COVIDSafe Assessment 4: retention, destruction and deletion of COVID app data

Privacy Assessment by the Office of the Australian Information Commissioner

7 April 2022

Part 1: Executive summary

1.1 This report outlines the findings of the Office of the Australian Information Commissioner’s (OAIC) privacy assessment of the retention, destruction and deletion of COVID app data, conducted from November 2020 to January 2021.

1.2 This assessment was conducted under para 33C(1)(a) of the Privacy Act 1988 (Cth) (Privacy Act), which allows the OAIC to assess whether an entity maintains and handles the personal information it holds in accordance with the Australian Privacy Principles (APPs).

1.3 This assessment was also conducted under subs 94T(1) of the Privacy Act which extends s 33C to allow the OAIC to assess whether the acts or practices of an entity or a State or Territory authority in relation to COVID app data comply with Part VIIIA of that Act.

1.4 The purpose of this assessment was to assess whether the Digital Transformation Agency (DTA), as the Data Store Administrator (DSA) is:

  • taking all reasonable steps to:
    • destroy or de-identify COVID app data, and personal information collected in relation to the COVIDSafe System in accordance with APP 11.2
    • ensure that COVID app data is not retained on a communication device for more than 21 days and, if not, that the period of retention is no longer than ‘the shortest practical period’, in accordance with s 94K of the Privacy Act
    • delete COVID app data from the National COVIDSafe Data Store (NCDS) following a request from a COVIDSafe user, former COVIDSafe user, or a parent, guardian or carer of that person to delete their Registration Data[1] that has been uploaded to the NCDS, in accordance with paragraph 94L(1)(a) of the Privacy Act
  • ensuring that COVID app data in relation to a COVIDSafe user or former COVIDSafe user is not used or disclosed, where a request has been made to delete that Registration Data and it is not practicable to delete the data immediately, in accordance with paragraph 94L(1)(b) of the Privacy Act
  • not collecting from a person, through a particular communication device, COVID app data relating to the person where the person is a former COVIDSafe user in relation to that device, in accordance with s 94N of the Privacy Act.

1.5 At the time that fieldwork for this assessment was conducted, the DTA was the DSA. From 5 October 2021, the Department of Health (DoH) is the sole DSA for the NCDS, and the DTA no longer has access to COVIDSafe App data and information collected through the COVIDSafe app.

1.6 The assessment found that the DSA:

  • in relation to APP 11.2, by virtue of the operation of s 94ZD of the Privacy Act, the DSA’s relevant obligations relating to the deletion and retention of COVID app data contained in ss 94K, 94L, 94M, 94N and 94P of Part VIIIA of the Privacy Act, prevail over other laws. Therefore, the OAIC has considered the DSA’s compliance with the data retention and deletion requirements in Part VIIIA of the Privacy Act in relation to COVID app data, which includes Registration Data, rather than obligations under APP 11.2
  • is taking all reasonable steps to delete Registration Data as soon as practicable on request under para 94L(1)(a) of the Privacy Act, except in relation to steps that the DSA can take to address medium level privacy risks for COVIDSafe users who:
    • do not reply to the text message to confirm their deletion request; and
    • enter an incorrect mobile number into the ‘Request data deletion’ Webform
  • in relation to para 94L(1)(b) of the Privacy Act, has not implemented measures to prevent use or disclosure of Registration Data, that cannot be immediately deleted after receiving a request for deletion, resulting in a high privacy risk
  • is complying with s 94N of the Privacy Act as the OAIC found that the DSA is not collecting from a person, through a particular communication device, COVID app data relating to the person where the person is a former COVIDSafe user in relation to that device.

1.7 The OAIC has therefore made 3 recommendations and 2 suggestions in the report to address these privacy risks. The recommendations, suggestions and the DSA’s response, are outlined in Part 3 and Part 4 of this report.

Part 2: Introduction

Background

The COVIDSafe System

2.1 The COVIDSafe System refers to the system comprising the COVIDSafe app, the NCDS, the Health Official Portal (HOP) and the technological, administrative and legal measures which ensure the effective operation of the system and its compliance with applicable legislation.

2.2 The COVIDSafe System has been described in detail in COVIDSafe Assessment 1: National COVIDSafe Data Store Access Controls (COVIDSafe Assessment 1). As such, only a brief description of the COVIDSafe app, NCDS and the HOP is provided in this assessment report. Please refer to those assessment reports for further background information on the COVIDSafe System.

COVIDSafe app

2.3 The COVIDSafe app is a voluntary contact tracing mobile application developed by the DTA to help identify close contacts of COVID-19 cases, and to help state and territory health officials contact people who may have been exposed to COVID-19. The COVIDSafe app is available on both iOS and Android communication devices. The COVIDSafe app exchanges a ‘digital handshake’, via Bluetooth, between COVIDSafe users who are within 1.5 metres of each other.

National COVIDSafe Data Store (NCDS)

2.4 The NCDS is a cloud-based storage solution for information collected or generated using the COVIDSafe app. The NCDS is maintained by the DTA, as the DSA, and is hosted by Amazon Web Services (AWS). At the time that fieldwork for this assessment was conducted the DTA was the DSA. From 5 October 2021, the DoH is the sole DSA for the NCDS, and the DTA no longer has access to COVID app data and information collected through the COVIDSafe app. For the purposes of this report, the OAIC will use the term ‘DSA’ unless there is a specific reason to refer to the DTA.

2.5 ‘Registration Data’ (a user’s registration information, including name (or pseudonym), age range, postcode and phone number) entered by COVIDSafe users is encrypted and stored in the NCDS. Digital handshakes may be uploaded to the NCDS, following a COVIDSafe user testing positive for COVID-19 and consenting to upload the data to the NCDS.

Health Official Portal (HOP)

2.6 The HOP is an online portal for State or Territory health authorities (STHA) to access COVID app data stored within the NCDS. The HOP allows STHA officials to:

  • access Registration Data (via a mobile number search), which is a user’s registration information including name (or pseudonym), age range, postcode and mobile number provided when an individual registers through COVIDSafe
  • request a COVIDSafe user to upload their Bluetooth handshakes following a positive diagnosis for COVID-19
  • filter the Bluetooth digital handshakes, via date range and proximity probability, to identify potential close contacts of a COVIDSafe user who has received a positive diagnosis for COVID-19.

2.7 The HOP defines a ‘close contact’ as 2 or more COVIDSafe users whose devices are within 1.5m consistently for 15 minutes. It categorises these close contacts as either stable (where contact is maintained every minute for a 15 minute period), or sporadic (where contact over a 15 minute period is intermittent).

Deletion of COVID app data

2.8 The DSA developed a webform for COVIDSafe users to request deletion of their Registration Data stored in the NCDS. This ‘Request data deletion’ Webform is available online at the DSA’s COVIDSafe website (www.covidsafe.gov.au) under the ‘Privacy and your data’ section. This report refers to the version of the webform that was in place at the time of fieldwork.


Figure 1 The ‘Request data deletion’ Webform (screenshot 26 February 2021).

2.9 As outlined in figure 1 above, to request the deletion of their Registration Data, a COVIDSafe user needs to enter the name (or pseudonym) and the mobile number they used to register the COVIDSafe app, confirm they have read the COVIDSafe collection notice and consent to the information being provided to the Australian Government to enable Commonwealth, state and territory governments to respond to COVID-19.

2.10 Following the submission of the webform, the data deletion process, as described in figure 2 is followed. Full details on this process are provided in paragraphs 2.15 – 2.24.

Figure 2: The data deletion process


2.11 Once the webform is submitted, the user is notified via the webform that their request has been received (see figure 3) and the deletion request will create a Jira[2] ticket. The OAIC notes that the personal information collected by the ‘Request data deletion’ Webform is not considered COVID app data under the definition in subs 94D(5) of the Privacy Act, though it will be identical to Registration Data stored in the NCDS.[3]


Figure 3: notification that a COVIDSafe user’s request has been submitted (screenshot 26 February 2021).

2.12 The DSA, depending on resourcing levels, will action the deletion requests once or twice a week. To action these requests, a DSA staff member runs a query on Jira to identify all data deletion requests that have been submitted since the last time the process was run.

2.13 The DSA staff member will generate an electronic spreadsheet containing a list of the data deletion requests, which are added to a master electronic spreadsheet of all data deletion requests and checked for duplicate requests or invalid mobile numbers. The information included in these electronic spreadsheets is the mobile number used to register for the COVIDSafe app that the DSA has collected via the ‘Request data deletion’ Webform.

2.14 If a duplicate request has been actioned, it may be removed from the list. This will occur if the deletion request was actioned in the previous or a recent run of the process. If a significant period[4] has passed since the last deletion request by a COVIDSafe user, then the duplicate request will be actioned again. Jira tickets related to duplicate requests are closed with a ‘duplicate request’ comment added.

2.15 Invalid mobile numbers are also removed from the list. Where a COVIDSafe user submits an invalid mobile number as part of their deletion request, the DSA cannot follow up with the COVIDSafe user to validate the number to action the request. Jira tickets related to invalid mobile number requests are closed with a comment to note ‘invalid mobile number’.

2.16 Once these checks have occurred, valid requests are copied into a new electronic spreadsheet for actioning by a DSA staff member. However, prior to these requests being actioned, the DSA will confirm that the COVIDSafe users wish to delete their Registration Data via a text message using the Australian Government’s ‘Notify[5]’ service to send a text message to the users (see figure 4). The COVIDSafe user who has submitted the deletion request will be asked to confirm that they wish to proceed with the request via return text message, ‘Yes’, to delete their data, or ‘No’, to not proceed with the deletion request.


Figure 4: The message received by a COVIDSafe user asking them to confirm their deletion request

2.17 Where a COVIDSafe user responds with ‘No’, responds with a message indicating it is not their intent for the data to be deleted, or does not respond within 7 days, the DSA removes the request from the list to be actioned for deletion. The Jira ticket is updated to indicate that the COVIDSafe user has responded to the message with a ‘No’ (or equivalent), or has not responded, and the relevant Jira ticket related to that COVIDSafe user is closed.

2.18 Where a COVIDSafe user responds with ‘Yes’ or responds with a message indicating their intent for the data to be deleted, their request is then sent to a DSA staff member with administrator access[6] (Administrator), who will run the process via AWS Lambda[7], to delete the Registration Data from the NCDS. This deletion process will confirm the number of records that have been deleted or, if a COVIDSafe user has submitted a request for deletion using a mobile number that does not exist in the NCDS, the deletion process will return a message informing the Administrator that the particular mobile number does not exist in the NCDS. Note that the message includes only the last 4 digits of the mobile number.

2.19 COVIDSafe users are then sent a message (see figure 5), via Notify, confirming that their Registration Data has been deleted from the NCDS and the Jira ticket is closed.


Figure 5: Confirmation that a COVIDSafe user’s COVID app data has been deleted
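The deletion workflow in paragraphs 2.11 to 2.19, modelled end to end as an added example (not the DSA’s code): webform intake, invalid-number and duplicate screening, the 7-day confirmation text, and an Administrator deletion run that reports only counts and the last 4 digits of absent numbers. Jira, the spreadsheets, Notify and the Lambda run are replaced by in-memory objects; the mobile-number pattern, the 30-day duplicate window and the quarantine set that blocks lookups of confirmed-but-undeleted records are assumptions, the last one being a measure of the kind para 94L(1)(b) calls for rather than something the report says the DSA has.

```python
"""Model of the Registration Data deletion workflow (paras 2.11-2.19).

Added illustration, not DSA code. The number check, the duplicate window
and the quarantine set are assumptions; constructed sample data is in demo().
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

CONFIRM_WINDOW = timedelta(days=7)     # reply deadline for the confirmation SMS (2.17)
DUPLICATE_WINDOW = timedelta(days=30)  # assumed "significant period" for duplicates (2.14)
AU_MOBILE = re.compile(r"^(?:\+?61|0)4\d{8}$")  # assumed validity check, not the DSA's


def normalise_mobile(raw: str) -> Optional[str]:
    """Canonical +614xxxxxxxx form, or None if the number cannot be valid (2.15)."""
    digits = re.sub(r"[\s()-]", "", raw)
    return "+61" + digits[-9:] if AU_MOBILE.match(digits) else None


@dataclass
class Ticket:
    raw_mobile: str
    mobile: Optional[str]
    submitted: datetime
    status: str = "open"
    confirm_sent: Optional[datetime] = None


class DataStore:
    """Stand-in for the NCDS Registration Data table plus a quarantine set."""

    def __init__(self, registrations: dict):
        self.records = dict(registrations)
        self.quarantined: set = set()  # confirmed but not yet deleted (94L(1)(b))

    def lookup(self, mobile: str):
        """HOP-style search; refused while a deletion is pending (assumed measure)."""
        return None if mobile in self.quarantined else self.records.get(mobile)

    def delete_batch(self, mobiles):
        """Administrator run: count deletions, report absent numbers by last 4 digits (2.18)."""
        deleted, missing = 0, []
        for m in mobiles:
            if self.records.pop(m, None) is not None:
                deleted += 1
            else:
                missing.append("*" * (len(m) - 4) + m[-4:])
            self.quarantined.discard(m)
        return deleted, missing


class DeletionWorkflow:
    def __init__(self, store: DataStore, now: datetime):
        self.store, self.now, self.tickets = store, now, []

    def submit(self, raw_mobile: str) -> Ticket:
        """Webform submission (2.11); invalid and duplicate requests are closed (2.14, 2.15)."""
        mobile = normalise_mobile(raw_mobile)
        t = Ticket(raw_mobile, mobile, self.now)
        if mobile is None:
            t.status = "closed_invalid_mobile"
        elif any(o.mobile == mobile and o.status != "closed_invalid_mobile"
                 and self.now - o.submitted < DUPLICATE_WINDOW for o in self.tickets):
            t.status = "closed_duplicate"
        self.tickets.append(t)
        return t

    def send_confirmations(self):
        """Weekly run (2.12, 2.16): ask each open requester to reply Yes or No."""
        sent = []
        for t in self.tickets:
            if t.status == "open":
                t.status, t.confirm_sent = "awaiting_confirmation", self.now
                sent.append(t.mobile)
        return sent

    def receive_reply(self, mobile: str, text: str) -> Optional[str]:
        for t in self.tickets:
            if t.mobile == mobile and t.status == "awaiting_confirmation":
                if text.strip().lower().startswith("yes"):
                    t.status = "confirmed"
                    self.store.quarantined.add(mobile)  # no use or disclosure until deleted
                else:
                    t.status = "closed_declined"
                return t.status
        return None

    def expire_unanswered(self):
        """2.17: no reply within 7 days closes the ticket (Recommendation 1 adds follow-ups)."""
        expired = [t for t in self.tickets if t.status == "awaiting_confirmation"
                   and self.now - t.confirm_sent >= CONFIRM_WINDOW]
        for t in expired:
            t.status = "closed_no_response"
        return [t.mobile for t in expired]

    def run_deletions(self):
        """2.18-2.19: delete confirmed requests; the Administrator sees counts and masked numbers."""
        batch = [t for t in self.tickets if t.status == "confirmed"]
        result = self.store.delete_batch([t.mobile for t in batch])
        for t in batch:
            t.status = "resolved"
        return result


def demo() -> dict:
    """Constructed walk-through: 5 requests through one weekly cycle."""
    store = DataStore({"+61412345678": {"name": "Pat"}, "+61498765432": {"name": "Sam"}})
    wf = DeletionWorkflow(store, datetime(2021, 1, 4))
    for raw in ["0412 345 678", "0400 000 000", "1234", "0412345678", "0498765432"]:
        wf.submit(raw)
    wf.send_confirmations()
    wf.receive_reply("+61412345678", "Yes")
    wf.receive_reply("+61400000000", "yes please")  # number not held in the store
    blocked = store.lookup("+61412345678")  # quarantined, so the search returns nothing
    wf.now += CONFIRM_WINDOW
    wf.expire_unanswered()
    deleted, missing = wf.run_deletions()
    return {"deleted": deleted, "missing": missing, "blocked_lookup": blocked,
            "statuses": [t.status for t in wf.tickets], "remaining": sorted(store.records)}
```

The second request shows the gap described in 3.39: the run reports a masked number that was never in the store, so nobody can tell that user their request found nothing.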

COVIDSafe Legislative Framework

2.20 The COVIDSafe legislative framework has been described in detail in COVIDSafe Assessment 1 and COVIDSafe Assessment 3. This information has also been included in Appendix A for reference.

2.21 The personal information collected by the COVIDSafe app through the COVIDSafe System is protected by the following:

  • the Biosecurity Determination[8]
  • the Privacy Act, which includes:
    • the APPs
    • Part VIIIA – Public health contact information.

Role of the OAIC

2.22 The new Part VIIIA of the Privacy Act has granted the Australian Information Commissioner (AIC) a range of additional proactive and reactive regulatory powers which support the AIC’s legislated functions in relation to the handling of personal information in the COVIDSafe System.

2.23 The OAIC engaged PricewaterhouseCoopers (PwC) under s 24 of the Australian Information Commissioner Act 2010 (Cth) to assist the OAIC with the COVIDSafe Assessment Program. PwC worked jointly with OAIC staff to assist the AIC to conduct elements of the fieldwork for this assessment.

2.24 The role of the OAIC has been described in detail in COVIDSafe Assessment 1 and COVIDSafe Assessment 3. This information has also been included in Appendix B for reference.

Part 3: Findings

Our approach

3.1 The key findings of the Assessment are set out below under the following headings and sub-headings:

  • APP 11 – security of personal information
    • APP 11.2 – Destruction / de-identification of information
  • Part VIIIA of the Privacy Act
    • section 94K – COVID app data not to be retained
    • section 94L – Deletion of registration data on request
    • section 94N – Effect of deletion of COVIDSafe from a communication device.

3.2 For each key finding, we have outlined the relevant control framework or measure, a summary of observations, the privacy risks arising from the observations, followed by opportunities to address identified privacy risks.

3.3 As part of this assessment, the OAIC considered the following control framework (see Appendix C for full details):

  • Attorney-General’s Department (AGD) Protective Security Policy Framework (PSPF) core requirements:
    • INFOSEC-8

3.4 As part of this Assessment, the OAIC also considered the following control measures (see Appendix C for full details), which relate to the NCDS and the handling of COVID app data:

  • APP Guidelines, which outline the mandatory requirements of the APPs, the way in which the OAIC will interpret the APPs and matters the OAIC may take into account when exercising functions and powers under the Privacy Act
  • COVIDSafe Application Privacy Impact Assessment conducted by Maddocks, dated 24 April 2020.

3.5 Given the scale and sensitivity of COVID app data collection by the Australian Government, the OAIC considers it reasonable that a robust and comprehensive approach to the protection of personal information would be in place for the COVIDSafe System.

APP 11 – security of personal information

3.6 APP 11 requires an APP entity to take such steps as are reasonable in the circumstances to protect personal information from misuse, interference, loss, unauthorised access, modification and disclosure, and to destroy, or de-identify, personal information when the entity no longer needs the information for any purpose for which the information may be used or disclosed under the APPs.

3.7 For the purpose of this Assessment, the OAIC had regard to Chapter 11 of the APP Guidelines, which provides guidance to APP entities on the reasonable steps APP entities must take to destroy the information or ensure that it is de-identified.

3.8 This section examines the design and technical implementation of the COVIDSafe app and the process the DSA has implemented to destroy Registration Data in the NCDS upon request in compliance with the requirements of APP 11.2.

APP 11.2

3.9 APP 11.2 outlines the requirement for APP entities to take such steps as are reasonable in the circumstances to destroy, or de-identify the personal information it holds when it is no longer needed for any purpose for which the personal information may be used or disclosed under the APPs. This obligation extends to all copies of personal information that an APP entity holds, including copies that have been archived or are held as back-ups.

3.10 APP entities should have practices, procedures and systems in place to identify personal information that needs to be destroyed or de-identified.

Commonwealth records

3.11 Per APP 11.2(c), the requirement to take reasonable steps to destroy or de-identify personal information where it is no longer required does not apply if personal information is contained in a ‘Commonwealth record’. ‘Commonwealth record’ is defined in s 6(1) of the Privacy Act and has the same meaning as in s 3 of the Archives Act 1983 (Cth) (Archives Act) as being any record that is the property of the Commonwealth or a Commonwealth institution, or which is deemed to be a Commonwealth record by regulation or s 22 of the Archives Act.

3.12 Section 94ZC of the Privacy Act provides that COVID app data is, and remains, the property of the Commonwealth even after it is disclosed to or used by a STHA or any other person. As such, COVID app data is a ‘Commonwealth record’ for the purposes of the Archives Act.

3.13 The requirements of APP 11.2 do not apply to the deletion of personal information if it is contained in a Commonwealth record.

3.14 Subsection 94ZD(1) provides that all other statutory provisions will be superseded by Part VIIIA of the Privacy Act to the extent that there are inconsistencies in the manner in which COVID app data may be handled.

3.15 The OAIC considers that, by virtue of the operation of s 94ZD of the Privacy Act, the obligations in ss 94K, 94L, 94M, 94N and 94P of Part VIIIA of the Privacy Act, which contain relevant obligations relating to the deletion and retention of COVID app data, prevail over other laws. Therefore, the OAIC has considered the DSA’s compliance with the data retention and deletion requirements in Part VIIIA of the Privacy Act in relation to COVID app data, which includes Registration Data, rather than obligations under APP 11.2.

Part VIIIA of the Privacy Act

3.16 Part VIIIA of the Privacy Act provides additional privacy protections for personal information collected through the operation of the COVIDSafe app.

3.17 This section examines the design and technical implementation of the COVIDSafe app, the NCDS and the HOP for compliance with the requirements of Part VIIIA of the Privacy Act, specifically:

  • section 94K of the Privacy Act, which requires the DSA to take all reasonable steps to ensure that COVID app data is not retained on a communications device for longer than 21 days, or where that is not possible only retain such data for the shortest practicable period
  • section 94L, which provides that the DSA must take all reasonable steps to delete Registration Data from the NCDS as soon as practicable on request from a COVIDSafe user or a parent, guardian or carer of that person
  • section 94N, which requires that the DSA must not collect COVID app data in relation to a former COVIDSafe user.

3.18 To examine compliance of the DSA with each of these sections in relation to COVIDSafe app, the NCDS and the HOP, the OAIC reviewed:

  • the design documentation and technical implementation of the COVIDSafe app, the NCDS and the HOP
  • the source code of the COVIDSafe app.

In addition, the OAIC conducted interviews with key DTA staff.

COVID app data access by STHA

3.19 As set out in COVIDSafe Assessment 2:

  • STHA can access COVID app data as part of the contact tracing process
  • according to the operation of para 94D(5)(c), where COVID app data is independently verified by STHA from another source, it is no longer COVID app data.[9]

3.20 COVIDSafe Assessment 2 considers the risks associated with retention and deletion of COVID app data by STHA.

COVID app data retention

3.21 The COVIDSafe app holds COVID app data on a COVIDSafe user’s device. The DoH, the policy owner of the COVIDSafe app, includes a summary of how the app works on its website[10] which provides:

  • the COVIDSafe app uses Bluetooth to look for other devices that have the app installed
  • the COVIDSafe app records a contact when it occurs through digital handshakes and securely logs the other users’ encrypted reference code and the date, time, Bluetooth signal strength and proximity of the contact on the user’s device, and notes the device model
  • this information is then securely encrypted and stored on the device, and it is an offence under s 94G of the Privacy Act to decrypt COVID app data on the device
  • the COVIDSafe app stores COVID app data on the device for 21 days and then automatically deletes data older than 21 days.

3.22 When a user deletes the COVIDSafe app from their device, the COVID app data on their device is also deleted from their device.

COVIDSafe user request deletion of Registration Data

3.23 Under s 94L of the Privacy Act:

  • the DSA must, upon the request of the individual, their parent, guardian or carer, take all reasonable steps to delete that individual’s Registration Data from the NCDS as soon as practicable, and
  • if it is not practicable to delete the data immediately, the data must not be used or disclosed by the DSA for any purpose.

3.24 This requirement does not apply to:

  • digital handshake data, held in the NCDS, comprising of Bluetooth connections between the communication device of the individual who is seeking deletion (or on whose behalf the deletion is sought) and other communication devices, or
  • de-identified data.

COVID app data not to be retained – s 94K

3.25 Section 94K of the Privacy Act requires the DSA to take all reasonable steps to ensure that COVID app data is not retained on a communication device for more than 21 days, or if this is not possible, for no longer than the shortest practical period.

3.26 The DSA has designed the COVIDSafe app to only store data for 21 days on a communication device. As is set out in the Explanatory Memoranda, limiting the retention of COVID app data on a communication device to 21 days ensures that the scope of COVID app data that can be uploaded to the NCDS is only the minimum COVID app data needed to enable contact tracing.[11] After 21 days, the COVID app data is deleted from the device. The OAIC reviewed the design of the COVIDSafe app to validate this, and confirmed, via a review of the COVIDSafe app source code, that the retention of COVID app data is time bound, and will be removed on a rolling 21 day basis.

3.27 After examination of the documentation, review of the source code of the COVIDSafe app and consideration of information provided by key DTA staff during interviews, the OAIC is satisfied that COVID app data is only retained on a communication device for a period of 21 days as required under s 94K of Part VIIIA of the Privacy Act.

Key finding: On the basis of this point in time assessment, the OAIC is satisfied that the Data Store Administrator is complying with s 94K in relation to the retention of COVID app data on communication devices.

Deletion of Registration Data held in NCDS on request – s 94L

3.28 Section 94L of the Privacy Act outlines that the DSA must:

  • according to para 94L(1)(a), take all reasonable steps to delete Registration Data from the NCDS, as soon as practicable, following a request to do so from a COVIDSafe user or the parent, guardian or carer of a COVIDSafe user, and
  • according to para 94L(1)(b), where it is not practicable to delete the Registration Data immediately, the DSA must not use or disclose the Registration Data for any purpose.

Subsection 94L(1)(a) all reasonable steps

3.29 The APP Guidelines provide that the ‘reasonable steps’ test is an objective test. It is the responsibility of an APP entity to be able to justify that reasonable steps were taken. It is an objective test that has regard to how a reasonable person, who is properly informed, would be expected to act in the circumstances. What is reasonable can be influenced by current standards and practices. The APP Guidelines also provide that an entity is not excused from taking particular steps by reason only that it would be inconvenient, time-consuming or impose some cost to do so. Whether these factors make it unreasonable to take particular steps will depend on whether the burden is excessive in all the circumstances. While the APPs contain references to ‘reasonable steps’ or ‘such steps (if any) as are reasonable in the circumstances’, para 94L(1)(a) requires the DSA to take all reasonable steps to delete Registration Data as soon as practicable following a request from a COVIDSafe user.

3.30 In the context of para 94L(1)(a), ‘all reasonable steps’ requires the DSA to undertake a more comprehensive assessment of the ‘reasonable steps’ that should be taken in the circumstances. In particular, the DSA is required to:

  • not only take some of the reasonable steps immediately available to the DSA to delete Registration Data as soon as practicable following a request to do so
  • take other steps that may be available to the DSA to meet their obligations which may take longer to implement, such as implementing technical measures, policies and procedures and training of staff in relation to their obligations.

3.31 The OAIC has reviewed the DSA’s data deletion processes in response to a request from an individual to delete their Registration Data, including their documented processes and by observing a live demonstration of DTA staff actioning requests to delete Registration Data. At the time fieldwork was undertaken, the DTA had received 3,464 requests to delete registration data. Of these requests, at the time of fieldwork:

  • 3,403 have been resolved, including requests where COVIDSafe users’ Registration Data was successfully deleted, the COVIDSafe user responded ‘No’ to the DSA’s confirmation message or the COVIDSafe user had not confirmed their deletion request within 7 days (refer to paragraph 3.18)
  • 36 were waiting to be actioned, where the request had been received but the DSA had yet to action the request
  • 25 were pending, where the DSA had sent the COVIDSafe user a message to confirm the deletion request but had yet to receive a response.

3.32 The process undertaken by the DSA, and observed by the OAIC, aligns with the DSA’s documented processes for the deletion of Registration Data reviewed by the OAIC.

3.33 The OAIC observed during fieldwork that where a COVIDSafe user submits a request to have their data deleted via the webform, and they respond to the confirmation text message, their request is included in deletion lots that the DSA completes once or twice weekly, and usually within 7 days from the day that the COVIDSafe user responds to the confirmation text message.

3.34 Section 94L(1)(a) requires that the DSA take all reasonable steps to delete Registration Data from the NCDS as soon as practicable following the request. The OAIC considers that the DTA is taking all reasonable steps to complete these requests as required by para 94L(1)(a), except as is discussed in the following paragraphs.

COVIDSafe user does not respond

3.35 As identified in paragraph 2.16, if a COVIDSafe user does not respond to the confirmation text message within 7 days, the DSA closes their Jira ticket. The DSA advised that they do not follow up with the COVIDSafe users that have not responded to the confirmation message. The DSA advised that this is based on a decision by the DSA in relation to user experience, to minimise the DSA’s contact with COVIDSafe users to only contact which is necessary.

3.36 The OAIC considers that for COVIDSafe users who have not responded to the confirmation message to delete their data, there is a medium privacy risk that the request to have their Registration Data deleted is not completed. This indicates that, for these individuals who have not responded to the text message to delete their data, the DSA is not taking all reasonable steps to delete Registration Data in the NCDS following the request.

3.37 The process adopted by the DSA requires the COVIDSafe user to confirm by return text message that they wish to have their data deleted. The OAIC notes the permanent impact of a deletion request, the significance of opting out of this contact tracing system and that user verification mitigates the risk of unauthorised requests. The OAIC considers verifying a user’s request in this manner is a reasonable step in the assurance process prior to the deletion of data.

3.38 The OAIC recommends that the DSA should take further steps to address this medium privacy risk in relation to individuals that have not responded to the confirmation message to delete their data. The DSA should:

  • amend the notification that a COVIDSafe user’s request has been submitted (figure 3) to note that if the COVIDSafe user does not respond to the text message within 7 days then their request to delete their data will not be actioned, and
  • follow up with COVIDSafe users who have not responded to the confirmation text message in a shorter timeframe than 7 days by issuing a subsequent confirmation text message for their response; and
  • follow up with COVIDSafe users who have not responded to the confirmation text message after 7 days to inform them that their request has not been actioned, and that they will need to resubmit a new request for their Registration Data to be deleted.

Recommendation 1

The OAIC recommends that the DSA should:

  • amend the notification that a COVIDSafe user’s request has been submitted (figure 3) to note that if the COVIDSafe user does not respond to the text message within 7 days then their request to delete their data will not be actioned; and
  • follow up with COVIDSafe users who have not responded to the confirmation text message in a shorter timeframe than 7 days by issuing a subsequent confirmation text message for their response; and
  • follow up with COVIDSafe users who have not responded to the confirmation text message after 7 days to inform them that their request has not been actioned, and that they will need to resubmit a new request for their Registration Data to be deleted.

Confirmation / verification of deletion of Registration Data in NCDS

3.39 As identified in paragraph 2.17, when the Administrator runs the deletion process on the NCDS they may receive a notification that the mobile number searched for does not exist in the NCDS. Where a mobile number does not exist in the NCDS, the DSA is unable to follow up with the applicable COVIDSafe user as the system message only returns the last 4 digits of the mobile number. The Administrator is only provided with the number of records that were successfully deleted and the number of records that did not exist within the NCDS.

3.40 The DSA informed the OAIC that they made a policy decision to prevent privileged users (i.e. Administrators) accessing COVID app data in the NCDS. The effect of this decision is that Administrators are unable to follow up with COVIDSafe users who have requested the deletion of their Registration Data, but whose number does not exist in the NCDS. This means that while the Administrator has the ability to run the deletion processes, they do not have access to validate records in the NCDS prior to or after deletion. However, the OAIC notes:

  • subsection 94L(3) which provides that nothing in subs 94L(1) prevents the DSA from accessing data for the purpose of, and only to the extent required for the purpose of, confirming that the correct data is being deleted, and
  • paragraph 94D(2)(g) which contains an exception to the offence to collect, use or disclose data that is COVID app data for the purposes of access by the DSA for the purpose of, and only to the extent required for the purpose of, confirming that the correct data is being deleted following a request from a COVIDSafe user for their Registration Data to be deleted under subs 94L(1).

3.41 The OAIC considers the lack of validation by the DSA following the deletion of Registration Data presents a medium privacy risk that a COVIDSafe user’s Registration Data is not deleted upon request in compliance with para 94L(1)(a). The OAIC recommends that the DTA updates its practices to align with para 94L(1)(a) and in consideration of subs 94L(3) and para 94D(2)(g), which permit access to COVID app data for the purpose of, and only to the extent required for the purpose of, confirming that the correct data is being deleted.

Recommendation 2

The OAIC recommends that the DSA updates its practices to align with para 94L(1)(a) and in consideration of subs 94L(3) and para 94D(2)(g), which permit access to COVID app data for the purpose of, and only to the extent required for the purpose of, confirming that the correct data is being deleted.

Paragraph 94L(1)(a) – ‘as soon as practicable’

3.42 The ‘as soon as practicable’ timeframe allows for an appropriate degree of flexibility, but reflects an obligation to delete Registration Data as soon as reasonably possible and without undue delay.[12] As outlined in paragraph 2.7, the DSA has established a data deletion process, described in the ‘Deletion of COVID app data’ section of this report, that allows COVIDSafe users to delete their COVID app data upon request. As identified in paragraph 2.11, the DSA actions these requests at least weekly. The process may be run twice a week, depending on the availability of DSA resources, and the DTA stated to the OAIC that it believes the maximum amount of time from a COVIDSafe user submitting their form to their request being actioned is 7 days.

3.43 Having regard to the documentation reviewed, the demonstration observed by the OAIC of the DTA’s data deletion process and the key DTA staff interviewed, the OAIC is satisfied that the DTA has implemented processes to delete Registration Data from the NCDS upon request from a COVIDSafe user, or the parent, guardian or carer of a COVIDSafe user, as soon as practicable as required by para 94L(1)(a) of Part VIIIA of the Privacy Act. At the time of fieldwork, noting the volume of deletion requests, the OAIC considers the timeframe of 7 days allows for an appropriate degree of flexibility for the DSA to fulfil the data deletion requests, while meeting the requirement to delete the Registration Data as soon as practicable. The DSA has established processes to action the majority of requests to delete Registration Data within 7 days following a request from a COVIDSafe user, noting that

  • these requests may be processed in a shorter timeframe where the DSA runs the process twice a week, and
  • some requests may take longer than 7 days to process, for example where the COVIDSafe user provides confirmation via text message on the seventh day.

3.44 The practical implications of taking a particular step, including how resource intensive it is, are not an overriding factor that may make a particular step unreasonable for an APP entity to take. Whether these factors make it unreasonable to take particular steps will depend on whether the burden is excessive in all the circumstances. The OAIC notes that the DSA has a manual process for data deletion requests which requires a DSA staff member to work across a number of systems. Based on the number of requests being received at the time of fieldwork, and DSA resourcing at that time, these requests were processed at least once per week.

3.45 The OAIC notes however, that if the volume of deletion requests from COVIDSafe users were to increase in the future, then it may be difficult for the DSA to scale the current manual process to meet the increased volume of requests. The OAIC suggests that the DSA considers implementing an automated means to process deletion requests to:

  • mitigate privacy risks associated with manual handling of personal information across multiple systems where there is an increased volume of requests
  • enable scalability in response to any increased volume of data deletion requests.

Suggestion 1

The OAIC suggests that the DSA considers implementing an automated process to complete deletion requests to:

  • mitigate privacy risks associated with manual handling of personal information across multiple systems where there is an increased volume of requests
  • enable scalability in response to any increased volume of data deletion requests.

COVID app data held on device

3.46 Once a COVIDSafe user’s Registration Data is deleted, it will no longer exist in the NCDS. However, a COVIDSafe user’s Bluetooth exchanges may exist on the COVIDSafe user’s, or other COVIDSafe users’ devices for up to 21 days, based on the maximum timeframe COVID app data is permitted to be stored on a communication device under s 94K of the Privacy Act.

3.47 A COVIDSafe user who does not delete the COVIDSafe app from their device may continue to collect and retain COVID app data on their own device, or on other COVIDSafe users’ devices, while the COVIDSafe app is active on their device. To prevent the collection of COVID app data on a device, the COVIDSafe user must uninstall or delete the COVIDSafe app from that device. Uninstalling the app also deletes any COVID app data retained on the device. The OAIC also notes that, other than designing the app to enable the 21 day rolling deletion schedule for digital handshakes, the DSA does not have the power to delete any other COVID app data on a user’s device. Subsection 94N(2) defines a ‘former COVIDSafe user’ as an individual who has deleted the COVIDSafe app from their communication device and, after the COVIDSafe app was last deleted from the device, the COVIDSafe app has not been downloaded on that device.
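The 21 day rolling deletion of digital handshakes referred to above, as an added Python example that is not the COVIDSafe app’s own code. It keeps the four fields the report attributes to a Bluetooth exchange (encrypted ID, date and time of contact, signal strength, device model) and drops any record older than the s 94K limit. The design choices are assumptions rather than a description of the real app: the window is measured from the stored contact time, expired records are purged on every write and every read rather than only on a timer (so a device that was switched off sheds them as soon as the app next runs), and a record exactly 21 days old is treated as expired. The `wipe` method stands in for the uninstall path the paragraph describes; the class and function names and the sample records are constructed for the example.

```python
"""Added example, not COVIDSafe app code: a 21-day rolling window over the
on-device handshake log, as s 94K requires for a communication device.
Assumptions: retention measured from contact time; purge on every write and
read; a record exactly 21 days old counts as expired. Data is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable

RETENTION = timedelta(days=21)  # maximum on-device retention under s 94K


@dataclass(frozen=True)
class Handshake:
    """One Bluetooth exchange, with the fields the report lists at 3.49."""
    encrypted_id: str   # the other party's encrypted ID
    seen_at: datetime   # date and time of the contact (UTC)
    rssi: int           # Bluetooth signal strength
    model: str          # model of the other device


class HandshakeLog:
    def __init__(self, clock: Callable[[], datetime] = lambda: datetime.now(timezone.utc)) -> None:
        self._clock = clock                    # injectable so tests can fix "now"
        self._records: list[Handshake] = []

    def _purge(self) -> None:
        """Drop every record that has reached the retention limit."""
        cutoff = self._clock() - RETENTION
        self._records = [h for h in self._records if h.seen_at > cutoff]

    def record(self, handshake: Handshake) -> None:
        """Write path: store the exchange, then purge stale ones."""
        self._records.append(handshake)
        self._purge()

    def records(self) -> list[Handshake]:
        """Read path (e.g. an upload after a positive diagnosis): purge first."""
        self._purge()
        return list(self._records)

    def wipe(self) -> None:
        """Uninstall path: the whole store goes with the app."""
        self._records.clear()


def demo() -> list[str]:
    """Fixed clock for a reproducible result; returns the surviving IDs."""
    now = datetime(2021, 1, 15, 9, 0, tzinfo=timezone.utc)  # constructed
    log = HandshakeLog(clock=lambda: now)
    # constructed contacts aged 22, 21, 20 and 0 days
    for ident, age_days in (("a", 22), ("b", 21), ("c", 20), ("d", 0)):
        log.record(Handshake(ident, now - timedelta(days=age_days), -70, "Pixel 4"))
    return [h.encrypted_id for h in log.records()]
```

Purging on read as well as on write matters for the ‘shortest practical period’ test: a timer-only purge on a device that has been powered off can leave records past 21 days until the timer next fires, whereas purge-on-access guarantees nothing older than the window is ever returned to the upload path.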

3.48 The OAIC notes that, as part of the process for a COVIDSafe user requesting deletion of their Registration Data, COVIDSafe users are not explicitly informed that it is necessary to delete the COVIDSafe app in order to delete personal information from their communication device. However, this requirement is detailed in the COVIDSafe app privacy policy, which is linked from the webform (see figure 1), and COVIDSafe users are advised to delete the COVIDSafe app via text message following a request to delete their Registration Data (see figure 4). The OAIC considers that this presents a low privacy risk that users are not aware of the requirement to delete the COVIDSafe app from their device and that the app will continue to collect and create COVID app data.

3.49 As identified in COVIDSafe Assessment 3, the Bluetooth exchange captures an encrypted ID, the date and time of the contact, the Bluetooth signal strength and the model of the device. In order for a STHA to access the details of a COVIDSafe user, the data uploaded from a communication device has to match a record within the NCDS, via the encrypted ID.

3.50 Once a deletion request is successfully actioned, a COVIDSafe user’s Registration Data, including the encrypted ID, no longer exists within the NCDS and a STHA cannot access any Registration Data of that COVIDSafe user.

3.51 The OAIC notes that, following the data deletion process, if a COVIDSafe user has not deleted the app from their device and it remains active, it will not be possible for the COVIDSafe user’s data to be uploaded from their device to the NCDS, or for this information to be displayed in the HOP. After an individual’s Registration Data, which includes the mobile number, is deleted from the NCDS, it is not technically possible to upload data from the device to the NCDS.

Suggestion 2

The OAIC suggests that the DSA update the ‘Request data deletion’ Webform to include a statement that it is necessary for a COVIDSafe user to uninstall or delete the COVIDSafe app from their device, following a request to delete their Registration Data, to ensure that COVID app data will not remain on their device.

Restriction on use or disclosure where Registration Data cannot be deleted immediately – para 94L(1)(b)

3.52 The DTA informed the OAIC that its policy decision not to provide privileged users (i.e. Administrators) with access to Registration Data in the NCDS prevents the DTA from implementing measures to ensure that Registration Data is not used or disclosed for any purpose where a request to delete that data has been made, but where it is not practicable to delete the Registration Data immediately. The OAIC notes that this practice does not align with subs 94L(3) and para 94D(2)(g) of the Privacy Act, which allow the DSA to access data for the purpose of, and only to the extent required for the purpose of, confirming that the correct data is being deleted.

3.53 As outlined in para 2.11, in the event that a COVIDSafe user requests the deletion of their Registration Data, there is up to a 7 day period between a COVIDSafe user submitting a request via the ‘Request data deletion’ Webform and the deletion occurring. During this period, the OAIC understands that the Registration Data may be accessed by a STHA in the HOP as part of the contact tracing procedure described in further detail in COVIDSafe Assessment 2.[13]

3.54 The OAIC also notes the following matters:

  • the DSA considers that the data deletion process commences when the confirmation text message is provided by a COVIDSafe user, as opposed to the time when the COVIDSafe user submits the ‘Request data deletion’ Webform. While the OAIC accepts this assessment of when the data deletion process commences, the OAIC notes that the DSA, at the time of the assessment, waits up to 7 days for the confirmation text from the user and the OAIC has made the recommendation for the DSA to follow up with COVIDSafe users who have not responded to the confirmation text message in a shorter timeframe than 7 days (see Recommendation 1)
  • access to the applicable COVIDSafe user’s Registration Data by STHA officials is contingent on a ‘close contact’ of the applicable COVIDSafe user being diagnosed as positive for COVID-19 and the STHA accessing the Registration Data, via the HOP, and this data may only be accessed for contact tracing purposes in accordance with subs 94D(2). These processes are described in COVIDSafe Assessment 2[14]
  • the relevant security, retention and deletion obligations relating to COVID app data held by STHA, as detailed in COVIDSafe Assessment 2.[15]

3.55 The OAIC considers there is a high privacy risk that a COVIDSafe user’s Registration Data is used or disclosed in breach of para 94L(1)(b) of the Privacy Act, associated with the failure of the DSA to implement measures to prevent the use or disclosure of Registration Data where it cannot be deleted immediately.

Recommendation 3

The OAIC recommends that the DSA, as a matter of priority, implement measures to prevent the use or disclosure of Registration Data following a request from a COVIDSafe user to delete their Registration Data, where this data cannot be deleted immediately, to ensure that the DSA is complying with para 94L(1)(b) of the Privacy Act. Measures could include technical measures, such as flagging data that is subject to a deletion request in the NCDS so that it is quarantined from use and disclosure.
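The quarantine flag Recommendation 3 describes, together with the count-only result the Administrator sees when the deletion process runs (paragraph 3.39), as an added Python example that is not the DTA’s NCDS code. A confirmed deletion request sets a flag on the record; the contact-tracing lookup that the STHA path would use treats a flagged record exactly like a deleted one, so the record is unusable during the up-to-7-day wait for the next deletion run without any Administrator reading it; the deletion run then hard-deletes by exact mobile-number match and reports only the counts and the last 4 digits of numbers it could not find. The class and function names, the sample registrations and the mobile-number canonicalisation (deterministic reformatting only, never a partial search, which the DSA states the NCDS access rules prohibit) are assumptions made for the example.

```python
"""Added example for this page, not the DTA's NCDS code; names and data are
constructed and the number canonicalisation is an assumption. Models the
path at 3.39-3.40 and Recommendation 3: exact mobile-number match, a
quarantine flag set on the user's confirmation so the STHA lookup stops
returning the record during the up-to-7-day wait for the deletion run,
and a run that reports only counts plus the last 4 digits of misses."""
from __future__ import annotations
import re
import secrets
from dataclasses import dataclass, field

def canonical_mobile(raw: str) -> str:
    """Normalise to 04XXXXXXXX (assumed format). Deterministic reformatting
    only; no partial or fuzzy search, which the NCDS access rules prohibit."""
    digits = re.sub(r"[\s\-()]", "", raw)
    if digits.startswith("+61"):
        digits = "0" + digits[3:]
    if not re.fullmatch(r"04\d{8}", digits):
        raise ValueError("not a valid Australian mobile number")
    return digits

def masked(digits: str) -> str:
    """Last 4 digits only, which is all the Administrator gets back."""
    return "******" + digits[-4:]

@dataclass
class Registration:
    mobile: str
    name: str
    encrypted_id: str = field(default_factory=lambda: secrets.token_hex(16))
    deletion_requested: bool = False  # quarantine flag (Recommendation 3)

@dataclass
class DeletionRunSummary:
    deleted: int
    not_found: int
    not_found_masked: list[str]

class NationalDataStore:
    def __init__(self) -> None:
        self._by_mobile: dict[str, Registration] = {}
        self._by_encrypted_id: dict[str, str] = {}

    def register(self, mobile: str, name: str) -> Registration:
        reg = Registration(canonical_mobile(mobile), name)
        self._by_mobile[reg.mobile] = reg
        self._by_encrypted_id[reg.encrypted_id] = reg.mobile
        return reg

    def lookup_for_contact_tracing(self, encrypted_id: str) -> Registration | None:
        """STHA path: None if the ID is unknown (deleted) or quarantined (94L(1)(b))."""
        mobile = self._by_encrypted_id.get(encrypted_id)
        if mobile is None:
            return None
        reg = self._by_mobile[mobile]
        return None if reg.deletion_requested else reg

    def confirm_deletion_request(self, raw_mobile: str) -> bool:
        """On the user's confirmation text: quarantine now, delete at the next run."""
        try:
            reg = self._by_mobile.get(canonical_mobile(raw_mobile))
        except ValueError:
            reg = None
        if reg is None:
            return False
        reg.deletion_requested = True
        return True

    def run_deletion(self, confirmed_numbers: list[str]) -> DeletionRunSummary:
        """Administrator's batch run: hard-delete, report counts and masked misses."""
        deleted, missing = 0, []
        for raw in confirmed_numbers:
            try:
                mobile = canonical_mobile(raw)
            except ValueError:
                missing.append(masked(re.sub(r"\D", "", raw)))
                continue
            reg = self._by_mobile.pop(mobile, None)
            if reg is None:
                missing.append(masked(mobile))
                continue
            del self._by_encrypted_id[reg.encrypted_id]
            deleted += 1
        return DeletionRunSummary(deleted, len(missing), missing)

def demo() -> dict:
    """Walk one request through: visible, quarantined, then hard-deleted."""
    store = NationalDataStore()
    alice = store.register("+61 412 345 678", "Alice")   # constructed
    bob = store.register("0499 000 111", "Bob")          # constructed

    def visible(reg: Registration) -> bool:
        return store.lookup_for_contact_tracing(reg.encrypted_id) is not None

    before = visible(alice)
    store.confirm_deletion_request("0412 345 678")       # Alice replies to the text
    during = visible(alice)
    summary = store.run_deletion(["0412345678", "0400 000 000", "12"])
    return {"before": before, "during": during, "after": visible(alice),
            "bob": visible(bob), "summary": summary}
```

Because the flag is enforced in the lookup itself, the use-or-disclosure restriction in para 94L(1)(b) holds from the moment of confirmation without anyone reading the quarantined record, which is the gap the DSA’s no-privileged-access policy (paragraph 3.52) otherwise leaves open. The canonicalisation step also reduces the ‘number does not exist’ case in 3.39 to genuinely wrong numbers rather than formatting differences, while still never matching on anything less than the full number.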

Key finding: On the basis of this point in time assessment the OAIC is satisfied that the Data Store Administrator:

  • is taking all reasonable steps to delete Registration Data as soon as practicable on request (para 94L(1)(a)); however, there are steps the Data Store Administrator can take to address medium privacy risks for COVIDSafe users who do not reply to the text message confirming their deletion request, and for COVIDSafe users who enter an incorrect mobile number into the webform (see recommendations 1 and 2)
  • has not implemented measures to prevent use or disclosure of Registration Data that cannot be deleted immediately after a deletion request is received (para 94L(1)(b)), resulting in a high privacy risk (see recommendation 3).

Section 94N – Effect of deletion of COVIDSafe from a communication device

3.56 Section 94N of the Privacy Act outlines that the DSA must not collect COVID app data from a person, on a communication device, once that person is considered a ‘former COVIDSafe user’.

3.57 From the OAIC’s review of documentation and the source code of the COVIDSafe app, the OAIC understands that, for the COVIDSafe app to collect COVID app data and pass information between COVIDSafe users, the COVIDSafe app must be active and Bluetooth must be enabled on the applicable communication device. When a COVIDSafe user uninstalls the COVIDSafe app from their device, the COVIDSafe app will no longer be ‘active’ and therefore will not be able to collect or pass information to other COVIDSafe users’ devices, or to the NCDS. Additional information on the functionality of the COVIDSafe app is available is COVIDSafe Assessment 3: COVIDSafe application functionality, privacy policy and collection notices.

3.58 On the basis of the documentation reviewed, the review of the source code of the COVIDSafe app and the key DSA staff interviewed, the OAIC is satisfied that COVID app data is not collected by the DSA, on a communication device, once a COVIDSafe user has deleted the COVIDSafe app, as required under s 94N of Part VIIIA of the Privacy Act.

Key finding: On the basis of this point in time assessment, the OAIC is satisfied that the Data Store Administrator is complying with s 94N of the Privacy Act.

Part 4: Recommendations and responses

Recommendation 1

OAIC recommendation

4.1 The OAIC recommends that the DSA should:

  • amend the notification that a COVIDSafe user’s request has been submitted (figure 3) to note that if the COVIDSafe user does not respond to the text message within 7 days then their request to delete their data will not be actioned; and
  • follow up with COVIDSafe users who have not responded to the confirmation text message in a shorter timeframe than 7 days by issuing a subsequent confirmation text message for their response; and
  • follow up with COVIDSafe users who have not responded to the confirmation text message after 7 days to inform them that their request has not been actioned, and that they will need to resubmit a new request for their Registration Data to be deleted.

Stakeholder response to the Recommendation

4.2 Noted. The DSA will update the ‘Request data deletion’ webform to include language that

  1. specifies that the COVIDSafe user initiate another data deletion request if they have not immediately received a confirmation request via text,
  2. informs COVIDSafe users that only one confirmation text will be sent, and
  3. if they do not respond to said text within seven days, that their data deletion request will not be processed.

The DSA will update the confirmation text message to include (2) and (3) above.

The DSA will not issue subsequent confirmation messages to COVIDSafe users following the issuing of the initial notification, as less than one percent of users requesting deletion fail to confirm their request.

Recommendation 2

OAIC recommendation

4.3 The OAIC recommends that the DSA updates its practices to align with para 94L(1)(a) and in consideration of subs 94L(3) and para 94D(2)(g) which permit access to COVID app data for the purpose of, and only to the extent required for the purpose of, confirming that the correct data is being deleted.

Stakeholder response to the Recommendation

4.4 Noted. The Department acknowledges the risks associated with the current processes of data deletion requests however considers the risks have been appropriately mitigated.

Current technical parameters prevent the DSA from processing data deletion requests unless the information provided by a COVIDSafe user exactly matches that provided at registration and contained in the NCDS. In case of erroneous data provided by the COVIDSafe user e.g. incorrect or incomplete telephone number, there is no capacity to query the NCDS to match the information submitted by the user and searching by that information is prohibited under the data access rules to the NCDS. The existing confirmation process ensures that the COVIDSafe user initiated the data deletion request, and the correct corresponding data, is being deleted. The Department considers the current arrangements appropriate to manage and mitigate risks.

Recommendation 3

OAIC recommendation

4.5 The OAIC recommends that the DSA, as a matter of priority, implement measures to prevent the use or disclosure of Registration Data following a request from a COVIDSafe user to delete their Registration Data, where this data cannot be deleted immediately, to ensure that the DSA is complying with para 94L(1)(b) of the Privacy Act. Measures could include technical measures, such as flagging data that is subject to a deletion request in the NCDS so that it is quarantined from use and disclosure.

Stakeholder response to the Recommendation

4.6 Noted. The DSA is taking all reasonable steps to delete Registration Data from the NCDS as soon as practicable following a data deletion request confirmed by a COVIDSafe user. If the COVIDSafe user has already had their data uploaded to the NCDS it is not possible to quarantine it from access, use or disclosure by a public health official until the data is deleted.

Suggestion 1

OAIC suggestion

4.7 The OAIC suggests that the DSA considers implementing an automated process to complete deletion requests to:

  • mitigate privacy risks associated with manual handling of personal information across multiple systems where there is an increased volume of requests
  • enable scalability in response to any increased volume of data deletion requests.

Stakeholder response to the Suggestion

4.8 Agree in part. The DSA has implemented a partially automated process to complete data deletion requests. This process reduces manual data handling to a minimum. This process will support any increased volume of data deletion requests. Data that is to be deleted remains secure within the NCDS and is not accessed by the DSA, so the privacy risks associated with this process have been mitigated.

Suggestion 2

OAIC suggestion

4.9 The OAIC suggests that the DSA update the ‘Request data deletion’ Webform to include a statement that it is necessary for a COVIDSafe user to uninstall or delete the COVIDSafe app from their device, following a request to delete their Registration Data, to ensure that COVIDSafe app data will not remain on their device.

Stakeholder response to the Suggestion

4.10 Agree. This requirement to delete the COVIDSafe app to ensure that COVIDSafe app data will not remain on their device is articulated on the help topics page on the COVIDSafe site (https://www.covidsafe.gov.au/help-topics.html). The DSA will update the ‘Request data deletion’ webform as suggested.

Part 5: Description of assessment

Objective and scope of assessment

5.1 This assessment was conducted under para 33C(1)(a) and subs 94T(2) in Part VIIIA of the Privacy Act, which legislates oversight for the COVIDSafe System by the AIC.

5.2 The objective of this assessment is to determine whether the DSA has taken reasonable steps to comply with Australian Privacy Principle (APP) 11.2 and the data retention and deletion requirements of Part VIIIA of the Privacy Act 1988 (Cth) (Privacy Act).

5.3 In order to form a conclusion against Assessment 4 objectives, the following criteria were examined:

  • the Data Store Administrator (DSA) is taking all reasonable steps to ensure that COVID app data is:
    • not retained on a communication device for more than 21 days and, if not, that the period of retention is no longer than ‘the shortest practical period’
    • not collected on a communication device, following a COVIDSafe user deleting the COVIDSafe app from their communication device.
  • in relation to a request from a person, or the parent, guardian or carer of a person, to delete registration data from the National COVIDSafe Data Store (NCDS):
    • the DSA is taking all reasonable steps to action a request as soon as practicable following a request to do so
    • the DSA has taken all reasonable steps to prevent the use and disclosure of registration data that is required to be deleted, where it is not practicable to delete the data immediately.

5.4 The OAIC determined the approach undertaken in conducting Assessment 4 by reference to the reporting requirements legislated in the Privacy Act. The PwC Global Internal Audit Methodology, aligned with the requirements of the International Professional Practices Framework, was also referenced to provide further assurance.

Privacy risks

5.5 Where the OAIC identified privacy risks it considered to be medium or high, the OAIC made recommendations about how to address those risks; where it considered those risks to be low, the OAIC made suggestions. These observations are set out in Part 3 of this report.

5.6 The OAIC assessments are conducted as a ‘point in time’ assessment i.e. observations are only applicable to the time period in which the assessment was undertaken.

5.7 For more information about OAIC privacy risk ratings, refer to the OAIC’s ‘Risk based assessments – privacy risk guidance’. Chapter 7 of the OAIC’s Guide to privacy regulatory action provides further detail on this approach.

5.8 Assessment 4 provides assurance that the DTA and DoH are effectively managing the following specific risks as noted in the DoH COVIDSafe app Privacy Impact Assessment:

  1. Insufficient assurance is provided to the Australian people about the function and purpose of the COVIDSafe app, how the app will work, what personal information will be collected by the app, and how that information will be used.
  2. COVIDSafe data is not secure.
  3. Data governance arrangements (outlined in contracts and other arrangements) between entities involved in the implementation and operation of the COVIDSafe app are insufficient to secure, and appropriately monitor access to, COVIDSafe app information.

Timing, location and assessment techniques

5.9 The OAIC conducted both a risk-based assessment of the data retention and deletion of COVID app data under APP 11 which focused on identifying privacy risks to the secure handling of COVID app data and a compliance-based assessment under Part VIIIA of the Privacy Act.

5.10 Assessment 4 involved the following activities:

  • review of relevant policies, procedures, design and technical documentation provided by the DoH and the DTA
  • a review of the COVIDSafe app source code
  • fieldwork, which included interviewing key members of staff at the DTA and the DoH offices in Canberra during November and December 2020
  • a demonstration of the deletion process provided by DTA staff.

5.11 The OAIC engaged PwC to assist with undertaking the COVIDSafe Assessment Program to provide independent assurance to Australian citizens that data in the COVIDSafe app is meeting legislative requirements. The OAIC considered PwC observations in the writing of this report.

Reporting

5.12 The OAIC publishes final assessment reports in full, or if necessary, an abridged version, on its website. All or part of an assessment report may be withheld from publication due to statutory secrecy provisions, privacy, confidentiality, security or privilege.

Appendix A: COVIDSafe Legislative Framework

1.1 The personal information collected by the COVIDSafe app through the COVIDSafe System is protected by the following:

  • The Biosecurity (Human Biosecurity Emergency) (Human Coronavirus with Pandemic Potential) (Emergency Requirements—Public Health Contact Information) Determination 2020 (Cth) (the Biosecurity Determination)
  • The Privacy Act, which includes:
    • The APPs
    • Part VIIIA – Public health contact information.

The Biosecurity Determination

1.2 The Biosecurity Determination was issued by the Minister for Health on 25 April 2020 under the Biosecurity Act 2015 (Cth) and was repealed on 16 May 2020 following commencement of the Privacy Amendment (Public Health Contact Information) Act 2020 (Cth) (Privacy Amendment Act).

1.3 The Biosecurity Determination included requirements for the collection, use and disclosure of COVID app data and was regulated by the Australian Federal Police, not the OAIC.

Privacy Act – the Australian Privacy Principles

1.4 The Privacy Act promotes and protects the privacy of individuals and regulates how APP entities, which includes Australian Government agencies and organisations, handle personal information.

1.5 The APPs at Schedule 1 of the Privacy Act are the cornerstone of the privacy protection framework in the Act. The 13 APPs govern standards, rights and obligations around:

  • the collection, use and disclosure of personal information
  • an organisation or agency’s privacy governance and accountability
  • the integrity and correction of personal information
  • the rights of individuals to access their personal information.

1.6 The APPs apply to any ‘personal information’ collected by Australian Government agencies in relation to the COVIDSafe System.

Privacy Amendment (Public Health Contact Information) Act 2020 (Privacy Amendment Act) and Part VIIIA of the Privacy Act

1.7 The Australian Government passed the Privacy Amendment Act on 14 May 2020 which amended the Privacy Act by inserting Part VIIIA – Public health contact information into the Privacy Act. Part VIIIA commenced on 16 May 2020.

1.8 Part VIIIA of the Privacy Act provides strong privacy protections for personal information collected through the COVIDSafe app. The Australian Information Commissioner (AIC) has an independent oversight function in relation to COVIDSafe under the Privacy Act and is actively monitoring and regulating compliance.

1.9 Specific privacy protections under Part VIIIA include:

  • section 94K: COVID app data not to be retained
  • section 94L: Deletion of registration data on request
  • section 94N: Effect of deletion of COVIDSafe from a communication device.

1.10 The provisions dealing with privacy protection are supported by procedural amendments which relate to or assist with oversight of the COVIDSafe System by the OAIC, including:

  • section 94T: expands the assessment power in s 33C to include assessments of whether the acts or practices of an entity or a STHA in relation to COVIDSafe data comply with Part VIIIA of the Privacy Act
  • section 94Y: provides the Minister for Health with the power to determine, by notifiable instrument, the end of the COVIDSafe data period
  • section 94ZB: requires the AIC to report on the performance of their functions and powers relating to Part VIIIA of the Privacy Act every six months
  • section 94ZC: provides that COVIDSafe data remains the property of the Commonwealth even after disclosure to and use by STHA.

Appendix B: Role of the OAIC

1.1 The new Part VIIIA of the Privacy Act has granted the AIC a range of additional proactive and reactive regulatory powers which support the AIC’s legislated responsibilities in relation to the privacy oversight of the COVIDSafe System.

1.2 The OAIC is undertaking five privacy assessments (the COVIDSafe Assessment Program) under s 33C and s 94T of the Privacy Act to proactively execute its oversight function in relation to the COVIDSafe System.

1.3 The five COVIDSafe privacy assessments (COVIDSafe Assessment Program) are:

  • Assessment 1 – Access controls applied to the Data Store by the DSA
  • Assessment 2 – Access controls applied to the use of COVID app data by State or Territory Health Authorities
  • Assessment 3 – Functionality of the COVIDSafe app against specified privacy protections set out under the COVIDSafe privacy policy and collection notices, and against the requirements of Part VIIIA
  • Assessment 4 – Compliance of the DSA with data handling, retention and deletion requirements under Part VIIIA
  • Assessment 5 – Compliance of the DSA with the deletion and notification requirements in Part VIIIA which relate to the end of the pandemic.

1.4 Each COVIDSafe Assessment targets different components of the COVIDSafe System, with the COVIDSafe Assessment Program designed to collectively follow the ‘information lifecycle’ of personal information collected by the Australian Government’s COVIDSafe app.

1.5 In undertaking the COVIDSafe Assessment Program, the OAIC seeks to provide independent assurance to Australians that personal information in the COVIDSafe app is being handled in accordance with Part VIIIA and the APPs.

1.6 The OAIC engaged PricewaterhouseCoopers (PwC) under s 24 of the Australian Information Commissioner Act 2010 (Cth) to assist the OAIC with the COVIDSafe Assessment Program. PwC worked jointly with OAIC staff to assist the AIC to conduct elements of the fieldwork for this assessment and provide independent assurance that access to COVID app data is meeting legislative requirements.

Appendix C: Control Frameworks and Control Measures

The following Control Frameworks and Control Measures have been identified and have been used as the basis for testing in this Assessment:

Legislative Framework

Privacy Act

The Privacy Act was introduced to promote and protect the privacy of individuals and to regulate how Australian Government agencies and organisations with an annual turnover of more than $3 million, and some other organisations, handle personal information. For the purpose of these assessments the following aspects of the Privacy Act will be applied:

APPs: The APPs are the cornerstone of the privacy protection framework in the Privacy Act. They apply to any organisation or agency the Privacy Act covers. The following APPs will be referenced in Assessment 4:

APP 11 – Security of personal information:

  • reviewing arrangements surrounding measures taken to protect personal information from misuse, interference or loss.

Notifiable Data Breaches: A data breach happens when personal information is accessed or disclosed without authorisation or is lost. If the Privacy Act covers an organisation or agency, that organisation or agency must notify affected individuals and the OAIC when a data breach involving personal information is likely to result in serious harm;

Part VIIIA: The Privacy Act was amended on 14 May 2020 to protect data in the COVIDSafe app and the NCDS. The relevant provisions of Part VIIIA of the Privacy Act and how these will be applied, include:

Examine the circumstances under which COVID app data is retained and destroyed:

  • that it meets the definition of COVID app data (subs 94D(3) and subs 94D(5))
  • It is for a permitted purpose (subs 94D(1), and subs 94D(6))
  • It is not disclosed to a person outside of Australia (subs 94F(2)).

Control Framework

Protective Security Policy Framework

The Protective Security Policy Framework (PSPF) assists Australian Government entities to protect their people, information and assets, both at home and overseas. It sets out government protective security policy and supports entities to effectively implement the policy across security governance, information security, personnel security and physical security.

The Information Security and Physical Security domains will be applied in the Assessment program. Specifically, the following core requirements will be referenced[16]:

INFOSEC-8 Sensitive and security classified information:

  • COVIDSafe app information holdings are identified
  • Sensitivity and security classification of information holdings are assessed
  • Operational controls proportional to value, importance and sensitivity are implemented and managed effectively.

ASAE3150 Assurance Engagement on Controls

ASAE3150 is the Australian Auditing and Assurance Standards Board framework applied to engagements that provide an assurance report on controls at an entity. This standard will inform the procedures, practices and reporting for the assessments.

Control Measure

The COVIDSafe Application Privacy Impact Assessment[17] (dated 24 April 2020)

A privacy impact assessment is a systematic assessment of a project that identifies the impact that the project might have on the privacy of individuals, and sets out recommendations for managing, minimising or eliminating that impact.

The PIA process was undertaken, in parallel to the development of the COVIDSafe app, to allow the DoH to consider the relevant information flows, determine whether the COVIDSafe app includes appropriate privacy obligations and protections, and if not, determine what steps should be taken to address and mitigate identified privacy risks. The privacy risks and recommendations identified through the PIA process will be evaluated as part of this assessment.

Bilateral Agreements[18]

Bilateral Agreements between the DoH, acting on behalf of the Australian Government, and state and territory Health Authorities have been established to enhance contact tracing activities by states and territories to respond to, manage and control COVID-19.

These agreements supplement the Privacy Act, relevant state and territory public health and privacy legislation and outline the arrangements for access, use and disclosure of COVIDSafe data.

Appendix D: Privacy Risk Guidance

For each privacy risk rating, the guidance sets out the entity action required and the likely outcome if the risk is not addressed.

High risk

Entity action required:

  • Entity must, as a high priority, take steps to address mandatory requirements of Privacy and related legislation
  • Immediate management attention is required

Likely outcome if risk is not addressed:

This is an internal control or risk management issue that, if not mitigated, is likely to lead to the following effects:

  • Likely breach of relevant legislative obligations (for example, APP, TFN, Credit, privacy safeguard, Part VIIIA) or not likely to meet significant requirements of a specific obligation (for example, an enforceable undertaking)
  • Likely adverse or negative impact upon the handling of individuals’ personal information
  • Likely violation of entity policies or procedures
  • Likely reputational damage to the entity, such as negative publicity in national or international media
  • Likely adverse regulatory impact, such as Commissioner Initiated Investigation (CII), enforceable undertakings, material fines
  • Likely ministerial involvement or censure (for agencies)

Medium risk

Entity action required:

  • Entity should, as a medium priority, take steps to address Office expectations around requirements of Privacy and related legislation
  • Timely management attention is expected

Likely outcome if risk is not addressed:

This is an internal control or risk management issue that may lead to the following effects:

  • Possible breach of relevant legislative obligations (for example, APP, TFN, Credit privacy safeguard, Part VIIIA) or meets some (but not all) requirements of a specific obligation
  • Possible adverse or negative impact upon the handling of individuals’ personal information
  • Possible violation of entity policies or procedures
  • Possible reputational damage to the entity, such as negative publicity in local or regional media
  • Possible adverse regulatory impacts, such as Commissioner Initiated Investigation (CII), public sanctions (CII report) or follow up assessment activities
  • Possible ministerial involvement or censure (for agencies)

Low risk

Entity action required:

  • Entity could, as a lower priority than for high and medium risks, take steps to better address compliance with requirements of Privacy and related legislation
  • Management attention is suggested

Likely outcome if risk is not addressed:

This is an internal control or risk management issue, the solution to which may lead to improvement in the quality and/or efficiency of the entity or process being assessed:

  • Risks are limited, and may be within acceptable entity risk tolerance levels
  • Unlikely to breach relevant legislative obligations (for example, APP, TFN, Credit privacy safeguard, Part VIIIA)
  • Minimum compliance obligations are being met

Footnotes

[1] Registration Data is defined in paragraph 2.5 in Part 2 of this report.

[2] Jira is a proprietary issue tracking product developed by Atlassian that allows bug tracking and agile project management.

[3] COVID app data is defined in subs 94D(5) of the Privacy Act as data relating to a person that has been collected, or generated through the operation of COVIDSafe, and is either registration data or is stored, or has been stored, on a communication device.

[4] DTA advised that this timeframe is not defined, it is determined on a case by case basis.

[5] Notify is an online notifications service that provides government entities the capability to send emails and text messages to their users.

[6] Detail on the Administrator access role, including the number of DTA staff with this access, are provided in COVIDSafe Assessment 1 report.

[7] AWS Lambda is a serverless computing platform that runs code in response to events and automatically manages the computing resources required by that code.

[8] See Appendix A.

[9] COVIDSafe Assessment 2 assesses access controls applied to COVID app data by State and Territory health authorities and at the time of the publication of this report was not finalised.

[11] Explanatory Memorandum, Privacy Amendment (Public Health Contact Information) Bill 2020, para 97.

[13] At the time of publication of this assessment report, COVIDSafe Assessment 2 was not finalised.

[14] At the time of publication of this assessment report, COVIDSafe Assessment 2 was not finalised.

[15] At the time of publication of this assessment report, COVIDSafe Assessment 2 was not finalised.

[16] Supporting requirements will be referenced as necessary.

[17] A PIA is not formally considered a Control Framework, however, is considered relevant to this assessment as it outlines recommendations to be implemented and access requirements.

[18] A Bilateral Agreement is not formally considered a Control Framework, however, is considered relevant to this assessment as it outlines STHA access requirements.