14 COVIDSafe enquiries to OAIC, but still no complaints or breaches
The Office of the Australian Information Commissioner (OAIC) has released its second six-monthly report on the privacy and security of Australia’s controversial COVIDSafe app.
While there were no reports of breaches, no complaints made, and no investigations underway, the OAIC said the app, paraded by Prime Minister Scott Morrison as “digital sunscreen“, was the subject of 14 “enquiries”.
This comprised 12 enquiries from individuals and two from businesses during the period 16 November 2020 to 15 May 2021.
“We provided general information in response to 11 enquiries and provided assistance on how to make a complaint in response to three enquiries,” the report [PDF] said.
During Senate Estimates last month, Information and Privacy Commissioner Angelene Falk said the OAIC, by the end of April, received around 25 inquiries from members of the public seeking information about COVIDsafe and their privacy rights.
Breaking down the types of enquiries, the report said the OAIC received 10 enquiries raising general issues or concerns about COVIDSafe, including an enquiry about the changes to the Privacy Act relating to COVIDSafe and an enquiry from an individual seeking to delete data uploaded to the National COVIDSafe Data Store.
The OAIC also received four enquiries about a request to download or use COVIDSafe, which the report explained as an enquiry about a venue refusing an individual entry unless they used COVIDSafe or signed in using a QR code and an enquiry about whether an employer could require an employee to download COVIDSafe.
The legislation wrapped around COVIDSafe prevents a directive from an employer or venue to require the app’s download.
Falk told Senators last month the OAIC has implemented a series of assessments or audits of the COVIDSafe app, which she said assess the privacy safeguards in relation to the Privacy Act and follow the “information lifecycle” of the COVIDsafe app.
“We’re assessing the security and access protections to the national COVIDSafe’s data storage facility,” she said. “We’re also assessing the manner in which information is accessed by the states and territories. And the legislation passed by Parliament at this time last year, gave my office jurisdiction in relation to the states and territories handling of that COVIDSafe app data.”
The OAIC has four assessments underway. The report said the OAIC has progressed draft reports for all of them.
The agency also provided guidance for state and territory health authorities regarding COVIDSafe and COVID app data during the reported period.
Also included in the OAIC document is a report from the Inspector-General of Intelligence and Security (IGIS).
IGIS reviewed the compliance of agencies it has oversight of between 16 November 2020 and 15 May 2021 and said it remained satisfied that these agencies have appropriate policies and/or procedures in place and are taking reasonable steps to avoid the intentional collection of COVID app data.
“IGIS staff have conducted inspections of these agencies to determine whether COVID app data that has been collected incidentally as part of agency functions has not been accessed or used, and that any COVID app data has been deleted as soon as practicable after the agency becomes aware it has been collected,” IGIS wrote in its brief report.
“While relevant agencies have incidentally collected COVID app data, which the Privacy Act recognises may occur, IGIS had found that there is no evidence to suggest that these agencies have deliberately targeted or have decrypted, accessed, or used such data.”
IGIS has not received any complaints or public interest disclosures about COVIDSafe app data, but said there were ongoing discussions between relevant parties regarding the application of the prohibition against “disclosure” as set out in the Privacy Act.
COVIDSafe, according to the Digital Transformation Agency, had picked up 567 close contacts not found through my manual contact tracing, a large increase on the previous number of 17 contacts. The agency said there have been 779 uploads to the National Data Store since inception last year.
Earlier this week, the government of Western Australia introduced legislation that would keep the information obtained via the SafeWA check-in app by contact tracers away from the state’s law enforcement authorities.
The state currently lacks protections for such information, with WA Police having used it to investigate “two serious crimes”.
“The system was introduced in the middle of the global pandemic and while access to this information was lawful, the WA government’s intention was for contact registers to only be used for contact tracing purposes,” the government said.
“Information collected through the SafeWA app has never been able to be used for commercial purposes. This will remain the case under the new legislation.”
The ABC on Wednesday reported the state government was forced to introduce legislation after failing to reach an agreement with police. The report indicates Premier Mark McGowan found out in April that police were accessing the data to find witnesses to a number of serious crimes, including a murder, but was previously unaware.
“We attempted to negotiate an agreement with the police. They advised that it was lawful, and they couldn’t not do things that are lawful,” he told ABC Radio Perth.
WA Police Commissioner Chris Dawson said the circumstances that required access to the SafeWA data were exceptional.
“I accept that people don’t always read fine print on insurance policies or whatever, and this is a very important principle, but the police have only got information twice out of 240 million transactions and they were exceptional circumstances, and it is lawful,” he said, speaking on 6PR radio.
“Police have a duty to investigate crime, and we’re talking about a man who was shot in a public arena with an allegedly high-powered weapon, and other people were injured.”
The state opposition has called it “a breach of trust”.