The COVIDSafe App – What we know and questions that remain unanswered
Published on April 27, 2020 by Patricia Monemvasitis
On 26 April 2020, the Federal Government released a voluntary App for Android and iPhone – COVIDSafe – to assist in contact tracing COVID-19 in the community. This Guide asks some of the common questions about the App and covers some of the things that you need to know when considering whether to voluntarily download it.
What is the purpose of the COVIDSafe App?
The Government says COVIDSafe will facilitate contact tracing with the aim of further supressing the spread of COVID-19 in Australia, particularly once the current social distancing restrictions are relaxed and/or lifted.
How does the App work?
The App uses Bluetooth to communicate between your mobile phone and the mobile phones of those you come into contact with who have also uploaded the COVIDSafe App.
The Commonwealth Government’s resource and information page states:
“When the app recognises another user, it notes the date, time, distance and duration of the contact and the other user’s reference code. The COVIDSafe app does not collect your location.”
When someone has tested positive for Covid-19 and agrees to their information being uploaded to the National Data Store, then those who have downloaded the App will be notified immediately by their local State Health department by text or telephone that he/she has come into contact with someone who has tested positive for COVID-19 and be given advice. Where a third party is responsible for the App user (such as a parent or a guardian), that person will be notified that the App user has come into contact with a confirmed COVID-19 contact and given advice.
The Federal Government needs at least 40% of the population to download the App for it to operate effectively.
What data will the App collect and how?
The data COVIDSafe collects consists of:
- Your name
- Your mobile number
- Your age range
- Your postcode
Each user will be provided an encrypted registration number, however, users will not be given this number.
What has been the reaction to the COVIDSafe App?
Reaction has been varied with some prominent Australians such as Barnaby Joyce and organisations and other individuals citing privacy concerns. There has been extensive commentary from cyber security experts, the Law Council of Australia and privacy law experts.
You can view and/or read some of the responses to the COVIDSafe App here:
MPs refuse to download official COVID-19 app and demand privacy guarantees – Sydney Morning Herald
Shannon Sedgwick on 7 News Australia The Latest 20/4/20
Law Council Australia
What are the specific privacy concerns?
The main concerns raised are:
- Firstly, that the data collected by the App is protected under the current Australian Privacy Law, including that the data remains stored within Australia;
- Secondly, that the data must be used only for contract tracing by state health agencies and for no other purpose; and,
- Thirdly, it must be clear when the data will be deleted, it cannot remain with the government for longer than it is needed.
What steps have now been taken by the Government to address these concerns?
On 25 April 2020, pursuant to his powers under Section 477 (1) of the Biosecurity Act 2015 (Cth), the Federal Minister for Health, Mr Greg Hunt, made the Biosecurity (Human Biosecurity Emergency) (Human Coronavirus with Pandemic Potential) (Emergency Requirements—Public Health Contact Information) Determination 2020
The stated object of the Determination is “to make contact tracing faster and more effective by encouraging public acceptance and uptake of COVIDSafe”. The Determination is therefore intended to provide the community with a set of rules which frames the collection, use, storage and destruction of data collected by the App.
The Privacy Commissioner is currently reviewing the App. In addition, the Government has agreed to the bipartisan request of the Labour party to refer the Determination to the Senate Select Committee for scrutiny ahead of the Determination being confirmed by Parliament.
The Determination addresses the following issues:
That the download and use of the App is voluntary
The Determination states that it is illegal to coerce or require an individual to download and to use the App and that the use of the App cannot be required by an employer of an individual, the occupier of a building an individual wishes to enter, the organiser of an activity an individual wishes to participate in nor a supplier or customer of an individual or their business and/or employer.
The privacy protections available under the App
The Privacy Act 1988 (Cth) applies in relation to collection of data except to the extent the Privacy Law is inconsistent with the Determination (see section 477(5) of the Biosecurity Act 2015).
The data that will be collected must be stored only in encrypted form and the name of the person with a confirmed COVID-19 diagnosis will not be given to App users.
On 26 April 2020 Greg Hunt said, “It (your data) cannot be accessed by anybody other than a state public health official. It cannot be used for any purpose other than the provision of the data for the purposes of finding people with whom you have been in close contact with and it is punishable by jail if there is a breach of that.”
What data can be collected?
The only data that will be collected will be:
- Your name
- Your mobile number
- Your age range
- Your postcode
The manner in which the collected data can be used and not used
The Determination provides that an individual’s data can be used by the State and Territory Health agencies only for:
- Contact tracing,
- Ensuring “proper functioning, integrity or security of COVIDSafe or of the National COVIDSafe Data Store”,
- Transferring encrypted information between the App users devices and between an App user’s device and the National COVIDSafe Data Store,
- Ensuring compliance with the Determination, and
- Producing de-identified statistical information.
What is Contact tracing?
The Determination states that ‘contact tracing’ is “the process of identifying persons who have been in contact with a person who has tested positive for the coronavirus known as COVID‑19, and includes”:
- Contacting the App user or persons responsible for the App user (where applicable) to notify them that they have been in contact with a person who has tested positive for Covid-19, and
- When making contact will provide the app user or responsible person with information and advice. The advice will include:
- what to look out for
- when, how and where to get tested
- what to do to protect friends and family from exposure
In contrast, China’s contact tracing application Aliplay, goes beyond merely providing advice to citizens who are found to have been in contact with someone who has tested positive for Covid-19. Namely, when Chinese citizens sign up for this application or during its use they are assigned a colour code, which indicates their health status:
- Red is allocated if they have tested positive,
- Yellow if they have come into contact with someone that tests positive, visit a hot zone or report having symptoms, and
- Green is allocated if they are given the all clear.
Dependant on the colour code assigned to a citizen, Aliplay then dictates whether the individual is or is not allowed to travel, use subways or enter other public places or whether they are required to quarantine. When a citizen is allocated the colour yellow they may be asked to stay at home for 7 days. When a citizen is allocated the colour red they are immediately requited to quarantine for 14 days. Certain Information gathered by the application including the location and the identity of the individual involved is shared with authorities.
Where the data will be stored
Data collected for up to 21 days will be stored locally on App users device and stored at the National COVIDSafe Data Store which is “the database administered by or on behalf of the Commonwealth for the purpose of contact tracing”.
How long the data may be kept and when it must be deleted
Paragraph 7(5) of the Determinations states that:
“The Commonwealth must cause COVID app data in the National COVIDSafe Data Store to be deleted after the COVID‑19 pandemic has concluded.”
Greg Hunt, in an interview given on Sky News on 26 April 2020 stated that at the point in time, which is 6 months after the making of the Determination, there would be a review of the situation.
If you delete the App prior to the end of the pandemic, the data on your phone will be deleted, however, all data at the national storage will not be deleted unless you make a specific request using the data deletion form that can be found at this website as at the date of this article:
Link to COVIDSafe App Part 2 – Legislation passed by Parliament seeks to address privacy concerns with the COVIDSafe App and what it means for you, published on 15 May by Patricia Monemvasitis and Yue Lucy Han.