In its defence against the spread of COVID-19, the Australian Government has developed the COVIDSafe app. The COVIDSafe app is intended to provide health agencies and professionals with the ability to rapidly contact trace. Adoption by Australians of the COVIDSafe app is seen by health experts as a crucial step before there can be further loosening of current lockdown measures and in terms of providing longer term resilience to the virus.
The Biosecurity Determination is a temporary legal framework governing the COVIDSafe app and the data collected. Having reviewed this Determination and related information provided by the Government, we set out below answers to some common questions about the COVIDSafe app.
What is contact tracing?
Contact tracing is a method that has been used to protect public health and safety for decades. It is a method that has been used historically to find people who have been in contact with those who have confirmed cases of diseases such as tuberculosis, meningococcal diseases and sexually transmitted infections such as HIV.
Contact tracing is seen as a way of slowing the spread of COVID-19 through identifying those who have been in contact with a person who has tested positive for the virus. It allows health professionals to appropriately advise those contacts in order to reduce community transmission of COVID-19 (for example, through encouraging testing).
Why was COVIDSafe developed?
The COVIDSafe app digitises the manual process that is already followed when an individual tests positive to COVID-19. However, the existing manual process relies heavily on a person’s memory to recall with whom they have been in contact. This can be unreliable and ineffective in general, and in particular for those who are or may have been asymptomatic before being tested. The COVIDSafe app leverages technology to facilitate faster and more accurate contact tracing.
How does COVIDSafe work?
Once the COVIDSafe app is downloaded, and a user has successfully registered, the COVIDSafe app will use Bluetooth technology to seek out the signal of other devices that have the COVIDSafe app installed. It takes note when this occurs (creating a Digital Handshake) and stores this data in an encrypted format on the mobile device.
What data is collected?
After downloading the COVIDSafe app, the user will be asked to insert the following:
- name – to confirm user identification when contact tracing is being performed
- age – so contact tracing can be prioritised
- postcode – to allocate the user to the correct State or Territory authority and to identify hotspot areas
- mobile number – so that the user can be contacted for contact tracing purposes
The Digital Handshake will record the following data points:
- that there was contact between two users
- the contact’s unique ID
- the Bluetooth signal strength during the Digital Handshake
- the date and time of the Digital Handshake.
The Government has confirmed location data will not be recorded and retained either as part of the Digital Handshake or by the COVIDSafe app more generally. However, it has been conceded that location could be inferred from the specific data elements that will be collected.
How will the data be used?
If a user tests positive for COVID-19, and they provide consent, all Digital Handshakes stored on their mobile device will be uploaded to the National COVIDSafe Data Store (Data Store). The relevant State and Territory authority will then be able to access that user’s data, identify which Digital Handshakes represent an exposure risk (being contacts within 1.5 metres for 15 minutes or more) and continue with the current contact tracing process.
The Government has publicly stated that its intention is that COVIDSafe app data will not be used for law enforcement purposes. This is reflected in the Determination, which generally prohibits the use of COVIDSafe app data except for contact tracing purposes, for de-identified statistical purposes or for investigating whether there has been a breach of the Determination.
How and where will the data be stored?
Digital Handshakes from a user who has tested positive to COVID-19 will be uploaded to the Data Store in an encrypted format. The Federal Department of Health will be responsible for controlling access and ensuring it is available only to those undertaking contact tracing in each State and Territory. The Determination requires that COVIDSafe app data must not be stored or disclosed outside of Australia.
When will the data be deleted?
Each Digital Handshake will be automatically deleted from a user’s mobile device 21 days after it was created.
If a user uninstalls the COVIDSafe app from their mobile device, all Digital Handshakes stored on that device will be permanently deleted. However, any Digital Handshakes which are stored on another user’s device will not be deleted, i.e. they will remain on that device for the 21-day period. Further, any Digital Handshakes that have already been uploaded to the Data Store will not be deleted.
At the end of the Australian COVID-19 pandemic, users will be prompted to delete the COVIDSafe app from their mobile device which will delete all COVIDSafe app data. The Government must also cause the data contained in the Data Store to be destroyed at the end of the pandemic.
Can I make someone use COVIDSafe?
The Determination provides that nobody can coerce another person to use the COVIDSafe app or take adverse action on the grounds that the other person has not downloaded the COVIDSafe app. This means, for example, landlords or employers should not discriminate or disadvantage tenants or employees who do not use the COVIDSafe app.
Have there been any teething issues?
It has been reported that the use of Bluetooth technology for the Digital Handshakes has caused some early issues. Diabetes Australia advised the Department of Health about reports from people with diabetes who have downloaded the COVIDSafe app that they experienced connection problems with their continuous glucose monitoring (CGM) apps.
While the technical details are yet to be made clear, it has also been reported that the COVIDSafe app may not work effectively if an iPhone is in low power mode. Low power mode on an iPhone reduces the default background app refresh and may impact the ability of the COVIDSafe app to create Digital Handshakes. It is also understood the COVIDSafe app works best when the iPhone is unlocked and the app is open on the screen. This means, for example, when the COVIDSafe app is running in the background and in a user’s pocket there may be some issues with creating Digital Handshakes.
The Determination governing the use of COVIDSafe app data was issued on 25 April 2020. It is issued under Ministerial powers and can be amended or repealed at any time. The Determination is a legislative instrument that takes precedence over State and Territory law to the extent there is any inconsistency. The Determination is a temporary legal framework and legislation governing the COVIDSafe app is expected to be introduced in May.
One issue expected to be formalised in the legislation is how personal information contained in the COVIDSafe app data can be used by State and Territory authorities. Currently contact tracers in different States and Territories are subject to different privacy regimes. It is expected that all users will be afforded the same protections across all jurisdictions.
Useful information sources:
The following information sources were used to provide the summary:
- Biosecurity Determination
- Coronavirus Contact App FAQs
- Department of Health Privacy Impact Assessment
© Herbert Smith Freehills 2020