As has been widely publicised, the Federal Government has launched its digital contact tracing app, COVIDSafe. In order to encourage adoption and allay fears on how the data will be characterised and stored, the Minister for Health has made a Determination under the Biosecurity Act 2015 (Cth), which specifically prescribes rules around the collection, storage and use of data. This is an interim measure before legislation on the app can be passed when Parliament reconvenes in May.
While there is considerable debate regarding the merits of the app, set out below are some key features of which users should be aware.
Notably, from a technical perspective, the source code for the app (or at least a limited version) will be released publicly within the next 2 weeks. This will allow more robust testing and analysis of the technical architecture – we anticipate further public debate at that time.
Registration and use of the app are voluntary. The government has nominated 40% adoption as the minimum threshold to derive any meaningful public impact.
What data will be disclosed and shared?
Registration requires a user name (which can be a pseudonym), mobile number, age range and postcode. This allows the app to generate an encrypted code, which will be stored in the National COVIDSafe Data Store (using Australian based AWS cloud infrastructure). The app will record and store the following on the user’s phone:
- A periodically updated encrypted reference code – also logged at the Data Store.
- Date, time, distance and duration of contact with another COVIDSafe app.
The app will NOT record location data or track movements.
How is the data used?
When the app is open, it will – via a Bluetooth enabled ‘digital handshake’ – share encrypted reference codes (updated every 2 hours) with other enabled apps within range. These interactions are recorded on the phone but do not comprise identifiable data.
If an individual is confirmed positive for COVID-19, they will be asked to consent to the disclosure of that information to the centralised Data Store. If, and only if, the user consents, the information uploaded to the Data Store will then be used to identify ‘close contacts’ of the confirmed case – ‘close contacts’ being those users who have spent more than 15 minutes together within a 1.5 metre radius.
This information will be provided to the relevant State or Territory health authority, which will then disseminate health-related advice or actions to the confirmed case and close contacts. The registered age range and postcode data will assist in prioritising contact by health officials. This process is intended to expedite what would otherwise happen manually.
Users cannot access information stored on their phone and the government can only use the stored data for the purpose of health officials undertaking contact tracing, and ensuring that the app and Data Store function properly and are compliant. There are additional limited uses – e.g. generation of de-identified reports about uptake of the app. Other agencies cannot access the data.
Can a user delete their recorded data?
Users may delete the app from their phone at any time, together with all recorded data (it will also stop others from collecting contact data). To delete their information in the Data Store, individuals will need to complete a deletion request form.
In any case, any data collected will be automatically deleted from the user’s phone after a rolling 21 day period. It is also deleted upon upload to the Data Store.
All data will be deleted after the pandemic has concluded. At present however, there are no parameters regarding when and how this will be determined.
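The close-contact rule and the rolling 21-day deletion described above can be sketched as follows. This is an added illustration, not taken from the COVIDSafe source code. It assumes that time within range is summed per registered user across rotated reference codes, and the `resolve` lookup, user labels and sample log are hypothetical, constructed values.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

RETENTION = timedelta(days=21)        # rolling on-phone retention period
MIN_DURATION = timedelta(minutes=15)  # close contact: MORE than 15 minutes
MAX_DISTANCE_M = 1.5                  # close contact: within 1.5 metres

@dataclass(frozen=True)
class Encounter:
    ref_code: str        # other app's encrypted reference code (rotates every 2 hours)
    start: datetime      # date and time of the handshake
    distance_m: float
    duration: timedelta

def purge_expired(log, now):
    """Phone side: keep only records inside the rolling 21-day window."""
    return [e for e in log if now - e.start <= RETENTION]

def close_contacts(uploaded, resolve):
    """Data Store side: link rotated codes to a registration, then apply the rule.

    ASSUMPTION: time within range is summed per registered user; the page does
    not say whether the 15 minutes must be continuous. `resolve` is hypothetical.
    """
    totals = defaultdict(timedelta)
    for e in uploaded:
        if e.distance_m <= MAX_DISTANCE_M:
            totals[resolve(e.ref_code)] += e.duration
    return sorted(user for user, total in totals.items() if total > MIN_DURATION)

# Constructed sample data (not real COVIDSafe records or identifiers).
NOW = datetime(2020, 5, 20, 12, 0)
CODE_OWNER = {"c1": "user-A", "c2": "user-A", "c3": "user-B", "c4": "user-C", "c5": "user-D"}
SAMPLE_LOG = [
    Encounter("c1", NOW - timedelta(days=1), 1.0, timedelta(minutes=10)),
    Encounter("c2", NOW - timedelta(hours=22), 1.2, timedelta(minutes=8)),   # same person, new code
    Encounter("c3", NOW - timedelta(days=2), 3.0, timedelta(minutes=40)),    # too far away
    Encounter("c4", NOW - timedelta(days=30), 1.0, timedelta(minutes=60)),   # outside 21 days
    Encounter("c5", NOW - timedelta(days=3), 1.0, timedelta(minutes=15)),    # exactly 15 min
]

def demo():
    return close_contacts(purge_expired(SAMPLE_LOG, NOW), CODE_OWNER.get)

if __name__ == "__main__":
    print(demo())
```

Because the reference codes rotate, a single meeting can appear on the phone under two unrelated codes; in this sketch only the party able to link codes to a registration can total the time and apply the threshold.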
What are the risks?
A few risks have been raised, mainly relating to:
- Possible government overreach and use for other purposes. The Determination seeks to shut this down, but ultimately this depends on a level of trust.
- Whether the app can be hacked – the public release of the source code should allow this to be tested independently.
- Uncertainty regarding when the information will finally and permanently be deleted – the legislation should shed some more light on this.
- The merits of storing the data with a central authority.
- Possible US subpoena of information in the Data Store as a result of the server provider – AWS – being subject to the US CLOUD Act.
Can businesses require their employees, contractors or others to download and operate the app?
No – the Determination made by the Minister specifically prohibits requiring any person to download or have the app in operation on a mobile device. There are protections to ensure individuals have a choice about whether to download and use the app, and must not be disadvantaged for choosing not to do so.
There are significant penalties for contravention of the Determination of up to five years’ imprisonment or a $63,000 fine, or both.
Employers will need to exercise caution in the event of any communications of encouragement to staff to install and use the app, to ensure that employees are not coerced or required to install and use the app or suffer any detriment for their choice not to do so.
The prohibition seems to equally apply to an individual’s personal mobile as well as any company owned mobile.