Peak body questions rollout of COVID-19 contact tracing app despite lack of oversight and ability to report on its use
The Law Council of Australia has voiced privacy-related concerns with the new COVID-19 contact tracing app COVIDSafe, released by the government Sunday.
The app monitors users who are within 1.5 metres of each other for a minimum of 15 minutes in order to determine whether they have come into contact with someone who has tested positive for coronavirus. COVIDSafe is available for both Android and Apple devices, and has been downloaded by over a million Australians since its rollout, according to Reuters.
However, while the app has proven extremely popular, the Law Council points out a number of issues with regard to how it makes use of the data it collects from users.
Law Council President Pauline Wright said that the chief concern was that “the determination instrument underpinning the legality of the app makes no provision for oversight and reporting on its use.”
The council had called for the integration of some core design principles into COVIDSafe’s legislative framework in a statement dated 20 April. Among these principles are restrictions on the personal information to be collected from users, information security, prohibitions on utilising the data for secondary purposes and prohibitions on information disclosure even if it has been made anonymous. The use of the app should also be voluntary, the council said.
While the Law Council applauded the steps taken by the federal government to incorporate some of these principles, such as the voluntary opt-in model, it said there were still a number of ambiguous factors in the legislative framework.
“A potential legal ambiguity exists around whether other laws authorising the issuing of law enforcement and intelligence warrants could override the prohibition on access, as provided under the determination, without an express provision included in the determination stating that it prevails over all other laws,” said Wright.
She pointed out that the app does not clarify when it will be obligated to delete user data, and does not indicate what ongoing obligations would be once the COVIDSafe determination is no longer in effect. Thus, she said, the implementation of proper legislation is crucial, especially in a situation where the privacy and security of personal data must be ensured.
“As an executive instrument, the determination is inherently susceptible to unilateral executive amendment or repeal and must be considered as a strictly interim measure, pending the introduction of legislation in the parliament to put the regulatory framework on a comprehensive statutory footing,” Wright said.