What can we learn about privacy practices from the COVIDSafe – The Australian Government’s coronavirus tracing app? 

It seems like everyone is talking about COVIDSafe, the Australian Government app that has been launched to help with coronavirus contact tracing and allow the easing of restrictions.  It’s not often that privacy practices enter public debate but when they do it is normally headline news (remember the telecommunications data retention issue, Cambridge Analytica and back in 2016, the Australian Bureau of Statistics online census).  The Prime Minister has declared a state of emergency affecting Australian citizens and permanent residents meaning that special provisions of the Privacy Act now apply.

The ongoing debate about the use of personal data in COVIDSafe is a great opportunity to learn from the government’s current experience.

It’s about what we expect as a society

A reasonable expectation is that our personal details remain private, shared only with those we nominate. And yet, even though our health information is one of the most sensitive types of personal information, it is now clear that use of our personal data will be critical to addressing the covid-19 public health crisis.

Australia has responded with in excess of 2m downloads of the COVIDSafe app within the first 36 hours of release. One of the key issues going forward for the Australian Government will be to ensure that the trust that individuals have placed in them is not breached.

Don’t forget you can use a pseudonym – there is no requirement to provide your full name.

Transparency in decision-making

A privacy impact assessment (PIA) is a tool used to help ensure personal information is collected, managed and used in ways that are necessary, reasonable and proportionate. It helps to identify risks early and instigate alternative actions to overcome or mitigate against them. It is good privacy practice. The Government’s willingness to share the PIA completed for COVIDSafe indicates a level of transparency in the decision-making process, as does the intention to share the source code of the app.

No action is ever completely risk-free; but the PIA demonstrates a willingness to acknowledge and address risks. Loss of control over personal information once it is passed onto the states has been identified as an area for further investigation. Also, how the data will be governed during and after the pandemic is not clear. We will be watching these issues closely to ensure that the Government follows through.

It is also heartening to hear that the Australian Government has committed to legislating that the app is for a single use, only during the pandemic. This will remove much of the risk that data will be re-used for other purposes after the pandemic has passed.

You are better to do something, than do nothing

The government acted swiftly to develop the app and must be commended for its “fail fast” approach to development. The app was never going to be perfect and will never be. It was also heartening to see that the app wasn’t built from scratch – instead, it was based on code developed for Singapore’s TraceTogether software and the lessons learned from Singapore.

So, what can we learn from this?

  1. Be transparent about what you are collecting, why, and how it will be used. A single use is always easier to explain. Good privacy practice is to only collect what you need, and only keep it for the minimum amount of time.
  2. Don’t re-invent the wheel. Leverage lessons learned from others; generally, we are more the same than we are different.
  3. It’s best to work within an existing authorising framework wherever possible. As we can see, it’s going to take longer to amend legislation than it took to build and release the app.

And don’t forget – it’s on us to delete the app once the pandemic is over!