OAIC publishes first COVIDSafe report

By Dylan Bushell-Embling
Wednesday, 25 November, 2020

The Office of the Australian Information Commissioner (OAIC) has published its first six-month report into the privacy protections for the COVIDSafe app.

The half-year report, covering the period from 16 May to 15 November, found that the office commenced four assessments into the integrity of the app during the period.

The first of these relates to access controls applied to the National COVIDSafe Data Store by its data administrator the Digital Transformation Agency. The second relates to access controls applied to the use of COVID app data by state and territory health authorities.

Meanwhile, the OAIC is also probing the functionality of COVIDSafe against specified privacy protections set out under the COVIDSafe privacy policy, as well as the DTA as the data administrator’s compliance with data handling, retention and deletion requirements under the Privacy Act.

The report also found that the agency received 11 enquiries seeking information or expressing general concern about COVIDSafe over the period, with the majority received in July. But no formal complaints were filed, and there was no reason to commence any privacy investigations.

The agency was also not notified of any data breaches related to the app, and did not seek to exercise its power to share information with state or territory privacy authorities.

Australian Information Commissioner and Privacy Commissioner Angelene Falk said oversight of the operation of the privacy aspects of COVIDSafe is a key priority for the OAIC.

“The privacy protections that accompany COVIDSafe are important outcomes for privacy in Australia,” she said.

“My office will continue to work to ensure that the protections are being applied so that Australians can be confident in the protection of their personal information within the COVIDSafe system.”

In June, the DTA released guidance aimed at helping entities understand their privacy obligations related to COVIDSafe and COVID app data. According to this guidance, it is a criminal offence for any individual, organisation or government agency to require any individual to download or use the app.

It is also an offence for individuals or organisations to require an individual to upload their data to the National COVIDSafe Data Store without their consent.

COVID app data must also be stored on a database in Australia, and can only be collected, used or disclosed to conduct contact tracing by an individual authorised to manage the tracing process.

Image credit: ©stock.adobe.com/au/chamsitr