Case Studies

Maddocks advises the Australian Government on privacy aspects of the COVIDSafe app

• 25 May 2020 • 6 min read

Facing a once-in-a-century pandemic, the Australian Government coordinated the country’s response to keep its people healthy and safe in the face of COVID-19.

The Australian Government Department of Health delivers policies and programs relating to health and aged care to ensure better health for Australians. As part of the ongoing work being done by the Australian Government to minimise the impact of COVID-19 on communities, and to streamline contact tracing of the virus, the Department of Health played an integral part in the development of the COVIDSafe app.

The Australian Government wanted the COVIDSafe app to be downloaded by as many Australians as possible to help fast-track the road to recovery, but was concerned that many Australians may be reluctant to do so given previous privacy and security concerns associated with the collection of personal information by the Australian Government.

Maddocks advised the Australian Government, as represented by the Commonwealth Department of Health, on the privacy aspects of the COVIDSafe app. While the Department of Health was the main point of contact, there was also involvement from a range of Australian Government departments and agencies, including the Prime Minister’s Office, the Attorney-General’s Department, the Office of the Australian Information Commissioner, the Australian Government Solicitor, the Digital Transformation Agency, the Department of the Prime Minister and Cabinet, and the Australian Human Rights Commissioner.

Seeking a solution that protected the security and privacy of all Australians

The implementation of the COVIDSafe app was potentially a controversial issue as it required Australians to trust that their information would be handled correctly by the Australian Government.

As the COVIDSafe app was going to be highly scrutinised by the Australian public, including experts in security and privacy, it was important that the Australian Government understood and addressed all privacy considerations, issues and risks.

As COVID-19 was a fast-developing issue, the timeframe around the development of the COVIDSafe app was tight. Maddocks was asked to provide a Privacy Impact Assessment (PIA) in a timeframe much shorter than the minimum 6 weeks normally needed for a PIA of the same complexity.

The team at Maddocks has extensive experience in conducting privacy impact assessments for numerous Commonwealth departments and agencies, and has assisted the Australian Government in successfully addressing, and mitigating, identified privacy risks.

“We also had extensive experience assisting our Australian Government clients by providing urgent, highly sophisticated and thorough privacy advice and solutions,” says Katherine Armytage, Partner at Maddocks.

The COVIDSafe app in use

A collaborative and agile approach to engage stakeholders

The Maddocks team on this matter included Canberra-based partner Katherine Armytage, associate Indi Prickett and lawyer Tara Dhanushkoti.

To conduct this PIA, the team drew on their past experience of conducting major, complex and high-profile PIAs (such as the PIA on the Consumer Data Right in 2019), as well as the firm's vast experience of conducting PIAs for a number of different Commonwealth agencies and departments, where the project required consultation and engagement with several stakeholders.

The team also faced a new challenge in that, because of the COVID-19 pandemic, everyone was working remotely. The team had to work collaboratively, communicate clearly with each other throughout the entire process, and make effective use of the technology available to them.

They worked under stressful conditions because, as is understandable with a pandemic, the circumstances around COVID-19 changed rapidly, meaning that they were receiving new instructions regularly. This required the team to be available at all times, be quick in their responses, and thorough in their work to ensure they accurately incorporated all of the new information and conducted comprehensive analysis of that information.

The team had to ensure they acted in the most efficient manner, whilst maintaining their high standard of analysis of risks, and providing the client with practical recommendations.

Another unique element of the PIA process was the number of different stakeholders Maddocks engaged with to complete the PIA: several times a day the team was consulting with, and receiving instructions from, a range of stakeholders. They needed to balance the views and expectations of the client (and what was feasible and manageable in the extremely tight timeframe), whilst also taking into account the views of the broader stakeholders (such as the OAIC as the privacy regulator and the Human Rights Commissioner).

This project was one of the most collaborative PIAs Maddocks has worked on, with all stakeholders (including the client) and the team constantly in contact to ensure an accurate and comprehensive PIA report.

"The Privacy Impact Assessment has provided transparency and accountability for the use of personal information, and supports community confidence in the App"

Angelene Falk, Australian Information Commissioner.

A ‘privacy by design’ approach to address and mitigate any privacy risks

The Maddocks team prepared a 78-page PIA report, which included a clear methodology of their approach to the PIA process, the scope of the PIA, a succinct Project Description to explain the COVIDSafe app (including an information flow diagram to explain the collection, use and disclosure of personal information in relation to the COVIDSafe app), and thorough and comprehensive analysis of the COVIDSafe app against the client’s obligations specified in the Privacy Act 1988 (including the Australian Privacy Principles).

Maddocks took a very pragmatic and practical approach, noting that the client had very tight deadlines it needed to meet, and also the importance of implementing the COVIDSafe app. This meant that Maddocks had to ensure that the client could effectively and successfully implement each of the recommendations the team developed to address and mitigate the privacy risks Maddocks identified.

Almost all recommendations were adopted by the client, which assisted in assuring the Australian public that the Australian Government had appropriately considered, and addressed, the privacy risks associated with the COVIDSafe app.

The Australian Government made the Maddocks PIA report publicly available at the same time as releasing the COVIDSafe app, which meant that Australians could read the report (including the team's recommendations), and the Australian Government’s response to those recommendations, before deciding to download the app.

Many Australians have praised the Australian Government for adopting a ‘privacy by design’ approach to the urgent implementation of the COVIDSafe app. Maddocks' PIA report has helped the Australian Government raise trust in its approach to privacy, as the Government considered the team's recommendations and changed the design and implementation of the COVIDSafe app because of them.

The COVIDSafe app has also been widely supported by security and privacy experts across Australia, which is incredibly important for the Australian Government to ensure the COVIDSafe app is taken up by as many Australians as possible.
