11 May 2020
The Hon Greg Hunt MP
Minister for Health
Minister.Hunt@health.gov.au
Dear Minister,
COVIDSafe app
Federal, State and Territory governments must be applauded for the significant measures taken to contain the spread of COVID-19 in Australia. As a group of community organisations and privacy experts, we recognise the complex policy questions involved in the launch of the COVIDSafe tracing app as we move towards easing current restrictions.
One of the key challenges of developing the COVIDSafe tracing app is the need to have a broad range of expertise and perspectives involved – public health, technology, security, privacy, human rights, digital inclusion, communications and community interests all need to be considered within a tight timeframe. This response captures that feedback.
We welcome the temporary legal framework established through a Ministerial Determination under the Biosecurity Act 2015, and more recently the exposure draft of the Bill which is to be considered by Federal Parliament this week.
In this context, we urge the Federal Government to address a number of concerns about the app to increase community trust and confidence in its operation, and ultimately support greater uptake.
These are:
- Improved public education and information for all communities
- Acknowledgment of the digital divide and limitations of the app
- Improved accessibility features to assist people with disability
- Arrangements to ensure use of the app will remain voluntary
- Attending to outstanding privacy issues
- Transparency and audit reporting
- Regulatory oversight
1. Improved public education and information for all communities
Public education is needed to better explain the operation of the app and facilitate fully informed consent with an understanding of the limitations and risks involved. Misunderstanding of its function risks generating misplaced confidence that other precautions to reduce the risk of infection are no longer required, undermining its public health intent.
In addition, there needs to be clear, easy to understand education about privacy aspects of the app and how it operates both for the general population, and more specifically for multicultural and Indigenous communities, in multiple languages and in Easy English.
Victims of domestic violence must be assured that information stored on the COVIDSafe app for 21 days cannot be retrieved by a perpetrator of domestic violence who has access to a victim’s unlocked phone. Access to this data would enable a perpetrator of domestic violence to deduce who the victim’s close contacts are and when and for how long they have visited them. Assurances must be given that data collected by the COVID app is encrypted both ‘at rest’ and in transit to make it safe to use by all Australians, including victims of domestic violence.
As we move into the next phase of containing the spread of the virus, specific educational responses are needed both for the public in general, and for specific communities, to ensure they are informed and in a position to provide genuine consent to adoption of the app.
2. Acknowledgment of the digital divide and limitations of the app
As community sector organisations working with low income consumers, we are aware that the Indigenous and homeless sectors of the community have unequal access to the app. People in disadvantaged communities often both lack the resources to own personal mobile phones and have limited internet and mobile network access. Many homeless people and Indigenous people in remote communities share phones.
Lack of individual ownership of mobile phones, sharing of mobile devices and lack of internet and mobile coverage means the effective operation of individual tracking and tracing in these communities is undermined. The digital divide and lack of digital inclusion means that some of Australia’s most vulnerable communities are not able to download and use the app. This includes people who do not own a smartphone and those using smartphones with older operating systems not compatible with the COVIDSafe app.
On a broader scale, many rural Australians are unable to register for the app due to unreliable mobile service networks and an inability to receive SMS messages as part of the two-factor authentication installation process.
We urge the Federal, State and Territory governments to continue to work together to use effective existing contact tracing methods for these communities. Deployment of the COVIDSafe app must not result in any consequential reduction of these measures for consumers not afforded the protection of the app, who must not be further disadvantaged.
In addition, consideration should be given to establishing a program to supply and distribute smartphones with capacity to run the COVIDSafe app to those without access to devices, to support increased take up.
3. Improved accessibility features to assist people with disability
Vision and hearing-impaired people are also at a disadvantage in using the app. Testing by disability groups has found that it is not fully screen reader accessible, and there is no known Auslan guide on access and use. There is an urgent need for immediate consultation with this community to enable accessibility features to be built into the app design and inform any future iterations.
4. Arrangements to ensure use of the app will remain voluntary
We welcome the temporary three-month legal framework established under the Determination to provide consumer protection measures until the Bill is enacted. We support the clear rules in the Determination and the Bill (s94H) governing the voluntariness of the COVID tracing app, so that it cannot be made mandatory by law or pseudo-voluntary by employers and other service providers.
These provisions must be reflected in enforceable State and Territory legislation to guarantee that use of the app does not become mandatory, and that there is no overreach in use of the collected data beyond the ‘single use’ purpose of contact tracing. Such a guarantee should include a provision prohibiting the app from becoming ‘opt-out’ as in the case of My Health Record.
While the criminal penalties imposed by the Bill for breach are important to encourage adherence, they must (as noted below) be complemented by private rights of enforcement actions.
5. Attending to outstanding privacy issues
We welcome many of the provisions in the Bill, but there are outstanding issues that are not addressed and need attention:
- Under the Bill, Commonwealth privacy law is to be applied in the case of data breaches, and this applies to State and Territory health authorities to the extent that these authorities deal with COVID app data (s94X). However, State and Territory governments should enshrine the provisions of the Bill in complementary State and Territory legislation, to cover any constitutional limitation in the application of other provisions of the Commonwealth Privacy Act.
- COVID app data has been included in the definition of ‘personal information’ under the Privacy Act. To improve protection of the data collected by the app overall, the definition of COVID app data should be expanded to include all data collected by and associated with the app to ensure it covers the whole chain of data from a user’s smartphone, via the Commonwealth-run central server, to a contact trace in a state health agency.
- A corresponding right for personal action for misuse of data and any other breaches should be included in the Bill to allow those affected not only to complain to the Office of the Australian Information Commissioner, but also have legal access to compensation and to take out injunctions if needed to prevent ongoing misuse.
- The provisions enforcing deletion of data on request ( ), providing users with an opportunity to ‘opt out’, and the restrictions on the collection, use and retention of data after the end of the COVIDSafe data period are welcome. However, in the interests of transparency and informed consent, the specific statistical purposes for which de-identified data may be used should be disclosed, and a definition of ‘de-identified’ included in the Act as a guard against any ‘back-door’ use of the data.
- The end date for use of the app in the Bill is at the discretion of the Federal Health Minister on the advice of the Chief Medical Officer (CMO) or the Australian Health Protection Principal Committee . The Health Minister must be required to consult with the CMO, the AHPPC and health experts independent of government in deciding when to withdraw the app, as there is a need for independent oversight in making such a determination.
- The Bill does not expressly exclude use of data collected via the app for purposes of national security. It needs to explicitly state that national security and law enforcement are barred from using data collected via the app for other purposes. Single use only status of the app must be maintained and protected. The Bill states subsequent legislation could override the its provisions. Further assurance is needed that subsequent and overriding legislation will not enable backdoor access to a user’s COVID app data.
6. Transparency and audit reporting
The Privacy Impact Statement for the app, conducted by the Maddocks’ law firm for the Department of Health, involved limited consultation. A more transparent privacy assessment process and measures for ongoing audit reporting by an independent body, would cultivate more community trust in the app and support a higher adoption rate. Transparent disclosure of technical information to experts, including the apps’ functionality, data flows and source code, would allow technical experts to conduct an independent audit.
The government has stated that 40% of Australian citizens need to install and use the app for tracing to be effective, although officials have confirmed there is no advice about any specific uptake target. Ongoing transparency of usage figures by Australian citizens would allow people to monitor the efficacy of the app.
Transparent publication of daily and weekly statistics of actual use of data (including metadata) as it passes through and is transformed end-to-end within the COVIDSafe contact tracing system would reassure consumers that the app is performing the public health purpose for which it has been designed. Health experts independent of government CMOs should be guaranteed access to the data necessary for them to assess, and report to the public on the effectiveness of the app in combatting COVID19.
To these ends, the Bill should include:
- A mechanism ensuring public reporting of which state and territory agencies are using the data generated by the app and for what purposes. Reports must include numbers of ‘close contacts’ disclosed to State and Territory health officials, how many of these are actually contacted.
- Details about the design of the app, the central server, and the way in which information is collected and shared. Inclusion of this information would both facilitate informed consent and ensure the privacy-by-design features of the app could not easily be changed.
- Provide for parliamentary review after several months of operation to consult and report on evidence of effectiveness, any emerging problems, and constructive solutions.
7. Regulatory oversight
The Bill creates an oversight and regulatory role for the Office of the Australian Information Commissioner for use of COVID app data. However, the Office of the Australian Information Commissioner has limited powers to enforce and penalise non-adherence to privacy principles. Adequate resourcing and appropriate authority are needed for it to properly regulate the collection and use of COVIDSafe data, to enforce any time limitations on the collection of data and to ensure the app does not become mandatory by either law or in effect. These measures may encourage increased trust in the system and promote user downloads of the app.
We are keen to discuss our proposals with you in more detail, with Teresa Corbin, ACCAN CEO, as the key anchor contact.
Signatories:
Australian Communications Consumer Action Network
Australian Council of Social Service (ACOSS)
Australian Federation of Aids Organisations
Australian Federation of Disabilities Organisations
Australian Privacy Foundation
Centre for Inclusive Design
Community Legal Centres Australia
Consumer Health Forum
Country Women’s Association Australia
Federation of Ethnic Communities Councils of Australia (FECCA)
Financial Rights Legal Centre (FRLC)
First Nations Media
Human Rights Law Centre (HRLC)
Internet Australia
Money Mob
Multicultural Youth Action Network (MYAN)
Public Interest Advocacy Centre (PIAC)
Women’s Legal Service NSW
Professor Graham Greenleaf, University of NSW
Nigel Waters, former Deputy Australian Privacy Commissioner
Share this