30 April 2020
The COVID-19 pandemic has led to concerted efforts around the world to contain and monitor the spread of the virus. As a result, numerous countries have introduced mobile contact tracing applications to monitor interactions between users and help identify persons at risk of having contracted COVID-19.
At 6.00pm (AEST) on 26 April 2020, the Australian Government launched its contact tracing application, COVIDSafe. Based on Singapore’s TraceTogether, COVIDSafe has been designed to complement the stages in which Australia’s State and Territory isolation measures will be lifted, with a view to helping minimise the risk of infection as such measures are relaxed and face-to-face contact increases.
Essentially a method of warning persons who have been exposed to other persons who have contracted an illness, contact tracing is particularly useful where patients are unable to recall who they have recently been in contact with.
Below, we outline the functions of the COVIDSafe application and discuss the key privacy and data security considerations involved with its use.
COVIDSafe is modelled on Singapore’s TraceTogether and its underlying open-source code base, and was developed by the Australian Government’s Digital Transformation Agency and vetted by the Australian Signals Directorate.
The parameters of the application’s operation are set out under the Biosecurity (Human Biosecurity Emergency) (Human Coronavirus with Pandemic Potential) (Emergency Requirements—Public Health Contact Information) Determination 2020 (Biosecurity Determination) under the Biosecurity Act 2015. The Biosecurity Determination is a legislative instrument under the Biosecurity Act 2015 and has the force of law.
The initiative to develop this application was based upon the resources established under the BlueTrace protocol, upon which TraceTogether is built. Use of the application is voluntary, and it is illegal to discriminate in any way on the grounds that an individual has not downloaded the app.
At its core, the application allows users to be notified when they have come into close proximity (1.5 metres), for a period of 15 minutes or more, with another person who has been diagnosed with COVID-19. The application also provides information to designated health authorities through an encrypted database or backend server.
The contact tracing application operates via Bluetooth signals, which are short-range peer-to-peer communications that emit signals within a range of approximately ten metres. Once installed, the application runs in the background of a user’s phone and constantly emits and receives Bluetooth signals, noting interactions or ‘digital handshakes’ between users who have downloaded the application.
The application uses two identifiers. When accessing the application for the first time, users are prompted to input their mobile number, which is paired with a random anonymised and temporary user ID generated by the application.
The data gathered relating to the user’s interactions is stored and processed locally on the user’s device for 21 days, in an encrypted form. Application data that resides on a user’s phone cannot be decrypted there (it may only be decrypted once on the backend server). After this period, information is automatically deleted. The data relating to users’ interactions is not automatically centralised. As a result, Government authorities do not have any means by which they can obtain a holistic overview of all connections and data points collected through the application.
When the user’s device comes into close proximity (approximately 1.5 metres) with another user that has tested positive to COVID-19, the encrypted reference code is logged. Following this, the original user may be contacted on the mobile number registered with COVIDSafe by relevant health authorities. The notification will not include any personal information about the user who has tested positive – only the temporary ID will be provided along with various health information.
Users who have tested positive to COVID-19 may voluntarily submit their diagnosis and contact tracing data to a central server, in order to facilitate the contact tracing process above. This server is located in a secure facility within Australia and operates using Amazon Web Services (AWS). App data cannot be disclosed to persons outside Australia. The Federal Government has verified the security standards utilised by AWS as appropriate for the storage of this type of information.
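A minimal model of the flow described above, added here as an illustration and not taken from COVIDSafe or BlueTrace code: a device log is purged at 21 days, voluntarily uploaded, and only the backend can resolve rotating temporary IDs to mobile numbers and apply the 1.5 metre / 15 minute test. The class and function names, the constructed phone numbers, the pre-computed distance field and the summing of separate sightings of one person are assumptions of this sketch.

```python
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta

RETENTION = timedelta(days=21)       # on-device retention period from the article
MIN_CONTACT = timedelta(minutes=15)  # exposure duration from the article
CLOSE_M = 1.5                        # proximity threshold from the article

@dataclass
class Encounter:
    temp_id: str         # temporary ID heard over Bluetooth
    seen_at: datetime
    duration: timedelta
    distance_m: float    # assumption: already estimated from signal strength

class Backend:
    """Only the backend can map a temporary ID back to a mobile number."""
    def __init__(self):
        self._mobile_by_temp_id = {}

    def issue_temp_id(self, mobile):
        temp_id = secrets.token_hex(16)  # random, so rotated IDs are unlinkable
        self._mobile_by_temp_id[temp_id] = mobile
        return temp_id

    def close_contacts(self, uploaded_log):
        """Mobiles with >= 15 min total within 1.5 m (summing is an assumption)."""
        total = {}
        for e in uploaded_log:
            mobile = self._mobile_by_temp_id.get(e.temp_id)
            if mobile is not None and e.distance_m <= CLOSE_M:
                total[mobile] = total.get(mobile, timedelta()) + e.duration
        return sorted(m for m, t in total.items() if t >= MIN_CONTACT)

def purge(log, now):
    """Device-side retention: drop encounters older than 21 days."""
    return [e for e in log if now - e.seen_at <= RETENTION]

def demo():
    """Constructed scenario: one positive user's log is purged, then uploaded."""
    backend, now = Backend(), datetime(2020, 4, 30, 12, 0)
    mins, days = (lambda n: timedelta(minutes=n)), (lambda n: timedelta(days=n))
    bob_a = backend.issue_temp_id("+61400000001")   # Bob before ID rotation
    bob_b = backend.issue_temp_id("+61400000001")   # Bob after ID rotation
    carol = backend.issue_temp_id("+61400000002")
    dave = backend.issue_temp_id("+61400000003")
    log = [Encounter(bob_a, now - days(2), mins(10), 1.0),
           Encounter(bob_b, now - days(2), mins(8), 1.2),
           Encounter(carol, now - days(1), mins(20), 5.0),   # too far away
           Encounter(dave, now - days(25), mins(30), 1.0)]   # past retention
    kept = purge(log, now)
    return len(kept), bob_a != bob_b, backend.close_contacts(kept)
```

In the constructed scenario, the two sightings of Bob carry different temporary IDs on the device, yet the backend attributes both to one registration, which is why access to that mapping is the control point the article's access restrictions focus on.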
The data collected may include recordings of the timestamp of any at-risk interactions, the period of time over which the user was exposed and the place where the interaction occurred.
The logs of users’ personal information can only be accessed and decrypted by ‘health detectives’ or designated health authorities for the purposes of:
It can be used ‘for no other purpose’. The information collected through the application cannot be used to enforce other laws (e.g., isolation measures). It is illegal to decrypt users’ information for any other purpose and without user consent. The Australian Government has stated that the data gathered from COVIDSafe can only be accessed by the states’ and territories' ‘health detectives’ currently performing tracing efforts. Singapore employs a central public health agency to receive and process the TraceTogether data.
1. Geolocation data. The COVIDSafe application is limited to gathering information relating to the user’s proximity to other users and, upon download, does not collect geolocation data. As a result, the user’s actual location is unknown.
2. Opt-in consents. COVIDSafe is enabled by users’ opt-in consent in respect of the following:
3. Limited records on data store. The backend server of COVIDSafe only records the user’s mobile number and temporary user ID. This number is refreshed at regular intervals, making it difficult for unauthorised third-parties to re-identify and track the user. The backend server does not collect data relating to a user’s:
4. Limited access. The health authorities have exclusive access to the data store. No other government agency or private entity is granted access to the data store, including the Commonwealth, and the data is only decrypted when a user needs to be contacted by a health authority.
5. Time limitations. Use of the application has been designed in a way that is time-bound and will continue only where strictly necessary – any information collected by the application is required to be deleted after the pandemic has ended.
A privacy policy has been developed specifically for COVIDSafe, which can be accessed via the app. The Government has made it clear that no person should feel pressured to install or continue to use COVIDSafe, or to agree to upload contact data to the data store. This is prohibited under the Biosecurity Determination.
Any person who feels pressured to do any of these things can make a complaint to the Office of the Australian Information Commissioner (OAIC) or the Australian Human Rights Commission.
A Privacy Impact Assessment (PIA) has been conducted by the Department of Health. The PIA notes the privacy-by-design approach adopted by app developers and calls for further clarity about data governance arrangements between entities implementing and operating the application.
The key features of COVIDSafe show a willingness on the Government’s part to implement privacy and data security safeguards. In the rollout of the application, the Government will look to ensure the veracity of its security measures by liaising with bodies such as the Australian Signals Directorate and the Australian Cyber Security Centre.
The OAIC has independent oversight over the use, collection and disclosure of users’ personal information by the app and the National COVIDSafe data store. The Government is also expected to consider implementing a number of additional data security recommendations, including: