The Privacy Impact Assessment is now available:
https://www.health.gov.au/resources/publications/covidsafe-application-privacy-impact-assessment
That it was released the same day as the app is very problematic.
For all the reasons I said earlier today ... https://twitter.com/MsLods/status/1254265386985390080 https://twitter.com/MsLods/status/1254281929513295874
The Privacy Impact Assessment also includes the Dept of Health's response to the PIA. https://www.health.gov.au/sites/default/files/documents/2020/04/covidsafe-application-privacy-impact-assessment-agency-response.pdf
I'll share extracts as I read it:
Dept of Health response:
"The PIA and source code will be released subject to consultation with the Australian Signals Directorate’s Australian Cyber Security Centre"
Dept of Health response:
"The Attorney-General will introduce legislation in the next Parliamentary sitting week to establish a strict legal framework for information handling in the App. Any changes to the App will need to comply with these additional legal protections ... This will minimise the risk of “function creep”."
Dept of Health response:
"The App Privacy Policy provides a mechanism for Users to raise complaints if they consider the consent requirements of the Privacy Act have not been complied with"
Dept of Health response:
"The App will be reviewed within six months of the launch and the need for further consent will be considered at that time or earlier if and when issues are raised. ....
The Government has committed to advising all users when the Pandemic is over and prompting them to delete the App."
Dept of Health response:
"Instead of users accessing their information using COVIDSafe they will be able to change their registration information by deleting and re-installing COVIDSafe. ... A process for users to update or correct their registration information in the National COVIDSafe Data Store will be implemented."
Dept of Health response:
"Health is liaising with State and Territory health authorities to assess what additional assistance is required to support the use of the App. ... Protocols with appropriate minimum standards, regarding the appropriate interaction between Public Health officials & people under 16, will be confirmed after consultation with State & Territory health authorities. Access will be provided only after these protocols are in place."
Dept of Health response:
"... Public Health officials will be required to acknowledge the terms and conditions of use, and work is underway to determine the form of this acknowledgement."
Dept of Health response:
"... seeking independent advice from the ASD’s Australian Cyber Security Centre security experts and will consider making this information publicly available subject to an assessment of whether publication results in an increased security risk."
Dept of Health response:
"AWS are engaged through the DTA under a standard Commonwealth procurement policy that ensures service providers adhere to government policy including security, privacy and confidentiality controls. ... Health will work with the DTA to immediately review the contract with AWS to ensure relevant provisions are included, assess adherence with the Protective Security Policy Framework and audit access management arrangements."
Dept of Health response:
"Health will implement appropriate arrangements with the DTA to clarify roles and responsibilities regarding appropriate security and information flows. Health will also work with DTA re contractual arrangements with relevant ICT & other service providers."