article banner
Insight

Multitude of privacy layers tested by COVID

Matthew Green Matthew Green

I’ve written before about COVID contact tracing apps and the need for robust privacy by design, supported by sufficient transparency and scrutiny.

There has been a lot of debate as to what is and isn’t required, not to mention the efficacy of the apps themselves. However, the need to contact trace isn’t going away and we must address the elephant in the room. 

As we return to new ways of working, many of us will be required to “check-in”, have our temperature checked, and assert to being “healthy”. If there is a risk of an employee being contagious, or has been in close contact with a confirmed case of COVID, then the workplace has a duty of care to inform other employees, clients, customers and visitors of this risk. Many organisations will be geared up to address this through existing privacy measures, but let’s be honest – those privacy policies were never really intended to cover health related information. However, the same rules surrounding your typical data must apply here as well. If you haven’t checked your privacy policies, or you have new people handling sensitive information, this is a timely reminder to all organisations to obtain consent, collect only what is necessary, collect it lawfully and directly, and limit disclosure to only when it’s absolutely necessary.

Clearly, the scope of data privacy needs to expand for organisations. However, in the larger scheme of things, the workplace is a relatively small ecosystem. It’s easier to control and consent when you are interacting with a defined workplace – but we know that people have far more complex social lives, with many more touchpoints in the community. And this presents a far greater challenge – not only for our health, but also when it comes to privacy.

In the absence of every Australian downloading the government track and trace app, and the little quirk of the app only registering a connection after 15 minutes of close contact, we have seen many retailers and businesses implementing their own contact tracing or check-in methods. Many of these appear to rely on QR codes, your mobile device and the user filling out a form on entry to a venue. But what is happening to your personal data once you hit submit? In the rush to roll out check-in and tracing apps, the capture (and sharing?) of personal information appears to have been overlooked. Indeed many of the organisations using these types of apps for the first time won’t have a privacy policy in place. 

You may shrug and think this is fine. It’s not a lot of information and what sort of privacy breach could there be when you’re picking up your morning coffee? However, these check-in apps will pull in a fairly rich picture of customer behaviour – think visiting patterns, dwell time on site, possibly orders, almost certainly lots of device information and so on. What these venues are capturing under the guise of COVID contact tracing might surprise you. How they wish to use this information for marketing purposes might do the same. The problem is, if you asked, most places probably can’t answer a few key questions about their use of the data they are collecting, let alone where it is stored and for how long it will be retained. 

I’ve seen calls recently for a government supplied check-in app. Whilst in theory I think the approach has merit, based on the COVIDSafe app rollout I think it would be a very hard sell to the public with very low take up rates. That said, is an app provided by a third party without any privacy disclosures or detailed design scrutiny any better? I think not. Perhaps the opportunity here is for the Government to extend the use of the COVIDSafe app to include check-in functionality, at least it would be more transparent than many others.

If you have expanded your privacy policy or introduced new track and trace measures, you should be able to answer the following:

  1. What information are you collecting?
  2. What are you going to do with the data?
  3. Where is the data stored?
  4. Who are you sharing the data with?
  5. Which third parties have access to my data and what will they do with it?
  6. When will my data be accessed?
  7. When will you delete my data?


COVID has meant getting your morning coffee or popping out for a bite just got that little bit more complex. In the past, you told the barista a name (maybe your real one) which they may or may not remember for your next order. However, now you’re being asked to hand over much more information in exchange for that $4 latte. It’s fair to ask for some assurance on how that data will be used and stored in return.

Subscribe to receive our publications

Subscribe now to be kept up-to-date with timely and relevant insights, unique to the nature of your business, your areas of interest and the industry in which you operate.