The COVID-19 pandemic has led to concerted efforts around the world to contain and monitor the spread of the virus. As a result, numerous countries have introduced mobile contact tracing applications to monitor interactions between users and help identify persons at risk of having contracted COVID-19.
At 6.00pm (AEST) on 26 April 2020, the Australian Government launched its contact tracing application, COVIDSafe. Based on Singapore’s TraceTogether, COVIDSafe has been designed to complement the stages in which Australia’s State and Territory isolation measures will be lifted, with a view to it assisting with minimising the risk of infection as such measures are relaxed and face-to-face contact increases.
Essentially a method of warning persons who have been exposed to other persons who have contracted an illness, contact tracing is particularly useful where patients are unable to recall who they have recently been in contact with.
Below, we outline the functions of the COVIDSafe application and discuss the key privacy and data security considerations involved with its use.
How does COVIDSafe work?
COVIDSafe is modelled off Singapore’s TraceTogether and its underlying open-source code base, and was developed by the Australian Government’s Digital Transformation Agency and vetted by the Australian Signals Directorate.
The parameters of the application’s operation are set out under Biosecurity (Human Biosecurity Emergency) (Human Coronavirus with Pandemic Potential) (Emergency Requirements—Public Health Contact Information) Determination 2020 (Biosecurity Determination) under the Biosecurity Act 2015. The Biosecurity Determination is a legislative instrument under the Biosecurity Act 2015 and has the force of law.
The initiative to develop this application was based upon the resources established under the BlueTrace protocol, upon which TraceTogether is built. Use of the application is voluntary, and it is illegal to discriminate in any way on the grounds that an individual has not downloaded the app.
At its core, the application provides the capacity to provide a notice to users when they have come into close proximity (1.5 metres), for a period of 15 minutes or more, with another person who has been diagnosed with COVID-19. The application also provides information to designated health authorities through an encrypted database or backend server.
The contact tracing application operates via Bluetooth signals, which are short-range peer-to-peer communications that emit signals within a range of approximately ten metres. Once installed, the application runs in the background of a user’s phone and constantly emits and receives Bluetooth signals, noting interactions or ‘digital handshakes’ between users who have downloaded the application.
The application uses two identifiers. When accessing the application for the first time, users are prompted to input their mobile number, which is paired with a random anonymised and temporary user ID generated by the application.
The data gathered relating to the user’s interactions is stored and processed locally on the user’s device for 21 days, in an encrypted form. Application data that resides on a user’s phone cannot be decrypted (it may only be decrypted once on the backend server). After this period, information is automatically deleted. The data relating to users’ interactions is not automatically centralised. As a result, Government authorities do not have any means by which they can obtain a holistic overview of all connections and data points collected through the application.
When the user’s device comes into close proximity (approximately 1.5 metres) with another user that has tested positive to COVID-19, the encrypted reference code is logged. Following this, the original user may be contacted on the mobile number registered with COVIDSafe by relevant health authorities. The notification will not include any personal information about the user who has tested positive – only the temporary ID will be provided along with various health information.
Users who have tested positive to COVID-19 may voluntarily submit their diagnosis and contact tracing data to a central server, in order to facilitate the contact tracing process above. This server is located in a secure facility within Australia and operates using Amazon Web Services (AWS). App data cannot be disclosed to persons outside Australia. The Federal Government has verified the security standards utilised by AWS as appropriate for the storage of this type of information.
The data collected may include recordings of the timestamp of any at-risk interactions, the period of time over which the user was exposed and the place where the interaction occurred.
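A simplified model of the on-device handshake log and the close-contact rule described above, added here as an illustration and not taken from the COVIDSafe or BlueTrace code. The distance estimate, the 5-minute chaining gap and the sample log are assumptions; the server-side step that resolves temporary IDs to registered mobile numbers is not modelled.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

RETENTION = timedelta(days=21)         # on-device retention period (from the page)
PROXIMITY_M = 1.5                      # close-proximity threshold in metres (from the page)
EXPOSURE_MIN = timedelta(minutes=15)   # minimum cumulative exposure (from the page)
CHAIN_GAP = timedelta(minutes=5)       # assumption: handshakes this close together form one encounter

@dataclass(frozen=True)
class Handshake:
    temp_id: str         # the other device's rotating temporary ID; no phone number is ever logged
    seen_at: datetime
    distance_m: float    # assumption: an estimate derived from Bluetooth signal strength

def purge_expired(log, now):
    """Drop handshakes outside the 21-day retention window, as the device does automatically."""
    return [h for h in log if now - h.seen_at < RETENTION]

def exposure_by_temp_id(log):
    """Sum close-proximity time per temporary ID, chaining handshakes at most CHAIN_GAP apart."""
    close_times = {}
    for h in sorted(log, key=lambda h: h.seen_at):
        if h.distance_m <= PROXIMITY_M:           # handshakes beyond 1.5 m carry no exposure
            close_times.setdefault(h.temp_id, []).append(h.seen_at)
    totals = {}
    for tid, times in close_times.items():
        total = timedelta()
        for prev, cur in zip(times, times[1:]):
            if cur - prev <= CHAIN_GAP:
                total += cur - prev
        totals[tid] = total
    return totals

def at_risk_contacts(uploaded_log, now):
    """Temporary IDs in a diagnosed user's uploaded log that meet the 1.5 m / 15 min rule."""
    totals = exposure_by_temp_id(purge_expired(uploaded_log, now))
    return sorted(tid for tid, t in totals.items() if t >= EXPOSURE_MIN)

def _series(tid, start, count, distance_m):
    """Constructed handshakes every 5 minutes, for the sample log below."""
    return [Handshake(tid, start + timedelta(minutes=5 * i), distance_m) for i in range(count)]

NOW = datetime(2020, 5, 1, 12, 0)
SAMPLE_LOG = (                                                  # constructed sample data
    _series("tid-A", datetime(2020, 5, 1, 10, 0), 5, 1.0)       # 20 min close: at risk
    + _series("tid-B", datetime(2020, 5, 1, 10, 0), 3, 1.0)     # 10 min close: below threshold
    + _series("tid-D", datetime(2020, 5, 1, 11, 0), 5, 4.0)     # 20 min but beyond 1.5 m: ignored
    + _series("tid-C", datetime(2020, 4, 5, 10, 0), 7, 1.0)     # 30 min but 26 days old: purged
)
```

Running `at_risk_contacts(SAMPLE_LOG, NOW)` yields only `tid-A`; the health authority would then look up that temporary ID on the server to contact the registered number.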
The logs of users’ personal information can only be accessed and decrypted by ‘health detectives’ or designated health authorities for the purposes of:
- enabling contact tracing by viewing interactions or ‘digital handshakes’ between positive users and all other users and conducting analysis on interactions between users (e.g. identifying interactions as transient, casual or close);
- ensuring proper and lawful functioning of the app (e.g. by authenticating diagnosis reports); and
- prosecuting or investigating a breach of the law relating to contact tracing (e.g. submitting a fraudulent diagnosis).
It can be used ‘for no other purpose’. The information collected through the application cannot be used to enforce other laws (e.g., isolation measures). It is illegal to decrypt users’ information for any other purpose and without user consent. The Australian Government has stated that the data gathered from COVIDSafe can only be accessed by the states’ and territories’ ‘health detectives’ currently performing tracing efforts. Singapore employs a central public health agency to receive and process the TraceTogether data.
1. Geolocation data. The COVIDSafe application is limited to gathering information relating to the user’s proximity to other users and, upon download, does not collect geolocation data. As a result, the user’s actual location is unknown.
2. Opt-in consents. COVIDSafe is enabled by users’ opt-in consent in respect of the following:
- users must provide consent before the application enables communications with other users;
- users who have been diagnosed COVID-19 positive may voluntarily provide this information to the application (if they do so, this is submitted to a centralised backend server enabling contact tracing to be conducted); and
- users may voluntarily upload data gathered through COVIDSafe onto the data store allowing health authorities to provide notice of at-risk interactions (the app data is stored locally on the user’s device until consent is provided).
3. Limited records on data store. The backend server of COVIDSafe only records the user’s mobile number and temporary user ID. This ID is refreshed at regular intervals, making it difficult for unauthorised third parties to re-identify and track the user. The backend server does not collect data relating to a user’s:
- GPS location or geolocation data;
- data relating to the WiFi or mobile network; or
- personal identity data (i.e. the identity of the user who has tested positive is treated anonymously).
4. Limited access. The health authorities have exclusive access to the data store. No other government agency or private entity is granted access to the data store, including the Commonwealth, and the data is only decrypted when a user needs to be contacted by a health authority.
5. Time limitations. Use of the application has been designed in a way that is time-bound and will continue only where strictly necessary – any information collected by the application is required to be deleted after the pandemic has ended.
Any person who feels pressured to do any of these things can make a complaint to the Office of the Australian Information Commissioner (OAIC) or the Australian Human Rights Commission.
A Privacy Impact Assessment (PIA) has been conducted by Department of Health. The PIA notes the privacy-by-design approach adopted by app developers and calls for further clarity about data governance arrangements between entities implementing and operating the application.
What’s next for COVIDSafe’s privacy and data security?
The key features of COVIDSafe show a willingness on the Government’s part to implement privacy and data security safeguards. In the rollout of the application, the Government will look to ensure the veracity of its security measures by liaising with bodies such as the Australian Signals Directorate and the Australian Cyber Security Centre.
The OAIC has independent oversight over the use, collection and disclosure of users’ personal information by the app and the National COVIDSafe data store. The Government is also expected to consider implementing a number of additional data security recommendations, including:
- Source code – the Government has been encouraged to publish the source code for its application to assist in the interoperability and further improvement of the application’s design and codebase.
- Data minimisation – confirmation that any data that may be used by authorised third parties is to be de-identified and/or aggregated. Once further contact tracing activities have been undertaken, the Department of Health should reconsider the various categories of personal information it collects and re-assess whether they are necessary to facilitate contact tracing efforts (e.g. allowing real names to be substituted for pseudonyms when registering for the app).
- Deletion or right to erasure – similar to TraceTogether, and in line with the right to erasure provided in the EU, COVIDSafe must provide users with the right to opt-out of the program at any time and request that their information on the system be deleted. Currently, if any user uninstalls the app from their device, any information relating to that user held in the data store will not be deleted. Similarly, there should be a focus on ease of access for users to request and correct their personal information held in the data store.
This publication is introductory in nature. Its content is current at the date of publication. It does not constitute legal advice and should not be relied upon as such. You should always obtain legal advice based on your specific circumstances before taking any action relating to matters covered by this publication. Some information may have been obtained from external sources, and we cannot guarantee the accuracy or currency of any such information.