The Impact on Privacy From a Digital Healthcare Initiative
COVID-19 has changed the world in dramatic ways. Contact tracing emerged as an approach to fight the pandemic’s spread and save lives. The idea is to notify people who have been in close contact with another person who tests positive for the virus. This should allow the contacted individuals to self-quarantine and take measures not to spread the virus before experiencing symptoms or otherwise learning that they are infected.
Australia, a country of about 25 million, has an App called CovidSafe, developed and owned by the federal government. By October 1, 2020, it has been downloaded by about 27% of Australians. The government target is 40%. Sign-up is voluntary. To register, a person provides name, mobile number, postcode and age range. The App must be open on a user’s smartphone with Bluetooth enabled. It does not use GPS location technology. Persons in close proximity for at least 15 minutes will be identified as App contacts and eligible for future notices in case one person learns of a positive Covid test – and if the individual consents to notifying others about this.
Results are mixed. In this podcast, Kelly Dickson, a principal lawyer of the Australian law firm of Macpherson Kelley, explains the CovidSafe App and discusses how data privacy and healthcare intertwine.
How does CovidSafe work? The app recognizes other registered users’ devices and uploads data to cloud-based central storage controlled by the federal government. Notices go to persons who had close contact when another person posts a positive test. The data is shared with others for 21 days from each contact on a rolling basis, though the Health Ministry may keep the data longer for public health purposes. Encryption and cybersecurity aim to protect the sensitive data and to convince Australians that their personal data is highly secure and shared only for the purpose of public health.
Great idea – but how’s it working? Critics say it’s not working as it was conceived. Limited participation and consent result in an undercount of those infected and so limit the impact of the effort. Having smartphone apps live constantly has resulted in a report of loss of functionality and battery drain. When phones lock, the App does not function as intended. There have been inevitable bugs and fixes for the App, which was rushed into a prompt launch.
States and territories have their own tracing methodologies (some in traditional hard copy format), with varying work and other restrictions in force. While workplaces are required to have a CovidSafe plan in place, this requires significant human intervention and is prone to haphazard error. Different states report varying degrees of take-up, support and efficacy.
Will sensitive healthcare information be misused? While a targeted federal statute covers the security of App collected and shared data, users control whether positive test information will be shared. If a person tests positive, that person may consent – or not – to share the data – and without consent, the system will not accomplish its purpose of notifying others.
There’s a CovidSafe Data Store where information is held in the cloud, leaving the possibility of hackers’ accessing both data in flight to and from the cloud and within the Store.
September 2020 polling showed a skeptical public, with 57% concerned about security and only 41% confident the government would protect the privacy of data collected. This is despite strong support from the Prime Minister and a lack of overly divisive public sentiment akin to the USA’s mask/no-mask divide. Some critics are concerned that Amazon holds the data or that it is otherwise retained or accessed outside of Australia.
Whether or not the CovidSafe App achieves its pandemic purpose, it has increased the public’s awareness of the intersection of public health, technology and privacy. People recognize the common good of limiting the spread of a killer virus. But to inspire confidence in sharing sensitive health data, the technology must work well, reassure the population about its security, and entice a large population to have the needed equipment and download the App.
The CovidSafe App is an Australian effort. Many other governments and the private sector are implementing and offering various techniques to collect and share responsibly data that can save lives and improve public health without unduly threatening individual privacy.
For an extended memorandum about the CovidSafe App and the data privacy and cybersecurity implications of contact tracing technology, see Kelly’s Tracing and Data Privacy Information Sheet.