What happens to Australia’s COVID-19 data after the pandemic?

By Katina Michael and Roba Abbas

The COVID-19 pandemic forced Australians to share more data than they would ordinarily be comfortable sharing — state-level Quick Response (QR) code mandates required people to check-in and out everywhere.

These measures were important to notify people who had come into proximity with a confirmed COVID-19 case, but came at a price: citizens were handing over an unprecedented amount of sensitive information to governments — their name, their location at a specific date and time and, often, details of accompanying dependents.

A databank like this should be governed carefully and stored securely — this has not been the case. Laws surrounding the mandatory collection of data gathered by QR code-based check-ins have either come “after the fact”, or have not been communicated well to the public. 

After the federal COVIDSafe app floundered, state governments scrambled to create their own QR-code apps. While it was mandatory for businesses to collect customer visits during COVID, they could opt to choose from a small number of implementation options. For example, third-party suppliers, MyGuestList and ImpactData, stored tens of millions of check-ins on their databases by developing their own custom check-in apps using the state government’s Application Programming Interface (API).

Nothing is stopping these companies from exploiting this data for their own benefit, or their clients’ benefit. The law does not prohibit these entities from analysing the collected data to determine users’ spending patterns, if their annual turnover is less than $3 million a year. 

Australians have broadly complied with this new level of monitoring because of the public health imperative, but also because of the assurances made by governments. Citizens were told by government bodies that their data was safe, but there have been breaches of trust.

For example, after repeated claims that QR code check-in apps would retain data for only 28 days, SA Health breached its own guidelines, storing QR code data indefinitely until an audit discovered the alleged error. On at least six occasions, state police forces (e.g. Western Australian Police without a search warrant and Queensland Police with a search warrant) have accessed check-in data for criminal investigations after assurances this would not be allowed. Victoria Police attempted to access the data and were blocked from doing so.

In a positive development, some states (e.g. NSW) have now introduced laws preventing the retrospective or secondary use of COVID QR code data. The Service NSW (One-stop Access to Government Services) Amendment (COVID-19 Information Privacy) Bill 2021 recently came into effect.

Australians are still waiting to be told whether check-in data is being housed on servers in the United States — which was purportedly the case for the federal government’s COVIDSafe app. Storing Australian data in the United States would subject users to the Cloud Act, American legislation that allows personal information to be accessed under subpoena.

This lack of transparency is worrying given how much personal information has been stored: within four months of launching in Oct. 2020, for example, the Service NSW app lodged 30 million check-ins. Indicative numbers for Service NSW report 50.6 million check-ins in May 2021 alone. In Victoria, an estimated 18 million check-ins were recorded in the fortnight of May 13 and May 31, 2021.

Not only are citizens giving up data that links their identity to their movements on the app, but the identities of ‘dependents’ (when checking in on behalf of family members or friends). If there was a major hack to any of the state’s major cloud service providers, this data would be compromised. It would provide the capability to potentially create a web of social connections, like a social network of sorts, only physical in nature.

Looking forward

The shortcomings and lack of transparency in QR code data storage partly arose from public health directives delivered in a flurry. Businesses scrambled to figure out how they would address new government rules, with very little notice or guidance, before more prescriptive directions were delivered.

This is a major lesson for the government, organisations and the Australian public to be better prepared for technology rollouts during periods of emergency declaration or disaster. Australia has experience using apps and visualisation dashboards in its bushfire history (e.g. the Rural Fire Service’s app, FiresNearMe). The COVIDSafe app implementation demonstrated issues of accessibility and the QR code system rollout overlooked inclusivity, for example did not account for those living with vision impairment.

Governance frameworks are necessary to harness the power of technology in the public interest. It’s everyone’s responsibility. While new technologies are not silver bullet solutions, we will increasingly become accustomed to using them more effectively over time.

Australia must be more considered as it charts its course to post-pandemic life. Governments need to answer persisting questions: Moving forward, what will happen to the gathered data? Can we relax check-in and check-out mandates at low-risk venues? Can we securely store QR codes and vaccine certificates in a single app? And what of counterfeit QR codes being set up surreptitiously to redirect smartphone traffic?

These questions and others must be resolved to avoid QR code systems becoming a default surveillance mechanism after the public health crisis ends. If states terminate check-in mandates after vaccination rates reach 95 percent, as promised in New South Wales, the challenge of breaking this ingrained habit will begin.

Handing over such sensitive data already feels normalised for many, and unless citizens are made aware of their rights they will continue to do so.

Originally published under Creative Commons by 360info™. 

Terri Bookman of IEEE Society on the Social Implications of Technology and Vanessa Teague of Australian National University provided editorial input into this article.

Katina Michael is a professor at Arizona State University, a Senior Global Futures Scientist in the Global Futures Laboratory and has a joint appointment in the School for the Future of Innovation in Society and School of Computing and Augmented Intelligence. She is also the founding editor-in-chief of the IEEE Transactions on Technology and Society.

Roba Abbas is a Lecturer and Academic Program Director with the Faculty of Business and Law at the University of Wollongong, Australia. She is also co-editor of the IEEE Transactions on Technology and Society.