Australian Privacy Watchdog Looks to Ban Police From Accessing Contact Tracing Data for Unrelated Investigations

Australia has made news for having some of the world’s strongest anti-Covid measures, but the country’s lead privacy watchdog wants to ensure that this extraordinary state of affairs is not abused in the investigation of routine crimes. The Office of the Australian Information Commissioner (OAIC) has called for law enforcement to be blocked from accessing Covid contact tracing data to track suspects via their check-in histories, saying that it threatens to undermine public participation in the program.

The call from OAIC comes after several police agencies in the country attempted to access contact tracing data without a warrant, in at least one case looking for potential witnesses in the vicinity of a crime rather than attempting to track a specific subject.

Potential for abuse of contact tracing data raises concerns at Commonwealth level

The abuses of police access to contact tracing data have taken place at the state level, but there have now been multiple incidents across Australia. Western Australian police improperly accessed contact tracing data twice in June in the investigation of what they called “serious crimes,” leading the state government to introduce legislation to prevent it from happening again. Police in Victoria made similar attempts three times in recent months, but in all cases were blocked by health department officials because they did not have the required warrant. And the Queensland police were told not to access contact tracing data except in “extraordinary circumstances” after attempting to use it to find weaponry that was stolen from an officer in a pub.

The most common system for contact tracing in Australia is the COVIDSafe app, which has users scan a QR code at locations to create a history of movement. The country’s Privacy Act has been updated to specify that law enforcement agencies are not supposed to collect, use or disclose information collected with the COVIDSafe app unless it is part of an investigation into a violation of the Privacy Act. However, this is not the only means of contact tracing and state governments are largely free to determine for themselves how privacy policies are implemented and what level of access law enforcement may have to data.

The Australian Capital Territory (ACT), the home to the country’s federal government, is presently considering an amendment to the country’s COVID-19 Emergency Response Bill to restrict police power to access contact tracing data, but if passed even this measure would not completely eliminate the possibility of access to the data store being allowed at the individual state and territory level.

Privacy concerns were in play even before law enforcement agencies made a grab for contact tracing data they did not have an entitlement to. Every state and territory in the country now makes use of the QR code movement tracking system (though residents usually have the option of writing down their name and contact information instead of scanning the code), and tens of millions of scans are processed per month. The country’s central MyGov platform is also currently preparing the display of Covid vaccination status certificates, which are expected to be used for movement restriction purposes once they begin displaying test result and recovery status. These plans have not firmed up yet, but the government has discussed vaccination requirements for interstate travel and for attendance at events of a certain size.

Privacy advocates want more protection of contact tracing data

The OAIC recently proposed a set of governing privacy principles for check-in data in response to concerns about law enforcement access, but privacy advocates are already taking them to task for not providing enough protection. They note that the purpose limitation rules do not specifically prevent police access, stored data is not required to be encrypted, and there is no “sunset clause” for deleting stored data after some period of time, among other issues.

The privacy watchdog appeared to update its stance several days later, not only coming out against police use of contact tracing data but also telling the Sydney Morning Herald that it should not be used for other purposes such as “direct marketing.” The OAIC said it is seeking national consistency to inspire confidence in the program and encourage as high a rate of voluntary compliance as possible, and feels that police access and other non-health uses will do nothing but undermine that confidence.

Privacy advocates with the University of New South Wales have recommended a set of principles for adoption as a national standard for addressing privacy concerns and assuring that human rights are protected. These include terms to prevent unjustifiable discrimination, penalties for unauthorized use of data, an established right for individuals impacted by a breach to sue, data minimization principles, and a transparent program that includes regular deletion of data and public reports on how contact tracing operations access data.