WA's COVID-19 contact tracing system is plagued with significant privacy and security concerns, putting at risk highly sensitive personal and medical information collected from more than half a million people.
Those are the findings from an auditor-general report tabled in parliament yesterday that examined the way the Health Department handled data collected from COVID-positive people and their close and casual contacts.
The litany of issues included:
- The absence of data encryption to protect personal information
- Inadequate logging of access to sensitive data
- A former contractor being allowed ongoing access to sensitive information
- A lack of restrictions to stop malicious files being uploaded and compromising confidentiality
- Errors and inefficiencies resulting from the manual entry of data, and
- A failure to adequately inform the public about information collected
In one instance, WA Health allowed a contractor to access its data without monitoring who had accessed the sensitive information.
The department's cloud-based COVID-19 information gathering system, known as Public Health COVID Unified System (PHOCUS), helps it harvest information for contact tracing.
As well as SafeWA check-ins, the data has been collected from SmartRiders, CCTV footage, G2G passes, taxi and ride share services and business records.
Personal medical information collected included pathology results, existing medical conditions and medications from people testing positive to COVID-19.
Erosion of trust in government
Auditor-general Caroline Spencer said controls within the department needed to be strengthened to protect the confidentiality of personal information.
"I am concerned that the security and privacy of peoples' highly sensitive medical and personal information has not been protected to the extent the community has a right to expect," she said.
She said WA did not have comprehensive privacy laws, and it was therefore especially important that the Health Department adequately protected the data it collected.
"This lack of transparency can lead to unintended consequences, including erosion of trust in government institutions."
Privacy laws lacking
Curtin University internet studies professor Tama Leaver said the report exposed "significant failings" in the government's handling of personal data.
He said the overarching issue was the lack of privacy laws in Western Australia.
"At the end of the day, the ongoing question is about us having proper privacy laws, which are applied before you set something up, not as an afterthought," Professor Leaver said.
"I don't think any of this data has been gathered illegally in the state, but I think that's because the state's laws are inefficient for looking after people's privacy."
Professor Leaver called for better transparency, given the sensitive nature of the data being stored.
"The fact that there was no real safeguards put in place to prevent that happening is the problem.
"I think as a bare minimum, people have a right to transparency about what data about them is being collected, how long it's being kept, where it's being kept, and who has access to it."
WA Health defends system
The report made four recommendations to WA Health, including improving transparency to the community around the sources used to collect personal information and how it is used, as well as protecting the confidentiality, integrity and availability of personal medical information.
WA Health has agreed to implement all of them.
Director-general David Russell-Weisz defended the contact tracing system as "one of the best systems in Australia, if not the world".
He credited the PHOCUS system with helping authorities contain the Delta outbreak among backpackers last Christmas.
"We welcome the auditor-general's findings … we have accepted the recommendations and indeed, many of the recommendations have been enacted during the past year," he said.
