As part of the development of the COVID Safe Check-in functionality for the MyServiceNSW app, Service NSW sought an independent Privacy Impact Assessment by The Lockstep Group. The purpose of this Assessment was to ensure that collection, storage and sharing of personal information is consistent with the Information Protection Principles (IPPs), as set out in the Privacy and Personal Information Protection Act 1998.

A summary of the independent Privacy Impact Assessment is outlined below.

1. Assessment against the IPPs

IPP 1: Collection of personal information for lawful purposes

Findings & Assessment

COVID Safe Check-in generally uses contact details previously collected by Service NSW with the account holder agreeing to those details being made available to NSW Health for contact tracing if required. Some additional contact information (such as name and/or mobile phone number) will be collected by Service NSW through the COVID Safe Check-in feature if the account holder’s previous registration is incomplete and falls short of what is required for contact tracing.  

The Public Health Order requires collection of the time and date of attendance at certain venues.  These details are considered to constitute Personal Information.  Service NSW has been tasked by the government to provide support for prescribed businesses in this context, and as such, the collection is directly related to SNSW’s function.

In the case of discretionary use of the check-in app, given that Service NSW has been tasked by government with the function of safeguarding limited registration records for COVID-19 related record keeping, we find that the collection can be said to be directly related to the agency’s function as required by IPP 1.

We find that COVID Safe Check-in complies with IPP 1, and thus have no recommendations.

IPP 2: Collection of personal information directly from an individual

Findings & Assessment

COVID Safe Check-in collects contact details either directly from the individual (if they need to enter details into the registration screen on the app) or else from the individual’s MyServiceNSW account if account details are present and complete. We presume that an established MyServiceNSW account was originally completed by the person directly.

We find that COVID Safe Check-in complies with IPP 2, and thus have no recommendations.

IPP 3: Requirements when collecting personal information

Findings & Assessment

The COVID Safe Check-in privacy notice [2] informs the individual why their Personal Information (contact details and date & time of attendance at a business) is being collected and how it might be used, with reference to relevant Public Health Orders. 

We note that the location information and date & time of attendance at a venue will not be able to be amended or changed as it must be retained by Service NSW in accordance with the Public Health Orders.

We find that COVID Safe Check-in complies with IPP 3, and thus have no recommendations.

IPP 4: Other requirements relating to collection of personal information

Findings & Assessment

Contact details collected for COVID Safe Check-in are clearly relevant to relevant Public Health Orders [1] and to supporting potential contact tracing in general. Most COVID-19 Safety Plans require a name and email or phone number to be collected. The contact details (namely name, email address and phone number) in Lockstep’s opinion are relevant, not excessive and not unreasonably intrusive (and in any case are a smaller set of information compared with what is routinely collated by contact tracers). So in the context of contact tracing, the collection involved in COVID Safe Check-in is practically trivial.

The accuracy required of contact details for COVID-19 contact tracing is not specified by the Public Health Orders nor by any of the COVID-19 Safety Plans we reviewed.

Further, we note that contact details when recorded manually at COVID Safe businesses are not checked at all.  In Lockstep’s opinion, contact tracing processes deal with a great variety of information sources spanning a range of degrees of quality and accuracy.  Contact tracers should not need or expect any greater accuracy in the data furnished to them from the COVID Safe Check-in process compared with manual or other records.

We find that IPP 4 is satisfied and we make no recommendations. See also IPP 9 below.

IPP 5: Retention and security of personal information

Findings & Assessment 

The COVID Safe Check-in design and operation leverages the established Service NSW infrastructure, in which My Account currently runs and which underpins the mobile app, with end-user support, developer support, secure hosting, network communications and policy administration. This infrastructure has been built and is maintained within the overall governance and engineering frameworks deemed fit for purpose for the Service NSW app. 

The COVID Safe Check-in is a simple addition to the app, and a simple extension to the hosting infrastructure, with storage of new registration records within existing Kafka technology.

Lockstep has not reviewed in detail the security arrangements for the new storage of registration records, but we understand they are comparable to My Service NSW account infrastructure. We assume that the Service NSW platform continues to be monitored and assessed under the government’s Information Security Management System and cyber security policy.  We expect that the existing ISMS will protect the new COVID Safe Check-in records to the same standards as all other customer information.

Registration records are deleted if not required for contact tracing within 28 days of the visit.

The secure FTP service by Accellion used to transfer contact details to NSW Health provides end-to-end encryption, auditability of requests, and local data storage in Australia. 

In Lockstep’s opinion, Service NSW security arrangements are likely to be of a higher quality than most third party QR code collection services, and superior to the record keeping we would expect of most COVID Safe businesses. Therefore COVID Safe Check-in is almost certainly a security improvement over all alternatives. Thus there is an argument that discretionary use of the check-in tool by businesses which wish to record visitor and customer details is in the best interests of those individuals.

We find that the COVID Safe Check-in security design complies with IPP 5 and so we make no recommendations.

IPP 6: Information about personal information held by agencies

Findings & Assessment

The COVID Safe Check-in privacy notice [2] explains what Personal Information (contact details) is being collected and why, with reference to relevant Public Health Orders. 

In the case of discretionary use by businesses of the check-in tool, where PHOs do not mandate record keeping, then it is generally incumbent on the business to explain firstly its desire to collect contact details, and secondly its use of the app for the purpose. In Lockstep’s view, an explanation should be provided before the app needs to be opened or the app’s built-in privacy notice viewed by the customer.  As discussed above, the potential for confusion between the NSW and Commonwealth government’s COVID apps should also be addressed.

If the NSW government is not opposed to the check-in app being used in discretionary record keeping, then Lockstep suggests it is appropriate for Service NSW to support businesses with standardised explanatory material.  This could be naturally provided via the QR code poster being given to COVID Safe businesses. 

Recommendation

Lockstep recommends that guidance along the following lines be added to the COVID Safe Check-in QR code poster.

To help manage the COVID-19 pandemic, this COVID Safe business records your visit and uses the Service NSW mobile app and COVID Check-in tool to do so. Your name, phone number and time of visit are lodged with Service NSW, securely stored for 28 days, and then deleted if not needed for contact tracing.

Use of the Check-in tool means that this venue does not keep a record of your visit.

For further information, refer to the Privacy Notice within the Service NSW app.   

IPP 7: Access to personal information held by agencies

Findings & Assessment

All Personal Information involved in COVID Safe Check-in is stored either in the person’s MyServiceNSW account, where it is already freely accessible, or in the 28-day registration record database.  For guest users that have no SNSW account, the app will allow them to review their contact details (i.e. name and phone number) as they furnished them.

Therefore we find that COVID Safe Check-in conforms to IPP 7 and we make no recommendations.

IPP 8: Alteration of personal information

Findings & Assessment

Most Personal Information involved in COVID Safe Check-in is stored in the person’s MyServiceNSW account, where it may be freely updated, if necessary, through existing mechanisms.  For guest users, the app will allow them to update their name and phone number.

Additional Personal Information about location and date & time of attendance will not be alterable by that person as it must be retained by Service NSW in accordance with the Public Health Orders.  That is, it is not necessary for people to be able to amend this Personal Information.

We find that COVID Safe Check-in conforms to IPP 8 and we make no recommendations.

IPP 9: Agency must check accuracy of personal information before use

Findings & Assessment

Personal Information in COVID Safe Check-in will only be used by contact tracers in the event of a positive test, and will be deleted by Service NSW after 28 days otherwise.

Mobile phone number and email address in a MyServiceNSW account are verified at the time they are registered (in both cases, confirmation codes are sent to the phone number or email address and must be re-entered correctly at the website).  We understand that while the feature is still being designed, there is no plan to verify any additional contact details that might need to be entered into the COVID Safe Check-in process.

Lockstep does not see the need to do additional verification at the time new contact details are collected through COVID Safe Check-in.  The relevant PHO [1] does not require verification of contact details. Contact tracers have their own techniques for establishing the requisite accuracy of details reported by individuals, which we presume they will apply to information they obtain from Service NSW.

Therefore we find that COVID Safe Check-in meets IPP 9.

IPP 10: Limits on use of personal information

Findings & Assessment

Lockstep is satisfied that Service NSW will make no other use of contact details collected through COVID Safe Check-in.

Therefore IPP 10 is met and we make no recommendations.  

IPP 11: Limits on disclosure of personal information

Findings & Assessment

Lockstep is satisfied that the disclosure of contact details collated through COVID Safe Check-in will be strictly limited to purposes allowed for under the Public Health Order (and only then in the event someone in the relevant business tests positive).  The purpose for disclosure is sanctioned by the Public Health Order [1] and comprehensively set out in the COVID Safe Check-in privacy notice [2].

Therefore IPP 11 is met and we make no recommendations.

IPP 12: Special restrictions on disclosure of personal information

Findings & Assessment

Lockstep is satisfied that if the information set out in the privacy notice [2] is brought to the user’s attention when presented with the COVID Safe Check-in feature, then the user’s agreement for their contact details to be used in the event that contact tracing is triggered constitutes consent under NSW privacy guidelines [8]. The user’s agreement appears to be obtained freely and in an informed manner; we expect reasonable users to also understand that there are alternatives to using COVID Safe Check-in.

In any case, the use of Personal Information for contact tracing in our opinion also meets the test within IPP 12 of dealing with “a serious and imminent threat to any person’s health or safety” (emphasis added) and that the use is expressly sanctioned (indeed, mandated) under public health legislation.

Therefore IPP 12 is met and we make no recommendations.