Checking out data protection and privacy in Check-In CBR app
As Australia starts to ease out of COVID lockdown, the ACT Government has announced that the capital’s cafes, restaurants and bars can begin to welcome more customers, provided they sign up to the Territory’s bespoke Check In CBR app. Venues using the new Check In CBR app can now double their capacity to one person per two square metres indoors (to a maximum of 500 in total) as opposed to one person per four square metres otherwise.
The Check In CBR app is good news for the ACT’s hospitality industry, and patrons wishing to frequent cafes, restaurants and bars. Despite this positive news, there are privacy, data protection and cybersecurity issues to be considered, including who has access to the data, how will it be stored, where will it be stored, and for how long?
Enter the QR Codes
Australians have become accustomed to scanning QR codes and submitting personal details before entering venues. Most such schemes are privately run but all must comply with the Privacy Act 1988 (Cth) (Privacy Act) and the 13 Australian Privacy Principles (APP). The APP are designed to balance each individual’s right to information security against the legitimate interests of public agencies and private organisations in implementing public health policy.
Against the background of an ongoing pandemic, it is important that the public feel able to trust check-in apps not to mishandle their personal information, which makes compliance with the APPs even more important than usual.
COVID app data
The legal issues associated with the Check In CBR app are comparable to those faced by the Commonwealth Government when establishing the COVIDSafe app.
To provide suitable data protection and privacy of information in the COVIDSafe app, the Commonwealth Government enacted the Privacy Amendment (Public Health Contact Information) Act 2020 (Cth) (Contact Information Act) to support the COVIDSafe app and provide stronger privacy protections. The Commonwealth Government also created the National COVIDSafe Data Store and confirmed that COVID app data is ‘personal information’ for the purposes of the Privacy Act (with breaches of the Contact Information Act amounting to a breach of the Privacy Act).
The Privacy Act provides the Office of the Australian Information Commissioner (OAIC) with regulatory oversight in relation to how COVID app data must be collected, used and disclosed.
For example, APP 11 requires organisations handling COVID app data to take reasonable steps to protect the data from misuse, interference, loss, unauthorised access, unauthorised modification and unauthorised disclosure.
State and Territory health authorities must comply with the Privacy Act when COVID app data is downloaded from the National COVIDSafe Data Store and used as part of a COVID app. COVID app data in the National COVIDSafe Data Store must be stored on a database in Australia.
The Privacy Act’s Notifiable Data Breaches scheme has been extended to apply to COVIDSafe app data.
Data on check in apps
Check-in apps should be clear that they only collect a minimal amount of data, only use it for the stated purpose of “track and trace”, and do not keep it for longer than reasonable. In other words, apps should only require enough information to identify and locate an individual – importantly, there is no need to collect details such as date of birth or sensitive information about an individual’s state of health. In promoting the Check In CBR app, the ACT Government made it clear that such sensitive information will not be collected or stored on the Check In CBR app.
All collected data should be securely stored and destroyed after a reasonable time (e.g. 28 days, by which time it should have become clear whether the individual has been exposed to COVID-19), and neither venues nor app operators should make any further use of the data (for instance, contact details should not be added to marketing databases).
When Mickey went drinking with Donald
While there is scant information as to how the numerous apps in circulation are living up to these standards, anecdotal evidence suggests the public is not wholly convinced of their reliability or trustworthiness. How else to explain the surprising number of times “M Mouse” has apparently been out for beers with “D Duck”?
While many apps seem properly compliant, with clear and accessible procedures and policies, there is still clearly some reluctance on the part of the public to engage fully with them.
Why the Check In CBR app checks out
In order to reassure the population at large, and to ensure maximum engagement and compliance, the Check In CBR app is unusual in being launched and operated by the ACT Government rather than by a private developer. One of the major benefits of this is that all personal data is collected directly by ACT Health rather than being directed there via intermediaries, and this directness should help allay any fears about data security or misuse.
Private apps tend to use unverified QR codes to forward data via a back-end website, leaving obvious room for repurposing of data, or for phishing by interception or diversion. Check In CBR, on the other hand, cuts out all middlemen and validates each venue-specific QR code before allowing data to be transmitted.
In addition, the set-up process means that each individual’s personal data only has to be entered once and not on each subsequent use. For customers who cannot (or will not) make use of the app, paper-based alternatives will be available, but this clearly will not be as quick, easy, effective or secure.
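The memo does not describe how Check In CBR validates venue QR codes or enforces retention, so the following is an added illustration and not the app's own code. It assumes a design in which the health authority issues each venue a QR payload signed with a server-held HMAC key (the key, venue identifiers and check-in records below are all constructed), the submission endpoint refuses any check-in whose QR code does not verify, only a name and phone number are recorded, and records are purged once they are 28 days old, as the data-minimisation and retention points above suggest.

```python
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass

# Hypothetical signing key held only by the health authority's server
# (constructed for this example; never ship a real key in client code).
VENUE_KEY = b"example-venue-signing-key-not-real"
RETENTION_SECONDS = 28 * 24 * 3600  # destroy check-in records after 28 days


def sign_venue_qr(venue_id: str, venue_name: str, issued_at: int, key: bytes = VENUE_KEY) -> str:
    """Build the text encoded in a venue's QR code: base64(payload).base64(HMAC-SHA256)."""
    payload = json.dumps(
        {"venue_id": venue_id, "venue_name": venue_name, "issued_at": issued_at},
        sort_keys=True, separators=(",", ":"),
    ).encode()
    mac = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload).decode() + "." + base64.urlsafe_b64encode(mac).decode()


def verify_venue_qr(qr_text: str, key: bytes = VENUE_KEY):
    """Return the venue payload if the scanned text carries a valid signature, else None.

    A plain URL or any payload signed with another key fails here, so the
    submission endpoint never accepts data routed through an unverified code.
    """
    try:
        payload_b64, mac_b64 = qr_text.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        mac = base64.urlsafe_b64decode(mac_b64)
    except ValueError:  # wrong shape or invalid base64 (binascii.Error is a ValueError)
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):  # constant-time comparison
        return None
    return json.loads(payload)


@dataclass
class CheckIn:
    """Only the fields needed to identify and contact a patron; no date of birth or health data."""
    venue_id: str
    name: str
    phone: str
    checked_in_at: int


def record_checkin(store: list, qr_text: str, name: str, phone: str, now: int, key: bytes = VENUE_KEY):
    """Server-side handler: accept a check-in only against a verified venue QR code."""
    venue = verify_venue_qr(qr_text, key)
    if venue is None:
        return None  # unverified QR code: refuse the check-in rather than store the data
    entry = CheckIn(venue["venue_id"], name, phone, now)
    store.append(entry)
    return entry


def purge_expired(store: list, now: int) -> int:
    """Delete records that have reached the retention limit; return how many were removed."""
    keep = [c for c in store if now - c.checked_in_at < RETENTION_SECONDS]
    removed = len(store) - len(keep)
    store[:] = keep
    return removed


if __name__ == "__main__":
    issued = 1_600_000_000  # constructed timestamp
    qr = sign_venue_qr("ACT-0001", "Example Cafe", issued)
    store: list = []
    print("valid QR accepted:", record_checkin(store, qr, "M Mouse", "0400000000", issued) is not None)
    print("plain URL rejected:", record_checkin(store, "https://example.invalid/checkin", "D Duck", "0400000001", issued) is None)
    print("records purged after 28 days:", purge_expired(store, issued + RETENTION_SECONDS))
```

The verification runs on the server that holds the key; a client-side check would need an asymmetric signature (public key in the app) instead, but the acceptance rule and the retention purge are the same either way.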
Check In CBR is designed to work alongside the Federal Government’s COVIDSafe app, which uses Bluetooth to keep track of proximity to other individual subscribers and is aimed at covering public spaces and transport.
Data protection and privacy
Data protection and privacy are complex issues. Storage of data and personal information on multiple apps and back-end servers only adds to this complexity.
If you have any questions about the collection, storage, or processing of personal data around the world, and especially in Australia or the EU (including in relation to compliance with GDPR), please contact us.
Moulis Legal is on the Commonwealth Government and ACT Government Legal Services Panels for Information Communications & Technology Law, Intellectual Property Law, General Contract and Commercial Law.
This memo presents an overview and commentary of the subject matter. It is not provided in the context of a solicitor-client relationship and no duty of care is assumed or accepted. It does not constitute legal advice.
© Moulis Legal 2020