Statement: NSW Auditor General's Report on privacy, Service NSW

On 18 December 2020, the Auditor-General for New South Wales, Margaret Crawford, released a report criticising the effectiveness of Service NSW’s handling of customers’ personal information to ensure privacy. NSWCCL has long held concerns over the manner of the use, collection, and storage of personal information of NSW citizens by the NSW government. The damning report highlights the lack of understanding and commitment to proper privacy practices in the NSW public service.

The report states that “Service NSW is not effectively handling personal customer and business information to ensure its privacy. It continues to use business processes that pose a risk to the privacy of personal information. These include routinely emailing personal customer information to client agencies, which is one of the processes that contributed to the March 2020 data breach. Previously identified risks and recommended solutions had not been implemented on a timely basis.”[1]

The Auditor-General made eight recommendations aimed at ensuring improved processes, technologies, and governance arrangements for how Service NSW handles customers’ personal information. These included, as a matter of urgency, that Service NSW should, in consultation with relevant NSW government departments and agencies, and the Department of Customer Service, implement a solution for a secure method of transferring personal information between Service NSW and those agencies.

The 2019–20 bushfire emergency and COVID-19 pandemic restrictions have dramatically increased Service NSW processes. Additionally, as of 1 January 2021, s. 36(3)(a1) of the Public Health (COVID-19 Restrictions on Gathering and Movement) Order (No 7) requires people who enter a hospitality venue or hairdressing salon to register their contact details electronically with Service NSW (known as the COVID-19 Safe Check-in tool and generally using QR codes). Those details are kept for a period of 28 days and, if requested, will be provided to the Chief Health Officer for contact tracing purposes.

Several issues arise from the report’s findings and the use of personal information for the COVID-19 Safe Check-in tool:

1) There was outcry over the privacy implications of the Federal COVIDSafe App and, as a consequence, specific legislation was introduced around its use. There has been no accompanying legislation surrounding the COVID-19 Safe Check-in tool via the Service NSW app. The privacy collection statement for the check-in tool is to be read in conjunction with the Service NSW privacy policy. The former, which is largely prescriptive of the operation of the collection rather than privacy policy, assures that the information is for contact tracing purposes. The latter states that your personal information “may also be used in an emergency situation to help prevent a serious and imminent threat to life or health, or for law enforcement purposes, or where we are authorised or required to do so by law”.

We have already seen that the Singapore TraceTogether App, on which the COVIDSafe App was based, can be accessed by police in the course of a criminal investigation.[2]

NSWCCL strongly opposes the use of information gathered for health purposes being used for law enforcement or any other additional purpose.

Apart from the obvious areas of misuse of personal data and “Big Brother” implications, there is a strong possibility that, if they are aware that police can use the data, many citizens, whether innocent or criminal, will choose to enter false and misleading data.

The NSW government should be assuring NSW citizens that information gathered will be used only for its primary purpose. Ideally, the management of the COVID-19 Safe check-in tool needs to be enacted in primary legislation, not just in an Order.

2) When the QR code is scanned at a venue, Service NSW will collect your name, contact details, time and date of entry and, crucially, your location. Collection of this information is mandatory to gain entry.

Opting out of digital interactions is not a realistic option for most people. Balancing interests therefore amounts to having to agree to terms of access or risk suffering economic disadvantage, discrimination, or social exclusion. Community sentiment suggests that location data should be considered highly sensitive.

A breach of this information means that an individual could be tracked, profiled, targeted, or otherwise impacted upon. NSWCCL believes that is a privacy harm which requires greater protection.

3) Service NSW is a custodian of our data and any disclosure of our personal information to third parties and agencies should only occur in very limited circumstances. The Auditor General has identified that Service NSW has been deficient in its agreements with client agencies as well as its policies and processes for managing privacy risk.

There is therefore little reason to trust that Service NSW will protect our personal sensitive information. Service NSW must adopt the recommendations of the Auditor General immediately. 

[1] The March data breach refers to two external threats targeting the email accounts of 47 staff members, resulting in the breach of a large amount of personal customer information held in those email accounts. See Report; “client agencies” is a reference to NSW Government agencies that delegate to and enter into agreements with the Chief Executive Officer of Service NSW in order for Service NSW to undertake service functions for the agency.

[2] Han, K (11 Jan 2021) “Broken promises: How Singapore lost trust on contact tracing privacy”, MIT Technology Review.