20th April 2020
CONCERNS RE PRIVACY AND DIGITAL COVID-19 CONTACT TRACING
Prime Minister Scott Morrison has confirmed that the Australian government is progressing with Singapore-style digital options for contact tracing. The proposed app tracks, via Bluetooth technology, the previous close contacts of an individual who subsequently proves to be COVID-19 positive. This applies to any contact (also with the app) who had spent 15 minutes or more in close proximity with the infected person.
NSWCCL is concerned with the potential of the app to compromise data protection, increasing illegal and inappropriate use of data and facilitating surveillance and stigmatisation of Australians. Any collection or use of a person’s sensitive personal data for digital contact tracing must come with the imposition of strict limitations.
Despite assurances that the proposed app is opt-in and therefore voluntary, NSWCCL has grave concerns over the safety and privacy of information gathered, stored and shared, along with the potential for abuse of that information. Widespread uptake of any contact tracing app and effective contact tracing will be dependent on whether the Australian people trust the government to take their privacy concerns seriously. It is possible that, as with the My Health Record, the app is transitioned to opt-out, or worse, becomes mandatory because of insufficient uptake. Equally concerning is the possibility that individuals could be excluded by their workplaces or schools if not using the app.
The Minister has said that if an individual registers COVID-19 positive status, that information is sent to a national health storage and then sent to State governments to notify the individual’s contacts. Cyber-attacks and accidental and illegal data breaches have occurred, and will continue to occur, on Australian government databases. It is therefore desirable that mobile device contact tracing be decentralised, with contacts registered in encrypted form on the local mobile device, and not identifiable to others or the government. Such measures reduce the fallout should a data breach occur.
In convincing the community that restrictions can be eased with faster contact tracing, the government should be reminded that privacy and health are not tradeoffs, one for the other. Both are possible with well-designed technology.
NSWCCL recommends that the Australian government consider the use of alternative, more privacy-friendly digital contact tracing options which are currently under development. These options are rapidly becoming available. The Apple/Google collaboration is an opt-in contact tracing approach which generates transitory arbitrary IDs that are processed locally on the device and not uploaded onto a central server. Bluetooth anonymous identifier beacons notify persons who have been in contact with a COVID-19 subject. MIT and the EU are developing similar apps. The EU DP-PPT model uses a backend server to push information through to notify the contact of a risk of infection, and provides for purpose-limiting dismantling of the app at the end of the emergency.
NSWCCL recommends that the Australian government, at least, adopts the following privacy protections in the implementation of the proposed digital COVID-19 app:
- Consideration of reasonable digital alternatives to the proposed model of digital contact tracing,
- Transparency and accountability, providing information about the development and use of any mobile device tracking technology and how rights of the individual will be affected and protected,
- The technology must be opt-in after the provision of accurate and complete information about the extent of its use, with the requirement to renew consent periodically,
- The ability to opt out or terminate participation at any time, accompanied by built-in destruction of personal data,
- The use of best practice privacy and security measures, including:
  - strict and express data retention and destruction policy, linked to a short period of application;
  - limits on the type of data collected and how it can be accessed;
  - anonymisation of data;
  - strict limits on data sharing, in particular no sharing of information between government agencies except for public health purposes,
- Decentralisation of anonymised data on users’ mobile devices,
- Strict limitation in relation to the purpose and objects, for which users have expressly consented. Personal data should not be retained for any new purpose,
- A clear, short period of application (the sunset period for Israel’s contact tracing app is 30 days),
- An easily accessible complaints system and independent judicial oversight, to address any grievances,
- No ability to subpoena data through court proceedings, and
- An independent oversight role for the Office of the Australian Information Commissioner (or other government office) and the new Senate COVID Committee, with regular public reporting of data collected by the technology.
Beyond these specific recommendations it has been longstanding NSWCCL policy that the Australian Government should legislate for a Bill of Rights and a statutory cause of action for serious invasion of privacy.
Nicholas Cowdery AO QC
President NSW Council for Civil Liberties
Michelle Falstein, Secretary, NSWCCL