When SA first introduced its government based, universal QR code check-in system in December 2020, it was clear that most businesses and customers were quite willing to support the contact tracing data collection regime.
Despite some businesses and consumers still catching up with QR code requirements (with a recent police blitz of 846 businesses finding that 114 were non-compliant, and 4 fines being issued), for many of us, pointing our phone camera at a square barcode before entering a public building has become an act of muscle memory and is now a natural part of our daily lives.
This is a good thing. The digital check-in system is an important safety measure against the spread of COVID-19 and presumably most of us would want to help make it quick and easy to know as soon as possible if we might have been exposed to the virus.
However, while we certainly support a widespread digital contact tracing system, we do think there are still some legislative gaps that should be addressed to better protect people’s privacy. Those steps are particularly important in light of recent suggestions from the Chief Public Health Officer to expand the use of the contact tracing system beyond the current pandemic (although we note those calls have already been strongly opposed by local business, who supported QR codes as a temporary means of managing the public health risks of the pandemic but would not support their ongoing use).
Late last year, the Society wrote to the Premier recommending legislation to mandate the safe disposal of data that is collected via the COVIDSAfe check-in app.
The Premier and State Coordinator have made verbal assurances that the data that we digitally hand over to health authorities – our name, phone number and locations we visited – will be safely removed after 28 days. Police Commissioner Stevens has also been quick to confirm that the check-in system is purely for the management of COVID-19 and won’t be used once those requirements come to an end.
It’s pleasing that these assurances have been made, but we think these oral guarantees should be prescribed in law. It is not advisable, in the Society’s view, to rely on purely verbal assurances with regards to the safe handling of personal data (even though we have no reason to doubt those assurances have been genuinely given and the government intends to comply with them), especially when it is being collected on this unprecedented scale.
Aren’t there existing privacy laws that protect our data?
Yes and no. As a starting point it’s important to remember that whilst it is businesses that have to display QR codes, the personal data is actually being collected by the State Government, which affects how the Privacy Act applies to that collection.
Similarly, under the provisions of the latest Public Activities Direction for private gatherings of between 51-200 people, individuals and organisations hosting those events now need a COVID-SafePlan and must use an approved contact tracing system (meaning they will be provided with an approved QR code for the event). For private functions at licensed premises, the person who conducts the gathering must on request of an authorised officer provide a hard copy list of the names and residential addresses of all attendees.
The Public Health Act does have confidentiality provisions which prohibit a public health official from disclosing personal information, except under certain circumstances. However, the list of exceptions permitting a public health official to lawfully disclose personal information is rather long, and fairly broad. For example, some instances where a public health official can disclose personal information to another person include:
- If required by another law or court/tribunal order
- If there is no reason to believe the disclosure would be contrary to the person’s best interests
- If disclosure is reasonably required to lessen or prevent a serious threat to the life, health or safety of a person, or a serious threat to public health
- to prevent the transmission of a notifiable disease
SA does not currently have legislation granting an express universal right to privacy, but public agencies are subject to the Cabinet Administrative Instruction (Information Privacy Principles Instruction), which says that public agencies should not disclose personal information for any reason other than the specified purpose for which the information was collected (such as for contact tracing). But there are a number of exemptions similar to those in the Public Health Act – and it’s also important to remember that the Cabinet Instruction is an internal government policy, not an externally enforceable law.
Generally speaking, the exemptions provide perfectly justifiable reasons why public officials may break confidentiality without penalty in some appropriate circumstances. However, we ought to be extra vigilant during a declared public emergency where the law is so dynamic and regulations that govern our daily activities are regularly changing. Mundane activities that are completely lawful one day could be unlawful the next day with the stroke of the State Coordinator’s pen. The Cabinet Instructions explain that a public agency can disclose personal information if it has “reason to suspect that unlawful activity has been, is being or may be engaged in, and discloses the personal information as a necessary part of its investigation of the matter or in reporting its concerns to relevant persons or authorities”. Providing some additional legislative assurance about how the data that is being collected – keeping in mind it is being collected for public health, contact tracing purposes – is to be managed is prudent given those circumstances.
In any case, there is certainly no law in place at the moment that gives effect to the 28-day timeframe in which data collected for the purposes of contact tracing data is meant to be deleted.
Who cares if the government knows where I’ve been?
Many people aren’t too concerned about public health officials knowing what cafes they’ve been to or where they do their grocery shopping. However, even if the government has made every effort to keep data secure (and we have no reason to believe they haven’t), there are bound to be a significant number of people who, for various personal reasons, are anxious about recording their whereabouts at particular locations. After all, the reluctance of one person to reveal what they were doing on a particular day sent a whole State into lockdown. Some people will have very legitimate concerns about the potential for information about their daily movements being recorded and potentially available to those within government (or a broader audience in the event of a data breach). For example, domestic violence perpetrators may look to use that information to dangerous ends.
And yes, it is true that that many of us willingly provide much more personal information to private companies such as Facebook, but one of the differences, of course, is that we do so voluntarily, and for a particular purpose – that’s entirely different from finding that information we’ve given for one purpose is being used for another. After all, how many of us have provided our personal information to one business, only to discover that our contact details have been disseminated to a who’s who of telemarketers, and find ourselves fielding calls from people offering “great” deals on solar panels and life insurance? Even if personal data is not being harvested and sold for nefarious purposes (although it often is, when provided to private businesses), it can still be terribly annoying.
We want to be able to have every confidence that the data collected by the government (for a worthwhile and clearly stated purpose) does not inadvertently fall into anyone else’s hands. Data hacks and the mass harvesting of personal information are not exactly rare. These are serious risks that require stringent safeguards, which should include legally prescribed directions on the collection, use and destruction of personal data. This is the first time that data of this nature has been collected at this scale and we should be extra careful about how that data is handled and managed, to avoid as far as possible the risks of mass breaches of privacy in the event of a data breach.
How secure is the data?
Our understanding is that the data collected by the COVIDSAfe Check-in app is encrypted and held on a secure server. That’s appropriate and encouraging but of course, no digital storage system is completely infallible – ensuring that the data is deleted after it is no longer needed, and in accordance with the verbal assurances that have been provided, means we can have greater confidence in the system.
What can I do to maximise the safety of my data?
First things first – we recommend people continue to scan QR codes before entering any public facing premises. Contact tracing is a vital tool in our fight against COVID-19, and it is important that we avoid complacency.
Anyone entering a premises should check that the QR code is the official State Government issued code, not a third-party code. Interstate there have been some concerns about reports of businesses outsourcing QR codes to platforms that collect and distribute personal data for marketing purposes but in SA, businesses must use the State Government code, which minimises the need for businesses to collect and manage data on the Government’s behalf (other than the collection of personal information for those who are unable to check in digitally).
How safe is your personal information if you enter your details manually?
The paper-based sign in sheets, for those who are unable to check in digitally, do raise a few privacy concerns.
For one, the business will have access to your name, email address and phone number. With the COVIDSAfe app on the other hand, your details are only accessible by SA Health, not the venue that you are checking in to.
Secondly, most sign-in sheets are in a table format which lists multiple persons’ contact details on a single page – what is to stop someone obtaining yours and others’ contact details with a surreptitious photo of the sign-in sheet? Some businesses will have obligations under the Privacy Act to try and limit the risks of this occurring, but it is still a significant risk.
Thirdly, can you be confident that the venue itself will properly store and hand over the data to SA Health and then safely dispose of it? Although the relevant government directions do include provisions that require businesses not to use that data for any purpose other than providing it to the Government for contact tracing purposes, any risks that a business will not comply with that requirement can be limited by using the QR code and providing the data directly to the government.
Do I have to provide my contact details when I enter a public facing premises?
The short answer is yes. Under the latest Public Activities Direction, a person attending a defined public activity must use their best endeavours to ensure their relevant contact details are captured by the COVID SAfe Check-In system. If you choose not to provide your details, the business has the right to refuse entry or service.
Individuals face fines of up to $1060 for not checking in, however SA Police has indicated that they will look to take an educational rather than punitive approach with regards to enforcing compliance with the check-in system, but may issue penalties where there are blatant breaches by individuals or businesses. SA Police have recently indicated some concerns that certain businesses are not fully compliant but so far, have only had to issue a handful of fines (and as far as we are aware, have not issued any fines to individuals at this stage).
What’s the take home message?
Overall, the Government, health officials and law enforcement authorities are doing a great job in the unique and unusual situation they have found themselves in, trying to manage the health concerns from the pandemic without unduly restricting our liberties. But, in addition to sound data security measures, we still think there should be legislation that prescribes how our personal information will be collected, used, secured and most importantly, safely destroyed once it has served its purpose. It would be nice if we could always just take the authorities at their word, but if that was the case, we would hardly need laws at all!