After your successful engagement to develop privacy and personal data protection strategies for DAS, you have been engaged by the Department of Health (DoH) to advise on the development of privacy and data protection for CovidSafe users. DoH expect up to 16 million Australian mobile users to download and use this app. DoH have announced that they will be using a major U.S. based public cloud provider to host the CovidSafe data, but claim that the data will always be under Australian Government control.
You are to provide a report to DoH that:
Researchers around the world are rushing to create vaccines and medicines that can stop the COVID-19 pandemic or at least halt its spread. In the midst of these efforts, there has been plenty of evidence that technology has a useful role to play in mitigating the crisis and making a valuable contribution in this global battle.
The use of mobile devices as part of this effort has raised several important questions around privacy and security. First, it’s important to clarify what types of mobile data and application usage we are talking about. They fall into three main categories: 1) understanding general population movement, 2) potential proximity to COVID-19 positive individuals and advice on measures for self-quarantine, and 3) the collection of information from patients for statistical analysis.
1. Mobile tracking to understand population movement and the impact of lockdown:
Mobile carriers in Germany, Italy and France have started to share mobile location data with health officials in the form of aggregated, anonymised information. This falls in line with the law and local regulations. Because European Union member countries have very specific rules about how app and device users must consent to the use of personal data, developers must consider other forms of useful data unless they get individual consent from users. The aggregated and anonymised approach relates to groups within a population and not to individuals, but it gives a clear view of population displacement trends and therefore of the risk level of each area.
2. Determining potential proximity to COVID-19 positive individuals:
This approach is being explored in countries such as Germany and France. The objective is to limit the spread of the virus by 1) identifying people who have potentially come into contact with an individual who has tested positive, and 2) advising those people to self-quarantine, if proximity was determined. In Germany, the government is relying on the rules defined by the Pan-European Privacy-Preserving Proximity Tracing (PEPP-PT) project. France is exploring this subject with INRIA under the ROBERT (ROBust and privacy-presERving proximity Tracing) protocol project.
3. Collection of users’ information for statistical analysis:
This approach has been used by the UK government through the application ‘C-19 Covid Symptom Tracker’, which was developed by the startup ZOE in association with King’s College London.
The data needed to meet all three objectives is then stored by mobile providers in a variety of places that must be secured, both to protect the app users’ privacy and to prevent manipulation or spoiling of the data by a third party. And given that data is sourced from different places on the device, such as GPS, Bluetooth and other apps, different security arrangements may need to be considered per source.
a. Possible security controls that would prevent the loss or breach of user data, while still enabling effective tracking for COVID-19, and the reasons these controls will be effective:
Properly secure the collected data:
App providers need to ensure an appropriate level of security, possibly through the use of encryption, to avoid any data leaks and any data manipulation by non-trusted third parties. Providers should also be transparent about their choices regarding the technology implementation of their applications and how secure it is. A state-of-the-art implementation guide should be followed, as well as the compliance rules already put in place by international organizations and governments.
Prepare to facilitate data protection rights, including deletion rights:
Depending on the jurisdiction, end users may have the right to request access to personal data that has been collected and to delete the data. App developers must think through how they will receive, validate and action these requests. App developers are advised to work with their legal counterparts to understand evolving guidance from regulators.
Achieving a balance between swiftly releasing a new app to maximise its impact in helping halt the virus’ spread, whilst ensuring there is a stringent and tested security/privacy strategy in place, is a challenge. However, if the steps discussed above are followed, users will have one less issue to worry about during what is already a difficult period for many.
b. Possible privacy controls to protect user privacy, particularly of data, location and activity, while still enabling effective tracking of COVID-19, and the reasons these controls will be effective:
Key Principles of Responsible COVID-19 Location Data Apps:
Collection of consent for tracking data on an individual level:
Today, most apps are voluntarily downloaded and activated by users. The challenge is that these applications often need to be used by a certain percentage of the population to truly be of value in the fight against the virus. This can tempt developers not to disclose the true purpose of an app. A recent survey in Europe showed that around 80 percent of the population in France, Italy and Germany was willing to adopt a tracking application during the COVID-19 pandemic. However, if the app hides a type of data collection and sharing, then the consent given by an individual cannot be valid.
App developers should outline under what conditions data collected by the app may be shared or sold to third parties. Third party sharing limited to public health bodies, as an example, may be more palatable to the end user than a sale of data to an unrelated third party.
Time restrictions:
App developers should build in the ability to discontinue the app’s data collection if national health authorities determine that the data it collects is no longer needed to address the pandemic. Data retention and storage should also be guided by decisions flowing down from national health authorities.
Use the right technology:
Understanding the technology that users and providers are relying on to exchange information is the key to successful adoption. Providers and policy makers will need to define the specific rules for each technology and its associated use.
Several technologies might support these uses around the world, among them:
c. Possible controls to ensure that the CovidSafe data remains under Australian data sovereignty and control, and the reasons these controls will be effective:
The COVIDSafe app is part of our work to slow the spread of COVID-19. COVIDSafe supports the current manual process of finding people who have been in close contact with someone with COVID-19.
The COVIDSafe app is completely voluntary. Downloading the app is something you can do to protect you, your family and friends and save the lives of other Australians. The more Australians connect to the COVIDSafe app, the quicker we can find the virus and prevent the spread.
What COVIDSafe is for:
The COVIDSafe app helps state and territory health officials to quickly identify and contact people who may have been exposed to COVID-19 (called ‘close contacts’).
Without the help of technology, finding close contacts relies on people:
When an app user tests positive for COVID-19:
If you test positive for COVID-19, a state or territory health official will ask you to consent to upload your digital handshake information to the National COVIDSafe Data Store. If a child tests positive, the health official will ask the child’s parent, guardian or carer for consent.
After the pandemic:
When the Minister for Health declares the COVID-19 pandemic over, users will be prompted to delete the app from their phone. This will delete all app information on a person’s phone. The information contained in the National COVIDSafe Data Store will also be destroyed at the end of the pandemic.
Deleting the COVIDSafe app:
You can delete the COVIDSafe app from your phone at any time. This will delete all COVIDSafe app information from your phone. The information in the National COVIDSafe Data Store will not be deleted immediately. It will be destroyed at the end of the pandemic.
Privacy:
Your information and privacy are strictly protected. Downloading and using COVIDSafe is voluntary. The app has a range of privacy and security safeguards built in. It uses secure encryption and does not collect data on your location.
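As an added illustration (not code from this page, from DoH, or from the COVIDSafe app itself), the following Python sketch makes concrete the controls section a. asks for and the properties the COVIDSafe description above claims: "digital handshake" identifiers that are pseudonymous and rotate, an encounter log that holds no location data, purging after a retention window, upload to the data store only with the user's consent, and an integrity tag so a manipulated payload is rejected on the server side. The rotation interval, retention period, record fields and the shared upload key are assumptions made for the illustration; the real app's protocol and parameters are not described on this page.

```python
"""Constructed example of a privacy-preserving proximity log (not COVIDSafe's protocol)."""
from __future__ import annotations

import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Assumed policy values for the illustration; the page states no specific numbers.
ROTATION_SECONDS = 15 * 60           # a phone changes its pseudonym every 15 minutes
RETENTION_SECONDS = 21 * 24 * 3600   # encounters older than 21 days are purged locally


def temp_id(device_secret: bytes, now: int) -> str:
    """Pseudonym broadcast over Bluetooth for the current rotation epoch.

    Derived with HMAC from a per-device secret, so nearby phones see a value that
    changes every epoch and cannot be tied to a phone number, account or location.
    """
    epoch = now // ROTATION_SECONDS
    return hmac.new(device_secret, epoch.to_bytes(8, "big"), hashlib.sha256).hexdigest()[:32]


@dataclass
class EncounterLog:
    """Local store on the phone: who (pseudonym), when and how close. No GPS."""
    entries: list = field(default_factory=list)

    def record(self, other_temp_id: str, now: int, rssi: int) -> None:
        self.entries.append({"tid": other_temp_id, "ts": now, "rssi": rssi})

    def purge(self, now: int) -> int:
        """Drop entries past the retention window; returns how many were removed."""
        before = len(self.entries)
        self.entries = [e for e in self.entries if now - e["ts"] <= RETENTION_SECONDS]
        return before - len(self.entries)

    def wipe(self) -> None:
        """Deleting the app should leave nothing behind on the device."""
        self.entries.clear()


def build_upload(log: EncounterLog, consent_given: bool, upload_key: bytes) -> Optional[bytes]:
    """Serialise the log for the health authority, but only with the user's consent.

    upload_key is assumed to be provisioned to both the app and the data store; the
    HMAC tag lets the server detect any payload altered in transit or at rest.
    """
    if not consent_given:
        return None
    body = json.dumps(log.entries, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(upload_key, body, hashlib.sha256).digest()
    return tag + body


def verify_upload(blob: bytes, upload_key: bytes) -> Optional[list]:
    """Data-store side: accept the encounter list only if the tag is intact."""
    tag, body = blob[:32], blob[32:]
    expected = hmac.new(upload_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(body)


def demo(now: int = 1_600_000_000) -> dict:
    """Walk through the whole flow with constructed data and return what happened."""
    alice_secret, bob_secret = secrets.token_bytes(32), secrets.token_bytes(32)
    upload_key = secrets.token_bytes(32)  # assumed shared between app and data store

    log = EncounterLog()
    stale = now - RETENTION_SECONDS - 1
    log.record(temp_id(bob_secret, stale), stale, -70)   # old encounter, should expire
    log.record(temp_id(bob_secret, now), now, -65)       # recent encounter, should be kept
    purged = log.purge(now)
    fields_stored = sorted(log.entries[0])

    refused = build_upload(log, consent_given=False, upload_key=upload_key)
    blob = build_upload(log, consent_given=True, upload_key=upload_key)
    tampered = blob[:-1] + bytes([blob[-1] ^ 0x01])      # flip one bit of the payload
    accepted = verify_upload(blob, upload_key)
    log.wipe()                                            # user deletes the app

    return {
        "rotates_between_epochs": temp_id(alice_secret, now) != temp_id(alice_secret, now + ROTATION_SECONDS),
        "stable_within_epoch": temp_id(alice_secret, now) == temp_id(alice_secret, now + 60),
        "purged": purged,
        "fields_stored": fields_stored,
        "upload_without_consent": refused,
        "accepted_entries": len(accepted),
        "tampered_accepted": verify_upload(tampered, upload_key) is not None,
        "left_on_device": len(log.entries),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The HMAC tag only addresses manipulation of the uploaded data; confidentiality of the stored log (the "encryption" the text refers to) would additionally need authenticated encryption such as AES-GCM, which this sketch omits to stay dependency-free. The per-device secrets and upload key are generated at random on each run, so the pseudonyms differ every time, but the properties checked by demo() hold regardless.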