10 questions journos should be asking about the Privacy Impact Assessment (PIA) on the contact-tracing app:

A THREAD:

1. Did it follow the OAIC's guidelines for conducting PIAs?

Ping @arielbogle @CroweDM @justinrhendry @MaxKoslowski @fergushunter @bengrubb
2. Was it done by privacy experts (such as one of the 21 pre-qualified suppliers listed on the Australian Government's Privacy Services Panel, created via open tender: https://www.tenders.gov.au/Son/Show/57A7B1DB-D679-B5A6-2A52-ECC06B71FE66 )?

3. Did it consider legal compliance with privacy and surveillance laws by all players? Given the involvement of State/Territory health authorities, this includes complex consideration of State/Territory privacy laws and health-specific privacy laws, as well as the federal Privacy Act.

4. Did it consider community expectations? (How? Was there consultation? With whom? Did it look at existing research into community attitudes around privacy, health information, and/or contact data specifically?)

5. Did it ask fundamental questions like:
Will the app work?
Will it achieve its public health objectives?
And critically:
Can those objectives be achieved in a more privacy-preserving manner?

6. Did it consider whether the privacy impacts would be outweighed by the public health benefits?

7. Did it take or promote a Privacy by Design approach?

8. Did it consider Privacy Design Strategies to offer recommendations for privacy-preserving design improvements?

9. Did it consider decentralised vs centralised models? Anonymous models?

10. Did it consider global initiatives for privacy-preserving design models, such as DP-3T?

END OF THREAD.
You can follow @SalingerPrivacy.