A cyber-security expert has joined Western Australia's opposition in raising concerns after it was revealed that G2G pass data is to be kept indefinitely.
G2G passes were used to manage compliance with Western Australia's border rules between April 2020 and April 2022.
In answer to questions in state parliament this week — asked by the opposition's police spokesperson, Peter Collier — the government explained that G2G pass data would be managed by police for 25 years, or until 2047 in some cases.
After that period has expired, the information would still be retained by the government, but transferred to the care of the State Records Office (SRO).
Mr Collier questioned why that would be necessary.
"There is no conceivable reason as to why the government needs this information," he said.
"WA Police, and not only that, the minister for police and the premier need to be open and honest and transparent with the West Australian public and say why they find it necessary to retain people's personal information for 25 years for something that is unnecessary."
A police spokesperson said officers cannot directly access the information and could only do so once an 'Order to Produce' had been approved by a justice of the peace.
An application for such an order requires an officer to detail an offence they believe had been committed, the reasons for believing that, and explain why the information would be relevant to the offence.
The spokesperson confirmed that, while orders to produce had been used to access G2G information for reasons other than breaches of COVID-19 rules 22 times throughout the pandemic, the most recent was on March 2, 2022.
A spokesperson for Police Minister Paul Papalia said: "Police are retaining the data in accordance with the State Records Act."
"Information collected for the purposes of contact tracing is limited and health benefits of contact tracing expires after 28 days and therefore does not confirm to the State Records Act," a state government spokesperson said.
"Police have complied with the law, and have stored G2G data which they retain as they must under the State Records Act.
"The data is only accessible by six employees of the WA Police Force and an order must be made to comply with its access.
"It would set a very dangerous precedent if police were allowed to choose which records they retain or destroy."
That legislation requires almost "any record of information" created or received by government organisations, unless exempt, to be held for 25 years and then transferred to the SRO.
Addressing the issue today, Premier Mark McGowan reiterated that retaining the data was required under law.
"The police have pretty secure systems and government has pretty secure systems," he said.
"I can't guarantee at any point in time that someone can't hack something, as we saw recently with Optus, but it's in accordance with the law.
"The law says it needs to be held in that way. If the Liberal Party and Mr Collier are saying we should break the law, I don't agree with them."
Timeframe for archiving in question
Mr Papalia had previously told parliament that police were legally required to keep G2G pass information once quarantine or isolation periods had ended, and even if the app was deleted, but did not specify for how long.
"Individuals are required to consent to this," he said in June last year.
"This information is stated publicly on the wa.gov.au [website's] G2G pass' frequently asked questions page, in the G2G pass privacy policy and in the G2G pass terms of service."
While the frequently asked questions page has since been taken down, a version archived just days after that answer was provided makes no reference of how long data would be held for.
The page directed readers to WA Police's privacy statement, which also does not mention the length of time data will be retained for either.
An archived version of the privacy policy for the suite of G2G apps states that WA Police "may" keep information, before going on to say that keeping it is required by law but, again, without a timeframe.
Mr Collier said the length of time the data would be held for stood in stark contrast to COVID-19 legislation currently making its way through parliament, which will expire in two years' time.
He said he supported any legislation that would make G2G data exempt from the usual 25-year requirement.
"We would, as an opposition, be supportive of that, if it meant that the information or the data that the government had collected for something that is now redundant, would be destroyed," he said.
Other information gathered by the government during the pandemic, such as SafeWA check-in data, was specifically exempted from archive requirements and deleted after 28 days in most cases.
Data storage cause for concern
Cyber-security expert Paul Haskell-Dowland questioned why G2G pass data was not similarly exempted, and whether requirements under the State Records Act should be reviewed.
"The idea that the government is going to hold on to this particular set of data, for a rather generic reason, is of concern," he said.
"There may well be quite legitimate reasons to retain this data, but that isn't what's being discussed at this stage.
"I think there needs to be a lot more clarity over why the data is needed and, in particular, why it is needed over such a long period of time."
Both Professor Haskell-Dowland and Mr Collier pointed to the recent Optus data breach as a reason why any personal data must be handled carefully, and only stored for as long as needed.
"When people signed up to use the Good 2 Go pass, myself included for a small number of travel activities, we didn't really have any clear indication of what the data was going to be used for beyond Good 2 Go," Professor Haskell-Dowland said.
"I'm sure, hidden away in the small print, there was the usual get-out-of-jail-free card for the government, indicating that we signed over all rights to the data.
"But, honestly, I'm not convinced that we've got the appropriate level of buy-in from individuals."
Professor Haskell-Dowland — the Associate Dean of computing and security at Edith Cowan University — suggested governments should, instead, be taking the lead in helping people better understand what their data is going to be used for, rather than burying information in privacy policies.
"I could imagine an iconography-based approach where you have very clear indicators of what kind of data is being stored, for what kind of purpose, who will have access to it, under what conditions, and for what duration that data should be stored," he said.
"While we can turn to the private sector and we can certainly see examples of good practice there, it really needs to be led from the very highest levels.
"That doesn't just mean that governments set legislation and policy and protocol as to how to approach privacy, they really need to live by those standards as well."
