COVIDSafe: The latest government app and what it means for your privacy

The Federal Government have just released their highly anticipated COVIDSafe App to help monitor the spread of novel Coronavirus (COVID-19).

Of key concern to many is the privacy implications of downloading and using the App. There is much discussion regarding how much data the App collects, who can access the data and how that data is used.

What is COVIDSafe?

The App has been implemented by the Federal Government to quickly and efficiently contact individuals who may have been exposed to COVID-19.

Downloading the App is voluntary, however in the first 12 hours of its launch, the App had more than 1 million downloads. The

Though nationally coordinated, the App is utilised by the State and Territory Governments. Health officials at the State and Territory level will utilise the data collected by the App after someone tests positive for COVID-19 to alert people that they have been in close contact with for a period of 15 minutes or more. The App allows them to identify these people and advise them to either get tested or begin quarantining.

The App utilises Bluetooth technology to record instances of “Digital Handshakes”. Digital handshakes occur when two App users are recorded as being within a 1.5m proximity of one another. This information is then encrypted to the user’s phone

How does the App use and share my data?

Many Australians are hesitant about using the App and have expressed concerns over government-collected personal information and the potential threat the App poses to individual privacy. That said, there are a number of misconceptions about the App.

In registering for the App, users are required to provide their:

  • full name (or a pseudonym);
  • mobile number;
  • postcode; and
  • age, by selecting an age bracket.

This information, in addition to the Bluetooth Digital Handshake, is all the data the App collects. The App does not utilise geo-location features. When Digital Handshakes are recorded, no data about the location or length of contact is recorded. Digital Handshake data is automatically deleted after 21 days. User’s data is only accessible by relevant Health officials and access only occurs after you or someone you have been in contact with, has tested positive for COVID-19. Persons who have tested positive for COVID-19 must consent to having their COVIDSafe data accessed and when contact is made with identified individuals, the person’s identity is not revealed.

Data collected by the App is stored in the National COVIDSafe Data system. This can only be accessed by public health officials tasked with contacting persons potentially exposed to COVID-19, these are known as State and Territory Contact Tracers. The database may also be accessed by ICT Providers where necessary.

Key take-aways from the PIA and Privacy Policy

The Government commissioned a Privacy Impact Assessment (PIA) to be carried out on the App, which has been made publicly available. Many of the recommendations of the PIA have been adopted in the released App.

With the findings being released last week, here are a few key takeaways:

  • In a ground breaking move, the Government will be releasing the source code for the App, allowing public scrutiny on code used and which has been seen by many in the technology industry as an opportunity to assist the Government to address any ‘bugs’ or ‘gaps’ in the code.
  • Users can delete the App at any time. After the App is deleted, all information held by the App is also deleted. At the end of the pandemic, the Government will destroy all information contained within the Database.
  • Though not made expressly clear, the App allows Users to use a pseudonym instead of their real name.
  • To correct personal information, Users must delete and re-install the App and re-complete the registration process.
  • Uninstalling the App deletes all information stored on your device but won’t delete information collected in the 21 days prior. However, users can put through a request to delete their data by completing an online request form.
  • At the end of the pandemic, there will be a prompt to delete the App with all data collected by the App to be permanently deleted.
  • It is still unclear how State and Territory officials will be bound by the Commonwealth’s privacy legislation and COVIDSafe Privacy Policy – with these details yet to be made publicly. This is probably the biggest gap in the privacy assurance work the Government has been producing. Arguably, States and Territories that collect and use information from the App will be required to comply only with their local legislation, and not the Commonwealth legislation.

Before downloading any App which captures and uses data, you should always consider the way in which information is shared and how your data is managed by app owners and data collectors. This can be easily ascertained by reading the app’s Privacy Policy and any Collection Notices issued.

For more information on privacy implications of the CovidSafe App, or any App, please contact our specialist team of privacy advisors.

5 essential probity tasks in government procurement

When the Government spends money, it is spending your money and my money, so we expect that there is a certain level of transparency and accountability. If there is little transparency or accountability, it is easy to throw around allegations of bias, and unfair advantage. Such allegations are not only damaging to the individuals involved, …
Read more

Part of a government tender evaluation committee? Want to know your obligations?

A tender evaluation committee is responsible for ensuring that a government procurement process is transparent and that procurement related actions are documented, defensible and validated in accordance with probity obligations. Among other things, your job is to protect the Government of the day from allegations of impropriety in government purchasing. This blog provides an overview …
Read more