As part of the development of the proof of vaccination functionality for the Service NSW app, Service NSW sought an independent Privacy Impact Assessment by Information Integrity Solutions (IIS Partners).
The purpose of this Assessment was to ensure that collection, storage and sharing of personal information is consistent with the Information Protection Principles (IPPs), as set out in the Privacy and Personal Information Protection Act 1998. The Privacy Impact Assessment includes assessment against the Health Privacy Principles (HPPs) in the Health Records and Information Privacy Act 2002 (NSW) (HRIP Act), regulator guidance and privacy best practice.
A summary of the independent Privacy Impact Assessment is outlined below.
Findings and Recommendations
In considering the requirements of the HPPs and broader privacy issues, IIS has identified some areas where Service NSW could take additional steps to ensure compliance, or to promote better privacy practice.
5.1 Collection (HPPs 1-3)
HPPs 1-3 set out the following obligations in relation to the collection of personal information:
- Lawful (HPP 1) – Only collect health information for a lawful purpose, which is directly related to the agency’s activities and reasonably necessary for that purpose.
- Relevant (HPP 2) – Ensure that the health information is relevant, accurate, up-to-date and not excessive, and that the collection does not unreasonably intrude into the personal affairs of the individual.
- Direct (HPP 3) – Only collect health information directly from the individual concerned, unless certain exceptions apply.
The National Covid-19 Privacy Principles also require:
- Data minimisation – The collection of personal information including sensitive information such as health information should be limited to the minimum information reasonably necessary to achieve the legitimate purpose.
- Purpose limitation – Information that is required to be collected for a specific purpose related to mitigating the risks of COVID-19 should generally not be used for other purposes.
5.1.1 Purpose of collection
IIS understands that the purposes for which vaccine certificate information collected by Service NSW may be used are set out in the data sharing agreement with Services Australia and in the privacy collection notice. The primary purpose of collection is to let individuals who choose to do so use their Service NSW app to show proof that they are vaccinated against COVID-19 more easily.
IIS notes that while the project is not dependent on a PHO, a relevant PHO may specify additional purposes for vaccine certificate information and therefore play a role in defining the ‘lawful purpose’ for collection required by HPP 1. We consider that such purposes should be narrowly framed and be directly related to enabling individuals to prove their vaccination status. See Section 5 below for further discussion on ensuring a strong legal framework for such information.
5.1.2 Collection during certificate download
HPPs 1 and 2 require that collection of health information be reasonably necessary (with regard to the lawful purpose) and not excessive. This aligns with the National Covid-19 Privacy Principles which require data minimisation.
In its current form, the proof of vaccine solution requires Service NSW to collect some limited health information from Services Australia – specifically a series of tokens, including a vaccine token which contains the individual’s name, date of birth and vaccination status. The full list of available data items provided by Services Australia contains a richer set of information (e.g., vaccine brand and immunisation date for first and second doses) than what the MVP proposes to use. IIS commends Service NSW for limiting the data items it collects from Services Australia to only what is necessary for the MVP.
Service NSW pushes the vaccine token to the individual’s device which stores the information and generates the vaccine certificate that the individual displays in their Service NSW app. The vaccine certificate displays the individual’s name and date of birth – IIS discusses the display of the date of birth further below. Service NSW stores a hashed version of the vaccine token and device ID. IIS finds that the collection of name, date of birth and vaccination status in the vaccine token are reasonably necessary collections for the purposes of HPP 1. We also find that the collection meets the HPP 2 requirements of being accurate and up-to-date given that vaccination status information is sourced in real-time from Services Australia which manages the AIR – the source of truth for vaccination status.
5.1.3 Collection during COVID Safe Check-in
Once the vaccine certificate information from Services Australia has been linked to an individual’s device, the fact that the individual’s vaccination status has been linked will form part of the check-in information collected by Service NSW when that person checks in to a venue in NSW using the COVID Safe Check-in tool via the Service NSW app. IIS considers this to be privacy-enhancing because rather than collecting vaccine certificate information directly or in more detail, during check-in Service NSW will only collect a yes/no ‘flag’ that indicates vaccination status.
Nevertheless, Service NSW should only collect vaccination status during check-in if this collection is determined to be reasonably necessary for a lawful purpose, as required by HPP 1 – for example, if collecting vaccination status would allow contact tracers to prioritise unvaccinated individuals when tracing contacts. However, other unrelated uses should be strictly prohibited. Ideally, permitted uses of vaccination status information by contact tracers should be specified in the PHO and the PHO should also prohibit other uses unrelated to contact tracing.
5.1.4 Collection during checking of vaccine certificate
Based on the information flows, Service NSW’s server collects the user’s vaccine token from the checker’s Service NSW app in order to compare the token with the hash that it already holds. IIS considers that there are no issues with this because:
- The information is collected for a lawful purpose that directly relates to a Service NSW activity, namely, to ensure the proper functioning and integrity of the proof of vaccination solution.
- The information is discarded once the comparison has been made, which eliminates privacy risks associated with retaining data for longer than required.
5.1.5 Collection of metadata
The solution backend generates metadata in the form of audit and activity logs. This includes Splunk logs, New Relic logs, Apigee logs and business activity logs. It is not clear to IIS to what extent such logs capture personal information about individuals downloading or displaying their vaccine certificates. Splunk logs appear to capture user and device identifiers. If configured poorly, activity logs create privacy risks by capturing and retaining a rich record of individuals’ actions and behaviour as they interact with the app.
To comply with HPP 1, activity logs should minimise collection of identifying information to the extent possible. Activity logging is not inherently bad – it plays an important security and monitoring role. However, logs need to be carefully managed from a privacy standpoint. This includes only generating identifying information that is reasonably necessary to system operations and security, and having data disposal arrangements in place to avoid excessive retention of identifiable information.
Recommendation 1 – Ensure activity logs minimise collection of identifiable information.
Confirm that activity logs (including any potential fraud detection audit logs) minimise collection of identifiable information about individual users to the extent possible. Implement data disposal schedules for activity log data.
5.1.6 Direct collection
HPP 3 requires an agency to collect health information about an individual only from that individual, unless it is unreasonable or impracticable to do so. In the case of the proof of vaccination solution, Service NSW collects health information indirectly, in that it collects the information from Services Australia which holds the relevant information in the AIR. Direct collection in these circumstances would be unreasonable and impracticable.
IIS finds that risks associated with indirect collection are largely offset by the individual being the one to initiate vaccine certificate sharing. The individual is therefore in control, and aware, of Service NSW’s collection and transmission of their vaccine certificate. Nevertheless, transparency measures remain important – see next section below.
5.2 Transparency (HPPs 4 and 6)
HPPs 4 and 6 are intended to promote transparency about the handling of personal information. They aim to allow individuals to make informed choices about providing information or using a service and to have a general understanding of how information about them is handled. Transparency is both a matter of compliance as well as key to building public confidence and trust. The principles require:
- Open collection (HPP 4) – Before collection or as soon as practicable afterwards, agencies should inform individuals as to why their health information is being collected and other matters.
- Transparency (HPP 6) – An agency must provide individuals with details regarding the health information they store, why it is being used and any rights individuals have to access it.
5.2.1 Privacy collection notice
IIS reviewed a draft privacy collection notice for individuals who import the vaccine certificate to their Service NSW app and provided some feedback to Service NSW. Since then, we have also reviewed a final version of the notice and consider that the notice is likely to meet HPP 4 requirements, and if the information is also easily accessible via the app, will likely meet HPP 6 requirements also.
While Services Australia displays terms and conditions that the user must accept when they elect to share their vaccine certificate with a state-based app, Service NSW does not display a privacy collection notice until the certificate import is already underway in the back-end and the individual’s Service NSW app has launched. While it is always preferable to display a privacy collection notice before any collection takes place, IIS finds this approach is likely to align with the HPP 4 requirement that individuals receive a collection notice ‘at or before the time that it collects the information (or if that is not practicable, as soon as practicable after that time)’. Further, IIS understands that Services Australia’s terms and conditions will explain the data flows to which the individual must agree before the sharing takes place. No further compliance issues were identified.
5.2.2 Public awareness and education
With regard to businesses, it is important that they are aware of the rules surrounding the process of checking a customer’s vaccination status, and of their obligation to collect, or not to collect, certain information. As it did when rolling out the COVID Safe Check-in solution last year, Service NSW could provide information packs for businesses.
Individuals should also have adequate information on when they may be required to display their vaccine certificate, what the process is when allowing businesses to view their vaccination status and what their rights are. This information could be made available on the Service NSW website and in COVID Safe Check-in FAQs. Service NSW should also implement a communications strategy to raise awareness with individuals about rights and requirements.
IIS also emphasises that Service NSW’s communications are a good opportunity to promote the privacy protecting aspects of the solution. Service NSW should highlight that the solution is founded on individual control, and that it only involves displaying vaccine information (not transferring it to anyone else).
Recommendation 2 – Support business and community understanding of rights and responsibilities
As a matter of best practice and to ensure compliance at minimal cost, deploy a communications strategy to support individuals and businesses to understand their rights and responsibilities with regard to vaccination checking. Such a strategy should ensure that individuals and businesses are aware of:
- The privacy-positive aspects of the solution, including individual control and that it is only for displaying vaccine information (not transferring it to anyone else).
- When vaccine checking is required.
- When vaccine checking is not required but voluntary.
- When vaccine checking is not permitted.
- The fact that individuals do not have to hand over their device when having their vaccine certificate checked.
- The fact that businesses should minimise collection of health information during the vaccine check-in process and that collection of health information may be covered by the Privacy Act.
- Where individuals can get help or advice about vaccine certificates.
5.3 Security and retention (HPP 5)
HPP 5 obliges NSW agencies to ensure that:
- Health information they hold is kept for no longer than is necessary for the purposes for which the information may lawfully be used.
- Health information is disposed of securely and in accordance with any requirements for the retention and disposal of health information.
- Health information is protected by reasonable security safeguards.
These obligations are echoed in the National COVID-19 Privacy Principles. The Security principle requires that data be protected against misuse and stored in Australia, while the Retention/Deletion principle states that personal information should be destroyed once it is no longer needed for the purpose for which it was collected.
A security assessment of the proof of vaccination solution is being conducted by another external service provider, separate from this PIA process. That said, IIS reviewed high-level security arrangements and found that the proof of vaccination solution in its current form has a number of security strengths.
- Use of a one-time access code (OTAC) minimises disclosure of information to Services Australia. The use of an OTAC to initiate vaccine certificate sharing means Service NSW does not need to disclose any personal information to Services Australia during the certificate export process; the OTAC expires after three minutes, which limits the window in which it could be misused.
- Use of digital signatures and encryption to establish a secure channel. IIS understands that transmissions between Services Australia and Service NSW are encrypted, using certificates issued under a Public Key Infrastructure (PKI), and that OAuth access tokens are used to authenticate Service NSW’s servers for delegated access. Transmissions between Service NSW and the individual’s device are also encrypted.
- Secure on-device storage of the vaccine certificate. The vaccine token and certificate attributes are stored encoded on the device in app-specific storage. The material reviewed describes this storage as encoded; the security assessment should confirm whether it is also encrypted at rest. The app includes protection against jailbroken devices and is itself PIN controlled.
- Use of holograms to prevent false apps and screenshots. The app will display a hologram on the check-in confirmation screen to guard against fraudulent use; IIS understands that further protections will be added post-MVP.
To ensure compliance with the NSW Cyber Security Policy, Service NSW’s Security Team is reviewing the proof of vaccination solution and undertaking a risk assessment. The Security Team has also allocated a dedicated subject matter expert to the project to provide ongoing security advice as design decisions are made. In addition (as mentioned above), Service NSW has engaged an external service provider to conduct a security assessment and penetration testing. Service NSW indicated that findings of security and risk assessments will be shared with SteerCo before ‘go-live’.
The NSW Cyber Security Policy requires agencies to implement the ACSC Essential Eight. Therefore, IIS would expect the Security Team to confirm Service NSW’s performance against Essential Eight indicators, with particular regard to the systems and servers that support the proof of vaccination solution.
In particular, Service NSW should ensure that:
- Application control is in place so that only approved applications may be executed, preventing execution of malware.
- Patches are up to date for both applications and operating systems, and arrangements are in place so that Service NSW knows the patch status of its environment and responds promptly to patch releases.
- Systems are secured against malicious macros, either by disabling macros or by only enabling macros from trusted locations.
- Appropriate restrictions are in place for privileged accounts, so that staff have the least privilege needed for their tasks and privileged accounts cannot be used for risky activities such as reading email, opening attachments or browsing the internet.
- Access controls require multi-factor authentication.
Another consideration for Service NSW will be any security requirements imposed by Services Australia as a condition of access to vaccine information. IIS has not been provided with information about any such requirements but suggests that Service NSW put appropriate governance and assurance measures in place to ensure it follows through on security commitments made to Services Australia, including any security controls applying to Application Programming Interfaces (APIs). APIs expose application functionality to other systems and can reveal details of the underlying implementation; those details may give malicious actors clues that lead to attack vectors they could not otherwise exploit. Good, tested API controls are important for protection of information.
Service NSW should also be aware that Services Australia has mandatory breach notification obligations under the Privacy Act and that Services Australia may require Service NSW’s cooperation in meeting those obligations. This may, for example, require Service NSW to update its data breach response plan and/or cyber incident response plan to make clear the types of incidents requiring notification to Services Australia and what the protocol is for that notification (for example, what information should be relayed and to whom). Service NSW should also consider undertaking breach response testing in cooperation with Services Australia.
In terms of data stored by Service NSW, IIS understands this to include metadata (outlined above at section 5.1.5) and hashed vaccine tokens and device identifiers. Security and storage of COVID Safe Check-in data has been reviewed in previous PIAs. The security or risk assessment should confirm that metadata and vaccine token data is stored securely. It should also confirm that all identifiable data is stored in Australia, in line with the National COVID-19 Privacy Principles.
Recommendation 3 – Ensure security assessments take account of security commitments made to Services Australia. Ensure that security and risk assessments take account of any security commitments made to Services Australia. During sign-off, SteerCo should confirm that the assessments have adequately addressed and implemented any such requirements.
Recommendation 4 – Review breach response plan Review (and if necessary, update) the Service NSW breach response plan and/or cyber incident response plan to ensure it contains an appropriate protocol for notification of a breach to Services Australia. Updates could include information about what information needs to be relayed to Services Australia and who are the appropriate contact points.
HPP 5 regulates data retention and requires that agencies not keep health information for longer than is necessary for the purposes for which the information may lawfully be used. The National COVID-19 Privacy Principles also state that personal information should be destroyed once it is no longer needed for the purpose for which it was collected. Specifically, the principles observe that ‘the Australian community expects that the information they provide to support the COVID-19 public health response will not be retained indefinitely and should be deleted as soon as it is no longer needed.’
Service NSW plans to retain hashed vaccine tokens (which include the individual’s name, date of birth and vaccination status). The key question is whether retaining the vaccine token remains necessary with regard to the purpose for which it was collected. IIS understands that the vaccine token and device identifier are being retained to enable checkers to verify the vaccine certificate on an individual’s Service NSW app.
We consider this to be a low privacy risk given that Service NSW stores only a SHA-256 one-way hash of the token rather than the token itself. One caveat applies: a one-way hash de-identifies the token only if the token cannot be guessed. If the token is a deterministic encoding of name, date of birth and vaccination status with no unpredictable component, the stored hashes can be matched against hashes computed for candidate name and date of birth combinations, and the data would not be de-identified in practice. The security assessment should confirm that the token includes unpredictable material, or that the hash is keyed with a secret held by Service NSW, before the stored hashes are treated as de-identified. As a matter of best practice, we encourage Service NSW to continue pursuing data minimisation and de-identification for its solution. Service NSW should also put in place measures to dispose of identifiable data associated with the proof of vaccine solution once it is no longer needed, and certainly once vaccine checking ceases.
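The point above turns on whether the hashed token can be guessed. The following Python is an added example, not code from the PIA, from Service NSW or from Services Australia. It builds a constructed, deliberately tiny token space, shows that a plain SHA-256 digest of a guessable token is recovered by enumeration, and shows that an HMAC with a server-held key is not recoverable without the key while still supporting the checker’s comparison. The token layout, names, dates and key are assumptions for the demonstration; the real token format is not described in this summary. The same keyed approach applies to the user and device identifiers in the activity logs discussed at 5.1.5.

```python
"""Added example: a plain hash of a guessable token is not de-identification.

Assumption (not stated in the PIA): the token is modelled here as a
deterministic string of name|dob|status. A real token that carries a
nonce or a signature would not be recoverable by the enumeration below.
"""
import hashlib
import hmac
from datetime import date, timedelta
from typing import Callable, Iterator, Optional

# Constructed sample data for this demonstration only.
NAMES = ["Jane Citizen", "John Citizen", "Alex Smith", "Sam Lee", "Kim Nguyen"]
STATUSES = ["VACCINATED", "NOT_VACCINATED"]
DOB_START = date(1980, 1, 1)
DOB_END = date(1980, 12, 31)

# Hypothetical server-side secret; in practice this would live in a key vault
# or HSM and never leave the server.
SERVER_KEY = b"example-secret-key-do-not-use-in-production"


def make_token(name: str, dob: date, status: str) -> str:
    """Hypothetical token layout: a deterministic encoding of name|dob|status."""
    return f"{name}|{dob.isoformat()}|{status}"


def plain_hash(token: str) -> str:
    """Unkeyed SHA-256: anyone can recompute it for any guessed token."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def keyed_hash(token: str, key: bytes) -> str:
    """HMAC-SHA-256: only a party holding `key` can recompute the digest."""
    return hmac.new(key, token.encode("utf-8"), hashlib.sha256).hexdigest()


def candidate_tokens() -> Iterator[str]:
    """Enumerate every token in the (small, constructed) search space.

    Here that is 366 days x 5 names x 2 statuses = 3,660 tokens. For every
    plausible name and date of birth in a real population the space is on
    the order of billions, which a single modern GPU hashes in seconds.
    """
    day = DOB_START
    while day <= DOB_END:
        for name in NAMES:
            for status in STATUSES:
                yield make_token(name, day, status)
        day += timedelta(days=1)


def recover(target_digest: str, digest_fn: Callable[[str], str]) -> Optional[str]:
    """Dictionary attack: return the token whose digest matches, or None."""
    for token in candidate_tokens():
        if hmac.compare_digest(digest_fn(token), target_digest):
            return token
    return None


def verify(token: str, stored_digest: str, key: bytes) -> bool:
    """What the server does at check time: recompute the keyed digest for the
    token presented by the checker app and compare in constant time."""
    return hmac.compare_digest(keyed_hash(token, key), stored_digest)


# A token the server would have hashed and stored (constructed).
TARGET = make_token("Jane Citizen", date(1980, 6, 15), "VACCINATED")
# A different person's token, used to show the check rejects mismatches.
OTHER = make_token("John Citizen", date(1980, 6, 15), "VACCINATED")


if __name__ == "__main__":
    # The plain digest leaks the token to anyone who can enumerate candidates.
    print("plain SHA-256 recovered:", recover(plain_hash(TARGET), plain_hash))
    # The keyed digest cannot be matched by an attacker who lacks SERVER_KEY.
    print("HMAC recovered without key:", recover(keyed_hash(TARGET, SERVER_KEY), plain_hash))
    # The server can still verify a presented token against its stored digest.
    stored = keyed_hash(TARGET, SERVER_KEY)
    print("verify genuine:", verify(TARGET, stored, SERVER_KEY))
    print("verify other person:", verify(OTHER, stored, SERVER_KEY))
```

The mitigation has to come from unpredictability in the token or from a key held only by the server, not from the size of the name space; a keyed digest also keeps the stored value useless to anyone who obtains a copy of the database without the key.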
Recommendation 5 – Continue pursuing data minimisation and de-identification for the solution. Assess and explore ways to promote data minimisation and de-identification for the solution. This should occur through a combination of policy, personnel and technological means.
5.4 Access (HPP 7)
HPP 7 requires an agency that holds health information about an individual to give the individual access to the information on request. As the proof of vaccination solution is fundamentally about giving the individual access to vaccination information about themselves in the form of a vaccine certificate, IIS finds that HPP 7 is unlikely to impose any additional obligations. That said, if Service NSW combines identifiable vaccine information with other information it holds, it would be required to give access to that information on request.
5.5 Data quality and correction (HPPs 2, 8 and 9)
The HPPs require agencies to collect and use accurate information and allow individuals to correct their information if it is incorrect. Given that the AIR is the source of truth for vaccination information, data quality considerations largely sit with Services Australia. IIS understands that currently a refresh will occur when there is a specific need (e.g., an individual is onboarding with a new device or Services Australia is issuing an update on vaccination date), and that a timed refresh may be introduced in the future depending on the project’s status and needs.
Although accuracy of vaccination information is largely the purview of Services Australia, Service NSW still has a role to play in helping individuals resolve issues with their vaccine certificates. Given that individuals are only assigned a certificate if they have had two doses of the vaccine, the main issue they are likely to face is where they have had two doses but the AIR has recorded only one dose or none and therefore the individual has no certificate to export to the Service NSW app. Given that this issue will occur in the Medicare app phase of the process, it appears likely that most individuals will direct their queries to Services Australia. However, Service NSW should still be prepared to field queries, particularly if its app promotes downloading the vaccine certificate (as this may mean that users direct their queries to Service NSW).
Service NSW should provide information to users about how to resolve accuracy issues – the information should be easy to find and follow. Service NSW should also work with Services Australia to implement a streamlined ‘no-wrong-door’ approach to resolving user issues. A poor outcome would be Service NSW call centre staff giving individuals the message that: ‘We can’t help you; you have to call Services Australia.’
Recommendation 6 – Establish a straightforward process for resolving certificate issues. Provide a straightforward process for individuals to correct their vaccination information. The process should take a ‘no-wrong-door’ approach, allowing individuals to be seamlessly transferred to the appropriate part of Services Australia to resolve the issue. Further, Service NSW information about vaccine certificates should explain how individuals may correct their vaccination information with Services Australia.
Recommendation 7 – Ensure effective privacy complaint handling. Equip Service NSW staff to handle privacy complaints about vaccine certificates. Given the involvement of both Commonwealth and State agencies, complaints handling also requires a ‘no wrong door’ approach. This may require updates to internal complaint handling procedures to clarify when Service NSW should resolve a complaint itself and when a complaint should be referred to Services Australia. Resolution by Service NSW should be preferred where possible. It may also involve some additional training for relevant staff. If it has not already, Service NSW should put in place measures to identify systemic privacy issues arising in complaints about vaccine certificates.
5.6 Use and disclosure (HPPs 10 and 11)
HPPs 10 and 11 limit agency use and disclosure of health information. Generally, health information may only be used or disclosed for the purpose it was collected unless an exception applies. Exceptions include where individuals have given their consent for a secondary use or disclosure, or where the secondary use or disclosure is directly related to the primary purpose of collection and the individual would reasonably expect the secondary use or disclosure. Other exceptions also apply. The objective of HPPs 10 and 11 is to ensure purpose limitation and avoid function creep. This aligns with the second of the National COVID-19 Privacy Principles.
5.6.1 Clarifying permitted secondary uses and disclosures
Function creep is a risk unless primary and secondary uses are prescribed and limited. Wider use of vaccine certificates beyond what the community expects threatens public trust in the system, which may result in individuals attempting to circumvent vaccine mandates. While certain secondary uses and disclosures may be permitted by exceptions contained in HPPs 10 and 11, IIS considers that the NSW Government should restrict the use and disclosure of vaccine certificates (and vaccination status information) to specific uses and disclosures directly related to pandemic management and public health – see further Section 5 below.
5.6.2 Use for diagnostics and support
Service NSW indicated that activity logs, including Splunk logs and New Relic logs, would be used for monitoring, error reporting and diagnostics. These activities enable the system to operate smoothly and ensure issues can be identified and resolved. Where the data contained in the logs is unidentifiable, HPP 10 will not apply – see Recommendation 1. Where the data is identifiable, such activities are likely to be permitted under HPP 10(1)(b) which allows use of health information for a secondary purpose if the secondary purpose is directly related to the primary purpose and the individual would reasonably expect the agency to use the information for the secondary purpose. No further compliance issues were identified.
5.6.3 Use for detecting and preventing individual misuse of vaccine certificates
For the MVP, Service NSW is implementing a step in the initial importing flow that will involve matching the full name and date of birth received from Services Australia with the individual user’s full name and date of birth held by the MyServiceNSW Account team. If the match score falls below a set threshold (e.g., 80%), Service NSW would halt the transaction and display an error message to the user. The main purpose of the data-matching is to prevent misuse by an individual seeking to use another person’s vaccine certificate.
IIS considers that the use of the individual’s name and date of birth for this purpose is likely to satisfy HPP 10(1)(b). That is, conducting the matching to ensure the integrity of the vaccine certificate is directly related to the primary purpose of collecting the health information to enable the display of the digital vaccine certificate. We consider that the individual would also be likely to reasonably expect this, especially given that it is mentioned in the privacy collection notice.
Beyond the compliance issue, IIS considers that Service NSW should ensure its approach is proportionate to the risks and that the privacy impact (including public perception) does not outweigh the gains in fraud prevention. Use of identifiable data should be proportional to the problem being addressed, and collection of additional information in audit logs should not be excessive. This is something that Service NSW should monitor over time.
Recommendation 8 – Monitor the system to identify the size and nature of certificate misuse. Monitor the system to identify the size and nature of any certificate misuse to ensure data-matching is appropriate and proportionate. Activities to address certificate misuse should avoid excessive data collection and use.
5.6.4 Use for repairing MyServiceNSW Account information
Data-matching described above – involving matching vaccine certificate name and date of birth with identity credentials held in the individual’s MyServiceNSW Account – could be used by Service NSW to check and repair incorrect or incomplete MyServiceNSW Account information. However, IIS finds that this is likely to breach HPP 10, being unconnected to the primary purpose the data was collected. Service NSW should therefore not use vaccine certificate data for this purpose unless it first seeks the individual’s consent.
Recommendation 9 – Do not use vaccine certificate information to repair MyServiceNSW Account information. Do not use vaccine certificate information (name and date of birth) to repair incorrect or incomplete MyServiceNSW Account information. Use for this purpose is unconnected to the primary purpose the vaccination information was collected by Service NSW.
5.6.5 Use for checker functionality
As noted above, IIS considers the collection by Service NSW’s server of the user’s vaccine token for the checker functionality to be a lawful purpose that is directly related to ensuring the proper functioning and integrity of the proof of vaccination solution. The use of the information contained in the token for the checker functionality is for this primary purpose. No further compliance issues were identified.
5.6.6 Use and disclosure for analytics
Business activity logs collect data that will be used for analytics purposes to understand take-up of the proof of vaccination solution and demographic information about those downloading the digital vaccine certificates, such as age group. Those analytics are displayed on an analytics dashboard accessible to the Minister for Customer Service. Use of data in activity logs for this purpose is likely to be permitted under HPPs 10 and 11, as long as the information is in de-identified form. Service NSW should ensure that any changes to how data is analysed or displayed in the dashboard are reviewed to ensure data is not inadvertently rendered identifiable by the change.
Recommendation 10 – Ensure changes to analytics activities do not render the data identifiable. Ensure that changes to how data is analysed or displayed in the DOMO dashboard are reviewed to ensure data is not inadvertently rendered identifiable by the change. Service NSW could achieve this by implementing a mandatory check for changes to analytics activities. The check would either confirm data remains de-identified or identify measures to remove re-identification risks.
5.6.7 Disclosure to Services Australia
The proof of vaccination solution is configured so that Service NSW does not disclose any personal information about the user to Services Australia during the vaccine certificate export. Service NSW does disclose refresh tokens to Services Australia at certain intervals to check whether the certificate requires refresh, however IIS understands that those tokens do not contain identifiable information. This constitutes good Privacy by Design and minimises the privacy impact on the individual. No further compliance issues were identified.
5.7 Identifiers (HPP 12)
HPP 12 states that an agency may only assign identifiers to individuals if the assignment of identifiers is reasonably necessary to enable the organisation to carry out any of its functions efficiently. IIS understands that the digital licence platform assigns some identifiers, such as device identifiers. It is not clear that the vaccine token would meet the definition of ‘identifier’ in s 4 of the HRIP Act. In any case, IIS finds the use of the device identifier and vaccine token to be reasonably necessary to the functioning of the proof of vaccination solution. No further compliance issues were identified.
5.8 Anonymity (HPP 13)
HPP 13 states that, wherever it is lawful and practicable, individuals must be given the opportunity to not identify themselves when entering into transactions with an agency. IIS finds that this principle is not applicable to the proof of vaccination solution. No further compliance issues were identified.
5.9 Disclosure outside NSW (HPP 14)
HPP 14 restricts disclosure of health information outside NSW in certain circumstances. IIS is not aware of any plans by Service NSW to disclose vaccination status information to a recipient outside of NSW. While an individual may display their vaccine certificate to an organisation outside NSW (such as when entering a venue in another state), this would constitute a disclosure by the individual rather than Service NSW, notwithstanding that the certificate is being displayed via the Service NSW app. No further compliance issues were identified.
5.10 Other considerations
5.10.1 Display of date of birth
Service NSW indicated that Services Australia has requested that the vaccine certificate be displayed in the Service NSW app in the same way as it is displayed in the Medicare app. The certificate includes an individual’s name, the ‘valid from’ date of the certificate and the individual’s date of birth. Displaying an individual’s date of birth prominently on the certificate for all businesses and other checkers to see is poor privacy practice, given that a date of birth may be easily misused, including for identity fraud. IIS understands that it is displayed for identity verification purposes. It is also displayed on paper certificates.
If the date of birth is displayed to distinguish between a person and their parent with the same name, for example, then this could be achieved by displaying the age of the individual rather than the date of birth. The fact that the date of birth is displayed on the paper certificate is not adequate justification for reproducing a poor privacy practice into the digital certificate. IIS accepts that this matter is to some extent outside Service NSW’s control but encourages Service NSW to advocate for minimal personal information to be displayed on the digital certificate, in conversations with the Commonwealth. Care should be taken to avoid the vaccine certificate operating like a de facto ID card.
5.10.2 Business checking and collection of vaccination status information
COVID Safe Check-in has been configured to minimise business collection of customer personal information. The individual checks in to the venue and their name and phone number are collected by Service NSW. With the introduction of proof of vaccination requirements for certain venues, it appears that businesses may have a more active role in checking their customers on entry. The risk is that businesses record customers’ vaccine certificate details rather than only sighting them. This increases the privacy impact on individuals and may result in venues that traditionally do not handle much customer personal information now handling large amounts of information, with the attendant privacy risks that brings. It also reduces individuals’ rights to anonymity.
IIS understands that it is currently the intention of the NSW government to restrict business collection of vaccination status and that this will be given effect via the PHO. IIS supports this approach.
5.10.3 Ensuring strong assurance and governance
The privacy protections contained in any data sharing agreement with Services Australia and other regulatory arrangements (including existing privacy law) will only be effective if the NSW government implements strong assurance and governance arrangements to confirm that the protections are being implemented and complied with appropriately. It was unclear to IIS at the time of writing what agency or group would play this governing role over the longer term after the new system becomes ‘business as usual’ – whether SteerCo would continue to monitor the system or whether it would be the Ministry of Health or the Deputy Secretaries group.
Whichever the case may be, the NSW government should ensure the governing group or agency has a clear mandate to oversee adherence to privacy protections and carry out assurance activities to confirm that the system is operating as intended.
Recommendation 11 – Clarify governance and assurance arrangements. Clarify post roll-out governance and assurance arrangements for the proof of vaccination project and ensure the relevant group or agency has a clear mandate to oversee implementation of the PHO and carry out assurance activities to confirm that the system is operating as intended.
5.10.4 Considerations for future iterations of the solution
As noted in the introduction, the scope of this PIA is limited to the MVP. IIS understands that Service NSW is planning future iterations of the solution and extensions to its functionality. This could include, for example, incorporating more vaccine token information from Services Australia, developing more sophisticated fraud checking capabilities, and extending data flows to other parties (beyond simply displaying the vaccine certificate on-device).
Service NSW has acknowledged the need to keep privacy front-of-mind when further developing the solution. IIS supports this approach and recommends ongoing Privacy by Design (and further PIAs where appropriate) to ensure privacy risks are identified and addressed.
Recommendation 12 – Continue to incorporate Privacy by Design into solution development and conduct PIAs as needed. Continue to incorporate Privacy by Design into future iterations of the solution, when developing functionalities that involve the handling of personal information. Update this PIA or conduct new PIAs as necessary to reflect significant changes in the solution.