1.1 This report outlines the findings of the Office of the Australian Information Commissioner’s (OAIC) privacy assessment of the National COVIDSafe Data Store (NCDS) access controls, conducted from August to November 2020.
1.2 This assessment was conducted under s 33C(1)(a) of the Privacy Act 1988 (Cth) (Privacy Act), which allows the OAIC to assess whether an entity maintains and handles the personal information it holds in accordance with the Australian Privacy Principles (APPs).
1.3 This assessment was also conducted under s 94T(1) of the Privacy Act which extends s 33C to allow the OAIC to assess whether the acts or practices of an entity or a State or Territory authority in relation to COVID app data comply with Part VIIIA of that Act.
1.4 The purpose of this assessment was to assess whether:
- the Data Store Administrator (DSA) is taking reasonable steps, in accordance with APP 11, to secure personal information held in the NCDS
- the acts or practices of the DSA in relation to the handling of COVID app data comply with COVID app data handling provisions under Part VIIIA of the Privacy Act that are relevant to the NCDS, including:
1.5 The assessment found that the Australian Government Department of Health (DoH) and the Digital Transformation Agency (DTA) are taking reasonable steps in relation to the access controls applied to the NCDS, to secure personal information of registered users of the COVIDSafe application (COVIDSafe app).
1.6 The assessment also found that the DoH and the DTA are complying with data handling provisions under Part VIIIA of the Privacy Act that are relevant to the NCDS.
1.7 However, this assessment identified 4 medium level privacy risks and 2 low level privacy risks associated with the COVIDSafe app, the NCDS and the Health Official Portal (HOP). These privacy risks relate to:
- documentation of key governance systems and practices
- documentation and delivery of training in relation to the handling of COVID app data
- access security – in particular, documentation relating to logical access controls applied to the NCDS. 
1.8 The OAIC has therefore made 4 recommendations and 2 suggestions in the report to address these privacy risks. The recommendations and suggestions, and the DoH and the DTA’s responses, are outlined in Part 3 and Part 4 of this report.
Part 2: Introduction
The COVIDSafe System
2.1 The COVIDSafe System refers to the system comprising the COVIDSafe app, the NCDS, the HOP and the technological, administrative and legal supports which ensure the effective operation of the system and compliance with legislation.
2.2 The flow of personal information through the COVIDSafe System is outlined in the figure below.
Figure 1: The flow of personal information through the COVIDSafe System (as outlined in the DoH training package).
2.3 The COVIDSafe app is a voluntary contact tracing mobile application developed by the DTA to help identify close contacts of COVID-19 cases, and to help state and territory health officials contact people who may have been exposed to COVID-19.
2.4 The COVIDSafe app was first released on 26 April 2020, and over 7 million Australians have downloaded and registered to use the COVIDSafe app. 
2.5 COVIDSafe users enter their registration data including their name (or pseudonym), mobile phone number, age-range and postcode into the COVIDSafe app. The COVIDSafe app asks the user to consent to this registration information being collected by the DTA, as the DSA.
2.6 The COVIDSafe app also seeks the consent of the user for the DTA to collect information about their contact with other users of the COVIDSafe app in the event a user they have had contact with is diagnosed with COVID-19 and uploads their contact data.
National COVIDSafe Data Store
2.7 Registration data entered into the COVIDSafe app and data uploaded from the COVIDSafe app (or ‘COVID app data’)  is maintained in the NCDS, which is a cloud-based storage solution for information collected or generated using the COVIDSafe app. The NCDS is maintained by the DSA and is hosted by Amazon Web Services (AWS).
2.8 The DTA has been appointed, by legislative instrument , as the DSA and is responsible for ensuring the proper functioning, integrity and security of the NCDS.
2.9 However, the DoH retains policy ownership of the COVIDSafe System, which includes the NCDS.
Health Official Portal (HOP)
2.10 State and Territory health authorities (STHA) are responsible for contact tracing of COVID-19. Arrangements to support the collection, use and disclosure of COVID app data, (Bilateral Agreements) have been established with the DoH (see Figure 2).
Figure 2: Access to COVID app data via the HOP based on the Bilateral Agreements
2.11 STHA are given access to COVID app data and the NCDS via the HOP. The HOP allows state and territory health officials to:
- access registration data (via phone number search)
- request a COVIDSafe app user to upload their Bluetooth handshakes, following a positive diagnosis for COVID-19
- filter the Bluetooth handshakes, via date range and proximity probability, to identify potential close contacts of a COVIDSafe app user who has received a positive diagnosis for COVID-19.
COVIDSafe legislative framework
2.12 The personal information collected by the COVIDSafe app through the COVIDSafe System is protected by the following:
- the Biosecurity (Human Biosecurity Emergency) (Human Coronavirus with Pandemic Potential) (Emergency Requirements—Public Health Contact Information) Determination 2020 (Cth) (Biosecurity Determination)
- the Privacy Act, which includes:
- the APPs
- Part VIIIA—Public health contact information.
The Biosecurity Determination
2.13 The Biosecurity Determination was issued by the Minister for Health on 25 April 2020 under the Biosecurity Act 2015 (Cth) and was repealed on 16 May 2020 following commencement of the Privacy Amendment (Public Health Contact Information) Act 2020 (Cth) (Privacy Amendment Act).
2.14 The Biosecurity Determination included requirements for the collection, use and disclosure of COVID app data.
Privacy Act – the Australian Privacy Principles
2.15 The Privacy Act promotes and protects the privacy of individuals and regulates how APP entities, which includes Australian Government agencies and organisations, handle personal information.
2.16 The APPs at Schedule 1 of the Privacy Act are the cornerstone of the privacy protection framework in the Act. The 13 APPs govern standards, rights and obligations around:
- the collection, use and disclosure of personal information
- an organisation or agency’s privacy governance and accountability
- the integrity and correction of personal information
- the rights of individuals to access their personal information.
2.17 The APPs apply to any ‘personal information’ collected by Australian Government agencies in relation to the COVIDSafe System.
Privacy Amendment (Public Health Contact Information) Act 2020 and Part VIIIA of the Privacy Act
2.18 The Australian Parliament passed the Privacy Amendment Act on 14 May 2020 which amended the Privacy Act by inserting Part VIIIA—Public health contact information into the Privacy Act. Part VIIIA commenced on 16 May 2020.
2.19 Part VIIIA of the Privacy Act provides strong privacy protections for personal information collected through the COVIDSafe app – including data held by STHA. The Australian Information Commissioner (AIC) has an independent oversight function in relation to COVIDSafe under the Privacy Act and is actively monitoring and regulating compliance.
2.20 Specific privacy protections under Part VIIIA include:
- s 94D: collection, use and disclosure of COVID app data
- s 94F: cross-border transfer of COVID app data
- s 94K and 94L: retention and deletion requirements for COVID app data
- s 94N: effect of deletion of COVID app data
- s 94P: cessation of collection and deletion of COVID app data following a determination by the Minister for Health under s 94Y.
2.21 The provisions dealing with privacy protection are supported by procedural amendments which relate to or assist with oversight of the COVIDSafe System by the OAIC, including:
- s 94T: expands the assessment power in s 33C to include assessments of whether the acts or practices of an entity or a State or Territory authority in relation to COVID app data comply with Part VIIIA of the Privacy Act
- s 94Y: provides the Minister for Health with the power to determine, by notifiable instrument, the end of the COVIDSafe data period
- s 94ZB: requires the AIC to report on the performance of their functions and powers relating to Part VIIIA of the Privacy Act every 6 months
- s 94ZC: provides that COVID app data remains the property of the Commonwealth even after disclosure to and use by STHA.
Role of the OAIC
2.22 The new Part VIIIA of the Privacy Act has granted the AIC a range of additional proactive and reactive regulatory powers which support the AIC’s legislated functions in relation to the handling of personal information in the COVIDSafe System.
2.23 The OAIC is undertaking 5 privacy assessments (COVIDSafe Assessment Program) under s 33C and s 94T of the Privacy Act in relation to the COVIDSafe System.
2.24 The COVIDSafe Assessment Program consists of:
- Assessment 1 – Access controls applied to the NCDS by the DSA
- Assessment 2 – Access controls applied to the use of COVID app data by STHA
- Assessment 4 – Compliance of the DSA with data handling, retention and deletion requirements under Part VIIIA
- Assessment 5 – Compliance of the DSA with the deletion and notification requirements in Part VIIIA which relate to the end of the pandemic (each a ‘COVIDSafe Assessment’).
2.25 Each COVIDSafe Assessment targets different components of the COVIDSafe System, with the COVIDSafe Assessment Program designed to collectively follow the ‘information lifecycle’ of personal information collected by the Australian Government’s COVIDSafe app.
2.26 In undertaking the COVIDSafe Assessment Program, the OAIC provides independent assessment to Australians of the handling of personal information in the COVIDSafe app in accordance with Part VIIIA and the APPs.
2.27 The OAIC engaged PricewaterhouseCoopers (PwC) under s 24 of the Australian Information Commissioner Act 2010 (Cth) to assist the OAIC with the COVIDSafe Assessment Program. PwC worked jointly with OAIC staff to assist the AIC to conduct elements of the fieldwork for this assessment.
Part 3: Findings
3.1 The key findings of Assessment 1 are set out below under the following headings and sub-headings:
- APP 11.1 – Security of personal information
- COVIDSafe System governance:
- oversight, accountability and decision making
- formal agreements
- STHA engagement:
- Bilateral Agreements
- Access controls applied by the DSA:
- Other management practices, procedures and systems:
- S 94D – Collection, use and disclosure of COVID app data
- S 94F – COVID app data in the National COVIDSafe Data Store.
3.2 For each key finding, the report outlines the relevant controls framework or measure, a summary of observations, the privacy risks arising from the observations, followed by opportunities to address identified privacy risks.
3.3 As part of this assessment, the OAIC considered the following control frameworks (see Appendix A for full details):
- Attorney-General’s Department (AGD) Protective Security Policy Framework (PSPF) core requirements:
- INFOSEC-8, INFOSEC-9
- Policy 10, Policy 11, Policy 16
- Australian Government Information Security Manual (ISM) principles:
- G3, G4, G5
- P2, P3, P4, P5, P6, P8, P10, P11, P12, P13, P14
- International Organization for Standardization (ISO)/International Electrotechnical Commissioner (IEC) 27001 sections:
- 6.1, 6.2
- 7.2, 7.5
- 8.1, 8.2, 8.3
- 10.1, 10.2.
- ASAE3150 Assurance Engagement on Controls.
3.4 As part of this assessment, the OAIC also considered the following control measures (see Appendix A for full details), which relate to the NCDS and the handling of COVID app data:
- APP Guidelines, which outline the mandatory requirements of the APPs, the way in which the OAIC will interpret the APPs and matters the OAIC may take into account when exercising functions and powers under the Privacy Act
- COVIDSafe App Privacy Impact Assessment
- Bilateral Agreements between the DoH and STHA (initial and current versions).
3.5 The OAIC considered the above frameworks and measures to inform its evaluation of what is ‘reasonable’ in relation to COVID app data, noting that what is ‘reasonable’ for the purposes of APP 11 depends on the facts and circumstances of each individual case.
3.6 Given the scale and sensitivity of COVID app data collection by the Australian Government, the OAIC considers it reasonable that a robust and comprehensive approach to the protection of personal information would be in place for the COVIDSafe System.
APP 11.1 – Security of Personal Information
COVIDSafe System governance
3.7 The establishment of appropriate governance arrangements for the COVIDSafe System is a key control in ensuring the handling and protection of personal information captured by the COVIDSafe app is being undertaken in accordance with APP 11.1 and in compliance with Part VIIIA of the Privacy Act.
3.8 This section examines key governance features of the COVIDSafe System which relate to the NCDS including:
- oversight, accountability and decision-making
- formal agreements
Oversight, accountability and decision-making
3.9 The Minister for Health and the Minister for Government Services are jointly responsible for the COVIDSafe System.
3.10 The DoH is the policy owner of the COVIDSafe System. It is responsible for the administration of the policy framework of the COVIDSafe System and engagement with, and training of, STHA personnel.
3.11 The DTA has been determined by the Secretary of Health to be the DSA under s 94Z of the Privacy Act and is therefore responsible for the development and operation of the COVIDSafe System. It is responsible for ensuring the proper functioning, integrity and security of the COVIDSafe app and the NCDS.
3.12 The COVIDSafe System is subject to numerous formalised and informal governance arrangements (see Figure 3), including:
- the Australian Health Protection Principal Committee (AHPPC)
- the Implementation and Management Committee (IMC)
- senior executive meetings
- internal governance arrangements.
Figure 3: Relationships in the COVIDSafe System, ‘ACSC’ in Figure 3 refers to the Australian Cyber Security Centre.
3.13 The AHPPC is the key advisory committee for health emergencies. It comprises all state and territory Chief Health Officers and is chaired by the Australian Chief Medical Officer. While the AHPPC does not have a formal decision-making role in relation to the COVIDSafe app, nor NCDS, it is considered to have an influential role in the direction of the COVIDSafe app functionality. 
3.14 The IMC was established by the DoH to enable information sharing between the DoH, the DTA and STHA. This committee does not make decisions relating to the COVIDSafe app, nor the NCDS, but enables the DoH and the DTA to advise STHA in relation to the COVIDSafe app and NCDS. The committee also allows STHA to provide feedback to the DoH and the DTA on the function of the COVIDSafe System.
3.15 Formal terms of reference have been defined for the IMC that outline the purpose and role of the committee, which are:
- monitoring implementation progress of the COVIDSafe App and the NCDS, including:
- identifying, consolidating and contributing to the prioritisation of implementation and operational work programs (including a systems backlog)
- identifying and providing feedback on issues and emerging risks regarding access, use and disclosure of COVID app data
- reviewing necessary changes to the Bilateral Agreements, and providing input to an evaluation of these agreements (within 3 months of being signed, and following expiry)
- as appropriate, contributing to evaluations of the operation and effectiveness of the COVIDSafe app and the NCDS including effectiveness of privacy controls and impact on public health measures
- providing coordinated communications between Jurisdiction Contact Officers  and the committee.
3.16 When fieldwork for this assessment was conducted, the IMC was chaired by the DoH, specifically the First Assistant Secretary, Medical Benefits Division.  Membership includes additional staff from the DoH, the DTA, state and territory health coordinators, and a secondary representative from each STHA.
3.17 A senior executive meeting has been established to discuss and make decision relating to the management, functionality and enhancements of the COVIDSafe app, the NCDS and the HOP. This meeting occurs weekly and is attended by senior executives from both the DoH and the DTA.
3.18 No formal terms of reference for this group exist and there are no defined roles, responsibilities or accountabilities. The DTA referred to this meeting as ‘the steering committee’. The DoH did not refer to this group by any specific name. Minutes or documentation for decisions made within these meetings were not available for review.
3.19 The governance structures were established to accommodate the speed in which the COVIDSafe app, the NCDS and the HOP were required to be established. These structures and procedures were considered effective and enabling at the time, but given the time since establishment, the OAIC would expect a greater degree of formalisation and rigour to these governance mechanisms.
3.20 The OAIC notes that formalising governance arrangements was of low priority given the immediate need to establish the COVIDSafe app to support state and territory contact tracing efforts. The lack of formalised governance arrangements around this senior executive meeting presents a medium privacy risk because decisions potentially impacting the privacy of COVIDSafe users made by this group are not documented and traceable.
The OAIC recommends that the DoH and the DTA formalise the senior executive meeting into a steering committee, with formal terms of reference to ensure clear lines of responsibility and accountability and documented decision making.
3.21 The DTA has established formal roles and responsibilities for all staff working on the COVIDSafe app, the NCDS and the HOP. This has been established through the creation of a RACSI matrix within the DTA.  The RACSI matrix also identifies the aspects of the COVIDSafe System that the DoH is responsible for.
3.22 The DoH has informal roles and responsibilities for all staff involved in the COVIDSafe app, the NCDS and the HOP. While these informal roles and responsibilities were known to DoH staff, the DoH did not provide information to the OAIC demonstrating that roles and responsibilities had been formally documented.
3.23 The OAIC considers the lack of defined roles and responsibilities presents a low privacy risk that DoH staff are unaware of their responsibilities, and their obligations under the Privacy Act, in relation to COVID app data, and the NCDS.
The OAIC suggests that the DoH document and communicate the roles and responsibilities of all staff involved in the COVIDSafe app, the NCDS and the HOP.
3.24 The DoH and the DTA have entered a Memorandum of Understanding (MoU) to foster co-operation and to facilitate operational arrangements between them with respect to the COVIDSafe app and NCDS.
3.25 The MoU details the roles and responsibilities for the DoH and the DTA in relation to the provision of access to COVID app data and the NCDS, via the HOP.
3.26 Under the MoU, the DoH is responsible for coordinating the list of approved state and territory health officials who may access the HOP and advising the DTA of those officials to be given access. The DTA is responsible for administering HOP access and providing technical support to state and territory health officials who have been given access to the HOP.
3.27 The MoU remains in effect from 5 August 2020 to 31 December 2022, unless terminated by either the DoH or the DTA with 90 days written notice. The DoH and the DTA advise that they are satisfied that the terms of the MoU effectively facilitate the effective operation of the COVIDSafe system.
3.28 In relation to privacy governance, the OAIC considers the MoU to be a suitable arrangement to facilitate the effective operation of the COVIDSafe system by the DoH and the DTA. The MoU clearly documents the roles and responsibilities between the 2 entities, and thereby provides clarity and transparency in relation to their privacy related roles and responsibilities.
Third party providers
3.29 Entities that outsource part or all of their personal information handling practices may still be considered to ‘hold’ that personal information, meaning that reasonable steps must be taken by the contracting entity to secure the personal information in accordance with APP 11. This requirement is also supported by ISM principle P2, which seeks to ensure that ‘systems and applications are delivered and supported by trusted suppliers.’ 
3.30 The DTA has contractual measures in place with AWS, through the AWS Whole-of-Government Enterprise Agreement, to host the COVIDSafe app, the NCDS and the HOP (AWS Agreement).
3.31 In examining whether the DTA, as the contracting entity, is taking reasonable steps to secure personal information in accordance with APP 11 and ensure the effectiveness of access controls applied to the NCDS, the OAIC considered:
- the existence of appropriate contractual measures to secure personal information
- the roles and responsibilities of the parties under the contractual measures
- any acts and practices, and assurance activities undertaken by the Australian Government in support of the contractual measures
- the legislative context.
3.32 The OAIC’s Guide to Securing Personal Information provides guidance to APP entities on specific contractual measures that the OAIC considers to be reasonable steps to protect personal information when an APP entity enters into a third party agreement.
3.33 Among other measures, the OAIC recommends that APP entities include clear terms in contracts to deal with specific obligations that may arise in relation to the handling of personal information by the contracted party.
3.34 The OAIC considered the contractual measures taken by the DTA as DSA in context, and found that the Australian Government had
- actively considered the risks posed by the use of third party providers
- taken positive and reasonable steps within the contract to mitigate those risks, secure COVID app data and ensure the effectiveness of access controls applied to the NCDS.
3.35 In addition to specific contractual measures taken by the DTA, the OAIC further found that cloud-based hosting services for the NCDS are provided by AWS under a shared responsibility model, where the security and compliance of AWS services is shared between both AWS and their customers.
3.36 Under the shared responsibility model, AWS is responsible for the ‘Security of the Cloud’ and the customer (DTA) is responsible for ‘Security in the Cloud’. In effect, this means AWS is responsible for protecting the infrastructure that runs all of the services offered in the AWS cloud while customers are responsible for managing their data (including encryption), classifying their assets, and using identity and access management tools to apply appropriate permissions to their data.
3.37 The OAIC found the allocation of roles and responsibilities between the customer (DTA) and provider (AWS) were logical and privacy risks were attributed to the entity best positioned to manage those risks. The OAIC considers that the shared responsibility model is reasonable in the circumstances. The measures implemented by the DTA as the customer under this model are further assessed in the ‘Access Controls applied by the DSA’ section of this assessment report.
3.38 While contractual measures must be a primary consideration of any entity seeking to outsource part or all of their personal information handling, they must be supported by appropriate assurance activities and robust contract management practices, including ongoing due diligence and active monitoring of privacy risks under the contract.
3.39 In undertaking fieldwork for this assessment, the OAIC found that the DTA had engaged in appropriate assurance activities in connection with the contractual measures, including in relation to the legislative context, and that reasonable steps were being taken by the DTA to protect COVID app data and ensure the effectiveness of access controls applied to the NCDS.
3.40 The OAIC notes that AWS has undergone a previous cloud-based hosting services Information Security Registered Assessors Program (IRAP) assessment, which provides assurance that AWS products have applicable controls required for Australian Government information at the PROTECTED level. On the basis of this past assurance, the OAIC notes that it may be reasonable in the circumstances for the DTA to consider AWS to be a trusted supplier.
3.41 The OAIC found the DTA considered past assurance activities associated with AWS’ onboarding to the legacy Australian Cyber Security Centre (ACSC) Certified Cloud Services List, including IRAP and Security Construction and Equipment Committee (SCEC) assessments. As part of their due diligence the DTA also engaged in further assurance activities including commissioning Ionize to undertake a more specific IRAP assessment (Ionize IRAP assessment) on the COVIDSafe System in late 2020.
3.42 At the time this assessment was conducted, the Ionize IRAP assessment was not yet completed. However the OAIC understands that this assessment will build upon previous risk assessments undertaken in relation to the COVIDSafe System (including privacy impact assessments) and will review whether all elements of the COVIDSafe System are compliant with the ISM.
3.43 The OAIC notes that this process is additional to existing COVIDSafe security documentation, such as the Security Risk Management Plan and System Security Plan, which have been developed to address and manage risks associated with the COVIDSafe System. Additionally, the ACSC monitored cyber security risks to the COVIDSafe app which were identified by the ACSC or reported by security researchers. ACSC notified the DTA regularly of these cyber security risks to ensure that the DTA was aware of and could mitigate these risks. The risks identified by these assessments are actively monitored by the DTA which maintains a risk register of identified risks and the remediation activities that have been undertaken to address those risks.
3.44 The OAIC considered the existing risk assessments undertaken, the risk mitigations established, the active monitoring of risks by the DTA and the proposal and timing of the Ionize IRAP assessment of the COVIDSafe System and considers these assurance and monitoring activities to be appropriate in the circumstances. The combination of these measures to address cyber security risks collectively constitute reasonable steps in relation to the security of personal information held in the COVIDSafe System, including the NCDS.
3.45 Should the Ionize IRAP assessment reveal any security deficiencies in relation to the COVIDSafe System, the OAIC expects that the DTA will take timely remedial action to rectify any issues identified. Additional information on physical security is provided in paragraphs 3.86 to 3.91 of this assessment report.
3.46 Lastly, in relation to the legislative context of the NCDS, the OAIC notes that ss 94D and 94F of the Privacy Act contain specific statutory obligations concerning collection, use or disclosure of COVID app data and storage of COVID app data respectively.
3.47 These statutory provisions inform what may be considered reasonable steps to take in relation to the contractual measures and access controls applied to the NCDS, but also contain criminal penalties for non-compliance which represent strong privacy protective measures that apply to AWS and operate independently of any contractual measures imposed by the DTA.  Compliance of the DSA with ss 94D and 94F is dealt with in further detail below in this assessment report.
3.48 Based on the OAIC’s review of documents, interviews conducted and in consideration of the legislative context, the OAIC is satisfied that the contractual measures, assurance activities, and the contract management activities being undertaken by the DTA with respect to AWS and the NCDS represent reasonable steps in the circumstances to support the access controls applied to COVID app data and secure that personal information.
State and Territory Health Authority engagement
3.49 STHA are the primary users of the COVIDSafe System and COVID app data. Effective engagement with STHA is necessary to ensure they are aware of their obligations under the Privacy Act, specifically in relation to Part VIIIA, for the appropriate handling of COVID app data. Part VIIIA also brings STHA under the jurisdiction of the Privacy Act, which increases the importance of effective engagement between the DoH, the DTA and STHA.
3.50 This section examines engagement features of the COVIDSafe System which relate to STHA and the NCDS including:
- Bilateral Agreements
3.51 This section does not examine in detail access controls STHA have implemented or personnel checks of state and territory health officials as this is a subject of COVIDSafe Assessment 2: State or Territory Health Authorities Access Controls.
3.52 As the policy owner for the COVIDSafe System, the DoH is responsible for negotiating and establishing agreements between the Commonwealth and Australian states and territories. These agreements are an important administrative and governance measure within the COVIDSafe system.
3.53 INFOSEC-9 outlines the requirements for government entities to ensure information is shared appropriately with relevant personnel. Specifically, when disclosing security classified information or resources to a person or organisation outside of the Australian Government, entities must have in place an agreement or arrangement, such as a contract or deed, governing how the information is used and protected.
3.54 Bilateral Agreements, while not legally binding, can be considered an appropriate arrangement for sharing information when they:
- are fit-for-purpose
- reflect the type of arrangement in place
- ensure the effective discharge of accountabilities, and
- clearly define roles and responsibilities.
Risks must also be understood and addressed and reporting frameworks must be in place. Additionally, to be effective, these agreements require ongoing management and oversight.
3.55 The DoH has established Bilateral Agreements to facilitate the provision of COVID app data to each STHA via the HOP. These agreements govern the information sharing arrangements between the Australian Government and STHA in relation to COVID app data and outline the terms and conditions for the collection, use and disclosure of COVID app data by STHA. These agreements were initially established under the Biosecurity Determination and subsequently updated following the introduction of Part VIIIA of the Privacy Act.
3.56 The Bilateral Agreements cover both access to, and the ability to download data from, the NCDS. However, at the time fieldwork was conducted for this assessment, the DoH had made a policy decision not to enable the download functionality for any STHA. This decision was made due to a lack of a control mechanism to ensure data downloaded, or extracted, by STHA would be deleted after 30 days or as soon as practicable after the day determined by the Health Minister under s 94Y(1) of the Privacy Act.
3.57 Under the terms of the Bilateral Agreements, STHA are responsible for identifying appropriate individuals to be given access to COVID app data. The Bilateral Agreements do not require either the DoH or the DTA to vet individuals who are identified by STHA to be given access to COVID app data; this issue is considered below at paragraphs 3.75 to 3.77 (refer Recommendation 3).
3.58 The OAIC considers the Bilateral Agreements an appropriate arrangement to facilitate STHA access to COVID app data as they outline condition precedents for access and remind the STHA of the requirement to comply with the Privacy Act, including Part VIIIA and the Notifiable Data Breaches scheme.
3.59 DoH uses training to convey to STHA the requirements for the collection, use and disclosure of COVID app data and specify the purposes for which STHA can access, use and disclose COVID app data. It allows the DoH to confirm STHA are aware of their obligations under the Privacy Act, specifically, the strict requirements in relation to COVID app data set out under Part VIIIA of the Privacy Act.
3.60 The Bilateral Agreements establish that the DoH is responsible for delivering a training package that state and territory health officials must complete before they access COVID app data and the NCDS through the HOP. The training is provided to state and territory health officials who have been identified by STHA. It is a mandatory to undertake this training prior to being given access to the HOP.
3.61 The training requires participants to attend a 1-hour training session. The DoH conducts these training sessions virtually using a slide presentation and there is no assessment component to the training. State and territory health officials are guided through the training by the DoH facilitator, they are not able to click through the training independently. The training is provided on an ‘as needed’ basis, following the identification of participants by STHA. DoH advises that multiple training sessions occur weekly. STHA can also request, and have been provided, refresher training. Training materials are made available to state and territory health officials outside of training to review independently.
3.62 The training provided by the DoH covers the following topics:
- Why has COVIDSafe been developed?
- How does the web portal work?
- How can we use the information in COVIDSafe?
- How do I use the web portal?
- How do I review and interpret the data?
- How will this work with our existing processes?
- How do I get support?
3.63 The training also provides information about:
- the collection, use and disclosure of COVID app data as defined within Part VIIIA of the Privacy Act
- the importance of seeking consent prior to a user uploading their information (including proposed scripts for STHA to use)
- how to interpret the data displayed in the HOP,  and
- some options for how STHA can incorporate the use of the HOP into their existing processes.
3.64 The OAIC considers the training provided to STHA covers the key requirements around the access, use and disclosure of COVID app data. However, the absence of an assessment component to the training or some other assurance mechanism presents a medium privacy risk that STHA are not aware of their obligations under Part VIIIA of the Privacy Act.
The OAIC recommends that the DoH include an assessment component in the training package in order to further demonstrate STHA understanding of, and ability to comply with, their obligations under Part VIIIA of the Privacy Act.
3.65 The DoH maintains a register of attendees of the training. This register is provided to the DTA to enable trained state and territory health officials to access the HOP. As at 13 November 2020, 397 state and territory health officials had attended the training. Training by state and territory is provided in the table below.
Table 1: Number of state and territory health officials trained
3.66 An additional 28 people undertook the training, on the expectation that Australian Government resources may be deployed to support Victoria’s contact tracing efforts during an outbreak of the virus in that state. However, this arrangement did not go ahead and these names were not provided to the DTA to facilitate access. The OAIC reviewed the list of users with access, provided by the DTA, and confirmed these users did not have access.
3.67 Communication between the DoH, the DTA and STHA is essential to ensure the effectiveness of privacy and access controls implemented on the NCDS and the HOP. The DoH has, through the IMC, established a formal mechanism to communicate with STHA. This committee provides STHA input into the operation of the COVIDSafe System and proposed changes or enhancements, the Bilateral Agreements and contributes to the evaluation of the operation and effectiveness of the COVIDSafe app, the NCDS and the HOP. Further information on the IMC is provided in the ‘COVIDSafe System governance’ section of this assessment report.
3.68 In addition to the formal communication via the IMC, there are informal communication channels and support options provided to the STHA, including:
- the COVIDSafe secretariat, used predominantly to facilitate training for state or territory health officials
- health officials support desk, for technical support on the HOP.
3.69 The DoH and the DTA advised that there is sufficient and regular communication with the states and territories in relation to the COVIDSafe app, NCDS and HOP. The OAIC considers that the DoH and the DTA have established appropriate mechanisms to communicate effectively with STHA. The effectiveness of these communication mechanisms will be further reviewed as part of COVIDSafe Assessment 2 under the COVIDSafe Assessment Program.
Access controls applied by the DSA
3.70 Access controls, both physical and logical, refer to the selective restriction of access to a physical location or information asset. Sections 94D and 94F of the Privacy Act limit access to COVID app data to particular people for particular purposes. The access controls of the system are critical to ensure compliance with those provisions.
3.71 This section examines access controls applied to the COVIDSafe System by the DSA which relate to the NCDS including:
- logical controls
- physical controls.
3.72 Logical access controls either allow or prevent access to a system once a user’s identity has been established. Logical access controls will allow, or prevent, access to information based on the level of access a user requires and are a key control to prevent unauthorised access to COVID app data.
3.73 The PSPF and ISM detail Australian Government requirements and expected logical access controls to systems. The implementation of these access controls provides a level of confidence that the security of personal information is appropriate and in compliance with APP 11. The policies and principles relevant to COVID app data, the NCDS and the HOP include:
- PSPF INFOSEC-8 Sensitive and security classified information: which outlines the requirement for operational controls, proportional to value, importance and sensitivity, are implemented and managed effectively
- PSPF INFOSEC-9 Access to information: which outlines requirements for controlling access to systems, networks, infrastructure, devices and applications is implemented and managed effectively
- ISM P10: Only trusted and vetted personal are granted access to systems, application and data repositories
- ISM P11: Personnel are granted the minimum access to systems, applications and data repositories required for their duties
- ISM P12: Multiple methods are used to identify and authenticate personnel to systems, applications, data repositories.
3.74 COVID app data collected by the COVIDSafe app is encrypted while in transit and at rest within the NCDS. In undertaking fieldwork for this assessment, the OAIC found that the ACSC provided advice to the DTA in relation to the implementation of the encryption. Both encryption in transit and platform-level encryption of the NCDS (encryption at rest) protect COVID app data. However, it is important to note that COVID app data is decrypted (as intended by design) when accessed through the HOP; for this reason appropriate access controls restricting access to the HOP are necessary to uphold the security of COVID app data.
3.75 Access to COVID app data and the NCDS, either directly or via the HOP, is provided based on defined roles. The DTA has developed a single access role for STHA to access COVID app data and the NCDS, via the HOP. This access, assigned to individuals, allows state and territory health officials to access the HOP to search registration data, and view and filter Bluetooth handshakes data (distance and duration) in their jurisdiction to determine potential close contacts of a COVIDSafe app user following a positive COVID-19 diagnosis. State and territory health officials are generally only permitted to view data within their jurisdiction, except in instances of cross-border post codes, which are able to be viewed by both jurisdictions. To support surge capacity, a jurisdiction may seek approval to access COVID app data for another jurisdiction when operating in service of that jurisdiction. While this functionality exists, DoH confirmed that it had not been deployed at the time this assessment was conducted, as no jurisdiction has requested this.
3.76 As identified in paragraph 3.26, the DoH is responsible for coordinating the list of approved recognised state and territory health officials with access to the HOP. Currently, the DoH relies on STHA to identify and undertake their own vetting of appropriate users of the HOP. Under ISM P10, the DoH has an obligation to ensure that only trusted and vetted personnel have access to the HOP. The DoH has not defined the vetting obligations expected by STHA or outlined the assurance approach to determine that personnel nominated by STHA are considered trusted personnel to be accessing COVID app data.
3.77 The OAIC considers that a medium privacy risk arises of inappropriate access to COVID app data due to the absence of any vetting requirements by the DoH or the DTA of personnel granted access to COVID app data and the NCDS, via the HOP, or establishment of any assurance against the vetting undertaken by STHA.
The OAIC recommends that the DoH define minimum requirements for vetting of personnel who are granted access to COVID app data and communicate these requirements to STHA and confirm (via ongoing assurance) these requirements are met by STHA.
3.78 The DTA, as the DSA, has implemented a number of additional logical controls, in accordance with the PSPF and ISM, including whitelisting, multi-factor authentication and privileged user management.
3.79 In order to be given access to the NCDS, a state and territory health official who has been nominated by a STHA and undergone the training provided by the DoH is required to have their IP address whitelisted. The IP address must fall within a STHA domain if access is to be granted. In addition to whitelisting of IP addresses, a state and territory health official must also provide a mobile phone number to enable multi-factor authentication.
3.80 When a state and territory health official is granted access, a one-time password (OTP) is generated and sent via SMS. This OTP is valid for 5 days. If the state and territory health official does not login within this timeframe, they must contact the health officials support desk to request a new password. Subsequent logins also require the use of an OTP, generated once a state and territory health official enters their username and password.
3.81 Upon first login, a state and territory health official must change their password. Strong passwords are required. Currently the requirement for password length implemented by the DTA exceeds the ISM guidance for PROTECTED level systems.
3.82 Privileged users within the DTA, ‘Administrators’ and ‘Developers’, have access to maintain and enhance the COVIDSafe app, NCDS and HOP. Privileged users do not have access to COVID app data except in limited circumstances. The DTA has defined scenarios for when this access may be required and documented these in the Administrator Playbook . The OAIC considers that these scenarios fall within the scope of the permitted purpose under s 94D of the Privacy Act and ensure the proper functioning, integrity or security of the COVIDSafe System.
3.83 The OAIC reviewed the users of the HOP and privileged users and confirmed that DoH staff do not currently have access to COVID app data, the NCDS or the HOP.
3.84 When fieldwork was conducted for this assessment, the DTA has given 21 individuals privileged users’ access to the COVIDSafe System. Four Administrators (3 Active) and 17 Developers (10 Active). Administrator access has been removed from one user and developer access removed from 7 users. Access is removed when there is no longer a requirement for the user to access the COVIDSafe System.
3.85 The logical access controls implemented by the DTA, as the DSA, are aligned to good practices, and the OAIC is therefore satisfied that reasonable steps are being taken to ensure compliance with APP 11 and Part VIIIA of the Privacy Act.
3.86 Physical access controls allow or prevent physical access to a location or resource (such as a server). Physical access controls are a key control to prevent physical access to infrastructure supporting the COVIDSafe System.
3.87 The PSPF sets out the requirements of physical access controls for entity facilities and resources. The implementation of physical controls in line with the PSPF provides a level of confidence that the security of personal information is appropriate and in compliance with APP 11. The policies relevant to COVID app data, the NCDS and the HOP include:
- PSPF PHYSEC-15 Physical security for entity resources: which requires the physical security measures at each site managing entity resources are implemented to minimise or remove the risk of information and physical assets resources being made inoperable or inaccessible, or being accessed, used or removed without appropriate authorisation
- PSPF Policy 16 Entity facilities: which provides a consistent and structured approach to be applied to building construction, security zoning and physical security control measures of entity facilities. This ensures the protection of Australia Government people, information and physical assets secured by those facilities.
3.88 The DTA, under the terms of the AWS Agreement can determine the region in which COVID app data will be stored. The DTA has determined that COVID app data will only be stored in Australia, in compliance with s 94F of the Privacy Act.
3.89 AWS advises that as part of the process to on board to the legacy ACSC Certified Cloud Services List (which applied at the time of the COVIDSafe app launch) both IRAP and SCEC assessments were conducted which resulted in the listing of AWS as suitable for PROTECTED workloads. The DTA confirmed that the accreditation and certification to the appropriate level (PROTECTED) is in place. While DTA advised that the appropriate physical accreditation and certification is in place, the supporting documentation was not provided to the OAIC for review. The System Security Plan, developed by Ionize, also identified that the AWS data centres in use were assessed at Zone 3  which meets the physical security requirements for storage of PROTECTED information.
3.90 While the OAIC did not inspect the physical security of AWS data centres in use for the COVIDSafe system, the OAIC relied upon the previous IRAP and SCEC assessments of those data centres to on board AWS to the legacy ACSC Certified Cloud Services List and System Security Plan developed by Ionize for the COVIDSafe System.
3.91 In relying on these third party assessments and documents, the OAIC had regard to the specialist accreditation of the assessors and cybersecurity expertise of the System Security Plan developers. The OAIC therefore considers that the physical access controls applied to those locations are more likely than not aligned to good practice, such as the PSPF, and indicate that reasonable steps are being taken in relation to the physical security of the NCDS to ensure compliance with APP 11.
Other management practices, procedures and systems
3.92 The following management practices, procedures and systems were identified as being important to APP 11.1 and relevant to the NCDS because they ensure that access to COVID app data is monitored and reported on appropriately.
3.93 This section examines monitoring and reporting.
Monitoring and Reporting
3.94 Monitoring access to COVID app data is a key control to determine whether security controls are in place to prevent inappropriate access to, or misuse of, COVID app data. The ISM, specifically P4, requires that systems and applications are administered in a secure, accountable and auditable manner. Additionally, ISM D1 states that cyber security events and anomalous activities are detected, collected, correlated and analysed in a timely manner.
3.95 There are 390 state and territory health officials that have been granted access to COVID app data. At the time of fieldwork for this assessment, 257 of these are considered active, 3 have had access disabled and 130 are considered inactive. Inactive users have been granted access by the DTA but have never logged in to activate their account. Access by state and territory are provided in the table below.
Table 2: Number of state and territory health officials with HOP access
3.96 At the time fieldwork was conducted, the OAIC noted a discrepancy between the number of users with access, and the number that have been trained by the DoH, with more people provided training than were given access to the data. The discrepancy was attributed to the fact that DoH has not yet provided these names to the DTA to be given access. The OAIC notes that there appears to be one additional user in NSW with access that has not been trained. An analysis of the data provided by DoH and DTA indicates this is likely a duplicate account. Based on this, the OAIC considers there is a low privacy risk that an untrained user is given access to the COVID app data via the HOP.
The OAIC suggests that the DoH and DTA regularly reconcile the register of trained state and territory health officials with the register of state and territory health officials with access to the HOP to ensure that all state and territory health officials who have access to the HOP have undertaken training.
3.97 The DTA can monitor and audit user activity in relation to COVID app data, the NCDS and the HOP. The DTA can track state and territory health official login and failed login activity, state and territory health official activity within the NCDS and HOP, Administrator activity and system activity.
3.98 At present, although the functionality is in place to monitor access, there is no structured assessment of the appropriateness of access or mechanism to identify anomalous behaviour that may warrant further investigation. This means that these systems may be of some utility in investigating inappropriate access once identified but are not being used to proactively identify inappropriate access.
3.99 One of the DTA’s service providers identified an incident in relation to COVID app data. The incident occurred on 30 April 2020 at approximately 6pm. The service provider alerted the DTA, which investigated the incident and quickly took appropriate steps to resolve and prevent the reoccurrence of the incident. The incident was resolved at 3am on 1 May 2020. Additionally, in response to the incident, the DTA initiated its Data Breach Response Plan, assessed the incident and determined it was not an eligible data breach under Part IIIC of the Privacy Act. The DTA confirmed with the OAIC that at no point during the incident, did COVID app data leave the COVIDSafe environment.
3.100 Having considered the documents and information provided by the DTA and the applicable law, the OAIC is satisfied that the incident was managed in accordance with the Data Breach Response Plan for the DTA. The OAIC accepts the assessment by the DTA that the incident was not an eligible data breach under Part IIIC of the Privacy Act.
3.101 During the fieldwork meetings, the DTA advised that it has not currently defined what is considered to be normal user behaviour, which limits the ability to detect anomalous activity. The DTA relies on communication with the DoH, STHA and publicly available information (such as media announcements of outbreaks) to determine the appropriateness of STHA access to COVID app data.
3.102 The DTA produces regular reports on user access and activity which are provided to relevant DTA and DoH staff. The purpose of these reports is to monitor access and, if necessary, audit user activity. To date there has not been a requirement for the DTA to audit user activity. The reports are provided to the DoH to identify inactive users. The user access and activity reports for state and territory health officials is also made available to STHA Chief Information Security Officers upon request.
3.103 The absence of defined normal user behaviour limits the DTA’s ability to proactively detect inappropriate access and represents a medium privacy risk that COVID app data is accessed for purposes other than contact tracing by approved users of the HOP.
The OAIC recommends that the DTA define and document normal user behaviour and develop reporting to identify behaviour that falls outside normal user behaviour to ensure it can proactively detect anomalous user activity.
Key finding: On the basis of this point in time assessment, the OAIC is satisfied that the DoH and DTA have taken reasonable steps in relation to access controls applied to the NCDS to protect COVID app data from misuse, interference and loss and from unauthorised access, modification or disclosure in accordance with APP 11.1.
Section 94D – Collection, use and disclosure of COVID app data
3.104 Section 94D(2) of the Privacy Act limits access to COVID app data to people in specific roles and for particular purposes.
3.105 To examine compliance of the DSA with s 94D(2) in relation to COVID app data held in the NCDS, the OAIC reviewed:
- key documentation related to the practices, procedures and processes that the DTA have implemented in terms of access controls (both logical and physical) to the NCDS and the HOP
- the contractual arrangements for the hosting of the COVIDSafe System
- the Bilateral Agreements established by the DoH to allow access to STHA.
3.106 In addition, the OAIC conducted interviews with key DoH and DTA staff.
3.107 In conducting fieldwork for this assessment, the OAIC identified one incident in relation to COVID app data mentioned above at paragraph 3.99. This incident occurred prior to the commencement of Part VIIIA of the Privacy Act, meaning that s 94D does not apply to the incident. The OAIC has considered the steps undertaken by the DTA in response to this incident and has concluded that the incident was managed appropriately.
3.108 On the basis of the documentation reviewed and the key DoH and DTA staff interviewed, the OAIC is satisfied that the access controls, both physical and logical, implemented by the DTA are appropriate to ensure access to COVID app data is provided in accordance with the permitted purpose as defined in s 94D(2). The OAIC did not detect any instances, or acts, practices or procedures in relation to COVID app data held in the NCDS which might contravene s 94D(2) of the Privacy Act.
Key finding: On the basis of this point in time assessment, the OAIC is satisfied that the Data Store Administrator is complying with s 94D(2) in relation to the National COVIDSafe Data Store.
Section 94F – COVID app data in the National COVIDSafe Data Store
3.109 Section 94F of the Privacy Act outlines that it is an offence to retain or disclose COVID app data outside of Australia.
3.110 To assess compliance of the DSA with s 94F in relation to COVID app data held in the NCDS, the OAIC examined the relevant parts of procurement contracts in place with AWS for the storage of COVID app data in the NCDS, the Bilateral Agreements in place with the STHA for the disclosure and use of COVID app data and conducted interviews with key DoH and DTA staff. Additionally, as part of this assessment the OAIC engaged in discussions with AWS who confirmed that COVID app data is and will only be held in AWS data centres nominated by the DTA in accordance with the contractual arrangements.
3.111 As identified in paragraph 3.88 the DTA has taken steps to ensure that COVID app data is only to be stored in Australia and has taken contractual measures with AWS to prevent the storage, or disclosure, of COVID app data outside of Australia.
3.112 The OAIC did not detect any instances, or acts, practices or procedures, in relation to COVID app data during the course of this assessment which might contravene s 94F of the Privacy Act.
Key finding: On the basis of this point in time assessment, the OAIC is satisfied that s 94F is being complied with by the Data Store Administrator in relation to the National COVIDSafe Data Store.
Part 4: Recommendations and responses
4.1 The OAIC recommends that the DoH and the DTA formalise the senior executive meeting into a steering committee, with formal terms of reference to ensure clear lines of responsibility and accountability and documented decision making.
Stakeholder response to the recommendation (DoH)
4.2 Agreed. The senior executive meeting will continue to operate as a mechanism for priority setting and communication, and this will be supported through formal terms of reference. Lines of responsibility and accountability will continue as outlined in the Health/DTA Memorandum of Understanding, and decisions will continue to be documented through separate line management processes.
Stakeholder response to the recommendation (DTA)
4.3 Agreed. This is in line with areas of responsibility as detailed within the MoU. The DTA works in an agile way, and outcomes from the senior executive meeting are recorded in the COVIDSafe product development backlog. The DTA views the weekly senior executive meeting as a priority setting and communication forum. Decision-making occurs through separate management channels in the DTA and DoH.
4.4 The OAIC recommends that the DoH include an assessment component in the training package in order to further demonstrate STHA understanding of, and ability to comply with, their obligations under Part VIIIA of the Privacy Act.
Stakeholder response to the recommendation (DoH)
4.6 The OAIC recommends that DoH define minimum requirements for vetting of personnel who are granted access to COVID app data and communicate these requirements to STHA and confirm (via ongoing assurance) these requirements are met by STHA.
Stakeholder response to the recommendation (DoH)
4.7 Agreed. The purpose of the COVIDSafe app is to support existing STHA contact tracing processes. The Bilateral Agreements require that STHAs ensure the eligibility and suitability of nominated officers with appropriate screening and vetting undertaken. Noting State and Territory public health officers already access sensitive data to support contact tracing, and are subject to obligations under their respective public service legislation, Health will specify minimum requirements that align with current STHA screening and vetting processes.
4.8 The OAIC recommends that the DTA define and document normal user behaviour and develop reporting to identify behaviour that falls outside normal user behaviour to ensure it can proactively detect anomalous user activity.
Stakeholder response to the recommendation (DTA)
4.9 Agreed. The DTA will work with the state and territory health authorities and DoH through the Implementation Management Committee, as the experts, to define what is considered normal user behaviour from a contract tracing perspective. Based on this information, the DTA will formalise the process of identifying anomalous behaviour and provide regular reporting to the jurisdictions. It is anticipated that this information can be used to prevent and respond to abnormal user behaviour and allow for the proactive identification of inappropriate access.
4.10 It should be noted the definition and response to actions that fall outside of the range of normal behaviour will require action from the state and territory jurisdictions. Should the jurisdictions judge that particular behaviour requires further investigation, the DTA would support as needed.
4.11 The OAIC suggests that the DoH document the roles and responsibilities of all staff involved in the COVIDSafe app, NCDS and HOP.
Stakeholder response to the suggestion (DoH)
4.12 Agreed. Health staff receive formal training on their obligations under the Privacy Act 1988, and have access to information about their responsibilities under Part VIIIA of this Act. Health has formal mechanisms in the Department to document roles and responsibilities, and will review existing documentation to ensure that roles and responsibilities with respect to COVIDSafe are clarified, and up to date.
4.13 The OAIC suggests that the DoH and DTA reconcile the register of trained state and territory health officials with the register of state and territory health officials with access to the HOP to ensure that all state and territory health officials who have access to the HOP have undertaken training.
Stakeholder response to the suggestion (DoH)
Stakeholder response to the suggestion (DTA)
4.15 The DTA agrees with this suggestion and will work with DoH to reconcile the register of trained state and territory health officials with the register of state and territory health officials with access to the HOP.
Part 5: Description of assessment
Objective and scope of assessment
5.1 This assessment was conducted under Part VIIIA of the Privacy Act, which legislates oversight for the COVIDSafe System by the AIC.
5.2 The objective of this assessment was to assess:
- whether the DSA has taken reasonable steps, in accordance with APP 11, to secure personal information held in the NCDS
- whether the acts or practices of the DSA in relation to the handling of COVID app data comply with COVID app data handling provisions under Part VIIIA of the Privacy Act that are relevant to the NCDS.
5.3 In order to form a conclusion against COVIDSafe Assessment 1 objectives, the following criteria were examined:
- the steps, including access security measures the DSA has taken, is taking or will take to protect personal information held in the NCDS, including COVID app data, from misuse, interference and loss, to assess if they are reasonable
- the steps, including access security measures the DSA has taken, is taking or will take to protect personal information held in the NCDS from unauthorised access, modification or disclosure, to assess if they are reasonable
- the compliance of the DSA with the collection, use and disclosure requirements of s 94D of the Privacy Act relevant to the NCDS
- the compliance of the DSA with the retention and disclosure requirements of s 94F of the Privacy Act relevant to the NCDS.
5.4 The scope of COVIDSafe Assessment 1 excluded consideration of APP 11.2 (destruction and de-identification of personal information) or the retention and deletion of personal information in the NCDS under provisions of Part VIIIA of the Privacy Act.
5.5 The OAIC determined the approach undertaken in conducting COVIDSafe Assessment 1, referring to reporting requirements as legislated in the Privacy Act. The PwC Global Internal Audit Methodology, aligned with the requirements of the International Professional Practices Framework, was also referenced to provide further assurance.
5.6 Where the OAIC identified privacy risks and considered those risks to be low risks, the OAIC made suggestions about how to address those risks. Where the OAIC identified privacy risks and considered those risks to be medium risks, the OAIC made recommendations about how to address those risks. These observations are set out in Part 3 of this report.
5.7 The OAIC assessments are conducted as a ‘point in time’ assessment, that is observations are only applicable to the time period in which the assessment was undertaken.
5.8 For more information about OAIC privacy risk ratings, refer to the OAIC’s ‘Risk based assessments – privacy risk guidance’ (set out in Appendix B). Chapter 7 of the OAIC’s Guide to privacy regulatory action provides further detail on this approach.
5.9 COVIDSafe Assessment 1 provides assurance that the DTA and DoH are effectively managing the following specific risks and recommendations as identified in the DoH COVIDSafe App Privacy Impact Assessment:
- Recommendation 2: Future changes to the COVIDSafe App
- Recommendation 3: Appropriate legislative framework
- Recommendation 10: Further assurances by [the Department of] Health about access to and use of Registration Information in the National COVIDSafe Data Store
- Recommendation 11: Development of training and/or scripts
- Recommendation 12: Contractual or other arrangements with State and Territory public health authorities
- Recommendation 14: Security arrangements
- Recommendation 16: Confirmation of arrangements with AWS
- Recommendation 17: Ensure ICT contracts and arrangements are properly documented, and contain appropriate contractual or other protections
Timing, location and assessment techniques
5.10 The OAIC conducted both a risk-based assessment of the NCDS access controls under APP 11.1 which focused on identifying privacy risks to the secure handling of COVID app data and a compliance-based assessment under ss 94D and 94F of the Privacy Act.
5.11 COVIDSafe Assessment 1 involved the following activities:
- review of relevant policies and procedures provided by the DoH and the DTA
- fieldwork, which included interviewing key members of staff at the DTA and the DoH offices in Canberra during October and November 2020.
5.12 The OAIC engaged PwC to assist with undertaking the COVIDSafe Assessment Program to provide independent assurance to Australian citizens that data in the COVIDSafe app is meeting legislative requirements. The OAIC considered PwC observations in the writing of this report.
5.13 The OAIC publishes final assessment reports in full, or if necessary, an abridged version, on its website. All or part of an assessment report may be withheld from publication due to statutory secrecy provisions, privacy, confidentiality, security or privilege.
Appendix A: Legislative framework, control frameworks and control measures
The following legislative framework control frameworks and control measures have been identified and have been used as the basis for testing in this assessment:
The Privacy Act was introduced to promote and protect the privacy of individuals and to regulate how Australian Government agencies and organisations with an annual turnover of more than $3 million, and some other organisations, handle personal information. For the purpose of these assessments the following aspects of the of the Privacy Act were applied:
- APPs: The APPs are the cornerstone of the privacy protection framework in the Privacy Act. They apply to any organisation or agency the Privacy Act covers. The following APPs were referenced in COVIDSafe Assessment 1:
- APP 1—open and transparent management of personal information:
- APP 6—use or disclosure of personal information:
- reviewing arrangements for handling of personal information collected in relation to the COVIDSafe app
- APP 8—cross-border disclosure of personal information:
- reviewing arrangements surrounding STHA personnel accessing and sharing NCDS information
- APP 11—security of personal information:
- reviewing arrangements surrounding measures taken to protect personal information from misuse, interference or loss
- Notifiable Data Breaches: A data breach happens when personal information is accessed or disclosed without authorisation or is lost. If the Privacy Act covers an organisation or agency, that organisation or agency must notify affected individuals and the OAIC when a data breach involving personal information is likely to result in serious harm
- Part VIIIA: The Privacy Act was amended on 14 May 2020 to protect data in the COVIDSafe app and the NCDS. The relevant provisions of Part VIIIA of the Privacy Act and how these were applied, include through:
- examining the circumstances under which COVID app data is collected, used or disclosed to confirm:
- that it meets the definition of COVID app data (ss 94D(3) and 94D(5))
- it is for a permitted purpose (ss 94D(2), and 94D(6))
- it is not disclosed to a person outside of Australia (s 94F(2)).
- examining the circumstances under which COVID app data is stored to ensure that no data is retained on a database outside of Australia (s 94F(1))
- examining the personnel permitted to be involved in the collection, usage and disclosure of COVID app data (s 94D(2)), that is:
- state or territory health officials who are contact tracing individuals possibly exposed to COVID-19
- the administrators of the COVIDSafe app and the NCDS, to enable the app, the NCDS and contact tracing to work properly and to ensure the integrity of the app and the NCDS
- the OAIC and police enforcing these privacy protections.
Protective Security Policy Framework
The PSPF assists Australian Government entities to protect their people, information and assets, both at home and overseas. It sets out government protective security policy and supports entities to effectively implement the policy across security governance, information security, personnel security and physical security.
The Information Security and Physical Security domains were applied in COVIDSafe Assessment 1. Specifically, the following core requirements were referenced: 
- INFOSEC-8 Sensitive and security classified information
- COVIDSafe app information holdings are identified
- Sensitivity and security classification of information holdings are assessed
- Operational controls proportional to value, importance and sensitivity are implemented and managed effectively
- INFOSEC-9 Access to information
- Information is shared appropriately within DTA/DoH as well as with other relevant personnel such as STHA personnel
- Personnel who access sensitive or security classified information have appropriate security clearance and need to know that information
- Controls on STHA access (including remote access) to supporting COVIDSafe systems, networks, infrastructure, devices and applications are implemented and managed effectively
- Policy 10 – Safeguarding information from cyber threats
- Core mitigation strategies are implemented and managed effectively across:
- application controls
- restricting administrative privileges
- Additional mitigation strategies to protect COVID app data are implemented
- Policy 11 – Robust ICT systems
- The Australian Information Security Manual’s cyber security principles are applied during all stages of the lifecycle of each COVIDSafe System to ensure the secure operation of ICT systems, safeguard COVID app data and to continuously deliver COVIDSafe app services
- PHYSEC-15 Physical security for entity resources
- Physical security measures at each site managing COVID app data are implemented to minimise or remove the risk of information and physical asset resources being made inoperable or inaccessible, or being accessed, used or removed without appropriate authorisation
- Policy 16 – Entity facilities
- Protective security is integrated in the process of planning, selecting, designing and modifying facilities employed for the COVIDSafe System to protect people, information and physical assets
- Physical security zones are certified for facilities employed for COVIDSafe System purposes, in areas where sensitive or security classified information and assets are used, transmitted, stored or discussed
- Security zones are accredited
Information Security Manual
The Australian Government ISM is a cyber security framework that organisations can apply, using their risk management framework, to protect their systems and information from cyber threats.
The ‘govern, protect and detect’ activities were applied in COVIDSafe Assessment 1. Specifically, the following principles were referenced:
- G3: The confidentiality, integrity and availability requirements of systems, applications and information is determined and documented
- G4: Security risk management processes are embedded into organisational risk management frameworks
- G5: Security risks are identified, documented, managed and accepted both before systems and applications are authorised for use, and continuously throughout their operational life
- P2: Systems and applications are delivered and supported by trusted suppliers
- P3: Systems and applications are configured to reduce their attack surface
- P4: Systems and applications are administered in a secure, accountable and auditable manner
- P5: Security vulnerabilities in systems and applications are identified and mitigated in a timely manner
- P6: Only trusted and supported operating systems, applications and computer code can execute on systems
- P8: Information communicated between different systems is controlled, inspectable and auditable
- P10: Only trusted and vetted personnel are granted access to systems, applications and data repositories
- P11: Personnel are granted the minimum access to systems, applications and data repositories required for their duties
- P12: Multiple methods are used to identify and authenticate personnel to systems, applications and data repositories
- P13: Personnel are provided with ongoing cyber security awareness training
- P14: Physical access to systems, supporting infrastructure and facilities is restricted to authorised personnel
- D1: Cyber security events and anomalous activities are detected, collected, correlated and analysed in a timely manner.
International Organization for Standardization/International Electrotechnical Commission 27001
The ISO/IEC 27001 is an international standard on how to manage information security. It details requirements for establishing, implementing, maintaining and continually improving an information security management system.
For the purposes of COVIDSafe Assessment 1 the following sections were referenced:
- 5.2 Policy
- 6.1 Actions to address risks and opportunities
- 6.2 Information security objectives and planning to achieve them
- 7.2 Competence
- 7.5 Documented information
- 8.1 Operational planning and control
- 8.2 Information security risk assessment
- 8.3 Information security risk treatment
- 9.1 Monitoring, measurement, analysis and evaluation
- 10.1 Nonconformity and corrective action
- 10.2 Continual improvement.
ASAE3150 Assurance Engagement on Controls
ASAE3150 is the Australian Auditing and Assurance Standards Board framework applied to engagements that provide an assurance report on controls at an entity. This standard informed the procedures, practices and reporting for the assessments.
The COVIDSafe Application Privacy Impact Assessment  (dated 24 April 2020)
A privacy impact assessment is a systematic assessment of a project that identifies the impact that the project might have on the privacy of individuals, and sets out recommendations for managing, minimising or eliminating that impact.
The PIA process was undertaken, in parallel to the development of the COVIDSafe app, to allow the DoH to consider the relevant information flows, determine whether the COVIDSafe app includes appropriate privacy obligations and protections, and if not, determine what steps should be taken to address and mitigate identified privacy risks. The privacy risks and recommendations identified through the PIA process were evaluated as part of this assessment.
Bilateral Agreements 
Bilateral Agreements between the DoH, acting on behalf of the Australian Government, and STHA have been established to enhance contract tracing activities by states and territories to respond to, manage and control COVID-19.
These agreements supplement the Privacy Act, relevant state and territory public health and privacy legislation and outline the arrangements for access, use and disclosure of COVIDSafe app data.
Appendix B: Privacy Risk Guidance
Privacy risk rating
Entity action required
Likely outcome if risk is not addressed
Entity must, as a high priority, take steps to address mandatory requirements of Privacy and related legislation
Immediate management attention is required
This is an internal control or risk management issue that if not mitigated is likely to lead to the following effects
- Likely breach of relevant legislative obligations (for example, APP, TFN, Credit, privacy safeguard, Part VIIIA) or not likely to meet significant requirements of a specific obligation (for example, an enforceable undertaking)
- Likely adverse or negative impact upon the handling of individuals’ personal information
- Likely violation of entity policies or procedures
- Likely reputational damage to the entity, such as negative publicity in national or international media
- Likely adverse regulatory impact, such as Commissioner Initiated Investigation (CII), enforceable undertakings, material fines
- Likely ministerial involvement or censure (for agencies)
Entity should, as a medium priority, take steps to address OAIC expectations around requirements of Privacy and related legislation
Timely management attention is expected
This is an internal control or risk management issue that may lead to the following effects
- Possible breach of relevant legislative obligations (for example, APP, TFN, Credit, privacy safeguard, Part VIIIA) or meets some (but not all) requirements of a specific obligation
- Possible adverse or negative impact upon the handling of individuals’ personal information
- Possible violation of entity policies or procedures
- Possible reputational damage to the entity, such as negative publicity in local or regional media
- Possible adverse regulatory impacts, such as Commissioner Initiated Investigation (CII), public sanctions (CII report) or follow up assessment activities
- Possible ministerial involvement or censure (for agencies)
Entity could, as a lower priority than for high and medium risks, take steps to better address compliance with requirements of Privacy and related legislation
Management attention is suggested
This is an internal control or risk management issue, the solution to which may lead to improvement in the quality and/or efficiency of the entity or process being assessed
- Risks are limited, and may be within acceptable entity risk tolerance levels
- Unlikely to breach relevant legislative obligations (for example, APP, TFN, Credit, privacy safeguard, Part VIIIA)
- Minimum compliance obligations are being met
 Appendix B sets out guidance on the categorisation of privacy risks.
 As advised by the Acting Secretary of Health, in Senate Estimates Hearing (Community Affairs Legislation Committee) 26 October 2020.
 ‘COVID app data’ is defined in Privacy Act, s 94D(5).
 The Secretary of Health, by legislative instrument Privacy Amendment (Public Health Contact Information) (Data Store Administrator) Determination 2020 (Cth), determined that from 16 May 2020 the DTA is the DSA.
 The OAIC notes that the Chief Medical Officer and AHPPC have a formal role in advising the Health Minister when determining the end of the COVIDSafe data period under s 94Y of the Privacy Act.
 This term is taken directly from the terms of reference (including capitalisation) and is used to identify the representatives of STHA.
The OAIC notes that the terms of reference for the IMC identifies that the Chair of the committee was the Assistant Secretary, Data and Analytics Branch, National Incident Response Division During consultation for this assessment report, the DoH requested the Chair of the committee be changed to First Assistant Secretary, Medical Benefits Division.
 The RASCI matrix is a project management tool which helps to clarify the roles and responsibilities of different organisations and people in complex structures. RASCI is an acronym derived from the 5 key criteria most typically used: Responsible, Accountable, Supporting, Consulted and Informed.
 In addition to AWS and Ionize, the OAIC found that the DTA has also engaged the following external consultants in relation to the COVIDSafe System:
- BCG Digital Ventures: BCG was contracted to support delivery of the COVIDSafe app in order to enable the public launch. This included completing the build and testing of features for launch into the user interface, in conjunction with AWS and Shine Solutions. BCG developed the ‘Project Management Office’ operating model and defined metrics and scope of development for the HOP.
- Shine: Shine was contracted for provision of level 2 and 3 support for software defects, investigation and rectification. This included level 2 and 3 support for AWS hosted services and engagement with AWS for AWS infrastructure support and escalation where needed. Shine was also contracted to provide ongoing development and enhancement services for the COVIDSafe app.
- Delv: Delv was contracted to manage the transition of the Coronavirus Australia (COVID-19) mobile platform, including all associated components such as Apple iOS and Android apps.
- CEVO: CEVO was contracted to provide professional services for COVIDSafe, including services in relation to ongoing development and enhancement of COVIDSafe core components.
- While relevant to the operation and maintenance of the COVIDSafe System, these third party providers were not considered in scope for this assessment as the procurement of these services did not directly relate to the management of access to COVID app data, or access controls within the NCDS or the HOP.
On 22 January 2021 the DTA provided additional documents relating to COVIDSafe Assessment 1, including a Change Order in relation to the contractor Shine which was executed on 23 October 2020, prior to the finalisation of fieldwork for this privacy assessment. On 3 February 2021 the OAIC met with and sought further information from the DTA in relation to terms of the Change Order. On the basis of the further information provided to the OAIC by the DTA, the OAIC is satisfied that the contract with Shine, and services provided by Shine as revised by the 23 October 2020 Change Order do not directly relate to the management of access to COVID app data, or access controls within the NCDS or the HOP.
 Importantly, the AGD gave evidence before the Senate Select Committee on COVID-19 on 6 May 2020, which addressed the risk that AWS could be compelled by the laws of a foreign jurisdiction, to transfer data held in the NCDS to that jurisdiction due to the application of a foreign law, or due to the operation of a binding court order of a (foreign) government body. While the AGD did not rule out the risk of COVID app data access under the laws of a foreign jurisdiction (in particular United States law enforcement agencies), the evidence of AGD suggests that the department considers that possibility as remote and viewed such circumstances as ‘not conceivable’.
This training is undertaken within a training environment created by DTA using dummy data.
open and transparent management of personal The Administrator Playbook is a document created by the DTA as a guide on the role and responsibility of the DTA as the DSA. It outlines the processes and procedures the DTA must follow to ensure compliance with the Privacy Act in administering the COVIDSafe System.
 Privacy Risk Guidancene 3 is defined in PHYSEC-16 Entity facilities as:
- No public access.
- Visitor access for visitors with a need to know and close escort.
- Restricted access for authorised personnel.
- Single factor authentication for access control.
 Supporting requirements will be referenced as necessary.
 A PIA is not formally considered a Control Framework, however, is considered relevant to this assessment as it outlines recommendations to be implemented and access requirements.
 A Bilateral Agreement is not formally considered a Control Framework, however, is considered relevant to this assessment as it outlines STHA access requirements.