GREENS BILL: Security of COVID-19 QR code information

Today Mark introduced a Greens Private Members Bill that will ensure that the information provided electronically to the Government via the new COVID-19 QR code system is permanently deleted after 28 days.



The Hon. M.C. PARNELL: If someone was to have made a speech or written an opinion piece or a blog at the end of 2019 suggesting that within 12 months all Australians would be legally compelled to notify the government every time they set foot inside a shop or a business they would have been dismissed as barking mad. The reaction would have been that such things are the stuff of conspiracy theorists, or dystopian novels or movies. It would never happen in Australia; Australians value their freedom. Many of us marched in the street against the proposal to carry an identity card back in the 1980s.

The idea of the government knowing every time you went out to buy bread or went to the gym or got your hair cut or went to a cafe, such a regime would have been inconceivable just a year or so ago. Yet, here we are. Not only is this now the law but the vast bulk of us willingly comply. We do so not because we are politically naive or gullible or stupid, we do it because we have come to realise that it is our collective effort and our collective compliance with public health measures that keeps us all safe. That is what the COVID pandemic has done to our collective consciousness. Things that would normally be completely unacceptable in a free society are now part of the price that we know we have to pay to help keep everyone safe.

That brings me to the world of contact tracing and the new system of QR codes that we scan on our smartphones multiple times every day. From what I have seen, this new state-based system is mostly being complied with, although it does take some getting used to and I am sure that most people have probably forgotten once or twice as they duck into a shop for 30 seconds to buy some milk or bread.

From the community's perspective, the quid pro quo of us agreeing to tell the government about just about every place we go outside the home is that the deal is as follows: firstly, that the information will only be used for contact tracing for public health purposes in relation to the COVID pandemic and, secondly, that the information will be permanently and irretrievably deleted once it is no longer useful or relevant for that purpose.

As I have said many times in this place, the major currency in this bargain between citizens and the state is trust. We trust that our health officials know what they are doing and we trust that the government will be true to their word and will not allow the misuse of this extraordinary amount of personal information that we are handing over.

Let me say at this point that I acknowledge the Attorney-General's consistent assurances regarding the protection of privacy in the use of QR codes for contact tracing. Most recently, these assurances were repeated in the House of Assembly just yesterday. I do not doubt the integrity of those commitments and I have no evidence that anything untoward has happened or that suggests that the government is doing anything other than what they have promised.

That is not something that I say in relation to other areas of government administration or government policy but in this case I, along with most South Australians, am prepared to trust that the government is honouring their compact with the people, that they are not allowing the misuse of the information and they are deleting it when it is no longer relevant for contact tracing.

I also acknowledge that there are some legal protections in place already. The minister has pointed to section 31A of the Emergency Management Act as one of those protections. However, there are a number of voices, including the Law Society, which remind us that the laws to protect our privacy are not comprehensive and they do not cover every situation.

It is also important that, wherever possible, public assurances from the government are backed up by comprehensive legislation. If the glue that holds this together is trust, then why would we not add emphasis to that trust by allowing the government to say, 'This is what we are doing and it is against the law to do otherwise'?

That is especially important when assurances are given by political players. Ministries can be reshuffled, senior officials may come and go, governments can change hands at elections and circumstances can change. For example, the government may, during times of relative calm when there is no community transmission of disease, make cool-headed assurances that the protection of our privacy is paramount, but we only need to cast our minds back to the attitude of the Premier towards the Spanish pizza worker during the height of the so-called 'Parafield cluster'.

The fuming Premier, no doubt spurred on by the social media mobs, wanted to throw the book at the Spanish pizza worker. In fact, SAPOL launched Taskforce Protect to investigate how to do just that. It was only when SA Health refused to release the information obtained by their contact tracing team, on the grounds that it was confidential and privileged, that the pursuit of the pizza worker came to an end.

The Premier told David Bevan on the ABC on 10 December that he understood 'the reasons why public health officials have made that decision, and will support it in this instance'. The words 'in this instance' are the operative words in that comment from the Premier. It is a caveat. It leaves the door open to overriding principles of confidentiality if the demand for retribution is strong enough. If the crowds wielding pitchforks and burning torches are large enough and loud enough then maybe the assurances might not hold.

The opposition health spokesperson, Chris Picton, on FIVEaa on the same day questioned why SA Health did not release the information, saying, 'The Public Health Act gives a number of different ways in which information could be released to authorities.' So there was a bipartisan push to make an example of the Spanish pizza worker, and that was at the expense of the confidentiality of contact tracing information.

This is also despite the public health advice from people like Dr Nicola Spurrier or the University of New South Wales Adjunct Professor Bill Bowtell or the professor of epidemiology from Deakin University, Catherine Bennett, who have all suggested that COVID witch-hunts could deter potentially infected citizens from coming forward to get tested. Adjunct Professor Bill Bowtell, on 23 November, said:

I [really] abhor this idea of blaming & shaming people. We cannot have politicians & senior people believing that they only claim responsibility when things go well, but everything that goes wrong is the fault of other people.

Meanwhile, Professor Catherine Bennett on the same day stated, 'People will not come forward either to work in a system or to be tested if they feel that their trust is being violated, their confidentiality is being ignored.'

In order to really mean anything, such safeguards must be included in the legislation, and that is what my amending bill seeks to achieve. The bottom line is that the law trumps promises every time if you want to instil confidence and trust in the community. The maintenance of public trust is an essential component of any public health strategy, and we all know too well that the words of politicians do not inspire the same level of trust as the black letter ink of legislative provisions.

In relation to the adequacy of existing legal safeguards, the Attorney-General has pointed to existing legislative protections as being adequate, particularly section 31A of the act; however, the Law Society of South Australia disagrees. In his letter to the Premier of 14 December last year, outgoing Law Society president, Tim White, asserted that the society's Human Rights Committee was 'unable to identify any provisions within the Emergency Management (Public Activities No 15) (COVID-19) Direction 2020 which are to the same effect, or otherwise restrict the use or disclosure of the information collected by COVID-Safe Check-In'. He then expressed:

We are concerned about the lack of legislative safeguards in place to manage the collection, storage, use and disclosure of the personal information of persons...This particularly so given that a person is compelled to provide their relevant contact details to the COVID-Safe check-in to go about their day to day lives.

The Law Society repeated these concerns in response to the Attorney-General's speech. In today's Advertiser they state that 'these oral guarantees should be prescribed in law'. In their letter to the Premier, they stated that the commonwealth government's approach to privacy protection is a suitable model for South Australia.

Whilst the Morrison government's COVIDSafe app may have been much maligned, the legislation that accompanied it, the Privacy Amendment (Public Health Contact Information) Act 2020, did contain some sensible provisions which this bill seeks to apply at a state level to our own contact tracing regimes. The explanatory memorandum to the Morrison government's legislation explained that contact tracing during a pandemic must straddle a fine line; it is a line where the fundamental human right to enjoy the best attainable standard of health conflicts with the right to privacy.

Under article 17 of the International Covenant on Civil and Political Rights, the right to privacy may be restricted provided that such limitations are consistent with the aims of the treaty and serve a legitimate objective and are not arbitrary, with 'arbitrariness' defined under article 17(1) as 'lacking necessity or proportionality'. There is no doubt that the collection of personal details for the purpose of contact tracing during a pandemic is a legitimate purpose. As previously mentioned, doing so ensures the protection of the human right to health and life, arguably the most fundamental right, the one upon which all others depend.

The next question then is, given this legitimate objective, what degree of limitation is necessary and proportionate or, more specifically, who needs to have access to the personal information and how long do they need to hold on to it? This bill seeks to provide answers to those questions and in doing so ensures compliance with obligations under article 17 of the international covenant. Clause 3 adds a new section 31B to the part 5 offences of the Emergency Management Act 2004. Section 31B is a definition section. It defines the terms 'approved tracing system', 'contact tracing', 'contact tracing data', 'relevant contact details', and 'written contact tracing record'.

New section 31C makes it clear that these amendments apply to directions made under section 25 of the Emergency Management Act or under the COVID-19 Emergency Response Act 2020, an act that we extended in this place just last night. New section 31D creates the new offence of unauthorised collection, use or disclosure of COVID-19 contact tracing data, and then defines 'authorised collection, use and disclosure'. The penalty for this offence is a maximum of five years' gaol, which equates to the maximum penalty for a minor indictable offence, which aligns with identity theft provisions under the Criminal Law Consolidation Act 1935 and the penalties under the Privacy Amendment (Public Health Contact Information) Act 2020.

According to the Queensland Law Society in their 'Information Security During the COVID-19 Crisis: A quick reference guide', criminals are exploiting COVID-19 by, amongst other things, 'sending COVID-19-themed phishing emails and SMS in the form of "urgent" warnings and notifications'. In this time of great uncertainty and changing social norms, nefarious cyber actors will be looking to capitalise, and this new offence seeks to penalise those who try.

New section 31D(3) provides for a defence to the offence, with the onus on the defendant to prove that they did not know and could not reasonably know that the data they collected, used or disclosed was COVID-19 contact tracing data. New section 31E requires that contact tracing data be destroyed within a prescribed period by the prescribed person, and it defines both of those terms and specifies when the prescribed period commences.

The intent is for the data to be deleted or destroyed after 28 days, but the prescribed person has a leeway of seven days, so in other words up to 35 days, to destroy the data without incurring the penalty, which has a maximum fine of $10,000. Twenty-eight days is a period that is both necessary and proportionate as it equates to two COVID-19 incubation periods. It is also the length of time at which contact tracing data is automatically deleted in Tasmania, the Northern Territory and the ACT, while in Victoria the data is to be deleted as soon as practicable after 28 days. Western Australia and New South Wales set 28 days as the minimum but do not set a maximum, while Queensland, being Queensland, hold onto their data for twice as long as everybody else, for 56 days.

Clause 4 of the bill removes Crown immunity from the offences discussed above and, given the role that the Crown and employees of the Crown have in collecting and storing contact tracing data, the preceding provisions would lack teeth if Crown immunity remained.

This bill seeks to replicate sensible provisions adopted at the commonwealth level and by various state and territory governments. Doing so would ensure that our COVID-19 response balances competing international human rights obligations and instils public trust in our institutions at a time when it is much needed.

I would say finally that I understand all parties are sympathetic to what my bill seeks to achieve. I understand that the Attorney is keen for her lawyers to have a good look at it to see if there are any unintended consequences or things that might have been missed out. My call is very similar to the calls that have been made by the opposition. Perhaps it is just because of my more efficient office practices that I got my bill in first. I certainly know from conversations with the opposition that they have been thinking about something very much the same.

I am looking forward to further debate on this bill. I will say that, given the COVID collection QR code system is live and operative, the sooner we can give the public the assurance that the privacy commitments made by the government are backed up in law the better. I will be looking to bring this to a vote at the earliest possible opportunity, and I will advise all members accordingly.