Similar letters were sent to the Leader of the Opposition and the Parliamentary Friends of the Bring Julian Assange Home Group. 

The NSW Council for Civil Liberties has concerns with the potential for sharing of personal and health information collected using the ServiceNSW check in tool.

The following correspondence, addressing our concerns, was sent to Minister Dominello, Department Customer Services. Similar letters were sent to Minister Hazzard and Minister Elliott.

On 18 December 2020, the Auditor-General for New South Wales, Margaret Crawford, released a report criticising the effectiveness of Service NSW’s handling of customers’ personal information to ensure privacy. NSWCCL has long held concerns over the manner of the use, collection, and storage of personal information of NSW citizens by the NSW government. The damning report highlights the lack of understanding and commitment to proper privacy practices in the NSW public service.

The report states that “Service NSW is not effectively handling personal customer and business information to ensure its privacy. It continues to use business processes that pose a risk to the privacy of personal information. These include routinely emailing personal customer information to client agencies, which is one of the processes that contributed to the March 2020 data breach. Previously identified risks and recommended solutions had not been implemented on a timely basis.”[1]

The Auditor-General made eight recommendations aimed at ensuring improved processes, technologies, and governance arrangements for how Service NSW handles customers’ personal information. These included, as a matter of urgency, that Service NSW should, in consultation with relevant NSW government departments and agencies, and the Department of Customer Service, implement a solution for a secure method of transferring personal information between Service NSW and those agencies.

The 2019–20 bushfire emergency and COVID 19 pandemic restrictions have dramatically increased Service NSW processes. Additionally, as of 1 January 2021, s. 36(3)(a1) of the Public Health (COVID-19 Restrictions on Gathering and Movement) Order (No 7), requires people who enter a hospitality venue or hairdressing salon to register their contact details electronically with Service NSW (known as the COVID-19 Safe Check-in tool and generally using QR codes). Those details are kept for a period of 28 days and, if requested, will be provided to the Chief Health Officer for contact tracing purposes.

Several issues arise from the report’s findings and the use of personal information for the COVID-19 Safe Check-in tool:

1) There was outcry over the privacy implications of the Federal COVIDSafe App and as a consequence specific legislation was introduced around its use. There has been no accompanying legislation surrounding the COVID-19 Safe Check-in tool via the Service NSW app. The privacy collection statement for the check in tool is to be read in conjunction with the Service NSW privacy policy. The former, which is largely prescriptive of the operation of the collection rather than privacy policy, assures that the information is for contact tracing purposes. The latter states that, your personal information “may also be used in an emergency situation to help prevent a serious and imminent threat to life or health, or for law enforcement purposes, or where we are authorised or required to do so by law”.

We have already seen that the Singapore TraceTogether App, on which the COVIDSafe App was based, can be accessed by police in the course of a criminal investigation.[2]

NSWCCL strongly opposes the use of information gathered for health purposes being used for law enforcement or any other additional purpose.

Apart from the obvious areas of misuse of personal data and “big Brother” implications there is a strong possibility that, if aware police can use the data, many citizens of both innocent and criminal means will choose to enter false and misleading data.

The NSW government should be assuring NSW citizens that information gathered will be used only for its primary purpose. Ideally, the management of the COVID-19 Safe check-in tool needs to be enacted in primary legislation, not just in an Order.

2) When the QR code is scanned at a venue, Service NSW will collect your name, contact details time and date of entry and, crucially, your location. Collection of this information is mandatory to gain entry.

Opting out of digital interactions is not a realistic option for most people. Balancing interests therefore amounts to having to agree to terms of access or risking the suffering of economic disadvantage, discrimination, or social exclusion. Community sentiment suggests that location data should be considered highly sensitive.

A breach of this information means that an individual could be tracked, profiled, targeted, or otherwise impacted upon. NSWCCL believes that is a privacy harm which requires greater protection.

3) Service NSW is a custodian of our data and any disclosure of our personal information to third parties and agencies should only occur in very limited circumstances. The Auditor General has identified that Service NSW has been deficient in its agreements with client agencies as well as its policies and processes for managing privacy risk.

There is therefore little reason to trust that Service NSW will protect our personal sensitive information. Service NSW must adopt the recommendations of the Auditor General immediately. 

[1] The March data breach refers to two external threats targeting the email accounts of 47 staff members, resulting in the breach of a large amount of personal customer information held in those email accounts. See Report; “client agencies” is a reference to NSW Government agencies that delegate to and enter into agreements with the Chief Executive Officer of Service NSW in order for Service NSW to undertake service functions for the agency.

[2] Han, K (11 Jan 2021) Broken promises: How Singapore lost trust on contact tracing privacy MIT Technology Review <https://www.technologyreview.com/2021/01/11/1016004/singapore-tracetogether-contact-tracing-police/>

2020 NSWCCL AGM

Item 8.3        Policy on Human Rights and Technology

Human Rights and Digital Technology

Australia has experienced an exponential uptake and increased sophistication of surveillance methods, AI informed decision making, and other modern technologies collecting vast amounts of data (Digital Technology). At the same time, laws protecting individuals against breaches of their privacy rights have not kept pace with those technologies. There has been a “drift towards self-regulation in the technology sector, as laws and regulators have not effectively anticipated or responded to new technologies” [1]. While there will always be some degree of regulatory lag with regards to policy design and implementation, capacity-building programs should specifically target policy makers to ensure the development of a policy framework that is remains relevant as technology progresses.

NSWCCL acknowledges that “digital technologies have the potential to facilitate efforts to accelerate human progress, to promote and protect human rights and fundamental freedoms” but also that “the impacts, opportunities and challenges of rapid technological change […] are not fully understood”.[2] In fact, surveys have shown that community trust in new and emerging Digital Technologies has been diminishing, for example, with most Australians concerned about their online privacy.[3]

Safeguards are necessary to ensure that the liberties and rights of Australians are not unreasonably curtailed by Digital Technology. As a society, we need to avoid the possibility that people feel unable to go about their normal business because they are constantly being watched or tracked.  Once collected, used and stored by third parties, personal private information becomes increasingly difficult to protect and regulate. Often that personal private information is collected or used in a manner that is without the knowledge, or consent, of the individual.

NSWCCL policy, in the face of the expansion of Digital Technology, includes:

1. A national strategy on new and emerging Digital Technologies that promotes effective regulation, consistent with Article 22 of the EU General Data Protection Regulation (GDPR).
   
   Australian government policy on Digital Technology has tended towards self-regulation which is also, inevitably, fragmented. The Australian Productivity Commission has called for fundamental, systematic change in the way governments, businesses and individuals handle data.[4] As a starting point, the substance of Article 22 of the GDPR, should be adopted by Australian legislators, as best practice. Article 22 of the GDPR provides for the right not to be subject to a decision based solely on ‘automated processing, including profiling’ which has a legal or significant impact on the individual.
   
   
2. A National Bill of Rights. One of the most significant gaps, from a policy perspective, with regards to the protection of human rights, data collection and AI informed decision making, is the absence of legislated human rights protection, particularly through a national Human Rights Act or charter. As a corollary, international policies and treaties around human rights and Digital Technology protection need to be more effectively implemented.
    
3. Implementation of legislative framework with a human-rights centred approach.
   
   Australia needs “greater statutory clarity regarding the ambit of responsibility and consequence of automated decision making”.[5] The overarching framework should provide for Digital Technology being designed and applied around principles of transparency, accountability, responsibility, mitigation of risk, fairness and trust. It should provide for clear and enforceable laws as a main means to ensure and promote an accountable and responsible use of Digital Technology, aiming at fostering innovation while also protecting human rights.
   
   
4. Accountability of institutions for decisions that are made using Digital Technology and liability for the consequences of those decisions.
   
   Exclusion and discrimination can be exacerbated  by the “feedback loop of injustice”.[6] For example, if AI is tasked to make a decision it will base its decision on past data, and if a person if affected that is part of a group sharing a characteristic such as race, age, gender or other, it is therefore likely to replicate past imbalances and injustices that that group was involved in.
   
   This problem concerns society defining areas, such as capital distribution (who gets the home loan?), employment (who gets the job?), and criminal justice (who goes to jail?). While the public discussion of the human rights implications of Digital Technology has tended to focus on the right to privacy and non-discrimination, other areas are also engaged, such as the right to equality, the right to work, the right to justice, and the right to health.
   
   
5. Notification to the individual impacted when Digital Technology facilitated decision making occurs.
   
   The Council of Europe, Commissioner of Human Rights, considers that those who have had a decision made about them by a public authority, that is solely or significantly informed by the output of an AI system, should be promptly notified.[7] In the context of public services, especially justice, welfare, and healthcare, the individual user needs to be notified in clear and accessible terms that an AI system will be interacting with them and that there is hasty recourse to a complaints person. Specific information about processing, purpose and the legal basis for processing, should be available to the individual whether that information is retrieved directly, or from other sources.
   
   
6. A Consumer Protection approach to Consent. While consent of the user is a necessary condition for the use and decision-making processes of Digital Technology, it is not sufficient. A user should not be able to consent to waive rights under consumer law; laws which provide that the data controller must do certain specified things. Where consent is required and sought, that consent needs to be express, voluntary, specific and unambiguous;[8] not bundled consent, nor opt out. Any changes in use of information collected or stored should prompt a requirement for renewed express consent.
   
   
7. Reform to more easily assess the lawfulness of decision-making by Digital Technology. Accessing technical information used in decision-making or having open source AI are methods for doing so.
   
   
8. Easily accessed complaints and independent appeal processes, and remedies for the benefit of the adversely affected individual user.
   
   Digital technologies are still developing and high error margins need to be accounted for. At any stage, a user affected by automated decision making should have the right to human intervention.[9] The appeal system(s) that will need to be established must be easily and cheaply accessible, so that those in vulnerable positions have the chance to contest contentious decisions.
   
   
9. A moratorium on the use of the technology should be implemented in any situation where the use of a technology in a specific situation is not regulated clearly enough by the policy and/or legislative framework.
   
   Digital Technology needs to be continuously assessed for accuracy and reliability, as software behind, for example, facial recognition can still show high error margins and substantial system bias. Misidentification and bias affecting citizens have led to various city and state governments, international organisations and software companies, to either impose or call for a moratorium on the technology’s use, until its functionality and the laws around it meet certain conditions.[10]
   
   
10. The establishment of a Digital Regulatory Body (DRB) tasked with developing policies around the design and application of big data, AI informed decision-making systems and advanced surveillance technologies. Its powers including:
    
    a) Enforcement of policies. The DRB should be tasked with supervising compliance with data protection regulations by government and the private sector. [11] The powers invested in the body, like European models, should include investigation and access to premises and data processing equipment, for the purposes of compliance with regulations. There should be authority to impose a fine and/or a ban on processing.[12] 
    
    b) Regular auditing of public and private organisations’ systems to ensure high rates of policy compliance. Regular auditing also serves to detect potential bias in Digital Technologies. The DRB, given the appropriate expertise, should be able to keep intellectual property confidential and yet recognise where algorithms reinforce social differences and discrimination.
    
    c) Advocacy, encouraging laws and practices around technologies to be human rights compliant and used for the public good. Soft measures could take the shape of offering targeted education and training for decision makers and leaders, in the Australian private and public institutions, to build capacity around existing and new laws in the context of new technologies.
    
    d) Fostering innovation and technological progress. In order to achieve both human rights compliance and technological innovation and progress, the regulatory body could be tasked with the implementation of ‘regulatory sandboxes’. In these regulatory sandboxes “new products or services can be tested in live market conditions but with reduced regulatory or licensing requirements and exemption from legal liability, and with access to expert advice and feedback”[13].
    
    e) Research into making AI more privacy friendly. Privacy friendly AI systems can more easily comply with regulations, use anonymisation techniques and explain how data is processed.[14]
    
    
11. A limited statutory cause of action to sue for serious breach of privacy, where there is a reasonable expectation of privacy. The existing privacy legislation at Commonwealth and State levels does not provide protection, or remedy, for many kinds of invasion of personal privacy. Any cause of action needs to be broadly formulated to capture future forms of privacy infringement.[15]
    
    In 2019, the Australian Competition and Consumer Commission recommended that a new statutory cause of action be created to cover serious invasions of privacy with the aim to reduce the “bargaining power imbalance” between individuals and digital platforms.[16]

Resolution

That the proposed policy on Human Rights and Technology be adopted.

Moved at the NSWCCL AGM October 21st 2020 by: Michelle Falstein

Seconded by: Stephen Blanks

[1] Farthing, S., Howell, J., Lecchi, K., Paleologos, Z., Saintilan, P. and Santow, E., 2019. Human Rights and Technology: Discussion Paper. <https://humanrights.gov.au/sites/default/files/document/publication/techrights_2019_discussionpaper_0.pdf> [Accessed 13 September 2020] at p.38

[2] UN Human Rights Council, 2019. New and emerging digital technologies and human rights: 41st session. [online] Available at: <https://documents-dds-ny.un.org/doc/UNDOC/LTD/G19/208/64/PDF/G1920864.pdf?OpenElement> [Accessed 13 September 2020] at p.2

[3] Goggin, G., Vromen, A., Weatherall, K., Martin, F., Webb, A., Sunman, L., & Bailo, F. (2017) Digital Rights in Australia Departments of Media Communications, and Government and International Relations, Faculty of Arts and Social Sciences, and the University of Sydney Law School, University of Sydney. <https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3090774 >accessed 25 Feb 2020

[4] Australian Productivity Commission (2017) Data Availability and Use Report, p. 12 in Goggin, G., Vromen, A., Weatherall, K., Martin, F., Webb, A., Sunman, L., & Bailo, F. (2017) Digital Rights in Australia Departments of Media Communications, and Government and International Relations, Faculty of Arts and Social Sciences, and the University of Sydney Law School, University of Sydney. pp21-22 <https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3090774 >accessed 25 Feb 2020 

[5] Murray, A., 2019. Legal technology: Computer says no …but then what. The Proctor, 39(8), 48-49.

[6] Eubanks, V., 2017. Automating inequality: How high-tech tools profile, police, and punish the poor/Virginia Eubanks. New York, NY: St. Martin's Press.

[7] Council of Europe Commissioner of Human Rights (May 2019) Unboxing Artificial Intelligence: 10to protect Human Rights https://rm.coe.int/unboxing-artificial-intelligence-10-steps-to-protect-human-rights-reco/1680946e64; Also Art 13 GDPR

[8] The Norwegian Data Protection Authority (January 2018) Artificial Intelligence and privacy Datatilsynet, p.29

[9] Art 22 GDPR

[10] Conger, K., Fausset, R. and Kovaleski, S. F., 2019. San Francisco Bans Facial Recognition Technology. The New York Times. [online] 14 May. Available at: <https://www.nytimes.com/2019/05/14/us/facial-recognition-ban-san-francisco.html> [Accessed 14 September 2020]; Kelion, L., 2019. MPs call for halt to police's use of live facial recognition. BBC. [online] 18 Jul. Available at: <https://www.bbc.com/news/technology-49030595> [Accessed 14 September 2020]; Larson, N., 2020. UN urges 'moratorium' on facial recognition tech use in protests. [e-book]: AFP. <https://news.yahoo.com/un-urges-moratorium-facial-recognition-tech-protests-142542401.html> [Accessed 26 June 2020].

[11] Shaping Europe’s digital future -Report/Study (8 April 2019) Ethics guidelines for trustworthy AI <https://ec.europa.eu/digital-single-market/en/news/ethics-guidelines-trustworthy-ai>

[12] The Norwegian Data Protection Authority op.cit. p.23

[13] Op.cit. Farthing, et al., 2019 p.118

[14] The Norwegian Data Protection Authority op.cit. p.28

[15] Witzleb, Normann (2011) A statutory cause of action for privacy? A critical appraisal of three recent Australian law reform proposals 19 Torts Law Journal 104-134 DOI: 10.13140/2.1.3159.1684

[16] Australian Competition and Consumer Commission (June 2019) Digital Platforms Inquiry- Final Report <https://www.accc.gov.au/system/files/Digital%20platforms%20inquiry%20-%20final%20report.pdf>

The Australian Government has released the Privacy Amendment (Public Health Contact Information) Bill 2020 (COVIDSafe Bill) which will be considered by Parliament this week. The COVIDSafe Bill largely reproduces the biosecurity orders which made it possible to begin to download and operate the COVIDSafe App (App).

The NSW, Queensland and South Australian Councils for Civil Liberties, along with the Australian Council for Civil Liberties, support the introduction of effective digital contact tracing if it is underpinned by robust privacy and transparency legislation.

The joint statement has been sent to the Prime Minister, the Attorney General and Opposition Leader, along with all MPs and Senators. 

In the statement we recommend that a number of issues should be considered by Parliament for incorporation into the Act – or for Government action - to more adequately protect the privacy of Australian citizens who have voluntarily participated in this tracking exercise.

The Sydney Morning Herald reported on the statement - 'The civil liberties groups want the government to change the design to ensure personal data is not stored on a central database, arguing this increases the danger from a single cyber attack.'

'More needs to be done to ensure that the app does not compromise data protection and thereby increase the risk of illegal and inappropriate use of data or surveillance of Australians.'

Read the full statement HERE. 

20^th April 2020

CONCERNS RE PRIVACY AND DIGITAL COVID-19 CONTACT TRACING

Prime Minister Scott Morrison has confirmed that the Australian government is progressing with Singapore-style digital options for contact tracing. The proposed app tracks, via Bluetooth technology, the previous close contacts of an individual who subsequently proves to be COVID-19 positive.  This applies to any contact (also with the app) who had spent 15 minutes or more in close proximity with the infected person.

NSWCCL is concerned with the potential of the app to compromise data protection, increasing illegal and inappropriate use of data and facilitating surveillance and stigmatisation of Australians. Any collection or use of a person’s sensitive personal data for digital contact tracing must come with the imposition of strict limitations.

Despite assurances that the proposed app is opt-in and therefore voluntary, NSWCCL has grave concerns over the safety and privacy of information gathered, stored and shared, along with the potential for abuse of that information. Widespread uptake of any contact tracing app and effective contact tracing will be dependent on whether the Australian people trust the government to take their privacy concerns seriously. It is possible that, as with the My Health Record, the app is transitioned to opt-out, or worse, becomes mandatory because of insufficient uptake. Equally concerning is the possibility that individuals could be excluded by their workplaces or schools if not using the app.

The Minister has said If an individual registers COVID-19 positive status, that information is sent to a national health storage and then sent to State governments to notify the individual’s contacts. Cyber-attacks and accidental and illegal data breaches have and will continue to occur on Australian government databases. It is therefore desirable that mobile device contact tracing be decentralised, with contacts registered in encrypted form on the local mobile device, and not identifiable to others or the government. Such measures reduce the fallout should a data breach occur.

In convincing the community that restrictions can be eased with faster contact tracing, the government should be reminded that privacy and health are not tradeoffs, one for the other. Both are possible with well-designed technology.

NSWCCL recommends that the Australian government consider the use of alternative more privacy friendly digital contact tracing options which are currently under development. These options are rapidly becoming available. The Apple/Google collaboration is opt-in contact tracing which generates transitory arbitrary IDs processed locally on the device and not uploaded onto a central server. Bluetooth anonymous identifier beacons notify persons who have been in contact with a COVID-19 subject.  MIT and the EU are developing similar apps. The EU DP-PPT model uses a backend server to push information through to notify the contact of a risk of infection and has purpose-limiting dismantling of the app at the end of the emergency.

NSWCCL recommends that the Australian government, at least, adopts the following privacy protections in the implementation of the proposed digital COVID-19 app:

• Consideration of reasonable digital alternatives to the proposed model of digital contact tracing
• Transparency and accountability, providing information about the development and use of any mobile device tracking technology and how rights of the individual will be affected and protected,
• The technology must be opt-in after the provision of accurate and complete information about the extent of its use, with the requirement to renew consent periodically,
• The ability to opt out or terminate participation at any time, accompanied by built-in destruction of personal data,
• The use of best practice privacy and security measures, including:
• short, clear and accurate privacy policy;
• strict and express data retention and destruction policy, linked to a short period of application;
• limits on the type of data collected and how it can be accessed;
• anonymisation of data;
• strict limits on data sharing, in particular no sharing of information between government agencies except for public health purposes,
• Decentralisation of anonymised data on users’ mobile devices,
• Strict limitation in relation to the purpose and objects, for which users have expressly consented. Personal data should not be retained for any new purpose,
• A clear, short period of application – (the sunset period for Israel’s contact tracing app is 30 days)
• An easily accessible complaints system and independent judicial oversight, to address any grievances,
• No ability to subpoena data through court proceedings, and
• An independent oversight role for the Office of the Australian Information Commissioner (or other government office) and the new Senate COVID Committee, with regular public reporting of data collected by the technology.

Beyond these specific recommendations it has been longstanding NSWCCL policy that the Australian Government should legislate for a Bill of Rights and a statutory cause of action for serious invasion of privacy.

Nicholas Cowdery AO QC

President NSW Council for Civil Liberties  

------------------

Contacts

Michelle Falstein Secretary NSWCCL: [email protected]

Dr Lesley Lynch: [email protected]

Today the High Court unanimously found the AFP warrant to enter  journalist Annika Smethurst’s home in search of information relating to the publication of classified information, was invalid on a technical ground:

“that it misstated the substance of s 79(3) of the Crimes Act, as it stood on 29 April 2018, and failed to state the offence to which the warrant related with sufficient precision. The entry, search and seizure which occurred on 4 June 2019 were therefore unlawful”

Costs were also awarded to the plaintiffs.  

NSWCCL welcomes this limited victory for Annika Smethurst today - but we remain deeply concerned that freedom of the press and effective investigative journalism continues to be under serious threat in Australia.  This decision does nothing to alleviate those concerns.

The unprecedented raids on both Smethurst and the ABC offices occurred in the context of widespread community concern about the proliferation of draconian secrecy laws and the impact of these laws on the free press and investigative journalism in Australia - especially in relation to reporting on national security matters. 

The motive for the raids was clearly to warn off journalists and whistle-blowers.   The publications posed no threat to national security and the revelation of the information was in the public interest.

The High Court finding that the warrant lacked ‘sufficient precision’ identifies an apparent lack of competence in the AFP’s drafting, but has no wider implications for any protections for investigative journalism or freedom of the press in Australia.

The AFP -with the agreement of the Minister – is still able to press charges against Annika Smethurst.

Divided HC views on return of the unlawfully seized information

Surprisingly - even though the “entry, search and seizure” were declared unlawful – a majority of the High Court Justices refused the plaintiff’s application for the return of the information copied from the journalist’s mobile phone onto a USB stick. 

This was a particularly disappointing majority (4-3) decision.

A key agenda for the raids was the identification of the journalist’s sources which this information is likely to enable.

Whistle-blowers underpin much investigative journalism. If journalists are no longer able to guarantee their informant’s anonymity, investigative journalism and an effective free press will be greatly weakened.

The minority views of the three dissenting Justices (Gageler, Gordon and Edelman) on this issue provide a more positive perspective.

Justice Gordon was of the view that:

165 The law would take a seriously wrong turn if this Court held that it could not grant an injunction to restore a plaintiff, so far as possible, to the position they would have been in had power not been exceeded without the plaintiff demonstrating that, in addition to the excess of power, a private right is also breached by retaining what was seized. To require demonstration of some further or additional private law wrong as the only basis on which injunction may go treats the excess of power as irrelevant and ignores the constitutional purpose of s 75(v) of the Constitution.

Justice Gageler took a similar position:

117…I do not share their Honours' doubts as to the existence of a juridical basis for the final mandatory injunction which Ms Smethurst seeks, requiring the AFP to deliver up the USB drive on which the copied data is stored to enable that data to be deleted. And I disagree with their Honours' view that such an injunction should be refused in the exercise of discretion.

122 For so long as the information remains in the hands of the AFP, the direct effects of the infringement of her rights to possession of her home and of her mobile phone are serious and ongoing. There being no suggestion that the value of the information embedded in the data to her is wholly commercial, money alone cannot restore her to the position she would have been in had the trespasses not been committed. 

All three Justices ordered the return of the USB drive to Annika so the data could be deleted. Gordon and Edelman also required the AFP to delete any copies. Gageler was silent on this but flagged the obvious fact that nothing stopped the AFP from seeking a new and valid warrant for the information.

Legal and constitutional implications

The one application by the plaintiffs which may have had significant legal and constitutional implications was that:

the warrant was invalid on the ground that s 79(3) of the Crimes Act, as it stood on 29 April 2018, infringed the implied freedom of political communication.

This matter was not addressed by the High Court as it was not necessary given their decision that the warrant was invalid on technical reasons.

Therefore the huge issue relating to the encroachment of draconian secrecy laws on the freedom of the media in Australia will have to wait the outcomes of the pending report of the Parliamentary Joint Committee on Intelligence and Security on this broad issue.

This now very overdue PJCIS report will be very significant and carries a weight of expectation that it is not likely to be able to meet given the constraints of its terms of reference.  

In our view, the only effective remedy for the current immense constraint on the media’s capacity to deliver quality investigative journalism and to provide the reporting the community needs to hold governments accountable is a major rollback of Australia’s excessive secrecy laws and a strong human rights charter which includes an effective right of the media to freedom of expression.

NSWCCL Public statement 

Smethurst v Commissioner of Police 

April 1, 2020

PUBLIC STATEMENT

Mobile device tracking of COVID-19 infected persons

Prime Minister Scott Morrison has confirmed that the Commonwealth government is progressing with Singapore-style digital options for contact tracing: the identification, contacting and monitoring of those who may be infected with COVID-19, and their contacts.[1] In addition, the Australian government has now launched a Coronavirus Australia app and WhatsApp group, to provide Australians with information, and advice, about the pandemic. The Coronavirus Australia app permits the voluntary registration of a person’s self-isolation but does not, currently, provide for contact tracing.[2] At present, in Australia, contact tracing is conducted manually and directly with the affected person.[3]

NSWCCL supports the appropriate and generalised use of aggregated, anonymised map data for tracking people’s movements; to assist health services and determine where to target critical medical resources. Contact tracing is essential. However, any collection or use of a person’s sensitive personal data for digital contact tracing must come with the imposition of strict limitations.

The move to monitor citizens’ movements may set a dangerous precedent. Contact tracing and the wider application of mobile device tracking would enable the Australian government to assemble a person’s location history into a single, searchable database. Mobile device tracking, in Australia, could involve tracking infected persons to ensure compliance with self-quarantine, as in Israel (see below). South Korean authorities publicly share details of the age, gender and location of persons infected with COVID-19, by mobile phone alert and on the government’s health website.[4] Often that information is sufficient to identify the infected person.

NSWCCL calls for complete transparency from the Australian government of its development and use of any mobile device tracking technology in this emergency.

NSWCCL provided a submission to the Australian Treasury on the Census and Statistics Amendment (Statistical Information) Regulations 2019 (Regs) amending the Census and Statistics Regulation 2016. This amendment makes significant and concerning changes to the regulation which we oppose on privacy grounds.

Whilst NSWCCL supports the updating of the statistical information topics for inclusion in the census we oppose mandatory collection of sensitive health information and its storage for 4 years by the Australian Bureau of Statistics (ABS).

The amendment proposes the insertion of a new topic relating to health conditions diagnosed by a doctor or a nurse which must be answered by all respondents.  The rationale is that this information will assist health service planning and delivery.

We oppose this proposal is given the retention of that information by the ABS.

In 2016 the Australian government reinstated a plan to retain names and addresses from the census, a move which leaves open the opportunity for a future government to access sensitive personal information. NSWCCL appreciates the need for longitudinal studies but considers these can be conducted on a sample basis.  We continue to support the prior approach to the census which collected important census information but which was disassociated from the individual identification data.  

As a minimum we recommend the ABS conduct an adequate, independent, publicly available, Privacy Impact Statement (PIA).

We also registered our objection to the timing of the consultation period which ended on 10^th January to the Xmas/NY holiday period.  This does not suggest a serious desire to generate community input to the review process.

NSWCCL submission