Mandatory Checkin App raises privacy issues
QCCL President Michael Cope said today “The QCCL is extremely concerned about the government’s decision to make the Checkin QLD app mandatory for entry to restaurants, pubs etc without adequate privacy protection”.
“The QCCL calls on the government to provide assurances to the people of Queensland, that data collected from the Check in QLD app will be used solely for the stated purpose of contact tracing. QCCL also seeks assurances that information collected from the Check-in app will not be used for law enforcement purposes or any other additional purpose” said Mr. Cope.
Mr. Cope said, “Those assurances can only be satisfactorily provided by the passage of specific legislation limiting the use of data collected and providing for its destruction”.
The current privacy statement on the App is in fact misleading and deceptive. It says:
If required, CHDE will disclose your personal information to Queensland Health who will use your information for the purposes of contact tracing
Most Queenslanders will find this a comforting reassurance that the data will only be used for contact tracing purposes. But the privacy policy then says:
Information collected using the Check In Qld app may be disclosed to, and used:
• by authorities with powers and responsibilities in relation to COVID-19 (and those helping them) such as the Chief Health Officer and Queensland Health (including the Hospital and Health Services) for compliance activities, and for the purposes of overseeing and managing the Queensland Government’s COVID-19 response;
• where the use or disclosure is authorised or required by law
As every police officer in Queensland is an emergency officer under the Public Health Act, this would allow information to be disclosed to the police for the extremely broad purpose of “compliance activities” relating to Covid.
“Most people would be surprised to learn that police are to be involved in contact tracing. And the range of activities for which the data can be used is much broader than contact tracing.”
But even broader is the power to disclose the data for purposes “authorised or required by law”. This would permit police access to this data for non-Covid-related purposes at the stroke of a pen by a bureaucrat.
We know this from the practice of police accessing Gocard data some years ago to make it easier to serve subpoenas, which was done on exactly that basis. Whilst processes were put in place to control such access, in our view they were and are inadequate (see https://www.oic.qld.gov.au/__data/assets/pdf_file/0008/7766/report-go-card-disclosure.pdf).
We have already seen that the Singapore TraceTogether App, on which the COVIDSafe App was based, can be accessed by police in the course of a criminal investigation. This is despite explicit assurances that the App would only be used for contact tracing.
The government should introduce specific legislation like that introduced for the COVIDSafe app to secure the privacy of Queenslanders in relation to the Check in App data. That legislation should:
1. have a defined end date, which we would suggest should be 30 September 2021, consistent with other Covid emergency legislation passed by the parliament recently.
2. specify that on that date all data currently held will be deleted.
3. prohibit access by law enforcement to the data, including by subpoena or warrant.
4. specify that the data is only to be accessed for contact tracing purposes and no other purposes. It must prohibit secondary use or disclosure of the data.
5. specifically task the Privacy Commissioner with oversight of access to the data, including providing regular reports to the relevant Parliamentary committee.
6. not include delegation of the primary legislation or ministerial discretion, particularly relating to the sunset period.
“QCCL strongly opposes the use of information gathered for health purposes for law enforcement or any other additional purpose. The use of the Checkin App should not be made mandatory until this legislation is passed,” says Mr. Cope.