Law enforcement agencies have not accessed or decrypted any data from the federal government’s COVIDSafe app despite sometimes “incidentally” collecting information from it, the Inspector-General of Intelligence and Security has found.
Earlier this week the Western Australian government introduced urgent legislation to prevent the police from being able to access data from its COVID-19 contact tracing check-in app after it was unable to convince them not to.
While this was done legally by the WA Police, the federal government last year passed legislation restricting access to data from its own COVIDSafe contact tracing app for any reasons other than contact tracing by state and territory health authorities.
The Inspector-General of Intelligence and Security (IGIS) was tasked with reporting on how this was being implemented, and its latest six monthly report was released on Thursday as part of the Office of the Australian Information Commissioner’s (OAIC) own report on privacy protections around the app.
The IGIS found that while authorities have incidentally accessed data from COVIDSafe, which is allowed under the Privacy Act, they have not targeted it, or decrypted it.
“While relevant agencies have incidentally collected COVID app data, which the Privacy Act recognises may occur, IGIS has found that there is no evidence to suggest that these agencies have deliberately targeted or have decrypted, accessed or used such data,” the IGIS report said.
“IGIS also found the agencies are taking reasonable steps to quarantine and delete such data as soon as practicable after becoming aware of it.”
The OAIC report revealed the privacy office only received 14 enquiries and no complaints about COVIDSafe from November to May this year, a slight increase on the first half of last year.
Of these enquiries, 10 raised general issues around the contact tracing app, such as in terms of the changes to the Privacy Act and an individual seeking to delete data that had been uploaded to the National Data Store.
The other enquiries related to requests to download or use the app, including a venue refusing an individual entry unless they used the app or checked in using a QR code, and whether an employer can require an employee to download COVIDSafe.
The Privacy Commissioner provided general advice to 11 of these enquiries and assistance on how to make a formal complaint in response to three.
It comes after the OAIC received 11 enquiries and also no complaints in the first six months COVIDSafe was in operation last year.
The OAIC has not exercised powers in relation to complaints, investigations or information-sharing, and received no reports of data breaches.
The Health Minister is also required to report on the operation and effectiveness of COVIDSafe every six months, but is yet to produce one report despite the app now being in operation for well over a year.
COVIDSafe will cost $60,000 per month to run for the rest of the year, and has not picked up a new close contact in 2021.
It has identified 17 close contacts not previously identified by manual contact tracers in total, all in New South Wales.
The Digital Transformation Agency has changed the definition around these figures and is now saying that the app has found 561 close contacts, but this includes 544 people who were manually identified after COVIDSafe identified a new exposure time at a pub in NSW.