As the world struggles to deal with the spread of coronavirus disease 2019 (COVID-19), governments are turning to technology to help “flatten the curve” and slow the rate of transmissions. Although Australia has been relatively successful in mitigating the widespread health impacts of COVID-19, the federal government has encouraged all Australians to download its COVIDSafe digital contact-tracing app (the App), citing that the relaxation of COVID-19 restrictions may depend on the App’s take-up by the Australian public. Due to privacy concerns, support for a contact-tracing app has, unsurprisingly, been mixed, even within the government itself.
Australia is not the first country to offer contact-tracing apps as a solution to the current pandemic. In fact, the App is based on Singapore’s TraceTogether app, which launched in late March 2020 and has been released as “open-source” code so that it can be used by other countries. However, contact-tracing is not the only technological measure being introduced to try and stop COVID-19. In Europe, some mobile operators are sharing data with Italian, German and Austrian health authorities to map movements and the concentration of individuals. Some overseas governments have implemented more invasive measures. For example, the South Korean government is using smartphone location data, surveillance footage and credit card records to monitor whether people have been complying with self-isolation measures, while the Chinese government is using surveillance apps to track its citizens’ locations and to prohibit entry into prescribed locations under certain conditions.
In Australia, the App is designed to digitise the manual contact tracing process that already occurs when an individual tests positive to COVID-19. The App uses a “Bluetooth digital handshake”, which logs Bluetooth connections between users’ phones by recording the encrypted hash code of other App users, as well as the date, time, duration and proximity of the contact. This enables the App to record who you were near to for a certain length of time (provided they also have the App installed and running). This data is encrypted at all times while held on a user’s phone (not accessible even to them) and will only be held for a period of 21 days before being automatically deleted. Importantly, the App cannot ascertain where you were, as the App does not collect geolocation data.
In the event that an individual tests positive for COVID-19, they will be asked to upload the history of “digital handshakes” recorded by the App to a secure information storage system. If they consent, their information will then be assessed by state and territory public health officials who will review the data for the purposes of contacting individuals who have recently been in close contact with the infected individual. Individuals notified as a result of contact-tracing through the App will only be informed that they have been in close contact with an individual who has contracted COVID-19. They will not be notified who that individual is, or when and where the contact occurred. The government has committed to shutting down operation of, and deleting all data collected by, the App at the conclusion of the pandemic.
The federal government released the App for download on 26 April 2020. So far, downloads have exceeded expectations, surpassing 1.13 million within the first 12 hours. The government has indicated that the App requires at least 40% uptake in order to be successful. Despite the App’s early success, there are still privacy concerns among the general public, creating a large hurdle in reaching the targeted 40% adoption rate.
The federal government has attempted to alleviate the public’s concerns with the App’s privacy policy, frequently asked questions and summary information reiterating that the data is encrypted, is only used on a consensual basis and will not be used for law enforcement purposes, such as enforcing lockdown restrictions or for general surveillance. To support these claims, the Federal Minister of Health, Greg Hunt, issued a determination under the Biosecurity Act 2015 (Cth) (the Determination) preventing the App’s data from being used for purposes other than contact tracing and limited associated purposes, such as investigating whether a breach of the Determination has occurred. According to Mr Hunt, the new laws will provide that “not even a court order during an investigation of an alleged crime” can access the data. The Determination also ensures that the data remains within Australia, that individuals cannot be required to use the App (for example, to enter a shopping centre or restaurant) and generally supports the limitations contained within the App’s privacy policy and FAQ, including that the data will be deleted after 21 days, that it cannot be uploaded without consent and that the government must delete all App data after the pandemic has concluded, among others).
By enacting the Determination, the government has proactively limited its data use rights further than would have applied had they merely complied with the Privacy Act 1988 (Cth) (the Privacy Act). Despite this, while the Determination’s restrictions are a positive for those concerned, there are a number of matters that still need to be further enshrined in legislation. Unfortunately, the federal government is currently not slated to return to parliament until August; however, the government is attempting to be flexible during this time and has flagged the potential of a May sitting. As such, those not satisfied with the level of protections currently offered by the App, for example the currently ambiguous end date of when the pandemic has “concluded”, may have to wait to have those concerns alleviated.
Regardless of the legislative and legal framework in place, the federal government has historically not had an ideal record on protecting data privacy within its organisations and agencies. For example, in 2016 the OAIC found breaches of the Privacy Act by the Department of Health for weak encryption techniques when protecting public health records and the federal government’s My Health Records system has suffered 115 data breaches across the last three years. These incidents serve as a useful reminder that, despite all the safeguards put in place, there is always the potential risk of data breaches arising from use of the App.
Very few of us in a democratic society, such as Australia, expect our government to trace us through our smartphones. However, the ability for smartphone technology to outpace the spread of COVID-19 means it is a valuable tool that should be considered in the defence against this pandemic. It is clear that the key to success for the government is to address any potential data privacy risks and to educate people on the privacy safeguards of the App, in order to ensure a higher uptake among the populous. Moving forward, it will be the government’s obligation to enforce these protections, protect data from misuse and data breaches and, when it is no longer necessary, roll back the App’s usage in order to return Australian society back to normality as soon as possible.