into the community at a point in time, it will be important to determine who those individuals are to ensure that resources are most efficiently devoted to isolating individuals who have not yet developed anti-bodies. Any such data linkage must be navigated with core public health, legal and ethical issues at front of mind. 

Post-pandemic issues

Once the immediate health threat of the COVID-19 pandemic has passed, decision makers will need to consider whether they:

  • are entitled to retain the information collected for digital contact tracing (eg to assist with future modelling and public health research);
  • should retain such information on an anonymised or de-identified basis, which may be difficult where the underlying information is detailed and specific (ie location and proximity data); or
  • should delete such information, as the general public is unlikely to expect ongoing retention of personal and sensitive information once the immediate, serious health threat has passed.

A key element of digital contact tracing in a peer-to-peer context will be the period in which data remains available for extraction from individual devices. We'll have more to say on these topics in the coming weeks.